Security Policy Enforcement for Inactive GlobalProtect Sessions
Enforce a security policy to monitor traffic from endpoints
while connected to GlobalProtect and to quickly log out inactive
GlobalProtect sessions.
You can now enforce a security policy rule
to track traffic from endpoints while end users are connected to
GlobalProtect and to quickly log out inactive GlobalProtect sessions.
You can now enforce a shorter inactivity logout period. If a GlobalProtect
session remains inactive during the configured time period, the
session is automatically logged out and the VPN tunnel is terminated.
By enforcing a security policy, you can quickly gain visibility
into active user sessions, and better utilize the gateway resources
so that the tunnel IP address and memory assigned to sessions are
quickly available for reuse. When you configure an internal gateway
in non-tunnel mode, GlobalProtect will continue to enforce the
Inactivity Logout based on several missing HIP reports because
the gateway may not be able to identify active traffic
per user session.
Specify a shorter amount of time after which idle
users are logged out of GlobalProtect.
Specify the amount of time after which idle users
are logged out of GlobalProtect (range is 5 to 43200 minutes; default
is 180 minutes).
Users are logged out of GlobalProtect if the GlobalProtect
app has not routed traffic through the VPN tunnel or if the gateway
does not receive a HIP check from the endpoint within the configured
time period.
You must specify the Inactivity Logout period to be greater than the
Automatic Restoration of VPN Connection Timeout to allow GlobalProtect
to attempt to reestablish the connection after the tunnel is
disconnected (range is 0 to 180 minutes; default is 30 minutes).
When you configure an internal gateway in non-tunnel mode, the
Inactivity Logout period must be greater than the current HIP check
interval value that the GlobalProtect app waits before it sends the
HIP report.
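
A pre-change check for the timeout constraints above, as an added example that is not Palo Alto Networks code. The class and field names are hypothetical (not PAN-OS identifiers), and the HIP check interval is assumed to have been converted to minutes before comparison.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ranges stated on this page, in minutes.
INACTIVITY_RANGE = (5, 43200)
RESTORE_RANGE = (0, 180)


@dataclass
class GatewayTimeouts:
    """Hypothetical container; field names are not PAN-OS identifiers."""
    inactivity_logout: int = 180           # page default
    auto_restore_timeout: int = 30         # page default
    internal_non_tunnel: bool = False      # internal gateway in non-tunnel mode
    hip_check_interval: Optional[int] = None  # assumed converted to minutes


def validate(t: GatewayTimeouts) -> List[str]:
    """Return one 'rule: detail' string per violated constraint."""
    problems = []
    lo, hi = INACTIVITY_RANGE
    if not lo <= t.inactivity_logout <= hi:
        problems.append(f"inactivity-range: {t.inactivity_logout} not in {lo}-{hi}")
    lo, hi = RESTORE_RANGE
    if not lo <= t.auto_restore_timeout <= hi:
        problems.append(f"restore-range: {t.auto_restore_timeout} not in {lo}-{hi}")
    # The page requires "greater than", so equal values are rejected too.
    if t.inactivity_logout <= t.auto_restore_timeout:
        problems.append("inactivity-vs-restore: logout must exceed restoration timeout")
    if t.internal_non_tunnel:
        # In non-tunnel mode the logout decision rests on missing HIP reports.
        if t.hip_check_interval is None:
            problems.append("hip-interval-missing: needed for non-tunnel mode")
        elif t.inactivity_logout <= t.hip_check_interval:
            problems.append("inactivity-vs-hip: logout must exceed HIP check interval")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 20-minute logout on a non-tunnel internal gateway.
    sample = GatewayTimeouts(20, 30, internal_non_tunnel=True, hip_check_interval=60)
    for p in validate(sample):
        print(p)
```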