You can now configure GlobalProtect to preserve the existing
VPN tunnel when users log out of their endpoint.
: PAN-OS® 8.1 and later
: Windows 10
requires Content Release version _________ and later.
can now configure GlobalProtect to preserve the existing VPN tunnel
when users log out of their endpoint. With this enhancement, you
can specify a logoff timeout period to indicate the amount of time for
which the GlobalProtect session remains active during user logout.
For example, if certain updates (such as Group Policy Object updates)
require remote endpoints to be connected to the network and users to
log out then log back in to the endpoint, you can configure GlobalProtect
to preserve the VPN tunnel for a specified period of time after
Consider the following GlobalProtect connection
behaviors when you configure GlobalProtect to preserve the VPN tunnel:
If the same user logs out and then logs back in to an endpoint
within the specified timeout period in either Always On or On-Demand
mode, GlobalProtect remains connected without requiring any user
interaction (including portal and gateway authentication). If the
user does not log back in within the specified timeout period, the
tunnel disconnects and he or she must reestablish the GlobalProtect connection.
If a user logs out of an endpoint and then a different user
logs in to the same endpoint in either Always On or On-Demand mode,
the existing tunnel is renamed for the new user only if the new user
authenticates to GlobalProtect successfully within the specified
timeout period. If the new user does not log in and authenticate
successfully within the specified timeout period, the existing tunnel
disconnects and a new GlobalProtect connection must be established.
If the new user is in Always On mode, GlobalProtect attempts to
establish a new connection automatically. If the new user is in
On-Demand mode, he or she must establish a new GlobalProtect connection
Use the following steps to configure GlobalProtect
to preserve the VPN tunnel following user log out:
value (range is 0 to 600 seconds; default is
0 seconds). This value indicates the amount of time during which
GlobalProtect preserves the VPN tunnel after users log out of their
endpoint. If you accept the default value of
GlobalProtect does not preserve the tunnel following user logout.