What is the Agent User Override Key used for in GlobalProtect


In the GlobalProtect Portal config (under the Agent tab), there's a setting for "Agent User Override Key". I'm finding conflicting information on what this might be used for.

 

The firewall's help file says this field is used for disabling GlobalProtect with a Ticket....

"after a user attempts to disable GlobalProtect, the endpoint displays an 8-character, hexadecimal, ticket request number. The user then contacts the firewall administrator or support team (preferably by phone for security) and provides this number. The administrator or support person types the hexadecimal ticket request number into the Agent User Override Key field (in the GlobalProtect agent configuration Agent tab) so they can see the ticket number (also an 8-character hexadecimal number). The administrator or support person then provides this ticket number to the user who then enters the ticket number into the challenge field to disable the agent."

 

...but, the online GlobalProtect admin guide gives different instructions for disabling GlobalProtect with a Ticket...

"the disconnect action triggers the agent to generate a Request Number. The end user must then communicate the Request Number to the administrator. The administrator then clicks Generate Ticket on the Network > GlobalProtect > Portals page and enters the request number from the user to generate the ticket. The administrator then provides the ticket to the end user, who enters it into the Disable GlobalProtect dialog to enable the agent to disconnect."

(https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...)

 

...it looks like the online admin guide might be more accurate. So then, what is the purpose of the "Agent User Override Key" field?


Cyber Elite
You can set the agent (in the agent config) to allow, disallow, or allow with comment/passcode/ticket the ability to disable the VPN client (this could be a concern if your policy is to have an 'always-on' stance and the user needs/wants to disable the VPN client to get to local resources or for other reasons).

 

The override key is the latter option, which requires an interaction with a firewall admin or operator who is able to provide a response. The one before requires the knowledge of a password, and the 3rd last simply requires the user to fill out a comment (which is logged) before being able to disable the VPN client.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper So what's the difference between "User Agent Override Key" and the "Generate Ticket" button (under Portals)?

 

Would you be able to explain to me the process of disabling GP when "allow with ticket" is enabled?

OK, I've gone through the process.

 

The 'user agent override key' is more of a base key (like the master key) that sets the root for the ticket system.

 

Once the config is running, the user requests the disable and gets a 2-part challenge that the admin can input into the 'generate ticket' and then get a response, which the user needs to complete the transaction. The 'user override key' serves as the 'public key' for this transaction.

 

I'll see if I can get the documentation updated.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper Ok, so at no point in the disable process will the user, or firewall admin, need to enter this Agent User Override Key? Are you saying this "user override key" is just being used to validate the connection (much like an SSL certificate on a web server is used to validate the connection)?

@jambulo

It allows you to change the system default 'key' for the ticket system with one you decide (kind of like a certificate authority used to sign the certificates on the web server).

 

It is part of the system configuration, not part of the ticket transaction.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
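
A sketch of a keyed request/ticket exchange like the one discussed in this thread, added here as an illustration; it is not Palo Alto Networks' code and not part of any post. GlobalProtect's actual ticket derivation is not given on this page, so the sketch assumes HMAC-SHA256 truncated to 8 hexadecimal characters, and all function names and the sample key are hypothetical. It shows how a key that lives only in the configuration never has to be typed during the ticket transaction:

```python
import hashlib
import hmac
import secrets

HEX = set("0123456789ABCDEF")

def new_request_number() -> str:
    """Agent side: random 8-character hexadecimal request number."""
    return secrets.token_hex(4).upper()

def derive_ticket(override_key: bytes, request_number: str) -> str:
    """Either side: 8-hex-character ticket bound to the key and the request."""
    req = request_number.strip().upper()
    if len(req) != 8 or not set(req) <= HEX:
        raise ValueError("request number must be 8 hexadecimal characters")
    # Assumption: HMAC-SHA256 truncated to 32 bits; not the product's algorithm.
    mac = hmac.new(override_key, req.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:8].upper()

def agent_accepts(override_key: bytes, request_number: str, ticket: str) -> bool:
    """Agent side: recompute the ticket locally and compare in constant time."""
    expected = derive_ticket(override_key, request_number)
    return hmac.compare_digest(expected.encode(), ticket.strip().upper().encode())

if __name__ == "__main__":
    key = b"constructed-override-key"      # constructed sample value
    request = new_request_number()         # shown to the user by the agent
    ticket = derive_ticket(key, request)   # generated by the admin on the portal
    # Only the request number and the ticket are exchanged; the key is not.
    print(request, ticket, agent_accepts(key, request, ticket))
    # An agent provisioned with a different key rejects the same ticket.
    print(agent_accepts(b"some-other-key", request, ticket))
```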