How to configure and verify a Global Protect disable code using 'Allow with Ticket'
4056
Created On 07/27/22 22:54 PM - Last Modified 04/25/25 19:27 PM
Objective
There are 5 options a firewall administrator can configure to allow Global Protect users to disable the Global Protect agent by the user directly. This document is specially focused on one option named 'Allow with Ticket'. Where the other 4 options are; Allow, Disallow, Allow with Comment, and Allow with Passcode.
Environment
- 8.1 and later PANOS versions
- PA-VM and Physical Firewalls
Procedure
This document assumes an already configured and working Global Protect configuration. This How-To will focus on only the disable code configuration and verification.
- Configure the 'Allow with Ticket' disable option in the Global Protect Portal. Navigate to:
Network > GlobalProtect > Portals > click on the desired portal name > Agent > click on the desired Configuration (in the CONFIGS column) > click App TAB.
See the following screenshot for an example from my lab:
See the following screenshot for an example from my lab:
- Find the option named 'Allow User to Disable GlobalProtect App' and drop down the options menu and select 'Allow with Ticket'.
Please see the following screenshot:
- Click 'OK' and commit the configuration
- Even though the GP Portal configuration was modified and committed as in the above steps, you will need to ensure that the actual GP agents are able to pull down this new Portal Configuration before this will be able to work. The best way to ensure the GP agent pulls down the new Portal Configuration is to use the GP Agent settings 'Refresh Connection' option on the GP agent itself.
This action is performed on the Global Protect Agent itself on the end user's computer by clicking the 3 horizontal bars button at the top right of the Global Protect Agent.
Please see the following screenshot:
Please see the following screenshot:
- Again on the Global Protect Agent click the 3 horizontal bars button at the top right of the Global Protect Agent and click 'Disable'
See the following screenshot:
- Note the 'Request Number' from the Global Protect Agent. Below on my lab GP Agent we can see my disable Request Number is '5BCC-F75F'. This Request Number will need to be emailed or by other means sent to the PA firewall administrator.
See the following screenshot:
- The PA firewall administrator will then enter this same code into the following area of the firewall's webui:
- Network > GlobalProtect > Portals
- Click the checkbox next to the GP Portal Name
- Then at the bottom of this same screen Click 'Generate Ticket'
See the following screenshot:
- The firewall administrator will enter the Request Number and Duration in minutes that the Ticket will be valid for.
NOTE: The Request Number MUST be entered in ALL-CAPS
Then Click 'OK' and the Ticket code will be displayed. Here in my lab example the Ticket is '114F-271B' This code must be sent back to the end user to be entered into the Global Protect agent.
Please see the following screenshot:
Please see the following screenshot:
- Once the Global Protect end user receives the Ticket (within 10 minutes per this example) from the firewall administrator, the user will enter this Ticket number in the GP agent and click OK and the Global Protect Agent will now be disabled.
NOTE: On the GP agent this Ticket number does NOT need to be in ALL-CAPS
Please see the following screenshot:
Please see the following screenshot:
NOTE: As mentioned at the beginning of this document, if the GP end user does not see the popup window containing the Request Number when clicking Disable in the GP Agent, and the firewall administrator has already committed the firewall configuration to allow disable using Tickets, then most likely the GP agent has not yet pulled down the new Portal Configuration. If this is the case attempt to 'Refresh Connection' on the GP agent a couple of additional times to ensure the configuration is pulled down to the GP agent.