<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Global Protect Agent GW Login Lifetime in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270597#M74730</link>
    <description>&lt;P&gt;We are having an issue where our internal GP agent is authenticating to both of our internal gateways normally, but after the period set for "Login Lifetime" - the firewall is clearing the IP to username mapping, even though the GP agent still shows logged in, AND authenticated to both of our internal gateways... Is the login lifetime the MAX time a user can be signed in, period? And what correlation does this have to the IP/User mapping on the firewall itself?&lt;/P&gt;</description>
    <pubDate>Mon, 17 Jun 2019 16:28:40 GMT</pubDate>
    <dc:creator>Sec101</dc:creator>
    <dc:date>2019-06-17T16:28:40Z</dc:date>
    <item>
      <title>Global Protect Agent GW Login Lifetime</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270597#M74730</link>
      <description>&lt;P&gt;We are having an issue where our internal GP agent is authenticating to both of our internal gateways normally, but after the period set for "Login Lifetime" - the firewall is clearing the IP to username mapping, even though the GP agent still shows logged in, AND authenticated to both of our internal gateways... Is the login lifetime the MAX time a user can be signed in, period? And what correlation does this have to the IP/User mapping on the firewall itself?&lt;/P&gt;</description>
      <pubDate>Mon, 17 Jun 2019 16:28:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270597#M74730</guid>
      <dc:creator>Sec101</dc:creator>
      <dc:date>2019-06-17T16:28:40Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Agent GW Login Lifetime</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270730#M74750</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59122"&gt;@Sec101&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;Login Lifetime is the maximum amount of time a session is allowed to be open, barring any other timeouts, until the session is force logged out. This method of clearing the connection isn't exactly 'clean' from an agent perspective. I would guess that if you tried to actually use the associated client, you would find that you don't actually have a connection through GP anymore.&lt;/P&gt;&lt;P&gt;As for the IP/User mapping on the firewall, GlobalProtect is slightly different than normal User-ID mappings because it knows all of the information itself. As soon as the session is cleared when it hits the Login Lifetime value you have configured, the User-ID mapping would be cleared as it knows that the user is no longer mapped to that IP address.&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2019 02:40:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270730#M74750</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2019-06-18T02:40:44Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect Agent GW Login Lifetime</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270902#M74772</link>
      <description>&lt;P&gt;Many thanks, BPry! That is the answer I was looking for. A few questions regarding the finer details below:&lt;/P&gt;&lt;P&gt;The GP agent itself doesn't show logged out when this happens. It actually still shows logged in, and authenticated to either gateway. But yes, you are correct, if I try to get to the internet, our FW isn't letting traffic through, as it no longer knows about that user to IP mapping. A "show user ip-user-mapping all" doesn't show a mapping on the FW for that user.&lt;/P&gt;&lt;P&gt;Running the CLI command "show log userid direction equal backward ip in 192.x.x.x" actually shows that IP address and user as "USERID, logout, 3505" - I've noticed that this directly coincides with the timeout values that are placed in the "login lifetime" on the Gateways.&lt;/P&gt;&lt;P&gt;Is there any way around this to keep the user logged in (we are using internal only)? If not, maybe the idea would be to set it for a long timeout period, as hopefully the user would manually log out of their computer, prompting the GP agent to restart the timer on the "login lifetime" events? I've also noticed that after exactly 1 hour, the agent will reauthenticate itself, and remap that user to the firewall. We are using cookies, so my guess is the HIP check is doing something in the background to remap that IP to username using a cookie? Running the "show log userid direction equal backward ip in 192.x.x.x" after 1 hour will actually show that the user to IP address mapping is added back, and I can get internet again...&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2019 13:29:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-agent-gw-login-lifetime/m-p/270902#M74772</guid>
      <dc:creator>Sec101</dc:creator>
      <dc:date>2019-06-18T13:29:47Z</dc:date>
    </item>
  </channel>
</rss>

