GlobalProtect Tunnel Preservation on User Logout

You can now configure GlobalProtect to preserve the existing VPN tunnel when users log out of their endpoint.
Software Support
: PAN-OS® 8.1 and later releases
OS Support
: Windows 10
This feature requires Content Release version _________ and later.
You can now configure GlobalProtect to preserve the existing VPN tunnel when users log out of their endpoint. With this enhancement, you can specify a logoff timeout period to indicate the amount of time for which the GlobalProtect session remains active during user logout. For example, if certain updates (such as Group Policy Object updates) require remote endpoints to be connected to the network and users to log out then log back in to the endpoint, you can configure GlobalProtect to preserve the VPN tunnel for a specified period of time after user logout.
Consider the following GlobalProtect connection behaviors when you configure GlobalProtect to preserve the VPN tunnel:
  • If the same user logs out and then logs back in to an endpoint within the specified timeout period in either Always On or On-Demand mode, GlobalProtect remains connected without requiring any user interaction (including portal and gateway authentication). If the user does not log back in within the specified timeout period, the tunnel disconnects and he or she must reestablish the GlobalProtect connection.
  • If a user logs out of an endpoint and then a different user logs in to the same endpoint in either Always On or On-Demand mode, the existing tunnel is renamed for the new user only if the new user authenticates to GlobalProtect successfully within the specified timeout period. If the new user does not log in and authenticate successfully within the specified timeout period, the existing tunnel disconnects and a new GlobalProtect connection must be established. If the new user is in Always On mode, GlobalProtect attempts to establish a new connection automatically. If the new user is in On-Demand mode, he or she must establish a new GlobalProtect connection manually.
Use the following steps to configure GlobalProtect to preserve the VPN tunnel following user log out:
    • Specify a
      Preserve Tunnel on User Logoff Timeout
      value (range is 0 to 600 seconds; default is 0 seconds). This value indicates the amount of time during which GlobalProtect preserves the VPN tunnel after users log out of their endpoint. If you accept the default value of
      0
      , GlobalProtect does not preserve the tunnel following user logout.
  1. Commit
    your changes.

Recommended For You