Force GlobalProtect client logout

dintymoore — Mon, 17 Oct 2022 14:26:24 GMT

Warning, this is a first post from a newbie user! We are using cloud-managed Prisma Access and have GlobalProtect configured to use machine certificate and Azure SAML authentication for our users. We configured the GlobalProtect App to use pre-logon, always-on access. For most of our users this has worked with no issues. There is one Windows laptop in a weird situation. This client shows two different connections active at the same time in the Insights > Mobile Users - GlobalProtect > Devices of Connected Users list. One of the logged-on users is the actual user's account, the other is pre-logon. We think the way this happened is that last week the user established a GP session with his normal account and then, to test what happens when a new user logs in for the first time, did a switch-user logon on the laptop and logged on with a different account. After doing so the user discovered that when he switched back to his normal account session on the laptop, he wasn't able to connect to connect to any internet resources. Neither logging the test user account out of the laptop, refreshing the GP connection from his normal user account, signing out of GP from his normal user account, nor rebooting the laptop fixed his connection problem or removed the duplicate GP connections from the list on Prisma. He left his laptop powered off over the weekend and tried again this morning. After his first logon using his normal account he experienced the same issue, but then tried a reboot and after that was able to login and access resources as expected. Prisma still shows two different connections for this laptop.

All of that leads to my question. I figured there has to be a way to force a specific client to disconnect/logout of GlobalProtect from cloud-managed Prisma, but I can't find it. There are documents describing how to do that from Panorama-managed Prisma, but when I look at the equivalent location in the cloud-managed UI there is no logout option. Is it hidden somewhere else, am I (a superuser) lacking some permission, or is forcing GP logouts not possible in cloud-managed Prisma at this time?

Re: Force GlobalProtect client logout

nikoolayy1 — Wed, 02 Nov 2022 21:03:38 GMT

This sound like a RFE as Palo Alto may have just forgoten to expose this option in the cloud only managment interface. Please see:

https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590

Outside of that it sounds like your pre-logon window is not terminated right after the user logs in as if "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to be a value of "0" this may fix the issue as mentioned in the official aricle below:

The gateway client settings is not properly selected when switching from pre-logon user to the logged on user

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBx0CAG&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

topic Force GlobalProtect client logout in Prisma Access Discussions

Force GlobalProtect client logout

Re: Force GlobalProtect client logout

The gateway client settings is not properly selected when switching from pre-logon user to the logged on user