Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Force GlobalProtect client logout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Force GlobalProtect client logout

L0 Member
Warning, this is a first post from a newbie user!  We are using cloud-managed Prisma Access and have GlobalProtect configured to use machine certificate and Azure SAML authentication for our users.  We configured the GlobalProtect App to use pre-logon, always-on access.  For most of our users this has worked with no issues.  There is one Windows laptop in a weird situation.  This client shows two different connections active at the same time in the Insights > Mobile Users - GlobalProtect > Devices of Connected Users list.  One of the logged-on users is the actual user's account, the other is pre-logon.  We think the way this happened is that last week the user established a GP session with his normal account and then, to test what happens when a new user logs in for the first time, did a switch-user logon on the laptop and logged on with a different account.  After doing so the user discovered that when he switched back to his normal account session on the laptop, he wasn't able to connect to connect to any internet resources.  Neither logging the test user account out of the laptop, refreshing the GP connection from his normal user account, signing out of GP from his normal user account, nor rebooting the laptop fixed his connection problem or removed the duplicate GP connections from the list on Prisma.   He left his laptop powered off over the weekend and tried again this morning.  After his first logon using his normal account he experienced the same issue, but then tried a reboot and after that was able to login and access resources as expected.  Prisma still shows two different connections for this laptop.
 
All of that leads to my question.  I figured there has to be a way to force a specific client to disconnect/logout of GlobalProtect from cloud-managed Prisma, but I can't find it.  There are documents describing how to do that from Panorama-managed Prisma, but when I look at the equivalent location in the cloud-managed UI there is no logout option.  Is it hidden somewhere else, am I (a superuser) lacking some permission, or is forcing GP logouts not possible in cloud-managed Prisma at this time? 
 
1 REPLY 1

L6 Presenter

This sound like a RFE as Palo Alto may have just forgoten to expose this option in the cloud only managment interface. Please see:

 

https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...

 

 

 

Outside of that it sounds like your pre-logon window is not terminated right after the user logs in  as if "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to be a value of "0" this may fix the issue as mentioned in the official aricle below:

 

The gateway client settings is not properly selected when switching from pre-logon user to the logged on user

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBx0CAG&lang=en_US%E2%80%A...

 

  • 2588 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!