Customize Endpoint Session Timeout Settings

Learn how to customize endpoint session timeout settings.
Where Can I Use This?
What Do I Need?
  • GlobalProtect Subscription
  • Prisma Access
  • Prisma Access License
  • GlobalProtect app version 6.2 or later and PAN-OS version 11.0.2 or later for Extend User session
    OS Support: Windows and macOS
    Content release version: 8692-16961
  • GlobalProtect app version 6.1 or later and PAN-OS version 11.0 or later for end user Notification about GlobalProtect Session Logout
    OS Support: Linux, Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases
GlobalProtect user sessions are created when a user connects to the GlobalProtect gateway and successfully authenticates. The session is then assigned to a specific gateway that determines which traffic to tunnel based on any defined split tunnel rules. The session can be customized in a number of ways, including the following:
By customizing the user sessions, you can ensure that users have the access they need to get their work done, while also protecting your network from unauthorized access.

Modify Endpoint Session Timeout Settings

Learn how to modify the timeout configuration.
  1. Select Network > GlobalProtect > Gateways > Agent > Connection Settings.
  2. In the Timeout Configuration area:
    1. Modify the maximum Login Lifetime for a single gateway login session (the default is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session ends automatically.
    2. Modify the Inactivity Logout period to specify the amount of time after which idle users are logged out of GlobalProtect. You can enforce a security policy to monitor traffic from endpoints while connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. You can enforce a shorter inactivity logout period. Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
      The Inactivity Logout period must be greater than the Automatic Restoration of VPN Connection Timeout to allow GlobalProtect to attempt to reestablish the connection after the tunnel is disconnected (range is 0 to 180 minutes; default is 30 minutes). When you configure an internal gateway in non-tunnel mode, the Inactivity Logout period must be greater than the current HIP check interval value that the GlobalProtect app waits before it sends the HIP report.
  3. (Optional) Enable end-user notifications about GlobalProtect session logout and create custom messages.
  4. Click OK to save the session timeout settings.
  5. Commit the changes.

Enable End User Notifications about GlobalProtect Session Logout

To enable end-user notifications about GlobalProtect session logout and create custom messages:
  1. Select Network > GlobalProtect > Gateways > Agent > Connection Settings.
  2. In the Timeout Configuration area, you can schedule the display of end-user notifications about GlobalProtect session logout and create custom messages:
    1. Set the Notify Before Lifetime Expires time in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. The Notify Before Lifetime Expires value must be less than the Login Lifetime. For example, if you set Notify Before Lifetime Expires to 120 minutes, the app displays the notification to the user 2 hours before the login lifetime expires. If you don't want the notification to be displayed, set the value to 0. If you configure the extend user session feature through the app settings of the GlobalProtect portal, the login lifetime expiry notification pop-up displays the option to extend the duration of the user session so that users are not logged out of their session abruptly.
    2. (Optional) Modify the default Login Lifetime Expiration Message to create a custom login lifetime expiration message. The maximum message length is 127 characters.
    3. Set the Notify Before Inactivity Logout time in minutes (default is 30 minutes) to schedule the display of the inactivity logout notification on the app. The Notify Before Inactivity Logout value must be less than the Inactivity Logout period. For example, if you set Notify Before Inactivity Logout to 20 minutes, the app displays the notification to the user 20 minutes before the inactive session expires. If you don't want the notification to be displayed, set the value to 0.
    4. (Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
    5. Enable Notify users on administrator initiated logout if you want the app to display a notification to users after an administrator-initiated logout happens.
    6. (Optional) Modify the Administrator Logout Message to create a custom message that you want to display to users after an administrator-initiated logout happens. The maximum message length is 127 characters.
    7. Click OK to save the notification settings.
    8. Commit the changes.
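
The constraints stated in the two procedures above can be checked before a change is committed. The following is an added example, not Palo Alto Networks code: the field names, rule labels and sample values are hypothetical, and all durations are assumed to be in minutes. It shows the common case where Inactivity Logout is shortened for security while the notification and restoration values are left unchanged.

```python
from dataclasses import dataclass

MAX_MESSAGE_LEN = 127  # maximum custom message length stated on the page

@dataclass
class TimeoutSettings:
    """Hypothetical field names; every duration is in minutes."""
    login_lifetime: int
    inactivity_logout: int
    auto_restore_timeout: int       # Automatic Restoration of VPN Connection Timeout
    hip_check_interval: int
    notify_before_lifetime: int     # 0 disables the notification
    notify_before_inactivity: int   # 0 disables the notification
    internal_non_tunnel: bool = False
    lifetime_message: str = ""
    inactivity_message: str = ""
    admin_logout_message: str = ""

def validate(s):
    """Return labels for each rule from the page that the settings violate."""
    problems = []
    if s.inactivity_logout <= s.auto_restore_timeout:
        problems.append("inactivity_logout<=auto_restore_timeout")
    if s.internal_non_tunnel and s.inactivity_logout <= s.hip_check_interval:
        problems.append("inactivity_logout<=hip_check_interval")
    # 0 switches a notification off, so only non-zero values are compared.
    if s.notify_before_lifetime and s.notify_before_lifetime >= s.login_lifetime:
        problems.append("notify_before_lifetime>=login_lifetime")
    if s.notify_before_inactivity and s.notify_before_inactivity >= s.inactivity_logout:
        problems.append("notify_before_inactivity>=inactivity_logout")
    for field in ("lifetime_message", "inactivity_message", "admin_logout_message"):
        if len(getattr(s, field)) > MAX_MESSAGE_LEN:
            problems.append(field + ">127 chars")
    return problems

# Constructed sample: Inactivity Logout shortened to 20 minutes while the
# notification (30) and restoration timeout (30) keep their earlier values.
SHORTENED = TimeoutSettings(login_lifetime=30 * 24 * 60, inactivity_logout=20,
                            auto_restore_timeout=30, hip_check_interval=60,
                            notify_before_lifetime=120, notify_before_inactivity=30)
# Constructed sample that satisfies every rule for a tunnel-mode gateway.
CONSISTENT = TimeoutSettings(login_lifetime=30 * 24 * 60, inactivity_logout=45,
                             auto_restore_timeout=30, hip_check_interval=60,
                             notify_before_lifetime=120, notify_before_inactivity=20,
                             inactivity_message="Idle session ends in 20 minutes.")

if __name__ == "__main__":
    for name, cfg in (("shortened", SHORTENED), ("consistent", CONSISTENT)):
        print(name, validate(cfg) or "ok")
```
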
