How to Generate a ticket for disabling GlobalProtect Agent using an API call

• Disable the GlobalProtect Windows App using tickets.
• Use API call to generate the ticket and eliminate the need to provide Firewall Access for ticket generation.
• API call can be integrated with another application where the Administrators enter the portal name, duration, request number & template name.

• Palo Alto Firewall with GlobalProtect configured.
• GlobalProtect Windows App

1. Generate an API key and familiarize with how to make API calls to the Firewall.

• The following document provides details regarding the API calls :-

2. Use the following API op cmd for generating the ticket :-

<request><global-protect-portal><ticket><duration>DURATION</duration><portal>PORTAL</portal><tpl>Template Name</tpl><request>REQUEST</request></ticket></global-protect-portal></request>

• In the above API call, the variables are :-

1. DURATION  - Duration in minutes
2. PORTAL - Name of the Portal
3. REQUEST - Request number which is generated when disabling the GlobalProtect App
4. TPL - Template name (If templates are using in Panorama)

• Here is an example of the complete API call used from a browser (Without Template):- 

https://192.168.1.1//api/?type=op&cmd=<request><global-protect-portal><ticket><duration>10</duration><portal>Portal1</portal><request>5961-BABA</request></ticket></global-protect-portal></request>&key=ABCDEFG

• Here is an example of the complete API call used from a browser (With Template):- 

https://192.168.1.1//api/?type=op&cmd=<request><global-protect-portal><ticket><duration>10</duration><portal>Portal1</portal><request>5961-BABA</request><tpl>firewall_template</tpl></ticket></global-protect-portal></request>&key=ABCDEFG

• Information on methods for disabling GlobalProtect app for windows :-
  • https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-user-guide/globalprotect-app-for-windows/disable-the-globalprotect-app-for-windows