New user here.
We are setting up a dedicated VPN server using PA-200 for our small office (30 people). We are running software version 6.0 and GlobalProtect Agent 2.0.1.
Here's our setup for the VPN:
1. Local user database
2. When the user is created, a temporary password is set.
What we want to do:
1. Force the user to change the password on first connect.
2. Have the password expire in 180 days. Make the user change the password via the GlobalProtect client when the password expires.
How do I set this up?
In my opinion, password changing for local users is possible only by API (How to update the local-user-database user password)
and an additional web-based system that you have to build.
According to my knowledge, there are no such options (1 and 2) at the moment. You can talk with your SE.
Maybe you have Active Directory or any other LDAP/RADIUS system, and this way you can solve your problem.
Up until the time of writing this (PAN-OS 6.1.1, GP 2.1.1), neither the GP client nor the Portal is able to change the password for the user. Typically, a customer with this type of requirement for password expiration would rely on external authentication like Active Directory and use that channel for changing the password.
The most we offer at the moment is that, when integrating authentication with Microsoft AD, GlobalProtect, if configured, will be able to give a "warning" that the password will soon expire. To be clear, this is just a display notification for the customer to change their AD password via another method (Windows change password, Outlook OWA webmail, etc.) but not by GlobalProtect. This warning option is also not available for local user authentication.
The user can't change the password. Only for domain: As a best practice, consider configuring the agents to use a pre-logon connect method. This will allow users to connect to the domain to change their passwords even after the password has expired.