GlobalProtect disconnects when Tunnel Login Lifetime is set to value 1 by the gateway
Created On 03/28/24 13:38 PM - Last Modified 02/19/25 20:24 PM
Question
Why does the GlobalProtect app get disconnected when the authentication override cookie lifetime timer is higher than the tunnel login lifetime timer?
Environment
- Palo Alto Firewalls
- PAN-OS 11.0 or higher
- GlobalProtect (GP) app
- GlobalProtect Portal/Gateway with authentication override cookie enabled
- Authentication override cookie lifetime timer higher than tunnel login lifetime timer
Answer
- When the tunnel login lifetime timer expires, GP users need to re-authenticate with the authentication profile, not with the authentication override cookie. This means the GP app needs human interaction: the user must enter their credentials to finish authentication.
- The reason for this behavior is that if the GP authentication override cookie lifetime timer is higher than the tunnel login lifetime timer, the tunnel may be recreated based on cookie authentication. That negates the requirement for human interaction and makes the tunnel login lifetime timer meaningless.
- Hence this behavior was introduced in PAN-OS 11.0 or higher: if the authentication override cookie lifetime timer is higher than the tunnel login lifetime timer, the tunnel login lifetime is set to a value of 1 second after it expires, forcing the user to re-authenticate using the authentication profile.
- To fix this issue, make sure the authentication override cookie lifetime timer is less than the tunnel login lifetime timer.