topic Re: Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect in GlobalProtect Discussions

Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

mwunder — Tue, 02 Jun 2020 02:20:27 GMT

We run a Solarwinds script to count panGPGWUtilizationActiveTunnels from each of our active gateways (2 different firewalls). Currently we have 900 Global Protect clients installed, but there are 1,355 active tunnels due to the fact that we use Always-On with a Login Lifetime of 5 days. Essentially, if a user connects to gateway A, then disconnects for any reason, and then connects to gateway B, the first connection on gateway A remains for 5 days and is in essence, double counted in the Solarwinds report. Is anyone else having this issue?? It seems that the portal would be smart enough to know that there was a session at gateway A and send the user back there....or better yet, Palo Alto and all it's sophistication, could give me a reliable count as to how many actual active users are connected to my firewalls.

Any ideas would be appreciated.

Re: Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

Mick_Ball — Wed, 03 Jun 2020 08:08:19 GMT

We did have a similar issue with PRTG monitoring and with over 5k users this also gave ridiculous connection stats... we just reduced the gateway idle timeout to 2 hours as we do not need to know the exact number of connections, just approx for monitoring.

There are many calls logged regarding duplicate user connections and am pretty sure someone has it as a feature release somewhere...

HTH.

Mick.

Re: Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

mwunder — Wed, 03 Jun 2020 14:41:38 GMT

Thanks for the response Mick. Are you talking about the Gateway > Agent > Connection Settings > Inactivity Logout? If so, are you using HIP checks with the GlobalProtect Gateway license? I believe I messed with this setting but since I'm not using HIP checks, All clients were getting disconnected after 12 hours (I believe that's what I set it to at the time). If you're not using the GP Gateway license and HIP checks, maybe this is a direction for me to start looking.

Thanks for the lead!

Re: Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

Mick_Ball — Wed, 03 Jun 2020 20:33:04 GMT

@mwunder , hi. No problem...

i’m not sure i can give the exact reasons behind the settings but yes they are within the area of gateway agent connection settings.

i use...

inactivity timeout 2 hours

disconnect on idle 180 minutes

we do have gateway license that covers HIP but even the login lifetime of 12 hours will make your stats more accurate.

not sure why it would be set to 5 days, ... perhaps ok for a branch office but do your users never sleep...

the help file is not much use...

Re: Global Protect, 1 Portal - 2 gateways - AlwaysOn users don't disconnect

mwunder — Thu, 04 Jun 2020 18:22:08 GMT

@Mick_Ball

New to Always-On I guess. The management decision was made to allow the user to remain connected for forever, thus the settings being so long. I am going to bump down to 14 hours and 2 hours. The inactivity timer means nothing when the connect method is Always-On, so I'm not going to touch that one.

Thanks again for leading me down the path. I forgot that I had turned off HIP check when I noticed that it was booting active sessions, but what I missed at the time was that I was blocking those sessions as seen here: https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-err-http2-inadequate-transport-security/td-p/306467