03-16-2023 01:36 PM
This is easily accomplished. What you'll want to look into is "Always On" for the connection method, ensure that you have the 'Allow user to diconnect GlobalProtect App' option configured away from 'Allow' or 'Allow with Comment' to one of the other options, and ensure that internal host detection is configured and enabled.
One this to note; I'm personally not a fan of setting the 'Allow user to disconnect GlobalProtect App' option to disallow outside of heavily regulated industry. I'd recommend that you set this option to 'Allow with Ticket'. This ensures that you have the ability to disable the agent if absolutely necessary, but requires they contact someone with the ability to generate the ticket prior to doing so.
