GlobalProtect
Customize Endpoint Session Timeout Settings
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
-
- 6.1
- 6.0
- 5.2
- 5.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
Customize Endpoint Session Timeout Settings
Learn how to customize endpoint session timeout settings.
Where Can I Use
This? | What Do I Need? |
---|---|
|
|
GlobalProtect user sessions are created when a user connects to the GlobalProtect
gateway and successfully authenticates. The session is then assigned to a specific
gateway that determines which traffic to tunnel based on any defined split tunnel
rules. The session can be customized in a number of ways, including the
following:
- Configure the types of applications that are allowed to be used during the session.
- Set the security policies that are applied to the session.
- Schedule the display of end-user notifications about GlobalProtect session logout.
- Create custom messages that you want to display to users when the sessions are about to expire.
By customizing the user sessions, you can ensure that users have the access they need
to get their work done, while also protecting your network from unauthorized
access.
Modify Endpoint Session Timeout Settings
Learn how to modify the timeout configuration.
- Select.NetworkGlobalProtectGatewaysAgentConnection Settings
- In the Timeout Configuration area:
- Modify the maximumLogin Lifetimefor a single gateway login session (the default is 30 days). During the lifetime, the user stays logged in as long as the gateway receives a HIP check from the endpoint within theInactivity Logoutperiod. After this time, the login session ends automatically.
- Modify theInactivity Logoutperiod to specify the amount of time after which idle users are logged out of GlobalProtect. You can enforce a security policy to monitor traffic from endpoints while connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. You can enforce a shorter inactivity logout period. Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.TheInactivity Logoutperiod must be greater than the Automatic Restoration of VPN Connection Timeout to allow GlobalProtect to attempt to reestablish the connection after the tunnel is disconnected (range is 0 to 180 minutes; default is 30 minutes). When you configure an internal gateway in non-tunnel mode, theInactivity Logoutperiod must be greater than the current HIP check interval value that the GlobalProtect app waits before it sends the HIP report.
- (Optional) Enable end-user notifications about GlobalProtect session and create custom messages.
- ClickOKto save the session timeout settings.
- Committhe changes.
Enable End User Notifications about GlobalProtect
Session Logout
To enable end-user notifications about GlobalProtect
session logout and create custom messages:
- Select.NetworkGlobalProtectGatewaysAgentConnection Settings
- In the Timeout Configuration area, you can schedule the display of end-user notifications about GlobalProtect session logout and create custom messages:
- Set theNotify Before Lifetime Expirestime in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. TheNotify Before Lifetime Expiresmust be lesser than theLogin Lifetime. For example, if you set theNotify Before Lifetime Expiresas 120 minutes, the app will display the notification to the user 2 hours before the expiry of the login lifetime. If you don't want the notification to be displayed, set the value to 0. If you configure the extend user session feature through the app settings of the GlobalProtect portal, the login lifetime expiry notification pop-up displays the option to extend the duration of user session so that users are not logged out of their session abruptly.
- (Optional) Modify the defaultLogin Lifetime Expiration Messageto create a custom login lifetime expiration message. The maximum message length is 127 characters.
- Set theNotify Before Inactivity Logouttime in minutes (default is 30 minutes) to schedule the display of inactivity logout notification on the app. TheNotify Before Inactivity Logoutmust be lesser than theInactivity Logoutperiod. For example, if you set theNotify Before Inactivity Logoutas 20 minutes, the app will display the notification to the user 20 minutes before the inactive session expires. If you don't want the notification to be displayed, set the value to 0.
- (Optional) Modify theInactivity Logout Messageto create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
- EnableNotify users on administrator initiated logoutif you want the app to display notification to users after the administrator initiated logout happens.
- (Optional) Modify theAdministrator Logout Messageto create a custom message that you want to display to users after the administrator initiated logout happens. The maximum message length is 127 characters.
- ClickOKto save the notification settings.
- Committhe changes.