https://live.paloaltonetworks.com/t5/general-topics/nac-causing-delayed-compliance-check-and-session-blocking/m-p/1204703#M122964 <P>Hi Team,</P> <P>&nbsp;</P> <P>• When a new user connects to the network, NAC takes approximately 10 minutes to identify the user and check compliance status.<BR />• If the user is deemed non-compliant after the check, all new sessions are blocked by the firewall, as expected. However, existing sessions that were established before the compliance check continue to function and are not being terminated.<BR />• This behavior allows non-compliant users to continue using their previously established sessions, which poses a security concern.<BR /><BR />I would appreciate your guidance on the following:<BR />1. Is there a way to configure the firewall to terminate all active sessions for non-compliant users immediately upon receiving the compliance status from NAC?<BR />2. Are there any recommended best practices or configurations to reduce the delay in identifying and enforcing compliance policies?</P> <P>• Firewall Model: PA-3250<BR />• PAN-OS Version: 10.2.8-h15<BR />• Integration Method: RADIUS, API, etc</P> <P>&nbsp;</P> <P>Regards,</P> <P>Chandrashekhar</P> Tue, 21 Jan 2025 12:54:04 GMT ChandrashekharD 2025-01-21T12:54:04Z https://live.paloaltonetworks.com/t5/general-topics/nac-causing-delayed-compliance-check-and-session-blocking/m-p/1204703#M122964 <P>Hi Team,</P> <P>&nbsp;</P> <P>• When a new user connects to the network, NAC takes approximately 10 minutes to identify the user and check compliance status.<BR />• If the user is deemed non-compliant after the check, all new sessions are blocked by the firewall, as expected. However, existing sessions that were established before the compliance check continue to function and are not being terminated.<BR />• This behavior allows non-compliant users to continue using their previously established sessions, which poses a security concern.<BR /><BR />I would appreciate your guidance on the following:<BR />1. Is there a way to configure the firewall to terminate all active sessions for non-compliant users immediately upon receiving the compliance status from NAC?<BR />2. Are there any recommended best practices or configurations to reduce the delay in identifying and enforcing compliance policies?</P> <P>• Firewall Model: PA-3250<BR />• PAN-OS Version: 10.2.8-h15<BR />• Integration Method: RADIUS, API, etc</P> <P>&nbsp;</P> <P>Regards,</P> <P>Chandrashekhar</P> Tue, 21 Jan 2025 12:54:04 GMT https://live.paloaltonetworks.com/t5/general-topics/nac-causing-delayed-compliance-check-and-session-blocking/m-p/1204703#M122964 ChandrashekharD 2025-01-21T12:54:04Z