How Inactivity Logout Triggers in GlobalProtect
Inactivity Logout can be configured for GlobalProtect under the Client Configuration tab of the GlobalProtect Gateway configuration dialogue (in Network > GlobalProtect > Gateways>Agent tab >Connection Settings tab):
When a user logs in with GlobalProtect, an IPSec tunnel is created. This can be seen on the CLI:
The time to live (TTL) value for inactivity logout refreshes once every hour, as long as the Global Protect user is logged in. This refresh occurs when the GlobalProtect client sends a hipreportcheck.esp to the firewall. Due to this behavior, the inactivity TTL will continue to decrement until it is refreshed which occurs hourly.
Run the following command to see the hip report check event:
> tail follow yes webserver-log sslvpn-access.log
Whether the traffic is passing or not, the tunnel will stay up unless it gets broken by a system activity, such as, a pc hibernating or shutting down. In this case, the tunnel will be broken and no new hipreportcheck.esp messages will reach the Palo Alto Networks device. As a result, the Inactivity TTL will keep decrementing and will not refresh after the configured Inactivity Logout timer expires, at which point the user will be logged out.