Up until the time of writing this (PAN-OS 6.1.1, GP 2.1.1) neither GP client nor Portal are unable to change the password for the user. Typically customer with this type of requirement for password expiration would rely on external authentication like Active Directory and use that channel for change password. The most offering we have at the moment is when integrating authentication with Microsoft AD, GlobalProtect, if configured, will be able to give a "warning" that password will soon to be expired. To be cleared, this is just a display notification for customer to change their AD password via other method (Windows change password, Outlook OWA webmail, etc) but not by GlobalProtect. this option of warning is also not available for local user authentication. Password Expiry Warning on the GlobalProtect Client
... View more