https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/344181#M348 <P>Thanks for the confirmation,</P><P>&nbsp;</P><P>Yes login lifetime increase is not a recommended way round this. We want the users to be regularly checked, zero trust model.</P><P>&nbsp;</P><P>The solution we are looking for (and pursuing through our SE) is a 5 min warning and option to re authenticate before the tunnel dies.&nbsp;<BR />This means existing TCP sessions, like SSH sessions, etc. do not drop, assuming the user wants to keep the tunnel up.</P> Mon, 17 Aug 2020 10:11:23 GMT GN_ROS 2020-08-17T10:11:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/343514#M338 <P>Hi folks,</P><P>We have a number of users trialling our new Global Protect setup and it appears a small number are workaholics.<BR />We have the authentication window set at 10hrs (its Radius with TOTP) - and the authentication cookie also expires after 10hrs.</P><P>&nbsp;</P><P>From the user perspective, at the 10hr mark, all connectivity is cut and interactive apps (ssh for instance) are dropped. They can re-authenticate and return to work, so the setup is fine for most day-of-work use. But the user experience is poor for those working longer.</P><P>&nbsp;</P><P>Coming from Checkpoint and ASA, both these products offer a re-authentication window, 5-10 mins before connectivity expires, to allow the user to reauthenticate and gain another 10hrs of tunnel time, without any hard cut off.&nbsp;</P><P>&nbsp;</P><P>Is this possible in GP and if so, how? Are we missing a setting or confusing the way expiry works on the certs, etc?</P> Wed, 12 Aug 2020 11:58:41 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/343514#M338 GN_ROS 2020-08-12T11:58:41Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/343823#M341 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132903">@GN_ROS</a>&nbsp;</P> <P>Globalprotect so far does not offer such an option. Depending on the actual authentication and connection type there are ways to make the login more userfriendly, but the hard cut-off will still be there. I assume increading the login lifetime is not an option because of some company policies - so that you will make sure that at least once a day your users have to log in again?</P> Thu, 13 Aug 2020 20:57:31 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/343823#M341 Remo 2020-08-13T20:57:31Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/344181#M348 <P>Thanks for the confirmation,</P><P>&nbsp;</P><P>Yes login lifetime increase is not a recommended way round this. We want the users to be regularly checked, zero trust model.</P><P>&nbsp;</P><P>The solution we are looking for (and pursuing through our SE) is a 5 min warning and option to re authenticate before the tunnel dies.&nbsp;<BR />This means existing TCP sessions, like SSH sessions, etc. do not drop, assuming the user wants to keep the tunnel up.</P> Mon, 17 Aug 2020 10:11:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/344181#M348 GN_ROS 2020-08-17T10:11:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/411138#M1395 <P>This seems like a really good option, we've been struggling with this same requirement for shorter session lengths for VPN to ensure the user is re-authenticated regularly, but don't want to interrupt someone in the middle of a session.</P><P>Did you get anywhere with your SE? Do they have a feature request we could tag on to as well?</P> Fri, 04 Jun 2021 10:38:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/friendly-re-authentication/m-p/411138#M1395 kmuellercm 2021-06-04T10:38:45Z