How Inactivity Logout Triggers in GlobalProtect

Created On 09/26/18 13:53 PM - Last Modified 01/29/21 19:01 PM


Resolution

Overview

Inactivity Logout can be configured for GlobalProtect under the Client Configuration tab of the GlobalProtect Gateway configuration dialog (in Network > GlobalProtect > Gateways > Agent tab > Connection Settings tab):
[Screenshot: Timeout Connection Settings]

 

When a user logs in with GlobalProtect, an IPSec tunnel is created. This can be seen on the CLI:

[Screenshots of the CLI output: 2.png, 3.png, 4.png]

 

Details

The time to live (TTL) value for inactivity logout is refreshed once every hour for as long as the GlobalProtect user is logged in. The refresh occurs when the GlobalProtect client sends a hipreportcheck.esp to the firewall. Between refreshes the inactivity TTL keeps decrementing, so it counts down until the next hourly refresh.


Run the following command to see the hip report check event:

> tail follow yes webserver-log sslvpn-access.log

[Screenshot of the command output: 6.JPG]

Whether or not traffic is passing, the tunnel stays up unless it is broken by a system activity, such as a PC hibernating or shutting down. In that case the tunnel is broken and no new hipreportcheck.esp messages reach the Palo Alto Networks device. As a result, the inactivity TTL keeps decrementing without being refreshed, and once the configured Inactivity Logout timer expires the user is logged out.
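The behavior described above can be checked against exported sslvpn-access.log lines. The following is an added example, not part of the original article or Palo Alto Networks code. It assumes a simplified model in which each hipreportcheck.esp resets the TTL to the full Inactivity Logout value. The log line layout, the IP addresses and the 3-hour timeout are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the real sslvpn-access.log layout may differ,
# so adapt LINE_RE to what the firewall actually writes.
SAMPLE_LOG = """\
10.1.1.20 [2018-09-26 09:00:05] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200
10.1.1.31 [2018-09-26 09:10:40] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200
10.1.1.20 [2018-09-26 10:00:06] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200
10.1.1.31 [2018-09-26 10:02:11] "POST /ssl-vpn/getconfig.esp HTTP/1.1" 200
10.1.1.20 [2018-09-26 11:00:07] "POST /ssl-vpn/hipreportcheck.esp HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "\S+ \S*hipreportcheck\.esp')
REFRESH_INTERVAL = timedelta(hours=1)  # hourly refresh described in the article


def last_checkins(log_text):
    """Return {client_ip: datetime of its most recent hipreportcheck.esp}."""
    last = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other requests do not refresh the inactivity TTL
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        if ip not in last or ts > last[ip]:
            last[ip] = ts
    return last


def inactivity_status(log_text, now, inactivity_logout):
    """Map each client to (state, expected logout time) under the assumed model."""
    report = {}
    for ip, seen in last_checkins(log_text).items():
        logout_at = seen + inactivity_logout
        if now >= logout_at:
            state = "logged-out"        # TTL ran out with no refresh
        elif now - seen > REFRESH_INTERVAL:
            state = "missed-refresh"    # tunnel likely broken, TTL still counting down
        else:
            state = "refreshing"
        report[ip] = (state, logout_at)
    return report


if __name__ == "__main__":
    now = datetime(2018, 9, 26, 11, 30)
    for ip, (state, at) in inactivity_status(SAMPLE_LOG, now, timedelta(hours=3)).items():
        print(ip, state, "logout expected at", at)
```

A client in the "missed-refresh" state matches the hibernate or shutdown case: its tunnel is no longer delivering check-ins, and it is logged out when the remaining TTL reaches zero.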

 

owner: mbutt


