End-user Notification about GlobalProtect Session Logout
Software Support: Starting with GlobalProtect™ app 6.1; requires PAN-OS 11.0 or later.
OS Support: Linux, Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, ARM-Based macOS 11 and later releases, iOS, and Android.
You can now configure end-user notifications about expiry of GlobalProtect app sessions on the gateway. These notifications inform end users in advance when their app sessions are about to expire due to inactivity or expiry of the login lifetime. The messages tell users how much time remains before the app gets disconnected and prevent unexpected and abrupt app logout. Through the gateway, you can also schedule the display of these custom notifications on the app.
You can also configure end-user notifications for administrator-initiated logout on the gateway. The GlobalProtect app displays the notification to users after the administrator-initiated logout happens and the users are logged out of the session.
After you configure the notifications on the gateway, the gateway sends these notifications to the GlobalProtect app, which displays them according to the configured timeout settings.
Login Lifetime indicates the validity period of a single gateway session where the users stay logged in to the app (maximum lifetime is 30 days).
(Optional) Modify the default Login Lifetime on the gateway for endpoints.
Select Network > GlobalProtect > Gateways.
Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
On the Agent tab, select Connections Settings and then set the Login Lifetime in days (default is 30 days).
Set the Notify Before Lifetime Expires time in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. The Notify Before Lifetime Expires value must be less than the Login Lifetime. For example, if you set Notify Before Lifetime Expires to 120 minutes, the app displays the notification to the user 2 hours before the login lifetime expires. If you do not want the notification to be displayed, set the value to 0.
(Optional) Modify the Login Lifetime Expiration Message to create a custom message that you want to display to users when their login lifetime sessions are about to expire. The maximum message length is 127 characters.
For login lifetime, the app also displays the countdown timer for the session.
Enable inactivity logout notifications.
Inactivity Logout period indicates the time after which idle users are logged out of the GlobalProtect app (range for tunnel mode is 5 to 43200 minutes and for non-tunnel mode 120 to 43200 minutes; default is 180 minutes).
(Optional) Modify the default Inactivity Logout period on the gateway for endpoints.
Select Network > GlobalProtect > Gateways.
Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
On the Agent tab, select Connections Settings and then set the Inactivity Logout period.
Set the Notify Before Inactivity Logout time in minutes (default is 30 minutes) to schedule the display of the inactivity logout notification on the app. The Notify Before Inactivity Logout value must be less than the Inactivity Logout period. For example, if you set Notify Before Inactivity Logout to 20 minutes, the app displays the notification to the user 20 minutes before the inactive session expires. If you do not want the notification to be displayed, set the value to 0.
(Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
Enable Notify users on administrator initiated logout if you want the app to display a notification to users after an administrator-initiated logout happens.
(Optional) Modify the Administrator Logout Message to create a custom message that you want to display to users after the administrator-initiated logout happens. The maximum message length is 127 characters.
Click OK and Commit the changes.
After you commit the changes on the gateway, refresh the GlobalProtect app connection to get the latest configuration.
Verify the GlobalProtect log events for the timeout notifications.
GlobalProtect logs are created every time the app displays the end-user notification about the session logout. To view the event:
From the firewall hosting the gateway, select Monitor > Logs > GlobalProtect.
Filter for eventid eq gateway-tunnel-notify and view the events on the GlobalProtect logs page.
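The limits stated in the steps above (notify times in minutes against a Login Lifetime in days, the mode-dependent Inactivity Logout range, the 127-character message cap) can be checked before you commit. The following is an added example, not Palo Alto Networks code; every function and parameter name is hypothetical, it does not talk to the firewall, and it assumes the Login Lifetime is entered in days and is greater than zero.

```python
# Added example (hypothetical names): checks planned gateway timeout values
# against the limits stated on this page. It does not contact PAN-OS.
MAX_MESSAGE_LEN = 127           # maximum length of each custom message
MAX_LOGIN_LIFETIME_DAYS = 30    # maximum Login Lifetime
INACTIVITY_RANGE = {"tunnel": (5, 43200), "non-tunnel": (120, 43200)}  # minutes


def _check_notify(label, notify_min, limit_min, problems):
    """Return the notify lead time in minutes, or None if disabled or invalid."""
    if notify_min == 0:
        return None  # 0 disables the notification
    if notify_min < 0 or notify_min >= limit_min:
        problems.append(f"{label} ({notify_min} min) must be less than {limit_min} min")
        return None
    return notify_min


def check_gateway_timeouts(login_lifetime_days=30, notify_before_lifetime=30,
                           inactivity_logout=180, notify_before_inactivity=30,
                           mode="tunnel", messages=None):
    """Return (problems, schedule); schedule maps setting -> minute the notice appears."""
    problems, schedule = [], {}
    # Assumption: a lifetime of zero or less is treated as invalid.
    if not 0 < login_lifetime_days <= MAX_LOGIN_LIFETIME_DAYS:
        problems.append(f"Login Lifetime {login_lifetime_days} d must be at most 30 days")
    lifetime_min = login_lifetime_days * 24 * 60  # days -> minutes for comparison
    low, high = INACTIVITY_RANGE[mode]
    if not low <= inactivity_logout <= high:
        problems.append(f"Inactivity Logout {inactivity_logout} min outside "
                        f"{low}-{high} for {mode} mode")
    for label, notify, limit in (
            ("Notify Before Lifetime Expires", notify_before_lifetime, lifetime_min),
            ("Notify Before Inactivity Logout", notify_before_inactivity, inactivity_logout)):
        lead = _check_notify(label, notify, limit, problems)
        if lead is not None:
            schedule[label] = limit - lead  # minutes into the session / idle period
    for name, text in (messages or {}).items():
        if len(text) > MAX_MESSAGE_LEN:
            problems.append(f"{name} is {len(text)} chars; maximum is {MAX_MESSAGE_LEN}")
    return problems, schedule
```

With the page's defaults the schedule shows the lifetime notice at minute 43170 of the session and the inactivity notice after 150 idle minutes.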