End-user Notification about GlobalProtect Session Logout

Software Support: Starting with GlobalProtect™ app 6.1; Requires PAN-OS 11.0 or later.
OS Support: Linux, Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases, iOS, and Android.
You can now configure end-user notifications about expiry of GlobalProtect app sessions on the gateway. These notifications inform end users in advance when their app sessions are about to expire due to inactivity or expiry of the login lifetime. The messages tell users how much time remains before the app gets disconnected, which prevents unexpected and abrupt app logout. Through the gateway, you can also schedule the display of these custom notifications on the app.
You can also configure end-user notifications for administrator initiated logout on the gateway. The GlobalProtect app displays the notification to users after the administrator initiated logout happens and the users are logged out of the session.
After you configure the notifications on the gateway, the gateway sends these notifications to the GlobalProtect app to display them on the app according to the configured timeout settings.
  1. Ensure that a GlobalProtect gateway is configured.
  2. Enable login lifetime notifications.
    Login Lifetime indicates the validity period of a single gateway session where the users stay logged in to the app (maximum lifetime is 30 days).
    1. (Optional) Modify the default Login Lifetime on the gateway for endpoints.
      • Select Network > GlobalProtect > Gateways.
      • Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
      • On the Agent tab, select Connections Settings and then set the Login Lifetime in days (default is 30 days).
    2. Set the Notify Before Lifetime Expires time in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. The Notify Before Lifetime Expires value must be less than the Login Lifetime. For example, if you set Notify Before Lifetime Expires to 120 minutes, the app displays the notification to the user 2 hours before the login lifetime expires. If you do not want the notification to be displayed, set the value to 0.
    3. (Optional) Modify the Login Lifetime Expiration Message to create a custom message that you want to display to users when their login lifetime sessions are about to expire. The maximum message length is 127 characters.
    For login lifetime, the app also displays a countdown timer for the session.
  3. Enable inactivity logout notifications.
    The Inactivity Logout period indicates the time after which idle users are logged out of the GlobalProtect app (range is 5 to 43200 minutes for tunnel mode and 120 to 43200 minutes for non-tunnel mode; default is 180 minutes).
    1. (Optional) Modify the default Inactivity Logout period on the gateway for endpoints.
      • Select Network > GlobalProtect > Gateways.
      • Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
      • On the Agent tab, select Connections Settings and then set the Inactivity Logout period.
    2. Set the Notify Before Inactivity Logout time in minutes (default is 30 minutes) to schedule the display of the inactivity logout notification on the app. The Notify Before Inactivity Logout value must be less than the Inactivity Logout period. For example, if you set Notify Before Inactivity Logout to 20 minutes, the app displays the notification to the user 20 minutes before the inactive session expires. If you do not want the notification to be displayed, set the value to 0.
    3. (Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
  4. Enable administrator-initiated logout notifications.
    1. Enable Notify users on administrator initiated logout if you want the app to display a notification to users after the administrator-initiated logout happens.
    2. (Optional) Modify the Administrator Logout Message to create a custom message that you want to display to users after the administrator initiated logout happens. The maximum message length is 127 characters.
  5. Click OK and Commit the changes.
    After you commit the changes on the gateway, refresh the GlobalProtect app connection to get the latest configuration.
  6. Verify the GlobalProtect log events for the timeout notifications.
    GlobalProtect Logs are created every time the app displays the end-user notification about the session logout. To view the event:
    1. From the firewall hosting the gateway, select Monitor > Logs > GlobalProtect.
    2. Filter for eventid eq gateway-tunnel-notify and view the events on the GlobalProtect logs page.
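
The limits stated in steps 2 through 4 can be checked before committing. The following is an added example, not Palo Alto Networks code: it reviews a planned set of values against those limits, including the days-versus-minutes comparison for the login lifetime. The dictionary keys are hypothetical names chosen for this sketch, not PAN-OS configuration keys, and the sample input is constructed.

```python
# Added example: pre-commit sanity check for the gateway notification settings.
# Field names are hypothetical (not PAN-OS config keys); the limits are the
# ones stated in the procedure above.
MAX_MSG_LEN = 127
MAX_LOGIN_LIFETIME_DAYS = 30
INACTIVITY_RANGE_MIN = {"tunnel": (5, 43200), "non-tunnel": (120, 43200)}


def check_notification_settings(cfg):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []

    lifetime_days = cfg.get("login_lifetime_days", 30)
    notify_lifetime = cfg.get("notify_before_lifetime_min", 30)
    if not 0 < lifetime_days <= MAX_LOGIN_LIFETIME_DAYS:
        problems.append("login lifetime must be positive and at most 30 days")
    # Lifetime is set in days, the notice in minutes: compare in minutes.
    elif notify_lifetime >= lifetime_days * 24 * 60:
        problems.append("notify-before-lifetime must be less than login lifetime")

    mode = cfg.get("mode", "tunnel")
    low, high = INACTIVITY_RANGE_MIN[mode]
    inactivity = cfg.get("inactivity_logout_min", 180)
    notify_idle = cfg.get("notify_before_inactivity_min", 30)
    if not low <= inactivity <= high:
        problems.append(f"inactivity logout out of range for {mode} mode ({low}-{high} min)")
    elif notify_idle >= inactivity:
        problems.append("notify-before-inactivity must be less than inactivity logout")

    for key in ("lifetime_msg", "inactivity_msg", "admin_logout_msg"):
        if len(cfg.get(key, "")) > MAX_MSG_LEN:
            problems.append(f"{key} exceeds {MAX_MSG_LEN} characters")

    # 0 is valid and disables the notification; negative values are not.
    for key, value in (("notify_before_lifetime_min", notify_lifetime),
                       ("notify_before_inactivity_min", notify_idle)):
        if value < 0:
            problems.append(f"{key} cannot be negative")
    return problems


# Constructed sample: short idle timeout left with the default 30-minute notice.
SAMPLE = {"mode": "tunnel", "inactivity_logout_min": 20,
          "notify_before_inactivity_min": 30, "admin_logout_msg": "x" * 128}

if __name__ == "__main__":
    for problem in check_notification_settings(SAMPLE):
        print("WARN:", problem)
```

The constructed sample shows the common mistake of shortening the Inactivity Logout period while leaving Notify Before Inactivity Logout at its 30-minute default.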