GlobalProtect client password change help

Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect client password change help

Not applicable


New user here.

We are setting up a dedicated VPN server using PA-200 for our small office (30 people).  We are running software version 6.0 and GlobalProtect Agent 2.0.1.

Here's our setup for the VPN:

1.  Local user database

2.  When the user is created, a temporary password is set.

What we want to do:

1.  Force the user to change the password on first connect.

2.  Have the password expire in 180 days.  Make the user change the password via the GlobalProtect client when the password expires.

How do I set this up?




L4 Transporter


In my opinion password changing for local users  it's possible only by API How to update the local-user-database user password

and additional web based system that You have to build.

According to my knowelage there is no such options (1 and 2) at the moment, You can talk with Your SE.

Maybe You have ActiveDirectory or any other LDAP/Radius system and by this way You can solve Your problem.



L4 Transporter

Up until the time of writing this (PAN-OS 6.1.1, GP 2.1.1) neither GP client nor Portal are unable to change the password for the user. Typically customer with this type of requirement for password expiration would rely on external authentication like Active Directory and use that channel for change password.

The most offering we have at the moment is when integrating authentication with Microsoft AD, GlobalProtect, if configured, will be able to give a "warning" that password will soon to be expired. To be cleared, this is just a display notification for customer to change their AD password via other method (Windows change password, Outlook OWA webmail, etc) but not by GlobalProtect. this option of warning is also not available for local user authentication.

Password Expiry Warning on the GlobalProtect Client

L4 Transporter

Hi Skip,

User can't change the password. Only For Domain:- As a best practice, consider configuring the agents to use a pre-logon connect method. This will allow users to connect to the domain to change their passwords even after the password has expired.

Note: Please mark any helpful or Correct answers!



  • 3 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!