GlobalProtect Remote Access VPN - Agent connection and authentication timers

6.0 - Updated on 05-04-2023 by Tom Bayly (txb151)

5.0 - Updated on 02-14-2022 by Gregory Fox (gdf24)

4.0 - Updated on 05-21-2021 by Michael Giornesto (mcg12)

3.0 - Updated on 05-12-2021 by Gregory Fox (gdf24)

Article Intended For

Penn State faculty, staff, students, and affiliates who utilize the GlobalProtect Remote Access VPN Service.

Introduction

Use this article to understand the various types of timers that are configured on the GlobalProtect VPN. 

For more information about GlobalProtect, and a list of related articles, see KB0013431, GlobalProtect Remote Access VPN - Overview.

Article Body

Definitions for configured GlobalProtect agent timers

Login Lifetime

The Login Lifetime is the maximum length of time that a session is allowed to continue before the user is required to log in again. See the table below for the Login Lifetimes for each gateway.

Of all the GlobalProtect timers, this is the one that users are most likely to experience. No notification can be given when this timer expires. However, users can do the following to check how long their session has been connected:

  1. Open GlobalProtect.
    For example, on a Windows machine, click the triangle to open the system tray, then click the GlobalProtect icon.
  2. Click the menu and choose Settings.
  3. Click the Connection tab and look for Uptime.

Disconnect on Idle

This value is not applicable to Faculty/Staff-Managed & Prelogon gateway connections.

Users are logged out of GlobalProtect when the agent has not sent traffic through the VPN tunnel in the specified amount of time (see the table below). This can be triggered by the computer going into a sleep state or by the Internet connection being interrupted for the duration listed in the table.

Inactivity Logout

The GP agent automatically sends a HIP report to the GP gateway every 60 minutes. Users are logged out of GlobalProtect when the gateway does not receive a HIP report from the GP agent in the specified Inactivity Logout time. (See the table below.)

Authentication Cookie

The Authentication Cookie is an encrypted token that is generated and cached in the GP agent after a user successfully performs a manual authentication. This cookie is then used for subsequent authentications to the VPN, without manually entering a username and password, until it expires. The table below details the different cookies and their lifetimes. The authentication cookie remains valid while connecting from the original source IP address for which it was issued.

Configured GlobalProtect agent timer values

| Type | Login Lifetime | Inactivity Logout | Disconnect on Idle | Authentication Cookie | Azure SSO Authentication Token |
|---|---|---|---|---|---|
| Fac/Staff Managed | 21 Days | 2 Hours | N/A | 21 Days | 1 Hour |
| Fac/Staff Unmanaged | 72 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
| Fac/Staff Internal | 21 Days | 2 Hours | 120 minutes | Managed = 21 Days; Unmanaged = 1 Hour | 1 Hour |
| Student External | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
| Student Internal | 21 Days | 2 Hours | 120 minutes | 1 Hour | 1 Hour |
| Affiliate External | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
| Affiliate Internal | 12 Hours | 2 Hours | 5 minutes | 1 Hour | 1 Hour |
| Prelogon | 21 Days | 2 Hours | N/A | 20 Days | N/A |
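
The following sketch is an added example, not part of the original article or of GlobalProtect itself. It combines the timer definitions with the table values for two gateway types to show which timer ends a session first and whether the next connection can reuse the cached cookie. The function names, sample times and IP addresses are constructed for illustration, and it assumes the cookie lifetime is counted from the manual authentication.

```python
from datetime import datetime, timedelta

# Values copied from the table above for two gateway types; None means N/A.
TIMERS = {
    "Fac/Staff Managed": {"login": timedelta(days=21), "inactivity": timedelta(hours=2),
                          "idle": None, "cookie": timedelta(days=21)},
    "Fac/Staff Unmanaged": {"login": timedelta(hours=72), "inactivity": timedelta(hours=2),
                            "idle": timedelta(minutes=5), "cookie": timedelta(hours=1)},
}

def next_logout(gateway, login_at, last_traffic_at, last_hip_at):
    """Return (deadline, timer name) for the timer that ends the session first."""
    t = TIMERS[gateway]
    deadlines = [
        (login_at + t["login"], "Login Lifetime"),
        (last_hip_at + t["inactivity"], "Inactivity Logout"),
    ]
    if t["idle"] is not None:  # Disconnect on Idle is N/A on some gateways
        deadlines.append((last_traffic_at + t["idle"], "Disconnect on Idle"))
    return min(deadlines)

def reconnect_mode(gateway, cookie_issued_at, cookie_ip, now, source_ip):
    """Return "cookie" if the cached cookie can be used, otherwise "manual"."""
    # Assumption: the cookie lifetime counts from the manual authentication.
    unexpired = now - cookie_issued_at < TIMERS[gateway]["cookie"]
    return "cookie" if unexpired and source_ip == cookie_ip else "manual"

if __name__ == "__main__":
    # Constructed scenario: manual login and first HIP report at 09:00,
    # laptop goes to sleep at 09:30, so no traffic or HIP reports after that.
    login = datetime(2023, 5, 4, 9, 0)
    asleep = datetime(2023, 5, 4, 9, 30)
    home, cafe = "198.51.100.7", "203.0.113.9"  # documentation-range addresses
    for gw in TIMERS:
        when, timer = next_logout(gw, login, asleep, login)
        print(f"{gw}: logged out at {when:%H:%M} by {timer}")
    for now, ip in [(datetime(2023, 5, 4, 9, 50), home),
                    (datetime(2023, 5, 4, 9, 50), cafe),
                    (datetime(2023, 5, 4, 10, 5), home)]:
        mode = reconnect_mode("Fac/Staff Unmanaged", login, home, now, ip)
        print(f"reconnect {now:%H:%M} from {ip}: {mode}")
```

In this scenario the unmanaged session ends after five idle minutes while the managed session lasts until the Inactivity Logout, and the unmanaged user reconnects without a prompt only within the cookie lifetime and from the same source IP.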

How to Get Help with the GlobalProtect Remote Access VPN 

If you have questions or experience any difficulties, use any of the following methods to contact the IT Service Desk for help: