End-user Notification about GlobalProtect Session Logout

Software Support: Starting with GlobalProtect™ app 6.1; requires PAN-OS 11.0 or later.
OS Support: Linux, Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, ARM-Based macOS 11 and later releases, iOS, and Android.
You can now configure end-user notifications about the expiry of GlobalProtect app sessions on the gateway. These notifications inform end users in advance when their app sessions are about to expire due to inactivity or expiry of the login lifetime. The messages tell users how much time remains before the app gets disconnected, which prevents unexpected and abrupt app logout. Through the gateway, you can also schedule the display of these custom notifications on the app.
You can also configure end-user notifications for administrator-initiated logout on the gateway. The GlobalProtect app displays the notification to users after the administrator-initiated logout happens and the users are logged out of the session.
After you configure the notifications on the gateway, the gateway sends these notifications to the GlobalProtect app to display them on the app according to the configured timeout settings.
  1. Ensure that a GlobalProtect gateway is configured.
  2. Enable login lifetime notifications.
    Login Lifetime indicates the validity period of a single gateway session where the users stay logged in to the app (maximum lifetime is 30 days).
    1. (Optional) Modify the default Login Lifetime on the gateway for endpoints.
      • Select Network > GlobalProtect > Gateways.
      • Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
      • On the Agent tab, select Connections Settings and then set the Login Lifetime in days (default is 30 days).
    2. Set the Notify Before Lifetime Expires time in minutes (default is 30 minutes) to schedule the display of login lifetime expiry notifications on the GlobalProtect app. The Notify Before Lifetime Expires value must be less than the Login Lifetime. For example, if you set Notify Before Lifetime Expires to 120 minutes, the app displays the notification to the user 2 hours before the login lifetime expires. If you do not want the notification to be displayed, set the value to 0.
    3. (Optional) Modify the Login Lifetime Expiration Message to create a custom message that you want to display to users when their login lifetime sessions are about to expire. The maximum message length is 127 characters.
    For login lifetime, the app also displays a countdown timer for the session.
  3. Enable inactivity logout notifications.
    The Inactivity Logout period indicates the time after which idle users are logged out of the GlobalProtect app (range is 5 to 43200 minutes for tunnel mode and 120 to 43200 minutes for non-tunnel mode; default is 180 minutes).
    1. (Optional) Modify the default Inactivity Logout period on the gateway for endpoints.
      • Select Network > GlobalProtect > Gateways.
      • Select the gateway configuration to which you want to add or modify the agent configuration, and then select the Agent tab.
      • On the Agent tab, select Connections Settings and then set the Inactivity Logout period.
    2. Set the Notify Before Inactivity Logout time in minutes (default is 30 minutes) to schedule the display of the inactivity logout notification on the app. The Notify Before Inactivity Logout value must be less than the Inactivity Logout period. For example, if you set Notify Before Inactivity Logout to 20 minutes, the app displays the notification to the user 20 minutes before the inactive session expires. If you do not want the notification to be displayed, set the value to 0.
    3. (Optional) Modify the Inactivity Logout Message to create a custom message that you want to display to users when their inactive sessions are about to expire. The maximum message length is 127 characters.
  4. Enable administrator-initiated logout notifications.
    1. Enable Notify users on administrator initiated logout if you want the app to display a notification to users after the administrator-initiated logout happens.
    2. (Optional) Modify the Administrator Logout Message to create a custom message that you want to display to users after the administrator-initiated logout happens. The maximum message length is 127 characters.
  5. Click OK and Commit the changes.
    After you commit the changes on the gateway, refresh the GlobalProtect app connection to get the latest configuration.
  6. Verify the GlobalProtect log events for the timeout notifications.
    GlobalProtect logs are created every time the app displays the end-user notification about the session logout. To view the event:
    1. From the firewall hosting the gateway, select Monitor > Logs > GlobalProtect.
    2. Filter for eventid eq gateway-tunnel-notify and view the events on the GlobalProtect logs page.
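
The limits in steps 2 through 4 can be checked against a planned set of values before you commit. The following is an added example, not Palo Alto Networks code: the dictionary keys and function names are hypothetical, the values are constructed, and it assumes the login lifetime is counted from the time the user logs in.

```python
from datetime import datetime, timedelta

# Limits as stated on this page; the dict keys below are hypothetical names.
MAX_LOGIN_LIFETIME_DAYS = 30
INACTIVITY_RANGE_MIN = {"tunnel": (5, 43200), "non-tunnel": (120, 43200)}
MAX_MESSAGE_LEN = 127
MESSAGE_KEYS = ("lifetime_msg", "inactivity_msg", "admin_logout_msg")

def validate(cfg):
    """Return a list of problems in a planned notification configuration."""
    problems = []
    lifetime_min = cfg["login_lifetime_days"] * 24 * 60
    if cfg["login_lifetime_days"] > MAX_LOGIN_LIFETIME_DAYS:
        problems.append("Login Lifetime exceeds the 30-day maximum")
    # A notify value of 0 disables the notification, so only non-zero values
    # have to be smaller than the timer they warn about.
    n_life = cfg["notify_before_lifetime_min"]
    if n_life < 0 or (n_life and n_life >= lifetime_min):
        problems.append("Notify Before Lifetime Expires must be less than Login Lifetime")
    lo, hi = INACTIVITY_RANGE_MIN[cfg["mode"]]
    idle = cfg["inactivity_logout_min"]
    if not lo <= idle <= hi:
        problems.append(f"Inactivity Logout must be {lo} to {hi} minutes in {cfg['mode']} mode")
    n_idle = cfg["notify_before_inactivity_min"]
    if n_idle < 0 or (n_idle and n_idle >= idle):
        problems.append("Notify Before Inactivity Logout must be less than Inactivity Logout")
    for key in MESSAGE_KEYS:
        if len(cfg.get(key, "")) > MAX_MESSAGE_LEN:
            problems.append(f"{key} is longer than {MAX_MESSAGE_LEN} characters")
    return problems

def lifetime_notice_time(login_time, lifetime_days, notify_min):
    """When the lifetime notice would appear, or None if disabled (0).
    Assumes the lifetime is counted from login_time."""
    if notify_min == 0:
        return None
    return login_time + timedelta(days=lifetime_days) - timedelta(minutes=notify_min)

# Constructed sample values, not taken from a real gateway.
PLANNED = {
    "mode": "non-tunnel", "login_lifetime_days": 1,
    "notify_before_lifetime_min": 1440,   # equal to the lifetime: rejected
    "inactivity_logout_min": 60,          # below the 120-minute non-tunnel minimum
    "notify_before_inactivity_min": 20,
    "lifetime_msg": "Your VPN session expires soon. Save your work.",
}

if __name__ == "__main__":
    for problem in validate(PLANNED):
        print("PROBLEM:", problem)
    print(lifetime_notice_time(datetime(2024, 1, 1, 9, 0), 30, 120))
```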
