Prisma Access Agent
Customize Prisma Access Agent Session Timeout Settings
Learn how to configure session timeout and inactivity logout settings for Prisma
Access Agent to improve user experience and productivity.
To address the common issue of unexpected session disconnections due to timeouts or
inactivity, which can lead to productivity loss and increased helpdesk tickets,
configure session timeout notifications to enhance the user experience for Prisma
Access Agent users. By configuring session timeouts and notifications, the agent can
inform users before their sessions expire or are terminated, enabling them to take
action to maintain their connections.
Prisma Access Agent user sessions are created when a user connects to the Prisma
Access location and successfully authenticates. The session is then assigned to a
specific gateway that determines which traffic to tunnel based on any defined
forwarding profile rules.
You can customize the duration of a gateway session and when to notify the user
before the session expires. You can also customize the period of inactivity after
which the session is logged out automatically, and when to notify the user before
the session logs out due to inactivity. These notifications appear in the Prisma
Access Agent app and also in system notification pop-ups, ensuring they are visible
and consistent across various operating systems. Session timeout settings are
configured on a per-user or per-user group basis while inactivity settings are
configured globally and apply to all agents.
Configure Endpoint Session Timeout Settings
Learn how to modify the duration of a single gateway session for Prisma Access
Agent.
Session timeouts are enforced by the gateway starting
with PAN-OS version 11.2.x. Prior to that version, session timeouts are enforced
by the Prisma Access Agent itself.
- Navigate to the Agent Settings page.
  - For Strata Cloud Manager Managed Prisma Access deployments:
    - Log in to Strata Cloud Manager as the administrator.
    - Select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
  - For Panorama Managed Prisma Access deployments:
    - From the Cloud Services plugin in Panorama, select Panorama > Cloud Services > Prisma Access Agent.
    - Click Launch Prisma Access Agent.
    - Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
  - For NGFW (Managed by Panorama) deployments:
    - Log in to Strata Cloud Manager as the administrator.
    - Select Workflows > Prisma Access Agent > Setup > Prisma Access Agent.
- Add an agent setting or edit an existing agent setting.
- Select the criteria that match the user or user group for which you want to enable the default system browser.
  - For Strata Cloud Manager Managed deployments: Select the criteria (OS or User Entities) that match the user or user group to send the configuration to.
  - For Panorama Managed deployments: Select the User Entities to select the users to whom you want to deploy the configuration.
- In the App Configuration section, modify the maximum Session Timeout for a single gateway login session.
  Default: Ten days.
  During the session, the user stays logged in as long as the gateway receives a HIP check from the endpoint within the Inactivity Logout period. After this time, the login session ends automatically.
- To notify users before the Prisma Access Agent session expires, enter a value between 0-120 minutes in Notify Before Session Expires (min).
  Default: 0 (no notification is displayed).
  The Notify Before Session Expires (min) value must be less than the Session Timeout value. For example, if you set the Notify Before Session Expires (min) to 120 minutes, the Prisma Access Agent app will display the notification to the user two hours before the session expires.
  When the session expiry notification pop-up displays on the endpoint, users can extend the duration of the user session so that they are not logged out of their session abruptly.
  For the notification to appear on the endpoint, PAN-OS must be at version 11.2 or later.
- (Optional) Customize the user notification by entering the Session Timeout Expiration Message.
  Enter a message to display to the users when their sessions are about to expire. The maximum length for the message is 127 alphanumeric characters.
- Configure other agent settings if needed and Save the settings.
Configure Endpoint Inactivity Logout Settings
(Prisma Access (Managed by Strata Cloud Manager) only) Configure the inactivity logout settings for your endpoints by specifying the amount of time after which idle users are logged out of the Prisma Access Agent. Inactivity logout notifications are configured globally and apply to all agents.
You can use the inactivity logout period to enforce a security policy to monitor traffic from endpoints while connected to Prisma Access and to quickly log out inactive Prisma Access Agent sessions. You can enforce a shorter inactivity logout period. Users are logged out if the Prisma Access Agent has not routed traffic through the tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
- From Strata Cloud Manager, select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
- Edit the Global Agent Settings.
- In the Timeout section, modify the Inactivity Logout period to specify the amount of time after which idle users are logged out of the Prisma Access Agent.
  Default: 180 seconds. The range is 5-43200 seconds.
  If your tenant is a Prisma Access Agent and GlobalProtect™ coexistence-enabled tenant, the timeout settings also apply to GlobalProtect apps.
- Set the Notify Before Inactivity Logout time in minutes to schedule the display of the inactivity logout notification on the Prisma Access Agent app. The Notify Before Inactivity Logout must be less than the Inactivity Logout period. For example, if you set the Notify Before Inactivity Logout to 20 minutes, the app will display the notification to the user 20 minutes before the inactive session expires. If you don't want to display any notification, set the value to 0.
  Default: 30 minutes. The range is 0-60 minutes.
- (Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
- Save the global agent settings.
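The range and ordering rules from the two procedures above can be checked before the values are entered in the console. This is an added example, not Palo Alto Networks code: the field names are hypothetical, the session timeout is assumed to be supplied in minutes, and the inactivity comparison assumes both values are converted to seconds first.

```python
# Added example: pre-change review of Prisma Access Agent timeout values.
# Ranges are the ones quoted on this page; all field names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass

MAX_MESSAGE_LEN = 127  # page: maximum notification message length


@dataclass
class TimeoutSettings:
    session_timeout_min: int           # Session Timeout, converted to minutes
    notify_before_expiry_min: int      # Notify Before Session Expires (min)
    inactivity_logout_sec: int         # Inactivity Logout (seconds)
    notify_before_inactivity_min: int  # Notify Before Inactivity Logout (minutes)
    expiry_message: str = ""
    inactivity_message: str = ""


def review(s: TimeoutSettings) -> list[str]:
    """Return one finding for each rule from the page that the values break."""
    findings = []
    if not 0 <= s.notify_before_expiry_min <= 120:
        findings.append("notify-before-expiry outside 0-120 minutes")
    if s.notify_before_expiry_min >= s.session_timeout_min:
        findings.append("notify-before-expiry not less than session timeout")
    if not 5 <= s.inactivity_logout_sec <= 43200:
        findings.append("inactivity logout outside 5-43200 seconds")
    if not 0 <= s.notify_before_inactivity_min <= 60:
        findings.append("notify-before-inactivity outside 0-60 minutes")
    # Assumption: the two fields use different units, so compare in seconds.
    if s.notify_before_inactivity_min * 60 >= s.inactivity_logout_sec:
        findings.append("notify-before-inactivity not less than inactivity logout")
    for name, msg in (("expiry", s.expiry_message),
                      ("inactivity", s.inactivity_message)):
        if len(msg) > MAX_MESSAGE_LEN:
            findings.append(f"{name} message longer than {MAX_MESSAGE_LEN} characters")
    return findings


if __name__ == "__main__":
    # Constructed values: 10-day session, 1-hour idle limit, 20-minute warning.
    proposed = TimeoutSettings(14400, 120, 3600, 20, "Your session is about to expire")
    for finding in review(proposed) or ["no findings"]:
        print(finding)
```

A 20-minute warning paired with a 600-second inactivity limit passes both range checks but fails the ordering rule once the units are aligned, which is the mismatch this review is meant to catch.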
Verify Session Timeout
You can verify whether the session timeout and session timeout notifications are working by observing the timeout notification on the Prisma Access Agent window and checking the agent status using the Prisma Access Agent command-line tool (PACli).
- To verify session timeout using the Prisma Access Agent app:
  - Observe the system notification for session timeout (if configured). For example, on macOS:
    [Screenshot: session timeout system notification on macOS]
  - Open the Prisma Access Agent on the endpoint and observe the timeout notification (if configured) on the Prisma Access Agent window.
- To verify the session timeout using the PACli tool:
  - Run the following command on the endpoint:
    pacli status
    The Gateway Session Expiry field will show when the user session will expire. For example, on Windows:
    [Screenshot: pacli status output on Windows showing the Gateway Session Expiry field]
  - You can compare the session expiry with the expiry shown on the Prisma Access Agent window to make sure that they match.