01-21-2025 04:54 AM
Hi Team,
• When a new user connects to the network, NAC takes approximately 10 minutes to identify the user and check compliance status.
• If the user is deemed non-compliant after the check, all new sessions are blocked by the firewall, as expected. However, existing sessions that were established before the compliance check continue to function and are not being terminated.
• This behavior allows non-compliant users to continue using their previously established sessions, which poses a security concern.
I would appreciate your guidance on the following:
1. Is there a way to configure the firewall to terminate all active sessions for non-compliant users immediately upon receiving the compliance status from NAC?
2. Are there any recommended best practices or configurations to reduce the delay in identifying and enforcing compliance policies?
• Firewall Model: PA-3250
• PAN-OS Version: 10.2.8-h15
• Integration Method: RADIUS, API, etc
Regards,
Chandrashekhar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
