Resilient VPN Connection
Software support: GlobalProtect agent 4.0.3 and later releases and PAN-OS with content release 731 or a later release
OS support: Android, iOS, Windows, Mac
To improve the resiliency of the GlobalProtect connection, GlobalProtect agents can now automatically try to resurrect the tunnel when the connection is lost due to network instability or endpoint state changes. Examples of scenarios where the endpoint can disconnect from the network include locking and unlocking an endpoint, putting an endpoint to sleep and waking it back up, switching between wireless networks, and switching from a wired network to a wireless network. By enabling GlobalProtect to resurrect the tunnel in these common scenarios, you reduce the effort required by the user to maintain the connection, which ensures consistent enforcement of security policies.
With resilient VPN, the GlobalProtect agent can resurrect the tunnel to previously-connected manual or auto-discovery gateways. If the GlobalProtect agent successfully resurrects the tunnel, the user is not required to authenticate again. If the GlobalProtect agent cannot resurrect the tunnel, the GlobalProtect agent disconnects the tunnel and reverts to the behavior of the connect method you define in your GlobalProtect portal agent configuration:
- On-demand—If the GlobalProtect agent cannot resurrect the tunnel, the agent does not try to connect again until the user initiates the connection. The GlobalProtect portal and gateway will then require the user to authenticate.
- User-logon (Always On) or Pre-logon (Always On)—If the GlobalProtect agent cannot resurrect the tunnel, the agent starts the network discovery process. When the network is reachable, the agent connects to the best available gateway. The GlobalProtect portal and gateway will then require the user to authenticate.
To customize resilient VPN for your end users, you can configure two new options in your GlobalProtect portal agent configuration:
- Automatic Restoration of VPN Connection Timeout—Enables or disables the resilient VPN behavior. A value of 0 disables the resilient VPN feature, meaning the GlobalProtect agent does not attempt to resurrect the tunnel. When you specify a value other than 0, the GlobalProtect agent attempts to resurrect the tunnel with the last-connected manual or automatic gateway within the specified timeout period. For example, with a timeout value of 30 minutes, the agent does not attempt to resurrect the tunnel if the tunnel is disconnected for 45 minutes. However, if the tunnel is disconnected for 15 minutes, the agent attempts to resurrect the tunnel because the number of minutes has not exceeded the timeout value. GlobalProtect will not resurrect the tunnel if any of the following conditions occur:
  - GlobalProtect did not previously establish a tunnel to a gateway (for example, when a user first logs in and has not yet connected to a gateway)
  - The user manually disconnected
  - The timeout to disconnect on idle expired
  - The timeout to switch the tunnel from a pre-logon user to a logged-in user expired
  - The endpoint rebooted
  - The user logged off of the endpoint
  - The tunnel is down for a period of time which exceeds the timeout value
  With always-on VPN, if a user switches from an external network to an internal network before the timeout value expires, GlobalProtect does not perform network discovery. As a result, GlobalProtect restores the connection to the last known external gateway. To trigger an immediate internal host detection, the user must select Rediscover Network from the GlobalProtect console.
- Wait Time Between VPN Connection Restore Attempts—Specifies the time between resilient VPN connection attempts to restore the connection to the gateway. By default, the wait time between the resilient VPN connection attempts is five seconds. If necessary, you can specify a longer or shorter wait time depending on your network conditions.
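The interaction of the two options and the exclusion list, replayed as an added example that is not Palo Alto Networks code: the names ResilientVpnConfig, simulate_restore, NO_RESTORE_CAUSES and FALLBACK are hypothetical, and the simulation assumes every restore attempt fails until the path to the last gateway is back.

```python
from dataclasses import dataclass

# Disconnect causes after which the agent does not try to resurrect the tunnel
NO_RESTORE_CAUSES = frozenset({
    "no_previous_tunnel", "user_disconnected", "idle_timeout_expired",
    "prelogon_switch_expired", "endpoint_rebooted", "user_logged_off",
})

# Behavior the agent reverts to, per portal connect method, when restore fails
FALLBACK = {
    "on-demand": "wait for user to initiate connection; portal and gateway re-authenticate",
    "user-logon": "run network discovery, connect to best gateway; re-authenticate",
    "pre-logon": "run network discovery, connect to best gateway; re-authenticate",
}


@dataclass(frozen=True)
class ResilientVpnConfig:
    restore_timeout_min: int = 30   # 0-180 minutes; 0 disables the feature
    retry_wait_sec: int = 5         # 1-60 seconds between restore attempts

    def __post_init__(self) -> None:
        if not 0 <= self.restore_timeout_min <= 180:
            raise ValueError("Automatic Restoration timeout must be 0-180 minutes")
        if not 1 <= self.retry_wait_sec <= 60:
            raise ValueError("Wait Time Between attempts must be 1-60 seconds")


def simulate_restore(cfg: ResilientVpnConfig, connect_method: str,
                     network_back_after_sec: int, cause: str = "network_loss") -> dict:
    """Replay restore attempts every retry_wait_sec until the tunnel comes back
    or the restore window closes (hypothetical model of the documented rules)."""
    window_sec = cfg.restore_timeout_min * 60
    result = {"restored": False, "attempts": 0, "reauth_required": True,
              "fallback": FALLBACK[connect_method]}
    if window_sec == 0 or cause in NO_RESTORE_CAUSES:
        return result                        # feature disabled or excluded cause
    elapsed = 0
    while elapsed + cfg.retry_wait_sec <= window_sec:
        elapsed += cfg.retry_wait_sec
        result["attempts"] += 1
        if elapsed >= network_back_after_sec:    # last gateway reachable again
            return {"restored": True, "attempts": result["attempts"],
                    "reauth_required": False, "restored_after_sec": elapsed}
    return result                            # window expired: revert to connect method


if __name__ == "__main__":
    cfg = ResilientVpnConfig(restore_timeout_min=30, retry_wait_sec=5)
    print(simulate_restore(cfg, "user-logon", network_back_after_sec=15 * 60))
    print(simulate_restore(cfg, "user-logon", network_back_after_sec=45 * 60))
```

With the defaults, a 15-minute outage is bridged on the 180th attempt without re-authentication, while a 45-minute outage exhausts all 360 attempts in the 30-minute window and the agent falls back to the connect method.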
Configure GlobalProtect to automatically reconnect:
- Configure the GlobalProtect portal. Select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration, or Add a new one.
- Add or modify an agent configuration.
  - From the Agent tab, select the agent configuration you want to modify or Add a new one.
  - Select the App tab.
- Define the action GlobalProtect takes when the tunnel is disconnected. In the App Configurations area, set the Automatic Restoration of VPN Connection Timeout. The range is 0-180 minutes; the default is 30. To disable this feature so that GlobalProtect does not attempt to resurrect the tunnel after the tunnel is disconnected, set the timeout value to 0.
- (Optional) Configure the time between attempts to restore the connection to the gateway. In the App Configurations area, configure the Wait Time Between VPN Connection Restore Attempts in seconds. The range is 1-60 seconds; the default is 5.
- Save your configuration changes.
  - Click OK twice.
  - Commit your changes.