Password Expiry Warning on the GlobalProtect Client

Password Expiry Warning on the GlobalProtect Client

Created On 09/25/18 17:18 PM - Last Modified 04/28/20 23:37 PM


When using LDAP as the authentication method, users can be prompted with the password expiry warning message when their password is due to expire.

This can be achieved by using LDAP as an authentication method, as shown in the screenshot below:

  • Pan-OS
  • Global Protect
  • LDAP Authentication



  • Server Profile: Specify the configured LDAP profile
  • Login Attribute: Enter the LDAP directory attribute that uniquely identifies the user or group
  • Password Expiry Warning: Enter the number of days prior to password expiration to start displaying notification messages to users to alert them that their passwords are expiring in X number of days (this can be configured ranging from 1 day to 255 days).


By default, notification messages will be displayed seven days before password expiry. Users will not be able to access the VPN if their passwords expire.

Set the maximum password age under the default domain policy in the AD server as shown in the screenshot below:


Shown below is the warning message on the GlobalProtect client.

password expiry.png


Additional Information

Note: As a best practice, consider configuring the agents to use a pre-logon connect method. This will allow users to connect to the domain to change their passwords even after the password has expired.


owner: hnatarajan

  • Print
  • Copy Link

Choose Language