topic Re: What is the Agent User Override Key used for in GlobalProtect in General Topics

What is the Agent User Override Key used for in GlobalProtect

jambulo — Fri, 09 Mar 2018 14:36:45 GMT

In the GlobalProtect Portal config(under the Agent tab), there's a setting for "Agent User Override Key". I'm finding conflicting information on what this might be used for.

The firewall's help file says this field is used for disabling GlobalProtect with a Ticket....

"after a user attempts to disable GlobalProtect, the endpoint displays an 8-character, hexadecimal, ticket request number. The user then contacts the firewall administrator or support team (preferably by phone for security) and provides this number. The administrator or support person types the hexadecimal ticket request number into the Agent User Override Key field (in the GlobalProtect agent configuration Agent tab) so they can see the ticket number (also an 8-character hexadecimal number). The administrator or support person then provides this ticket number to the user who then enters the ticket number into the challenge field to disable the agent."

...but, the online GlobalProtect admin guide gives different instructions for disabling GlobalProtect with a Ticket...

"the disconnect action triggers the agent to generate a Request Number. The end user must then communicate the Request Number to the administrator. The administrator then clicks Generate Ticket on the NetworkGlobalProtectPortals page and enters the request number from the user to generate the ticket. The administrator then provides the ticket to the end user, who enters it into the Disable GlobalProtect dialog to enable the agent to disconnect."

(https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-portals/define-the-globalprotect-client-authentication-configurations/customize-the-globalprotect-agent#id0cd8a407-0254-4fca-89a1-fc143b3ab483)

...it looks like the online admin guide might be more accurate. So then, what is the purpose of the "Agent User Override Key" field?

Re: What is the Agent User Override Key used for in GlobalProtect

reaper — Thu, 15 Mar 2018 12:18:18 GMT

you can set the agent (in the agent config) to allow, disallow, or allow with comment/passcode/ticket the ability to diable the VPN client (this could be a concern if your policy is to have an 'always-on' stance and the user need/wants to disable the VPN client to get to local resources or other reasons

the override key is the latter option, that requires an interaction with a firewall admin or operator that is able to provide a responce, the one before requires the knowledge of a password and the 3rd last simply requires the user to fill out a comment (which is logged) before being able to disable the VPN client

Re: What is the Agent User Override Key used for in GlobalProtect

jambulo — Thu, 15 Mar 2018 16:31:18 GMT

@reaperSo what's the difference between "User Agent Override Key" and the "Generate Ticket" button(under Portals)?

Would you be able to explain to me the process of disabling GP when "allow with ticket" is enabled?

Re: What is the Agent User Override Key used for in GlobalProtect

reaper — Fri, 16 Mar 2018 10:59:17 GMT

ok I've gone through the process

the 'user agent override key' is more of a base key (like the master key) that sets the root for the ticket system

once the config is running, the user requests the disable and gets a 2 part challenge that the admin can input into the 'generate ticket' and then get a responce which the user needs to complete the transaction, the 'user override key' serves as the 'public key' for this transaction

i'll see if i can get the documentation updated

Re: What is the Agent User Override Key used for in GlobalProtect

jambulo — Fri, 16 Mar 2018 15:58:23 GMT

@reaperOk, so at no point in the disable process, will the user, or firewall admin, need to enter in this Agent User Override Key? Are you saying this "user override key" is just being used to validate the connection(much like an SSL certificate on a web server is used to validate the connection)?

Re: What is the Agent User Override Key used for in GlobalProtect

reaper — Fri, 16 Mar 2018 16:06:50 GMT

@jambulo

it allows you to change the system default 'key' for the ticket system with one you decide (kind of like a certificate authority used to sign the certificates on the web server)

It is part of the system configuration, not part of the ticket transaction