We are having an issue where our internal GP agent is authenticating to both of our internal gateways normally, but after the period set for "Login Lifetime" - the firewall is clearing the IP to username mapping, even though the GP agent still shows logged in, AND authenticated to both of our internal gateways.... Is the login lifetime the MAX time a user can be signed in period? and what correlation does this have to the IP/User mapping on the firewall itself?
Login Lifetime is the maximum amount of time a session is allowed to be open, barring any other timeouts, until the session is force logged out. This method of clearing the connection isn't exactly 'clean' from an agent perspective. I would guess that if you tried to actually use the associated client, you would find that you don't actually have a connection through GP anymore.
As for the IP/User mapping on the firewall, GlobalProtect is slightly different than normal User-ID mappings because it knows all of the information itself. As soon as the session is cleared when it hits the Login Lifetime value you have configured, the User-ID mapping would be cleared as it knows that the user is no longer mapped to that IP address.
Many thanks BPry! That is the answer I was looking for. A few questions regarding the finer details below:
The GP agent itself doesn't show logged out when this happens. It actually still shows logged in, and authenticated to either gateway. But yes, you are correct, if I try to get to the internet, our FW isn't letting traffic through, as it no longer knows about that user to IP mapping. A "show user ip-user-mapping all " doesn't show a mapping on the FW for that user.
running the CLI command "show log userid direction equal backward ip in 192.x.x.x" actually shows that ip address and user as "USERID, logout, 3505" - I've noticed that this directly coincides with the timeout values that are placed in the "login lifetime" on the Gateways.
Is there any way around this to keep the user logged in (we are using internal only)? If not, maybe the idea would be to set it for a long timeout period, as hopefully the user would manually logout of their computer, prompting the GP agent to restart the timer on the "login lifetime" events? I've also noticed that after exactly 1 hour, the agent will reauthenticate itself, and remap that user to the firewall. We are using cookies, so my guess is the HIP check is doing something in the background to remap that IP to username using a cookie? Running the "show log userid direction equal backward ip in 192.x.x.x" after 1 hour, will actually show that the user to IP address mapping is added back, and I can get internet again....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!