Configure Re-authentication Timers for Prisma Access Agent
Configure periodic re-authentication to maintain security compliance for Prisma
Access Agent deployments.
Prisma Access Agent continuously validates user trust through background
authentication processes that do not interrupt user activity. Customizable
authentication timers extend this capability by giving you control over when users
must explicitly re-authenticate by providing their credentials. This allows you to
align authentication intervals with your organizational security policies and
compliance requirements.
Re-authentication Frequency
You can define the frequency that determines how often users must provide their
credentials. This frequency applies globally across your deployment and directly
controls the user refresh token lifetime. You set this interval between 10 hours and
30 days, with a default of 7 days.
Notification Settings
To prevent workflow disruption, you configure notification timers that alert users
before their authentication expires. You specify how many minutes in advance users
receive warnings, with a range of 5 to 120 minutes and a default of 60 minutes. You
can also customize the notification message that displays to users. If you leave the
re-authentication notification message empty, the agent displays a default
message.
Gateway Session Timeout
The gateway session timeout operates separately from re-authentication frequency and controls how long an established connection to the gateway remains valid. You configure this timeout at the Agent Settings level, with values ranging from 2 hours to 30 days and a default of 10 days. This setting was previously named Session Timeout and has been renamed to Gateway Session Timeout for clarity. The notification settings that were previously configurable at the agent level now map from the Global Agent Settings.
Gateway Session Extension Behavior
When the Gateway Session Timeout is reached, the gateway session extends automatically in the background. No user action or notification is required.
Dynamic Privilege Access tenants provide the Aggressive Authentication setting for stricter security enforcement. For Dynamic Privilege Access-enabled Prisma Access Agents, the gateway session extension behavior depends on the Aggressive Authentication configuration.
User Experience
When users reach the re-authentication threshold, their
experience varies based on your configuration and their current connection state.
Connected users receive notifications at the configured time before
re-authentication. When users click on the notification, the agent initiates the
login workflow while the existing tunnel remains up and backend jobs continue
uninterrupted. If users do not complete re-authentication before the deadline, the
user interface signs out from Endpoint Manager and users must re-authenticate to
restore access.
For authentication methods using LDAP with saved credentials or client certificates,
re-authentication notification does not apply. The agent automatically authenticates
and refreshes tokens without explicit user prompts.
Complete the following steps to maintain security compliance for your Prisma Access
Agent deployment.
- Configure global re-authentication settings that apply to all Prisma Access Agent users in your deployment.
  - Go to the Prisma Access Agent Settings page.
    - Strata Cloud Manager Managed Prisma Access deployments:
      - Log in to Strata Cloud Manager as the administrator.
      - Select Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Setup > Prisma Access Agent.
    - Panorama Managed Prisma Access deployments:
      - From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent.
      - Click Launch Prisma Access Agent.
      - Select Configuration > Prisma Access Agent > Settings > Prisma Access Agent.
    - NGFW (Managed by Panorama) deployments:
      - Log in to Strata Cloud Manager as the administrator.
      - Select Configuration > Prisma Access Agent > Settings > Prisma Access Agent.
  - Edit the Global Agent Settings by selecting the gear icon.
  - In the Authentication Timers section, configure the Re-authentication Frequency by entering a value between 10 hours and 30 days. (Default: 7 days)
  - Configure the Notify Before Re-authentication timer by entering a value in minutes between 5 and 120. (Default: 60 minutes)
  - (Optional) Configure the Re-authentication Notification Message by taking one of the following actions:
    - Enter custom text with a maximum of 127 characters.
    - Leave the field empty to use the default agent message ("User Session Expiring").
  - Save your configuration.
- Configure the gateway session timeout at the agent settings level to control how long an established connection remains valid.
  - Go to the Agent Settings.
    - Strata Cloud Manager Managed Prisma Access deployments: Select Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent > Setup > Prisma Access Agent.
    - Panorama Managed deployments: Select Configuration > Prisma Access Agent > Settings > Prisma Access Agent.
  - Select the agent setting you want to configure.
  - In the App Configuration section, configure the Gateway Session Timeout by entering a value between 2 hours and 30 days. (Default: 10 days)
  - Save your configuration.
- Push your configuration to the gateway.
- Verify that agents receive and apply the re-authentication timer and gateway session timeout settings.
  - On an endpoint running Prisma Access Agent version 26.1.1 or later, open a terminal or command prompt.
  - Run the following command to check the Endpoint Manager status:
    pacli epm status
  - Verify the User Refresh Token Expiry field in the output. Ensure that the value reflects your configured re-authentication frequency. The following is an example output from a macOS device:
  - Monitor agent logs for authentication timestamps, session establishment timestamps, re-authentication timer values, and authentication status.
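As an added example (not Palo Alto Networks code and not taken from this page), the following Python models the documented timer ranges and the re-authentication timeline described above, and checks the User Refresh Token Expiry reported by `pacli epm status` against the configured frequency. The key: value output layout, the ISO 8601 timestamp, the sample values and the authentication method names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
# Ranges documented for the Prisma Access Agent timers (defaults: 7 days, 60 minutes, 10 days).
REAUTH_FREQ_RANGE = (timedelta(hours=10), timedelta(days=30))
NOTIFY_BEFORE_RANGE = (timedelta(minutes=5), timedelta(minutes=120))
GATEWAY_TIMEOUT_RANGE = (timedelta(hours=2), timedelta(days=30))

def validate_timers(reauth_freq, notify_before, gateway_timeout):
    """Return a list of problems; an empty list means every value is within its documented range."""
    problems = []
    for name, value, (lo, hi) in (
        ("Re-authentication Frequency", reauth_freq, REAUTH_FREQ_RANGE),
        ("Notify Before Re-authentication", notify_before, NOTIFY_BEFORE_RANGE),
        ("Gateway Session Timeout", gateway_timeout, GATEWAY_TIMEOUT_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside the allowed range {lo} to {hi}")
    return problems

def expected_token_expiry(authenticated_at, reauth_freq):
    """The user refresh token lifetime equals the re-authentication frequency."""
    return authenticated_at + reauth_freq

def notification_time(authenticated_at, reauth_freq, notify_before, auth_method):
    """When the warning is shown; None for LDAP saved credentials and client certificates, which refresh silently."""
    if auth_method in {"ldap_saved_credentials", "client_certificate"}:  # method names are assumed labels
        return None
    return expected_token_expiry(authenticated_at, reauth_freq) - notify_before

def parse_epm_status(text):
    """Parse 'Key: Value' lines; this layout for `pacli epm status` is an assumption, not from the page."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def expiry_matches_config(status_text, authenticated_at, reauth_freq, tolerance=timedelta(minutes=5)):
    """True if the reported User Refresh Token Expiry agrees with the configured frequency."""
    reported = datetime.fromisoformat(parse_epm_status(status_text)["User Refresh Token Expiry"])
    return abs(reported - expected_token_expiry(authenticated_at, reauth_freq)) <= tolerance

# Constructed sample: one authentication at 09:00 UTC and a status line reporting expiry 7 days later.
AUTH_AT = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_STATUS = """\
Endpoint Manager Status: Connected
User Refresh Token Expiry: 2025-01-13T09:00:00+00:00
"""
```

Run `expiry_matches_config(SAMPLE_STATUS, AUTH_AT, timedelta(days=7))` against real status output only after adjusting `parse_epm_status` to the layout your agent version prints.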