How to configure and verify a GlobalProtect disable code using 'Allow with Ticket'
Objective
A firewall administrator can choose from five options that control whether GlobalProtect users are allowed to disable the GlobalProtect app themselves: Allow, Disallow, Allow with Comment, Allow with Passcode, and Allow with Ticket. This document covers only the Allow with Ticket option.
Environment
- GlobalProtect App
- GlobalProtect Portal and Gateway
Procedure
This document assumes an already configured and working GlobalProtect deployment and covers only the Allow with Ticket configuration and its verification.
- Configure the Allow with Ticket disable option in the GlobalProtect Portal. Navigate to:
See the following screenshot for an example:
- Find the option named Allow User to Disable GlobalProtect App, open its drop-down menu, and select Allow with Ticket
NOTE: The setting description on the latest PAN-OS versions has been changed to Allow user to disconnect GlobalProtect App (Always-on mode)
- Click OK and commit the configuration
NOTE: Even though the GP Portal configuration was modified and committed in the steps above, the GP App must pull down the new Portal configuration before the setting takes effect. The most reliable way to make the GP App pull down the new Portal configuration is to use the 'Refresh Connection' option in the GP App settings.
Please see the following screenshot:
To verify Disable/Disconnect with Allow with Ticket:
- Click the hamburger menu and select the Disable/Disconnect button, see the following screenshot:
Clicking the Disable/Disconnect button generates a Request Number; a corresponding Ticket from the GP Portal firewall is required to complete the disable/disconnect operation. For example, the screenshot shows Request Number 5BCC-F75F and a blank Ticket field.
NOTE: A Ticket is valid only for the Request Number it was generated for; it cannot be used with any other Request Number.
NOTE: The end-user must enter the Ticket that matches the generated Request Number. If the end-user cancels the request, or the GP App changes state so that the Request Number is no longer active, the end-user must click Disable again to obtain a new Request Number, and a new Ticket must be generated for it.
- The GP Portal firewall administrator generates a Ticket as follows:
- Go to Network > GlobalProtect > Portals
- Click the checkbox next to the GP Portal name
- At the bottom of this same screen, select Generate Ticket
- Enter the Request Number, Duration in minutes, and click OK to generate the Ticket
NOTE: The Disable Timeout (min) setting (Disconnect Timeout (min) in the latest PAN-OS versions) under the Disable GlobalProtect App configuration and the Duration of a Ticket work together: a single Disable/Disconnect event lasts for the lower of the configured timeout and the Ticket's remaining lifetime. For example:
- The Disable/Disconnect Timeout (min) under Disable GlobalProtect App is configured to 5 minutes
- A Ticket is generated with a Duration of 8 minutes
- When the Ticket is used on the GP App, the app is disabled/disconnected for 5 minutes, the lower of the two values. After 5 minutes, the GP App automatically tries to reconnect to the GP Portal and Gateway
- 3 minutes of the Ticket's Duration (8 - 5 = 3) remain. If the end-user disables/disconnects the GP App again within that 3-minute window, the GP App does NOT generate a new Request Number; it immediately disables/disconnects for the remaining 3 minutes
- The firewall admin sends the Ticket to the end-user, over a channel that confirms who is asking, since the Ticket lets that user leave the always-on tunnel for up to the Ticket's Duration
- The end-user enters the Ticket for the corresponding Request Number on the GP App and clicks OK to complete the Disable/Disconnect operation
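The rules above (a Ticket is bound to one Request Number, a cancelled request needs a new Request Number, and a Disable/Disconnect lasts for the lower of the timeout and the Ticket's remaining lifetime) are easy to misjudge when planning how long a user can stay off the tunnel. The following is an added example written for this article, not PAN-OS or GlobalProtect code: a small Python model of the Portal and App sides that replays the 5-minute timeout / 8-minute Ticket scenario. The Portal and App classes, the REQ-/TKT- identifier formats and the minute-based clock are all constructed for the example; the real app and firewall generate and validate their own values.

```python
"""Model of the 'Allow with Ticket' lifetime rules described in this article.

Added example, not PAN-OS or GlobalProtect code. It simulates how a Ticket's
Duration, the portal's Disable/Disconnect Timeout (min) and the app's Request
Number interact. Identifier formats, classes and the minute clock are constructed
for illustration; the real app and firewall use their own formats and checks.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field


@dataclass
class Portal:
    """Portal side: the configured timeout and the Tickets it has generated."""

    disable_timeout_min: int
    # Request Number -> (Ticket, Duration in minutes); a Ticket is bound to one Request Number
    tickets: dict[str, tuple[str, int]] = field(default_factory=dict)
    _seq: itertools.count = field(default_factory=itertools.count, repr=False)

    def generate_ticket(self, request_number: str, duration_min: int) -> str:
        """'Generate Ticket' in the Portals screen: Request Number + Duration -> Ticket."""
        ticket = f"TKT-{next(self._seq):04d}"  # constructed format, not the firewall's
        self.tickets[request_number] = (ticket, duration_min)
        return ticket


@dataclass
class App:
    """App side: pending Request Number, accepted Ticket and the disconnect window."""

    portal: Portal
    request_number: str | None = None  # active Request Number waiting for a Ticket
    ticket_accepted_at: int | None = None
    ticket_duration: int = 0
    disconnected_until: int | None = None
    _seq: itertools.count = field(default_factory=itertools.count, repr=False)

    def ticket_remaining(self, now: int) -> int:
        """Minutes of lifetime left on the last accepted Ticket (0 if none or expired)."""
        if self.ticket_accepted_at is None:
            return 0
        return max(0, self.ticket_accepted_at + self.ticket_duration - now)

    def is_disconnected(self, now: int) -> bool:
        return self.disconnected_until is not None and now < self.disconnected_until

    def click_disable(self, now: int) -> str | None:
        """The Disable/Disconnect button.

        If the last Ticket still has lifetime left, disconnect again at once for
        min(timeout, remaining) and return None (no new Request Number).
        Otherwise return a fresh Request Number that needs a matching Ticket.
        """
        remaining = self.ticket_remaining(now)
        if remaining > 0:
            self.disconnected_until = now + min(self.portal.disable_timeout_min, remaining)
            return None
        self.request_number = f"REQ-{next(self._seq):04d}"  # constructed, not the app's format
        return self.request_number

    def cancel_request(self) -> None:
        """Cancelling the request (or any state change) invalidates the Request Number."""
        self.request_number = None

    def enter_ticket(self, ticket: str, now: int) -> int:
        """Enter a Ticket for the pending Request Number.

        Returns the minutes the app stays disconnected, or 0 if rejected (no pending
        request, or the Ticket was generated for a different Request Number).
        """
        if self.request_number is None:
            return 0
        issued = self.portal.tickets.get(self.request_number)
        if issued is None or issued[0] != ticket:
            return 0
        _, duration = issued
        self.ticket_accepted_at = now
        self.ticket_duration = duration
        self.request_number = None
        minutes = min(self.portal.disable_timeout_min, duration)
        self.disconnected_until = now + minutes
        return minutes


def walkthrough() -> list[str]:
    """Replays the 5-minute timeout / 8-minute Ticket example from the article."""
    portal = Portal(disable_timeout_min=5)
    app = App(portal)
    log = []
    req = app.click_disable(now=0)
    log.append(f"minute 0: Request Number {req}, Ticket field blank")
    ticket = portal.generate_ticket(req, duration_min=8)
    log.append(f"minute 0: admin generates {ticket} for {req} (Duration 8 min)")
    log.append(f"minute 0: Ticket accepted, disconnected for {app.enter_ticket(ticket, now=0)} min")
    log.append(f"minute 5: reconnecting: {not app.is_disconnected(5)}")
    again = app.click_disable(now=5)
    log.append(f"minute 5: Disable again, new Request Number: {again is not None}, "
               f"disconnected until minute {app.disconnected_until}")
    log.append(f"minute 8: Disable again, new Request Number {app.click_disable(now=8)}")
    return log


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```

Running the block prints the six-step replay: the first Ticket yields a 5-minute disconnect, the second click at minute 5 reuses the Ticket for the remaining 3 minutes without a new Request Number, and the click at minute 8 produces a new Request Number because the Ticket's 8-minute lifetime is exhausted. The `cancel_request` path shows why an admin should generate a Ticket only for a Request Number the user still has on screen.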