KB40165 - Delay in removal of user session from Palo Alto Firewall after termination of session on Pulse Policy Secure (PPS)

Last Modified Date: 2/22/2016 10:10 PM
Synopsis
In role-based user sessions, there is a delay in removing the user session from Palo Alto firewalls after the session is terminated on Pulse Policy Secure (PPS).
Problem or Goal
How to eliminate the delay in removing the user session from Palo Alto firewalls after the session is terminated on Pulse Policy Secure (PPS).
Cause
Pulse Policy Secure authenticates users, verifies that endpoints meet security policy, and then dynamically pushes the resulting user information (IP address and role names) to the Palo Alto Networks (PAN) firewall so that the firewall can apply granular access policies.

There are two types of session entries used on PAN firewalls: User-ID entries and role-based entries.

On the PAN firewall, User-ID entries (the IP/user binding) are synced immediately, so there is no delay when a binding is established or removed. If role-based information is used, however, there can be a delay before the end user's session is cleared from the firewall.

Role-based information takes the form of a tag attached to a Dynamic Address Group (DAG). Because DAG membership is recomputed from tags rather than from the User-ID binding, it can take up to a minute before the removal of the tag is fully synced, and a policy that matches only on the DAG keeps matching that IP address until then.

 
Solution
To eliminate the delay in removing the user session from Palo Alto firewalls after the session is terminated on Pulse Policy Secure (PPS) with role-based information, select the "known-user" option as the source user in the relevant security policy rules on the PAN firewall. A known-user match depends on the User-ID entry, which is removed as soon as the user disconnects from PPS, so access is revoked immediately instead of waiting for the Dynamic Address Group to resync. A rule that matches on a role-based DAG can keep that source address criterion and add known-user as its source user; since both criteria must match, the rule stops matching the moment the User-ID binding is gone.
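The following PAN-OS CLI configuration is an added illustration of the two policy styles described above; it is not part of the original KB article. The address-group name, rule name, zone names and the tag name "Employee" are placeholders, and the role tag pushed by PPS is assumed to carry the PPS role name.

```text
# Added example (not from the KB). Names below are placeholders.

# 1. Role-based policy: a Dynamic Address Group whose membership is derived from
#    the role tag that PPS registers on the firewall. Membership is recomputed
#    from tags and can lag up to a minute after PPS terminates the session.
set address-group Employees-DAG dynamic filter "'Employee'"
set rulebase security rules Allow-Employees from trust to untrust source Employees-DAG destination any source-user any application any service application-default action allow

# 2. Immediate revocation: require an authenticated user (known-user) as well.
#    The User-ID entry (IP/user binding) is removed immediately when the PPS
#    session ends, so traffic from that IP stops matching this rule without
#    waiting for the DAG to resync. The DAG still provides the role granularity.
set rulebase security rules Allow-Employees source-user known-user

# Verification after a user logs out of PPS:
#   show user ip-user-mapping all           -> binding for the user's IP is gone at once
#   show object dynamic-address-group all   -> the IP may remain a DAG member briefly
```

The first `show` command confirms the User-ID side of the behaviour the article describes; the second lets you observe the tag-sync lag directly rather than inferring it from a session that stays open.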

Created By: Craig Brauckmiller
