LSVPN Cookie Expiry Extension

The satellite administrator manually authenticates the satellite to the portal to establish the first connection. Upon successful authentication, the portal returns a satellite cookie to authenticate the satellite on subsequent connections. The satellite cookie that the portal issues has a lifetime of 6 months. The encrypted cookie stored on an LSVPN satellite expires after every 6 months. As soon as the cookie expires, the satellite administrator must re-authenticate by manually entering their credentials, and a new cookie will be issued by the portal.
This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.
You can now configure the cookie expiry period from 1 to 5 years, while the default remains as 6 months (when set to 0). In other words, the cookie expiry period is now configurable up to 5 years.
While configuration is only done on the portal, you must upgrade both portal and satellite versions to PAN-OS 10.1.7 or later 10.1 releases to use this feature effectively.
Use the following operational commands to update or view the cookie expiration period:
Operational Command
Execute On
Description
username@hostname>
request global-protect-portal set-satellite-cookie-expiration
Portal
Changes the current satellite cookie expiration time (default is 0, range is 1 to 5 years).
For Example:
To configure the satellite cookie expiration time to 3 years, execute:
username@hostname>
request global-protect-portal set-satellite-cookie-expiration value 3
To configure the cookie expiration time from 1 to 5 years, configure the value from 1 to 5. To configure the cookie expiration time for 6 months, configure the value as 0.
username@hostname>
show global-protect-portal satellite-cookie-expiration
Portal
Displays current satellite cookie expiration time.
username@hostname>
show global-protect-satellite satellite
Satellite
Displays current satellite authentication cookie's generation time.
The
Satellite Cookie Generation Time
output field shows the updated time.
On the portal, select
Monitor
System
to view the system log for the updated satellite cookie expiration time.

Recommended For You