08-12-2020 04:58 AM
Hi folks,
We have a number of users trialling our new GlobalProtect setup and it appears a small number are workaholics.
We have the authentication window set at 10hrs (it's RADIUS with TOTP) - and the authentication cookie also expires after 10hrs.
From the user perspective, at the 10hr mark, all connectivity is cut and interactive apps (ssh for instance) are dropped. They can re-authenticate and return to work, so the setup is fine for most day-of-work use. But the user experience is poor for those working longer.
Coming from Checkpoint and ASA, both these products offer a re-authentication window, 5-10 mins before connectivity expires, to allow the user to reauthenticate and gain another 10hrs of tunnel time, without any hard cut off.
Is this possible in GP and if so, how? Are we missing a setting or confusing the way expiry works on the certs, etc?
08-13-2020 01:57 PM
Hi @GN_ROS
GlobalProtect so far does not offer such an option. Depending on the actual authentication and connection type there are ways to make the login more user-friendly, but the hard cut-off will still be there. I assume increasing the login lifetime is not an option because of some company policies - so that you will make sure that at least once a day your users have to log in again?
08-17-2020 03:11 AM
Thanks for the confirmation,
Yes, login lifetime increase is not a recommended way round this. We want the users to be regularly checked, zero trust model.
The solution we are looking for (and pursuing through our SE) is a 5 min warning and option to re-authenticate before the tunnel dies.
This means existing TCP sessions, like SSH sessions, etc. do not drop, assuming the user wants to keep the tunnel up.
06-04-2021 03:38 AM
This seems like a really good option. We've been struggling with this same requirement for shorter session lengths for VPN to ensure the user is re-authenticated regularly, but don't want to interrupt someone in the middle of a session.
Did you get anywhere with your SE? Do they have a feature request we could tag on to as well?