Security Policy Enforcement for Inactive GlobalProtect Sessions

Enforce a security policy to monitor traffic from endpoints while connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions.
You can now enforce a security policy rule to track traffic from endpoints while end users are connected to GlobalProtect and to quickly log out inactive GlobalProtect sessions. You can now enforce a shorter inactivity logout period. If a GlobalProtect session remains inactive for the configured time period, the session is automatically logged out and the VPN tunnel is terminated. By enforcing a security policy, you quickly gain visibility into active user sessions and make better use of gateway resources, so that the tunnel IP address and memory assigned to a session become available for reuse sooner. When you configure an internal gateway in non-tunnel mode, GlobalProtect continues to enforce the Inactivity Logout based on several missing HIP reports, because in that mode the gateway may not be able to identify active traffic per user session.
  1. Specify a shorter amount of time after which idle users are logged out of GlobalProtect.
    1. Select Network > GlobalProtect > Gateways > <gateway-config> > Agent > Connection Settings.
    2. Specify the amount of time after which idle users are logged out of GlobalProtect (range is 5 to 43200 minutes; default is 180 minutes).
      Users are logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel or if the gateway does not receive a HIP check from the endpoint within the configured time period.
      You must specify the Inactivity Logout period to be greater than the Automatic Restoration of VPN Connection Timeout to allow GlobalProtect to attempt to reestablish the connection after the tunnel is disconnected (range is 0 to 180 minutes; default is 30 minutes). When you configure an internal gateway in non-tunnel mode, the Inactivity Logout period must be greater than the current HIP check interval value that the GlobalProtect app waits before it sends the HIP report.
  2. Click OK twice.
  3. Commit the configuration.
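The procedure above imposes three constraints on the gateway's Connection Settings: the Inactivity Logout value must lie within 5 to 43200 minutes, it must exceed the Automatic Restoration of VPN Connection Timeout (0 to 180 minutes), and for an internal gateway in non-tunnel mode it must also exceed the app's HIP check interval. The following is an added example, not Palo Alto Networks code, that checks a proposed set of values against those constraints before you commit them; the class, function and field names are my own, and the HIP check interval value is a constructed sample, not a value taken from this page.

```python
"""Pre-commit sanity check for GlobalProtect gateway Connection Settings.

Added example; the ranges and defaults below are the ones stated on the page
(minutes). Names such as GatewayConnectionSettings and validate() are assumed
for this example and are not part of any PAN-OS API.
"""
from dataclasses import dataclass
from typing import List

# Inactivity Logout: range 5-43200 minutes, default 180 (from the page).
INACTIVITY_LOGOUT_RANGE = (5, 43200)
INACTIVITY_LOGOUT_DEFAULT = 180
# Automatic Restoration of VPN Connection Timeout: range 0-180, default 30 (from the page).
RESTORE_TIMEOUT_RANGE = (0, 180)
RESTORE_TIMEOUT_DEFAULT = 30


@dataclass
class GatewayConnectionSettings:
    inactivity_logout_min: int = INACTIVITY_LOGOUT_DEFAULT
    restore_timeout_min: int = RESTORE_TIMEOUT_DEFAULT
    # Internal gateway in non-tunnel mode: no tunnel traffic reaches the gateway,
    # so only HIP reports prove that a session is still alive.
    non_tunnel_mode: bool = False
    # HIP check interval the app waits before sending a HIP report.
    # Constructed sample value for this example, not taken from the page.
    hip_check_interval_min: int = 60


def validate(cfg: GatewayConnectionSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []

    lo, hi = INACTIVITY_LOGOUT_RANGE
    if not lo <= cfg.inactivity_logout_min <= hi:
        problems.append(
            f"Inactivity Logout {cfg.inactivity_logout_min} min is outside {lo}-{hi}")

    lo, hi = RESTORE_TIMEOUT_RANGE
    if not lo <= cfg.restore_timeout_min <= hi:
        problems.append(
            f"Automatic Restoration timeout {cfg.restore_timeout_min} min is outside {lo}-{hi}")

    # The app needs the restoration window to retry the tunnel before the
    # gateway logs the user out, so Inactivity Logout must be strictly greater.
    if cfg.inactivity_logout_min <= cfg.restore_timeout_min:
        problems.append(
            f"Inactivity Logout ({cfg.inactivity_logout_min} min) must exceed the "
            f"Automatic Restoration timeout ({cfg.restore_timeout_min} min)")

    # In non-tunnel mode the gateway relies on HIP reports to see activity, so a
    # logout period no longer than the HIP interval would expire healthy sessions.
    if cfg.non_tunnel_mode and cfg.inactivity_logout_min <= cfg.hip_check_interval_min:
        problems.append(
            f"Non-tunnel mode: Inactivity Logout ({cfg.inactivity_logout_min} min) must "
            f"exceed the HIP check interval ({cfg.hip_check_interval_min} min)")

    return problems


if __name__ == "__main__":
    # Defaults (180 > 30) pass; a 20-minute logout with the default 30-minute
    # restoration timeout fails; a 45-minute logout on a non-tunnel gateway
    # with a 60-minute HIP interval also fails.
    for cfg in (GatewayConnectionSettings(),
                GatewayConnectionSettings(inactivity_logout_min=20),
                GatewayConnectionSettings(inactivity_logout_min=45, non_tunnel_mode=True)):
        print(cfg, "->", validate(cfg) or "OK")
```

Run it before committing a shortened logout period: a common mistake when tightening the Inactivity Logout is to push it below the restoration timeout, which the check reports as a single problem; an out-of-range value such as 3 minutes trips both the range check and the ordering check.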
