How does Extend User Session work?

Created On 12/02/23 04:41 AM - Last Modified 01/15/25 02:55 AM


Objective


How does Extend User Session work?



Environment


  • Palo Alto Firewalls
  • PAN-OS 11.0.2 or later
  • GlobalProtect (GP) App version 6.2 or later


Procedure


To configure this new feature, the firewall must be on version 11.0.2 or higher and the GlobalProtect App must be 6.2.2 or higher. Details can be found at Customize Endpoint Session Timeout Settings.

  1. Network > GlobalProtect > Gateways > Agent > Connection Settings > Notify before lifetime expiration

  2. Network > GlobalProtect > Portal > Agent > App > Allow user to extend session > Yes

  • If the portal setting is not enabled, users only see the notification for the expiring session, and they need to refresh the connection to avoid a disconnect.

  • If the portal setting is enabled, users see a button to extend the session instead of refreshing the connection.

  • If the login lifetime is set to 120 min, the TTL starts at 7200, as seen in the firewall CLI:
admin@Lab40-225-PA-VM> show global-protect-gateway current-user

GlobalProtect Gateway: test (1 users)
Tunnel Name          : test
        Domain-User Name           : \admin
        Computer                   : user1’s Mac (123)
        Primary Username           : admin
        Region for Config          : 172.16.0.0-172.31.255.255
        Source Region              : 172.16.0.0-172.31.255.255
        Client                     : Apple Mac OS X 14.1.0
        VPN Type                   : Device Level VPN
        Host ID                    : 00:00:00:00:00:00
        Client App Version         : 6.2.2-259
        Mobile ID                  : 
        Client OS                  : Mac
        Private IP                 : 10.10.10.1
        Private IPv6               : ::
        Public IP (connected)      : 172.16.225.12
        Public IPv6                : ::
        Client IP                  : 172.16.225.12
        ESP                        : exist
        SSL                        : none
        Login Time                 : Dec.01 20:49:33
        Logout/Expiration          : Dec.01 22:49:33
        TTL                        : 7192
        Inactivity TTL             : 10798
        Request - Login            : 2023-12-01 20:49:33.075 (1701492573075), 172.16.225.12
        Request - GetConfig        : 2023-12-01 20:49:33.086 (1701492573086), 172.16.225.12
        Request - SSLVPNCONNECT    :  (0), ::
  • The login lifetime is also visible in the GP UA settings.

  • After you click to extend the session, the firewall shows the session extended for exactly the login lifetime:
admin@Lab40-225-PA-VM> show global-protect-gateway current-user

GlobalProtect Gateway: test(1 users)
Tunnel Name          : test
        Domain-User Name           : \admin
        Computer                   : user1’s Mac (123)
        Primary Username           : admin
        Region for Config          : 172.16.0.0-172.31.255.255
        Source Region              : 172.16.0.0-172.31.255.255
        Client                     : Apple Mac OS X 14.1.0
        VPN Type                   : Device Level VPN
        Host ID                    : 00:00:00:00:00:00
        Client App Version         : 6.2.2-259
        Mobile ID                  : 
        Client OS                  : Mac
        Private IP                 : 10.10.10.1
        Private IPv6               : ::
        Public IP (connected)      : 172.16.225.12
        Public IPv6                : ::
        Client IP                  : 172.16.225.12
        ESP                        : exist
        SSL                        : none
        Login Time                 : Dec.01 21:50:25
        Logout/Expiration          : Dec.01 23:50:25
        TTL                        : 7195
        Inactivity TTL             : 10790
        Request - Login            : 2023-12-01 21:50:25.640 (1701496225640), 172.16.225.12
        Request - GetConfig        :  (0), ::
        Request - SSLVPNCONNECT    :  (0), ::
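
The two CLI snapshots above can be checked against the configured login lifetime. This is an added example, not code from the original article or from Palo Alto Networks; the function names are hypothetical and the sample text is a constructed excerpt holding only the four fields used, with the values shown above.

```python
from datetime import datetime

# Constructed samples: four fields per snapshot, values taken from the CLI output above.
BEFORE = """\
        Primary Username           : admin
        Login Time                 : Dec.01 20:49:33
        Logout/Expiration          : Dec.01 22:49:33
        TTL                        : 7192
"""
AFTER = """\
        Primary Username           : admin
        Login Time                 : Dec.01 21:50:25
        Logout/Expiration          : Dec.01 23:50:25
        TTL                        : 7195
"""

def parse_fields(text):
    """Map 'Name   : value' lines to a dict; lines without ' : ' are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def parse_ts(value):
    # The CLI prints no year; 2000 is an arbitrary leap year so "Feb.29" still parses.
    return datetime.strptime("2000 " + value, "%Y %b.%d %H:%M:%S")

def window_seconds(fields):
    """Seconds between Login Time and Logout/Expiration for one user entry."""
    login, expiry = parse_ts(fields["Login Time"]), parse_ts(fields["Logout/Expiration"])
    if expiry < login:  # session crosses New Year
        expiry = expiry.replace(year=expiry.year + 1)
    return int((expiry - login).total_seconds())

def check_extension(before_text, after_text, login_lifetime_min):
    """Compare two snapshots of the same user taken before and after an extension."""
    before, after = parse_fields(before_text), parse_fields(after_text)
    limit = login_lifetime_min * 60
    gained = parse_ts(after["Logout/Expiration"]) - parse_ts(before["Logout/Expiration"])
    return {
        "same_user": before["Primary Username"] == after["Primary Username"],
        "window_matches_lifetime": window_seconds(before) == limit == window_seconds(after),
        "ttl_within_limit": max(int(before["TTL"]), int(after["TTL"])) <= limit,
        "login_time_reset": before["Login Time"] != after["Login Time"],
        "seconds_gained": int(gained.total_seconds()),
    }

if __name__ == "__main__":
    print(check_extension(BEFORE, AFTER, login_lifetime_min=120))
```

In the output above the extension resets Login Time, so the new expiration is 3652 seconds later than the original one rather than a further 7200.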


 

