How does the GlobalProtect Portal "Max Times User Can Disconnect" option work?
Created On 04/22/21 04:18 AM - Last Modified 07/20/25 18:00 PM
Question
How does the GlobalProtect Portal "Max Times User Can Disconnect" option under the "App" tab work, and how is it configured?
Environment
- PAN-OS 9.1 and above
- Any Palo Alto Firewall
- GlobalProtect connect method is Always-on
- GlobalProtect (GP) configured
Answer
- This setting specifies the number of times an end user can disconnect the GlobalProtect client before the GP client has to connect.
- GP maintains a lifetime disconnect limit on the portal side. If the administrator changes "Max Times User Can Disconnect" to a value greater than 0, that value becomes the limit on how many times the GP client can be disconnected, regardless of the latest update of the maximum count.
- The GlobalProtect client maintains the count in the "UserOverrides" key under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings. When the GP client connects to the Portal, this value is compared to the value set in the Portal. If the client value is less than the value configured on the Portal, the user is allowed to disconnect the GP client.
Configuration:
- From the Firewall GUI: Network > GlobalProtect > Portals > (select the configured Portal).
- Under GlobalProtect Portal Configuration, click on Agent > (click the configured Agent).
- On the pop-up window, click on the App tab.
- In the App Configurations window on the right side, find "Max Times User Can Disconnect" under "Disconnect GlobalProtect Apps (Always-on mode)".
- By default, this setting is set to 0, which means that users have no limit on the number of times they can disconnect the app.
Additional Information
Listed below are different ways for an end user to disconnect the GP client after the "Max Times User Can Disconnect" limit has been reached.
- Change the Max Times User Can Disconnect count to a higher number on the portal side and restart PanGPA on the end-user machine.
- Change the Max Times User Can Disconnect to 0 on the portal side, and reconnect PanGPA (default option).
- The simpler way of resetting the values on the client is to uninstall and reinstall the GP client.
Note: The registry value of UserOverrides on the GP client machine is unknown to the Portal, and the GP client may already have disconnected a few times. If the value set on the Portal is less than the value on the GP client, the user will not be able to disconnect the GlobalProtect client. For example, if the value on the Portal is set to 25 and the end user has already disconnected the GP client more than 25 times, they cannot ever disconnect the GlobalProtect client.
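To diagnose the situation in the note above on a Windows endpoint, the following read-only PowerShell script is an added example (not Palo Alto Networks code) that reads UserOverrides from the Settings key named in the article and applies the comparison described under Answer. It assumes UserOverrides is a numeric value under that key and that a missing value means a count of 0; the parameter name `PortalLimit` and the function names are hypothetical.

```powershell
# Added example: read-only check of the GlobalProtect disconnect counter.
param(
    # Portal value of "Max Times User Can Disconnect"; supplied by the admin.
    [Parameter(Mandatory)]
    [ValidateRange(0, [int]::MaxValue)]
    [int]$PortalLimit
)

# Settings key named in the article (current user's hive).
$settingsKey = 'HKCU:\Software\Palo Alto Networks\GlobalProtect\Settings'

function Get-DisconnectCount {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction Stop
    if ($props.PSObject.Properties.Name -notcontains 'UserOverrides') { return $null }
    # Assumption: UserOverrides holds a plain integer (DWORD or numeric string).
    $n = 0
    if ([int]::TryParse([string]$props.UserOverrides, [ref]$n)) { return $n }
    throw "UserOverrides is not numeric: '$($props.UserOverrides)'"
}

function Test-DisconnectAllowed {
    param([int]$Count, [int]$Limit)
    if ($Limit -eq 0) { return $true }   # 0 is the default: no limit
    return ($Count -lt $Limit)           # allowed only while count < portal value
}

$count = Get-DisconnectCount -Path $settingsKey
$found = $null -ne $count
if (-not $found) { $count = 0 }          # Assumption: no value means no disconnects yet

$allowed = Test-DisconnectAllowed -Count $count -Limit $PortalLimit
[pscustomobject]@{
    User              = $env:USERNAME
    ValueFound        = $found
    UserOverrides     = $count
    PortalLimit       = $PortalLimit
    DisconnectAllowed = $allowed
    # Disconnects left before the limit applies; $null when unlimited.
    Remaining         = if ($PortalLimit -eq 0) { $null } else { [Math]::Max(0, $PortalLimit - $count) }
}
```

Run it in the affected user's session, passing the value currently configured on the Portal as `-PortalLimit`; a result with `DisconnectAllowed` false and `UserOverrides` at or above `PortalLimit` matches the case described in the note.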