Can I configure our laptops to disconnect from the internet, if VPN is not on? If so, how?
Just look up Palo’s instructions for configuring always on vpn, that sounds like what you want.
I'll do the same effort in answering (from ChatGPT):
Enforcing an “always-on” VPN configuration using Palo Alto GlobalProtect involves configuring the GlobalProtect portal and gateway settings to ensure a persistent VPN connection. Please note that the specific steps might vary slightly depending on the version of GlobalProtect and the Palo Alto Networks firewall you are using. Here’s a general guide:
1. Configure GlobalProtect Portal:
   - Log in to the Palo Alto Networks firewall web interface.
   - Navigate to Network > GlobalProtect > Portals.
   - Edit the existing portal or create a new one.
   - Under the “Agent” tab, enable the “Always On” option.
2. Configure GlobalProtect Gateway:
   - Navigate to Network > GlobalProtect > Gateways.
   - Edit the existing gateway or create a new one.
   - Under the “Client Configuration” tab, ensure that the “Always On” option is enabled.
3. Configure GlobalProtect Client Settings:
   - Navigate to Network > GlobalProtect > Client Settings.
   - Edit the existing client settings or create a new one.
   - Under the “General” tab, make sure “Connect Method” is set to “On-demand” or “User-logon.”
4. Apply Configurations to Security Policies:
   - Ensure that the security policies on your Palo Alto Networks firewall allow the necessary traffic for GlobalProtect. The policies should permit traffic from the GlobalProtect clients to the internal resources.
5. Distribute Configurations to GlobalProtect Clients:
   - The GlobalProtect client needs to be configured on each endpoint. You can either manually configure the client or use an automated method like Group Policy (for Windows) or Mobile Device Management (for mobile devices).
6. Test Always-On VPN Connection:
   - Deploy the GlobalProtect client on a test machine.
   - Confirm that the VPN connection is automatically established upon user logon or system startup.
You have to enforce the VPN. You can also add some information to the connection if the client isn't connected via VPN or if the user is behind a guest portal.
Enforce Network Access is what you are looking for.
It basically gives you the possibility to lock connectivity if the tunnel with GP is not established.
On top of that, you can even configure some exceptions in the form of IP or FQDN that your workstation would be allowed to reach even if the tunnel is down and Enforce Network Access is on.
Enforce Network Access is configurable from App Settings in the GP Portal.
Why read docs for yourself or use TAC when I can submit a question, sit back and wait for someone to handcraft the entire answer? No AI needed!
Thanks - we turned always-on VPN on; however, if I do not approve the Duo notification, the internet stays on and does not disconnect.
Thanks! We set that; however, we are now running into a problem: when we hard-wire connect to our network and sign out of GP, users don't have network connectivity. Users will be coming in and out of the office, so this solution seems to be half working.
I used to post a question and then switch accounts and put a mildly wrong answer, and then usually people would start commenting trying to correct my wrong answer… people LOVE correcting others.
You'll probably have to deploy certificate-based authentication so that the VPN can authenticate and connect without user intervention. Either that, or you need an endpoint management tool that can somehow disable network access if GP isn't connected. I don't know that there is a way for GP to natively do what you want.
You're welcome! Umh, in that case I believe you have two options:
- Best one imho is to use Internal Host Detection. GP will detect it's on the internal network via a reverse DNS query and it won't build a tunnel toward the Gateway, but Enforce should not kick in as GP in the end is active (never tested this personally, but I am pretty sure it would work like that). This one would be an automatic action which doesn't require user intervention.
- Give the users the chance to 'disable' GP, as when this action is executed Enforce Network Access is automatically disabled. I understand you would give them the possibility to sign out anyway, so I guess it won't be a security concern, while it requires manual action from the user.
Hope it helps.
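To make the interplay described in this thread concrete (Enforce Network Access blocking traffic when the tunnel is down, the IP/FQDN exception list, Internal Host Detection via reverse DNS, and the user-disable case), here is an added model written for this page, not Palo Alto code and not the client's real decision logic; the class and function names and the sample addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EnforceConfig:
    # Hypothetical model of the "Enforce GlobalProtect for network access" setting.
    enabled: bool = True
    exempt_cidrs: tuple = ()   # destinations reachable even while the tunnel is down
    exempt_fqdns: tuple = ()   # FQDN exceptions (match exact name or any subdomain)

@dataclass
class ClientState:
    tunnel_up: bool = False
    internal_host_detected: bool = False  # Internal Host Detection succeeded
    user_disabled_gp: bool = False        # user chose "Disable" in the GP client

def internal_host_detected(probe_ip, expected_host, ptr_lookup):
    """Internal Host Detection as the thread describes it: reverse-resolve a known
    internal IP and compare the PTR answer with the configured hostname.
    ptr_lookup is injected so this runs offline; a real client would use
    socket.gethostbyaddr(probe_ip)[0] instead."""
    try:
        name = ptr_lookup(probe_ip)
    except OSError:
        return False  # no PTR record -> assume we are not on the internal network
    return name.lower().rstrip(".") == expected_host.lower().rstrip(".")

def is_exempt(dest, cfg):
    """True if dest (an IP literal or an FQDN) is covered by the exception list."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        fqdns = [f.lower().rstrip(".") for f in cfg.exempt_fqdns]
        return any(host == f or host.endswith("." + f) for f in fqdns)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cfg.exempt_cidrs)

def allow_traffic(dest, state, cfg):
    """Decide whether the endpoint may reach dest under the modelled enforce rules."""
    if not cfg.enabled:
        return True
    # Tunnel up, internal network detected, or GP disabled by the user: no enforcement.
    if state.tunnel_up or state.internal_host_detected or state.user_disabled_gp:
        return True
    # Tunnel down and enforce active: only the configured exceptions are reachable.
    return is_exempt(dest, cfg)
```

The "Duo not approved" case from earlier in the thread maps to `tunnel_up=False` with no other bypass, which this model blocks; if the real client does not, that is the client-version problem reported below.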
Thanks! Realized that we did not have the newest GlobalProtect client installed, so that's why it was not working. Thanks for all your help!