End-user Notification about GlobalProtect Session Logout
Software Support
: Starting with GlobalProtect™
app 6.1; Requires PAN-OS 11.0 or later.OS Support
: Linux
, Windows 10, ARM64-Based Windows 10, macOS 11
and later releases, and ARM-Based macOS 11 and later releases.You can now configure
end-user notifications about expiry of GlobalProtect app sessions
on the gateway. These notifications inform the end users in advance
when their app sessions are about to expire due to inactivity or
expiry of the login lifetime. The messages notify the users about
the remaining time left before the app gets disconnected and prevents
unexpected and abrupt app logout. Through the gateway, you can also
schedule the display of these custom notifications on the app.

You can
also configure end-user notifications for administrator initiated
logout on the gateway. The GlobalProtect app displays the notification
to users after the administrator initiated logout happens and the
users are logged out of the session.
After you configure the
notifications on the gateway, the gateway sends these notifications
to the GlobalProtect app to display them on the app according to
the configured timeout settings.
- Ensure that a GlobalProtect gateway is configured.
- Enable login lifetime notifications.Login Lifetime indicates the validity period of a single gateway session where the users stay logged in to the app (maximum lifetime is 30 days).
- (Optional) Modify the default Login Lifetime on the gateway for endpoints.
- SelectNetworkGlobalProtectGateways.
- Select the gateway configuration to which you want to add or modify the agent configuration, and then select theAgenttab.
- On theAgenttab, selectConnections Settingsand then set theLogin Lifetimein days (default is 30 days).
- Set theNotify Before Lifetime Expirestime in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. TheNotify Before Lifetime Expiresmust be lesser than theLogin Lifetime. For example, if you set theNotify Before Lifetime Expiresas 120 minutes, the app will display the notification to the user 2 hours before the expiry of the login lifetime. If you do not want the notification to be displayed, set the value to 0.
- (Optional) Modify theLogin Lifetime Expiration Messageto create a custom message that you want to display to users when their login lifetime sessions are about to expire. The maximum message length is 127 characters.
For login lifetime, the app also displays the count down timer for the session. - Enable inactivity logout notifications.Inactivity Logout period indicates the time after which the idle users are logged out of GlobalProtect app (range for tunnel mode is 5 to 43200 and for non-tunnel mode 120 to 43200 minutes; default is 180 minutes).
- (Optional) Modify the default Inactivity Logout period on the gateway for endpoints.
- SelectNetworkGlobalProtectGateways.
- Select the gateway configuration to which you want to add or modify the agent configuration, and then select theAgenttab.
- On theAgenttab, selectConnections Settingsand then set theInactivity Logoutperiod.
- Set theNotify Before Inactivity Logouttime in minutes (default is 30 minutes) to schedule the display of inactivity logout notification on the app. TheNotify Before Inactivity Logoutmust be lesser than theInactivity Logout period. For example, if you set theNotify Before Inactivity Logoutas 20 minutes, the app will display the notification to the user 20 minutes before the inactive session expires. If you do not want the notification to be displayed, set the value to 0.
- (Optional) Modify theInactivity Logout Messageto create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
- Enable administrator-initiated logout notifications.
- EnableNotify users on administrator initiated logoutif you want the app to display notification to users after the administrator initiated logout happens.
- (Optional) Modify theAdministrator Logout Messageto create a custom message that you want to display to users after the administrator initiated logout happens. The maximum message length is 127 characters.
- ClickOKandCommitthe changes.After you commit the changes on the gateway, refresh the GlobalProtect app connection to get the latest configuration.
- Verify the GlobalProtect log events for the timeout notifications.GlobalProtect Logs are created every time the app displays the end-user notification about the session logout. To view the event:
- From the firewall hosting the gateway, selectMonitorLogsGlobalProtect.
- Filter foreventid eq gateway-tunnel-notifyand view the events on the GlobalProtect logs page.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.