What type of traffic is still allowed after enabling "Enforce GlobalProtect for Network Access" in GlobalProtect client configuration?

Created On 11/29/20 15:45 PM - Last Modified 06/03/25 01:56 AM


Question


What type of traffic is still allowed even after enabling "Enforce GlobalProtect for Network Access" in GlobalProtect client configuration?

Environment


  • Palo Alto Firewalls (hardware and VM)
  • Supported PAN-OS
  • GlobalProtect 


Answer


  1. When "Enforce GlobalProtect for Network Access" is enabled, the client PC's network access is blocked until a connection to the gateway is established.
  2. By default, certain types of traffic are excluded from blocking. These are:

  • DNS (UDP/53, TCP/53)
  • DHCP
  • Captive Portal Detection
    • Captive portal detection messages are triggered if the client can't access the Portal/Gateway, regardless of the enforcement settings.
    • The messages are basically HTTP requests.
    • Some of the URLs that GlobalProtect uses for captive portal detection (the list may change in the future):
      • captive.apple.com
      • clients3.google.com
      • www.msftconnecttest.com


  1. Even if a captive portal is detected, no particular action is taken unless enforcement is enabled and either the Captive Portal detection message or the Captive Portal exception timeout value is set. Assuming one of these Captive Portal settings is set, the following happens:
    1. GlobalProtect sends probes to detect whether a captive portal is present.
    2. If GlobalProtect detects a captive portal, it notifies that all traffic has to be allowed.
    3. Once the client authenticates on the captive portal or reaches the Captive Portal exception timeout value, GlobalProtect blocks network access except DHCP and DNS.
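
The rules above can be turned into an audit of endpoint flow logs that flags traffic leaving a host when enforcement should have blocked it. This is an added example, not Palo Alto Networks code: the state names, the port-80 match for probes, the DHCP ports and the sample flows are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Hosts the article lists for captive portal detection (the list may change).
PROBE_HOSTS = {"captive.apple.com", "clients3.google.com", "www.msftconnecttest.com"}

# Endpoint states, named here for illustration (not GlobalProtect terminology).
PRE_TUNNEL = "pre_tunnel"        # enforcement on, no gateway connection yet
PORTAL_WINDOW = "portal_window"  # captive portal detected, login/timeout pending
POST_WINDOW = "post_window"      # portal login done or timeout reached, no tunnel

class Flow(NamedTuple):
    proto: str      # "udp" or "tcp"
    dport: int
    host: str = ""  # destination name if known, else ""

def is_dns(f):
    return f.dport == 53 and f.proto in ("udp", "tcp")

def is_dhcp(f):
    return f.proto == "udp" and f.dport in (67, 68)

def is_probe(f):
    # Assumption: probes are plain HTTP on TCP/80 to one of the listed hosts.
    return f.proto == "tcp" and f.dport == 80 and f.host in PROBE_HOSTS

def expected_allowed(state, f, portal_setting=True):
    """True if the article's rules say this flow may leave the endpoint."""
    if is_dns(f) or is_dhcp(f):
        return True                  # exempt in every state
    if state == PORTAL_WINDOW and portal_setting:
        return True                  # all traffic allowed until login or timeout
    if state in (PRE_TUNNEL, PORTAL_WINDOW):
        return is_probe(f)           # no portal setting: nothing extra is opened
    return False                     # POST_WINDOW: only DHCP and DNS

def audit(records, portal_setting=True):
    """Return the (state, flow) pairs that should have been blocked."""
    return [(s, f) for s, f in records if not expected_allowed(s, f, portal_setting)]

# Constructed sample: observed outbound flows tagged with the endpoint state.
SAMPLE = [
    (PRE_TUNNEL, Flow("udp", 53)),
    (PRE_TUNNEL, Flow("udp", 67)),
    (PRE_TUNNEL, Flow("tcp", 80, "www.msftconnecttest.com")),
    (PRE_TUNNEL, Flow("tcp", 443, "files.example.com")),
    (PORTAL_WINDOW, Flow("tcp", 443, "login.hotspot.example")),
    (POST_WINDOW, Flow("tcp", 443, "files.example.com")),
    (POST_WINDOW, Flow("tcp", 53)),
]
```
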

