DIfference between Inactivity Logout and Disconnect on Idle

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DIfference between Inactivity Logout and Disconnect on Idle

L3 Networker

Hi All,

 

We want GP users to get automatically logged out after 30 minutes.

 

We had changed the "disconnect on idle" value in the connection tab to 30 minutes and then checked after 30 mins for GP Client logout. But the GP Client is still connected to the gateway(Using on-demand user logon).

 

After going through the Palo Docs we found out that no traffic should pass through tunnel then only the "disconnect on idle" case will be executed(which is not possible literally).

 

Is there any way we can make an GP Client logout after 30 mins of no activity by end system user where GP Client is installed.

 

Thanks in advance.

 

Troubleshooting GlobalProtect 

12 REPLIES 12

Cyber Elite
Cyber Elite

@tamilvanan 

 

Please read below for inactivity timer log out.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClxFCAS

Users are logged out of GlobalProtect when the gateway does not receive a HIP check from the GlobalProtect app in the specified amount of time.

GP agent connects to GW for hip check after every 60 mins.

**************************************

Disconnect on Idle

Users are logged out of GlobalProtect when the GlobalProtect app has not sent traffic through the VPN tunnel in the specified amount of time. (This setting is only applicable to clients using the on-demand Connect Method to connect to GlobalProtect).

 

Example of this is if your Internet connection is down then only this timer will be triggered.

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

Is there any way we can make an GP Client logout after 30 mins of no activity by end system user where GP Client is installed.

 

hmmm...   it depends on your setup. If your default route is via the vpn then on a Windoze device....  no chance...  a constant droll of netbios smb dns av updates email refresh blahdy blahhh. Will certainly keep the timer in check.

 

it would be more likely to work if you use split tunnel and only had access routes to your internal servers then all the other junk would stay local.

 

i do not use this as we are set to always on... so i just set inactivity timer to 3 hours so it will boot off those who just power off their devices without logging off first.  With almost 8k user base this helps keep license count down and prevent duplicate user sessions across multiple gateways...   but....   somebody may have a better solution with one of those API calls...

 

 

 

Hi @Mick_Ball, thanks for the reply. The GP is configured with the Split tunnel and only one internal server subnet range is specified in the include access route domain. We had done packet capture on GP Tunnel at the client side for around 10 mins and had seen only the ICMP packets being send between the GP Client and Gateway which is used to keep the tunnel alive.

 

In this case i am wondering will the ICMP traffic send between GP Client and gateway keeps the user logged in and the Disconnect on Idle action is not triggered.

 

 

Are you capturing on pangps adapter or lan/wifi adapter. Are those icmp packets going down the tunnel or directly to the external gateway. The source and destination of the icmp will show route takem.

@Mick_Ball The packet capture is done on PAN GP adapter at client side and the source ip is GP Client Private IP and destination IP is GP Gateway Public IP. So the packet is going thru GP Tunnel only.

OK something odd here...  i did a test connection with traffic back to 1 server in split tunnel address.  all other traffic including dns was local.  set to 5 mins but stayed idle for over 1 hour until i killed it myself...

 

all of the show options in CLI show all other timers but not the idle disconnect one.  I can also see them counting down but still no idle disconnect....  as per below

MickBall_0-1622554366416.png

 

@Mick_Ball 

 

Seems from my experience disable on idle does not come into picture unless your home wifi or ISP is down.

Then the GP agent on your PC will be disconnected and then gateway will still show you as connected untill Inactivity 

logout times expires.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

Sure @MP18 but which one kicks in, is it the no HIP inactivity timer or the disconnect on idle that kicks you off. i'm going to power off laptop later and see how long session stays up on gateway... will it be the 5 min disconnect on idle or the inactivity logout...   2 hours...  

 

it should be the disconnect on idle as using on demand and not always on...

@Mick_Ball 

 

As per my testing it is hip inactivity.

Let us know how your testing goes.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

This is my experience with windows endpoints too. They are just to chatty. If the users powers off or closes the lid then yeah they might go "idle". 

 

When you refer to license count, what do you mean? As I understand it the global protect license is for the whole box not per user. 

@MP18 ,yes , sorry misread your post. I had the same result. I even added a /32 address only to the included network and still had packets via the tunnel for the various protocols that float around looking for auto configs etc.... so i doubt very much this will ever work and only the inactivity will actually work but thats min 2 hours...  @ccscott , sorry wrong terminology, ... 3020 devices have a max of 1024 concurrent users, this is what i was referring to....

L2 Linker

I've had some luck with the "logon lifetime" config on the GP gateways, although it can be annoying for users who just leave the machine up and actually connected. I know It's not actually the same, but it can force reauth. 

 

I think the original poster is best off using the HIP check timeout "Inactivity Logout" and maybe seeing if something else is available down the road feature-wise.

  • 18696 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!