Security Policy Enforcement for Inactive GlobalProtect Sessions
Software Support: Starting with GlobalProtect™ app 6.0 and PAN-OS 10.1.0
Starting with these releases, you can enforce a security policy rule that tracks traffic from endpoints while end users are connected to GlobalProtect, and use that visibility to log out inactive GlobalProtect sessions quickly by configuring a shorter inactivity logout period. If a GlobalProtect session remains inactive for the configured period, the user is automatically logged out and the VPN tunnel is terminated. Enforcing the policy gives you quick visibility into which user sessions are actually active and makes better use of gateway resources: the tunnel IP address and memory assigned to a stale session are released for reuse sooner.

When you configure an internal gateway in non-tunnel mode, there is no tunnel through which the gateway can observe per-user traffic, so it cannot tell an active session from an idle one by its traffic. In that case GlobalProtect continues to enforce the Inactivity Logout based only on several missed HIP reports: a session whose endpoint has not submitted a HIP report within the inactivity period is logged out.
  1. Specify a shorter amount of time after which idle users are logged out of GlobalProtect.
    1. Launch the Web Interface.
    2. Select Network > GlobalProtect > Gateways > <gateway-config> > Agent > Connection Settings.
    3. Specify the amount of time after which idle users are logged out of GlobalProtect (range is 5 to 43200 minutes; default is 180 minutes).
      Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
      You must set the Inactivity Logout period greater than the Automatic Restoration of VPN Connection Timeout (range is 0 to 180 minutes; default is 30 minutes) so that GlobalProtect can attempt to reestablish the connection after the tunnel is disconnected before the inactivity logout takes effect. When you configure an internal gateway in non-tunnel mode, the Inactivity Logout period must also be greater than the HIP check interval that the GlobalProtect app waits between HIP reports; otherwise a healthy endpoint can be logged out simply because its next scheduled report has not yet arrived.
  2. Click OK twice.
  3. Commit the configuration.