How does Global Protect Portal "Max Times User Can Disable" option work?

Created On 04/22/21 04:18 AM - Last Modified 08/17/21 20:48 PM


Question


How does the Global Protect Portal "Max Times User Can Disable" option under the "App" tab work, and how is it configured?

Environment


  • PAN-OS 8.1 and above.
  • Any Palo Alto Firewall.
  • Global Protect (GP) configured.


Answer


  • This setting specifies the number of times an end-user can disable the Global Protect client before the GP client has to connect.
  • GP maintains a lifetime disable limit on the portal side. If the administrator changes "Max Times User Can Disable" to a value greater than 0, that value is the limit on how many times the GP client can be disabled, regardless of the latest update of the maximum count.
  • The GlobalProtect client maintains the count in the "UserOverrides" key under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings. When the GP client connects to the Portal, this value is compared to the value set on the Portal. If it is less than the value configured on the Portal, the user is allowed to disable the GP client.

Configuration:
  1. From the Firewall GUI: Network > GlobalProtect > Portals > (select the configured Portal).
  2. Under GlobalProtect Portal Configuration, click on Agent > (click the configured Agent).
  3. In the popup window, click on the App tab.
  4. In the App Configurations window on the right side, find "Max Times User Can Disable" under "Disable GlobalProtect Apps".
  5. By default, this setting is set to 0, which means that users have no limit on the number of times they can disable the app.


Additional Information


Listed below are different ways for an end-user to disable the GP client after the "Max Times User Can Disable" limit has been reached.
  1. Change the Max Times User Can Disable count to a higher number on the portal side and restart PanGPA on the end-user machine.
  2. Change the Max Times User Can Disable to 0 on the portal side, and reconnect PanGPA (default option).
  3. The simpler way of resetting the values on the client is to uninstall and reinstall the GP client.
Note: The registry value of UserOverrides on the GP client machine is unknown to the Portal. The GP client may have been disabled a few times. If the value set on the Portal is less than the value on the GP client, the user will not be able to disable the GlobalProtect client. As an example: if the value on the Portal is set to 25 and the end-user has already disabled the GP client more than 25 times, they cannot ever disable the GlobalProtect client.
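
The comparison described in the Answer and in the note above can be checked on an endpoint before changing the Portal value. The following is an added example, not code from this article or from Palo Alto Networks; the function name Get-GPDisableStatus and its -PortalMax parameter are hypothetical, and it assumes UserOverrides is stored as a registry value whose data parses as a whole number. Run it in the affected user's session, since the count lives under HKEY_CURRENT_USER.

```powershell
# Added example, not Palo Alto Networks code. Assumption: UserOverrides is a
# registry value whose data parses as a whole number.
function Get-GPDisableStatus {
    param(
        # Hypothetical parameter: the limit configured on the Portal (0 = no limit).
        [Parameter(Mandatory)][ValidateRange(0, 2147483647)][int]$PortalMax,
        [string]$SettingsKey = 'HKCU:\Software\Palo Alto Networks\GlobalProtect\Settings'
    )

    $status = [ordered]@{
        PortalMax     = $PortalMax
        UserOverrides = $null
        CanDisable    = $null      # $null means "could not be determined"
        Reason        = ''
    }

    if (-not (Test-Path -LiteralPath $SettingsKey)) {
        $status.Reason = 'Settings key not found for this user'
        return [pscustomobject]$status
    }

    # Read the client-side count; a missing value yields $null, not an error.
    $prop = Get-ItemProperty -LiteralPath $SettingsKey -Name 'UserOverrides' -ErrorAction SilentlyContinue
    $count = 0
    if ($null -ne $prop -and [int]::TryParse([string]$prop.UserOverrides, [ref]$count)) {
        $status.UserOverrides = $count
    }

    if ($PortalMax -eq 0) {
        # Per the article, 0 means the user has no limit.
        $status.CanDisable = $true
        $status.Reason = 'Portal value is 0: no limit'
    }
    elseif ($null -eq $status.UserOverrides) {
        $status.Reason = 'UserOverrides missing or not numeric'
    }
    else {
        # Disabling is allowed only while the client count is below the Portal value.
        $status.CanDisable = $count -lt $PortalMax
        $status.Reason = if ($status.CanDisable) { 'Count is below the Portal value' } else { 'Count has reached or passed the Portal value' }
    }
    return [pscustomobject]$status
}

# Example call using the Portal value from the article's note.
Get-GPDisableStatus -PortalMax 25
```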

