Rollout Strategy: GlobalProtect Disconnect Comments + 12-Hour Auto-Reconnect


L0 Member

We are planning a global rollout of two specific GlobalProtect configurations and need your "battle-tested" advice on the following combination:

  1. Mandatory Disconnect Reasons: Users must provide a comment to disconnect.

  2. 24-Hour Auto-Reconnect: Using a 1440-minute (24hr) Disable Timeout to force reconnection daily.

Key Challenges & Concerns:

  • The "Presentation" Risk: If the 24-hour timer hits during a live Zoom/Teams call or a VP's board presentation, does the auto-reconnect trigger a "handshake" that drops the active session?

  • Executive Friction: How do you handle VIPs who find the mandatory comment box and the "surprise" 24-hour reconnection a hindrance to their workflow?

  • Bandwidth & Capacity: With a global "Always-On" intent (via 24hr reset), how did you calculate the gateway overhead for video traffic vs. tunnel capacity?

  • Data Quality: Are the disconnect comments actually useful for troubleshooting, or are you just seeing "junk" text (e.g., ".", "asdf") from frustrated users?

1 REPLY

Cyber Elite

If these are issued devices, can we step back a second and ask why you're allowing users to disconnect at all? What is the business use-case that would require someone to disconnect from GlobalProtect? I would be asking the folks who are disconnecting why they are disconnecting and clearing that up first, because 99% of staff would have absolutely no reason to have this capability. If you're causing issues for staff and they're having inverse impact for whatever reason, you need to address that root issue. 

  • The "Presentation" Risk: If the 24-hour timer hits during a live Zoom/Teams call or a VP's board presentation, does the auto-reconnect trigger a "handshake" that drops the active session?

I'm slightly confused on what exactly you're talking about when it comes to this 24-hour timer. If you're talking about setting a 1440 disconnect timeout, GlobalProtect is just going to attempt to connect at the expiration of that timer. Depending on your setup, this could prompt for credentials or MFA, it could authenticate using existing cookies, or it could just authenticate via certificate. I would actually caution against setting a disconnect timeout at 1440 simply because that's an extremely long duration for said feature. I would focus again on why people are disconnecting.

  • Executive Friction: How do you handle VIPs who find the mandatory comment box and the "surprise" 24-hour reconnection a hindrance to their workflow?

Assuming that you have management support for this change, this aspect shouldn't matter. Again, however, why are they disconnecting? I utilize a script that triggers off of the disconnect events to notify the user when they'll be reconnected just to provide more notice, but that's probably overkill.

  • Bandwidth & Capacity: With a global "Always-On" intent (via 24hr reset), how did you calculate the gateway overhead for video traffic vs. tunnel capacity?

We plan for everyone to work remotely and utilize our most bandwidth-heavy scenarios for each business unit to ensure that we're scaled properly. This ensures that we are scaled for the worst-case scenario and it means that we didn't need to make any changes at the start of the pandemic since we were properly scaled.

  • Data Quality: Are the disconnect comments actually useful for troubleshooting, or are you just seeing "junk" text (e.g., ".", "asdf") from frustrated users?

As soon as users find out that they don't need to enter a valid reason, you're only going to get junk text entered unless you have a consequence associated with nonsense disconnect reasons. For the very few staff that we allow to disconnect without a ticket, abuse of the disconnect (such as not documenting the reason properly) will see us push them to a portal that disallows disconnect with comment functionality. You need something that has some teeth to force this to not turn into a cluster. 
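For the data-quality question in this thread, the following is an added example (not code from either poster or from Palo Alto Networks) that triages disconnect comments for junk text such as "." or "asdf" and counts repeat offenders per user. The `(user, comment)` record layout, the filler word list and the three-word minimum are assumptions made for illustration; it does not parse any real GlobalProtect log format.

```python
import re
from collections import Counter

# Constructed sample records (user, disconnect comment); not a real log format.
SAMPLE = [
    ("alice", "."),
    ("bob", "asdf"),
    ("carol", "Hotel captive portal blocks the tunnel, ticket INC-0000"),
    ("dave", "aaaaaaa"),
    ("erin", "printer at home office not reachable over VPN"),
    ("bob", "qwerty"),
    ("bob", "test"),
]

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
FILLER = {"test", "none", "nothing", "because", "reason", "disconnect"}  # assumed list

def junk_reason(comment):
    """Return why a comment looks like junk, or None if it looks usable."""
    text = comment.strip().lower()
    letters = re.sub(r"[^a-z]", "", text)
    if len(letters) < 3:
        return "no real words"
    if text in FILLER:
        return "filler word"
    if len(set(letters)) <= 2:
        return "repeated characters"
    compact = re.sub(r"\s+", "", text)
    if any(compact in row or compact in row[::-1] for row in KEYBOARD_ROWS):
        return "keyboard run"
    if len(text.split()) < 3:  # assumed minimum for an actionable reason
        return "too short to act on"
    return None

def triage(records):
    """Return flagged (user, comment, why) rows and a junk count per user."""
    flagged = [(u, c, junk_reason(c)) for u, c in records]
    flagged = [row for row in flagged if row[2]]
    return flagged, Counter(u for u, _, _ in flagged)

if __name__ == "__main__":
    flagged, per_user = triage(SAMPLE)
    for user, comment, why in flagged:
        print(f"{user:6} {comment!r:12} {why}")
    print("repeat offenders:", [u for u, n in per_user.items() if n >= 2])
```

The per-user count is what supports a consequence such as the one described in the reply; the heuristics only surface candidates for a human to review.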
