GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
Customize Endpoint Session Timeout Settings
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. GlobalProtect Gateways
  4. Customize Endpoint Session Timeout Settings
Download PDF
GlobalProtect

Customize Endpoint Session Timeout Settings

Table of Contents

Customize Endpoint Session Timeout Settings

Learn how to customize endpoint session timeout settings.
Where Can I Use This?What Do I Need?
  • GlobalProtect Subscription
  • Prisma Access
  • Prisma Access License
  • GlobalProtect app version 6.2 or later and PAN-OS version 11.0.2 or later for Extend User session
    OS Support: Windows and macOS
    Content release version: 8692-16961
  • GlobalProtect app version 6.1 or later and PAN-OS version 11.0 or later for end user Notification about GlobalProtect Session Logout
    OS Support: Linux, Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases
GlobalProtect user sessions are created when a user connects to the GlobalProtect gateway and successfully authenticates. The session is then assigned to a specific gateway that determines which traffic to tunnel based on any defined split tunnel rules. The session can be customized in a number of ways, including the following:
  • Set the
    amount of time the session is valid for
    .
  • Configure the types of applications that are allowed to be used during the session.
  • Set the security policies that are applied to the session.
  • Schedule the
    display of end-user notifications
    about GlobalProtect session logout.
  • Create
    custom messages
    that you want to display to users when the sessions are about to expire.
  • Extend the login lifetime user session
    for GlobalProtect users.
By customizing the user sessions, you can ensure that users have the access they need to get their work done, while also protecting your network from unauthorized access.

Modify Endpoint Session Timeout Settings

Learn how to modify the timeout configuration.
  1. Select NetworkGlobalProtectGatewaysAgentConnection Settings.
  2. In the Timeout Configuration area:
    1. Modify the maximum Login Lifetime for a single gateway login session (the default is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session ends automatically.
    2. Modify the Inactivity Logout period to specify the amount of time after which idle users are logged out of GlobalProtect. You can enforce a security policy to monitor traffic from endpoints while connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. You can enforce a shorter inactivity logout period. Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
      The Inactivity Logout period must be greater than the Automatic Restoration of VPN Connection Timeout to allow GlobalProtect to attempt to reestablish the connection after the tunnel is disconnected (range is 0 to 180 minutes; default is 30 minutes). When you configure an internal gateway in non-tunnel mode, the Inactivity Logout period must be greater than the current HIP check interval value that the GlobalProtect app waits before it sends the HIP report.
  3. (Optional) Enable end-user notifications about GlobalProtect session and create custom messages.
  4. Click OK to save the session timeout settings.
  5. Commit the changes.

Enable End User Notifications about GlobalProtect Session Logout

To enable end-user notifications about GlobalProtect session logout and create custom messages:
  1. Select NetworkGlobalProtectGatewaysAgentConnection Settings.
  2. In the Timeout Configuration area, you can schedule the display of end-user notifications about GlobalProtect session logout and create custom messages:
    1. Set the Notify Before Lifetime Expires time in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. The Notify Before Lifetime Expires must be lesser than the Login Lifetime. For example, if you set the Notify Before Lifetime Expires as 120 minutes, the app will display the notification to the user 2 hours before the expiry of the login lifetime. If you don't want the notification to be displayed, set the value to 0. If you configure the extend user session feature through the app settings of the GlobalProtect portal, the login lifetime expiry notification pop-up displays the option to extend the duration of user session so that users are not logged out of their session abruptly.
    2. (Optional) Modify the default Login Lifetime Expiration Message to create a custom login lifetime expiration message. The maximum message length is 127 characters.
    3. Set the Notify Before Inactivity Logout time in minutes (default is 30 minutes) to schedule the display of inactivity logout notification on the app. The Notify Before Inactivity Logout must be lesser than the Inactivity Logout period. For example, if you set the Notify Before Inactivity Logout as 20 minutes, the app will display the notification to the user 20 minutes before the inactive session expires. If you don't want the notification to be displayed, set the value to 0.
    4. (Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
    5. Enable Notify users on administrator initiated logout if you want the app to display notification to users after the administrator initiated logout happens.
    6. (Optional) Modify the Administrator Logout Message to create a custom message that you want to display to users after the administrator initiated logout happens. The maximum message length is 127 characters.
    7. Click OK to save the notification settings.
    8. Commit the changes.

Configure Extend User Session

To configure Extend User Session for GlobalProtect users:
  1. Select NetworkGlobalProtectPortals.
  2. Select the portal configuration to which you're adding the agent configuration, and then select the Agent tab.
  3. On the Agent tab, select AppApp.
  4. In the App Configurations area, set Allow User to Extend GlobalProtect User Session to Yes to allow users to extend the login lifetime session of the GlobalProtect app before it expires to prevent abrupt app session logout. Select No (default) if you don't want users to be able to extend the login lifetime session of the GlobalProtect app before it expires.
  5. Set the Notify Before Lifetime Expires time in minutes to schedule the display of login lifetime expiry notifications on the GlobalProtect app.
  6. (Optional) Modify the default Login Lifetime Expiration Message to create a custom login lifetime expiration message.
  7. Click OK and Commit the changes.
    After you configure the Extend GlobalProtect User Session app settings through the GlobalProtect portal, the end-user notification for login lifetime expiry displays the Extend GlobalProtect User Session option on the notification pop-up. The end user can select the Extend GlobalProtect User Session to extend the login lifetime session.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.

xThanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application.