Changes to GlobalProtect Gateway Timeout Configurations in PAN-OS 10.1 and above versions

Created On 03/09/23 17:48 PM - Last Modified 09/02/25 20:52 PM


Environment


PAN-OS 10.1 and above versions.

Resolution


In PAN-OS 10.1, the following changes have been made to the GlobalProtect Gateway timeouts.

  • The “Disconnect on Idle” timeout from the PAN-OS 10.0 config has been renamed to the “Inactivity Logout” timer in PAN-OS 10.1.
  • The “Inactivity Logout” timer that existed in the PAN-OS 10.0 config is removed from the PAN-OS 10.1 config.

Because of these two changes, the definition of the “Inactivity Logout” timer has also changed.

  • In PAN-OS 10.1.0, if the “Inactivity Logout” timer is configured, users are logged out of GlobalProtect when the GlobalProtect app has not sent traffic through the VPN tunnel for the specified number of minutes.
  • In PAN-OS 10.0 and earlier, the “Inactivity Logout” timer kicked in if the Gateway did not receive a HIP report within the specified time.

The screenshots below show the GlobalProtect Gateway timeout configuration on PAN-OS 10.1 versus PAN-OS 10.0.

[Screenshot: PAN-OS 10.1 GlobalProtect Gateway timeout configuration]

[Screenshot: PAN-OS 10.0 GlobalProtect Gateway timeout configuration]

Upgrade/Downgrade:

Upon upgrading the firewall or Panorama to PAN-OS 10.1:

  • The “Inactivity Logout” entry in the 10.1 config takes the value of “Disconnect On Idle” from the 10.0 config.
  • The “Inactivity Logout” value from the 10.0 config is dropped.

Upon downgrading the firewall or Panorama from PAN-OS 10.1 to 10.0:

  • The value of “Inactivity Logout” from the 10.1 config is moved to “Disconnect On Idle” in the 10.0 config.
  • In the 10.0 config, “Inactivity Logout” takes its default value rather than the “Inactivity Logout” value from the 10.1 config.


Additional Information


Starting from PAN-OS versions 11.1.0, 11.0.5, 11.2.0, 10.2.8, 10.1.14, 10.1.13-h1, and later, there has been a significant behavioral change in how GlobalProtect user-to-IP mapping is managed on the firewall. Previously, the Inactivity Logout Timeout governed the lifetime of the GlobalProtect user-to-IP mapping entry and was used to refresh the user login. The mapping mechanism now relies on periodic HIP reports sent by the GlobalProtect client.

With this change, the IP-to-user mapping entry has a fixed lifetime of 3 hours. Once a user connects to GlobalProtect, the firewall starts a TTL countdown for the mapping. If the firewall does not receive an updated HIP report from the client within 3 hours, the TTL expires and the mapping is automatically removed from the firewall. This ensures that GlobalProtect user mappings are refreshed regularly based on active HIP reports.

If the firewall does not receive HIP data within this window, the mapping expires, which may affect user access. The default HIP data transmission interval is 3600 seconds (1 hour). If this interval is set to a value greater than 3 hours, user-to-IP mapping issues can result.

To check the current HIP data interval, run the following command:

> debug global-protect portal show   
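
As an added illustration that is not part of this article or of PAN-OS itself, the following Python models the two behaviours described above: the upgrade/downgrade handling of the gateway timeouts, and the 3-hour HIP-based lifetime of the user-to-IP mapping. The config key spellings, function names and the sample HIP timeline are constructed for this example; the 3 h TTL and 3600 s default interval are the article's figures.

```python
"""Model of the GlobalProtect gateway timeout behaviour described in this article.

Constants are the article's (3 h mapping TTL, 3600 s default HIP interval). The
function names, the config key spellings and the sample timeline are constructed
for this example and are not PAN-OS's own."""
MAPPING_TTL_SECONDS = 3 * 3600        # fixed user-to-IP mapping lifetime
DEFAULT_HIP_INTERVAL_SECONDS = 3600   # default HIP data transmission interval


def upgrade_to_10_1(cfg_10_0: dict) -> dict:
    """10.0 -> 10.1: Inactivity Logout takes the Disconnect On Idle value;
    the old 10.0 Inactivity Logout value is dropped."""
    cfg = {k: v for k, v in cfg_10_0.items()
           if k not in ("disconnect-on-idle", "inactivity-logout")}
    cfg["inactivity-logout"] = cfg_10_0["disconnect-on-idle"]
    return cfg


def downgrade_to_10_0(cfg_10_1: dict, default_inactivity_logout: int) -> dict:
    """10.1 -> 10.0: Inactivity Logout moves to Disconnect On Idle; the 10.0
    Inactivity Logout reverts to its default (value supplied by the caller,
    since the article does not state it)."""
    cfg = {k: v for k, v in cfg_10_1.items() if k != "inactivity-logout"}
    cfg["disconnect-on-idle"] = cfg_10_1["inactivity-logout"]
    cfg["inactivity-logout"] = default_inactivity_logout
    return cfg


def hip_interval_is_safe(hip_interval_seconds: int) -> bool:
    """The article's rule: a HIP interval above 3 h risks mapping expiry."""
    return hip_interval_seconds <= MAPPING_TTL_SECONDS


def mapping_gaps(connect_time: int, hip_report_times: list, horizon: int) -> list:
    """Windows (start, end) inside [connect_time, horizon] in which the mapping
    has expired: each HIP report restarts the 3 h TTL, and a report arriving
    after expiry is assumed to re-create the mapping (assumption)."""
    gaps, last_refresh = [], connect_time
    for t in sorted(hip_report_times) + [horizon]:
        expiry = last_refresh + MAPPING_TTL_SECONDS
        if t > expiry:
            gaps.append((expiry, t))
        last_refresh = t
    return gaps


if __name__ == "__main__":
    # Constructed sample: client reports HIP every 4 h instead of the 1 h default.
    four_hours = 4 * 3600
    print(hip_interval_is_safe(four_hours))
    print(mapping_gaps(0, [four_hours, 2 * four_hours], 2 * four_hours + 1))
```

With the default 1-hour interval the same simulation returns no gaps, which is the point of the article's 3-hour bound.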

