Limited Role to disable GP


L1 Bithead

We are using GP in an always on state. From time to time our users need to disable it to use another VPN or when things just aren't working.


I would like to be able to allow our help desk to log in to our firewall and only be able to go to Network - Portals and Generate Ticket option.  This way a user calls in, they log in and generate the key/code to disable GP for whatever duration needed.


I figured out how to add a role that only shows portals in read only mode, but they can't generate a ticket.  If I change it to enable, then they can generate tickets, but they can also make configuration changes.  Good part is they can't commit them, but the changes do stick and then when an admin logs in it shows a commit waiting.


I also wouldn't care if this could be done using SSH. I just need the option of, say, Tier 1 help desk to generate tickets to allow users to disable GP.


Anyone else figure this out or a workaround?





L7 Applicator

We keep our helpdesk away from exactly this usage.

Similar issues, so maybe someone has the answer...

We do it by copying the portal client config and moving the copy to the top.

In this copy the agent is set to allow disable client, but you only get this config if you are in the AD group "disable globalprotect", as this group is also in the copy.

Bit clunky, I know, but the user calls the helpdesk, the helpdesk copies them into the disable group and tells them to rediscover network.

The only downside is that they have to wait until group mapping is updated, or if it is an emergency we update it via CLI.

It works for us as it only happens now and again, even with over 4k users. May not suit you but does the job.

I probably didn't explain that very well...
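
The help desk step of the workaround above, as an added example that is not part of either post: it adds the caller to the "disable globalprotect" group with an expiry, so the exemption from always-on GP is removed without a manual cleanup step, which goes beyond what the reply describes. The function name, parameters and ticket ID are hypothetical, the group name is assumed to be the group's sAMAccountName, and the forest is assumed to have the Privileged Access Management optional feature enabled.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Names below (function, parameters, default group) are assumptions.

function Grant-GPDisableWindow {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TicketId,        # help desk reference, for the audit record
        [ValidateRange(5, 480)] [int] $Minutes = 60,
        [string] $GroupName = 'disable globalprotect'     # group named in the thread; assumed sAMAccountName
    )

    $user  = Get-ADUser  -Identity $SamAccountName -ErrorAction Stop
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # Time-limited membership needs the PAM optional feature. Fail closed rather
    # than silently creating a permanent exemption from the always-on VPN.
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or $pam.EnabledScopes.Count -eq 0) {
        throw 'Privileged Access Management Feature is not enabled; refusing to add a member without an expiry.'
    }

    # Skip users who are already members so an existing expiry is not disturbed.
    $already = Get-ADGroupMember -Identity $group | Where-Object { $_.SID -eq $user.SID }
    if ($already) {
        Write-Warning "$($user.SamAccountName) is already in '$($group.Name)'; nothing changed."
        return
    }

    $ttl = New-TimeSpan -Minutes $Minutes
    if ($PSCmdlet.ShouldProcess("$($user.SamAccountName) -> $($group.Name)", "Add member for $Minutes min")) {
        Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl -ErrorAction Stop

        # Emit a record the caller can log or attach to the ticket.
        [pscustomobject]@{
            User       = $user.SamAccountName
            Group      = $group.Name
            Ticket     = $TicketId
            GrantedBy  = "$env:USERDOMAIN\$env:USERNAME"
            ExpiresUtc = (Get-Date).ToUniversalTime().Add($ttl)
        }
    }
}

# Example call (constructed values):
# Grant-GPDisableWindow -SamAccountName 'jdoe' -TicketId 'HD-0000' -Minutes 120 -WhatIf
```

The firewall only sees the addition, and later the expiry, once its group mapping has refreshed, so the wait described in the reply still applies in both directions.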


