Article Intended For
Penn State faculty, staff, students, and affiliates who utilize the GlobalProtect Remote Access VPN Service.
Introduction
Use this article to understand the various types of timers that are configured on the GlobalProtect VPN.
Article Body
Definitions for configured GlobalProtect agent timers
Login Lifetime
The login Lifetime is the maximum length of time that a session is allowed to continue before the user is required to log in again. See the table below for the Login Lifetimes for each gateway.
Of all the GlobalProtect timers, this is the one that users are most likely to experience. There is no notification possible on the expiration of this time. However, users can do the following to check how long their session has been connected:
- Open GlobalConnect.
For example, on a Windows machine, click the triangle to open the system tray, then click the GlobalProtect icon:
- Click the menu and choose Settings:
- Click the Connection tab and look for Uptime:
Disconnect on Idle
This value is not applicable to Faculty/Staff-Managed & Prelogon gateway connections.
Users are logged out of GlobalProtect when the agent has not sent traffic through the VPN tunnel in the specified amount of time (see table below). This could be triggered by the computer going into a sleep state or Internet connection being interrupted for the duration of the value listed in the table below.
Inactivity Logout
The GP agent automatically sends a HIP report to the GP gateway every 60 minutes. Users are logged out of GlobalProtect when the gateway does not receive a HIP report from the GP agent in the specified Inactivity Logout time. (See the table below.)
Authentication Cookie
The Authentication Cookie is an encrypted token that is generated and cached in the GP agent after a user successfully performs a manual authentication. This cookie is then used for subsequent authentications to the VPN without manually entering Username and Password until expired. The table below details the different cookies and their lifetimes. The authentication cookie is good while connecting using the original source IP for which the cookie was issued.
Configured GlobalProtect agent timer values
Type |
Login Lifetime |
Inactivity Logout |
Disconnect on Idle |
Authentication Cookie |
Azure SSO Authentication Token |
Fac/Staff Managed | 21 Days | 2 Hours | N/A | 21 Days | 1 Hour |
Fac/Staff Unmanaged | 72 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
Fac/Staff Internal | 21 Days | 2 Hours | 120 minutes |
Managed = 21 Days Unmanaged = 1 Hour | 1 Hour |
Student External | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
Student Internal | 21 Days | 2 Hours | 120 minutes | 1 Hour | 1 Hour |
Affiliate External | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
Affiliate Internal | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
Prelogon | 21 Days | 2 Hours | N/A | 20 Days | N/A |
How to Get Help with the GlobalProtect Remote Access VPN
If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help:
- Visit the IT Help Portal
- Call us at 814-865-HELP (4357)
- Email us at ITservicedesk@psu.edu