Joe_Kanaszka
Advisor

Need to configure Mobile VPN client to timeout and disconnect.

Afternoon everyone.


Running R81.20 and will be getting everyone on Check Point Mobile VPN - 89.10.

We're seeing an issue where if a user logs into their Mobile VPN client while at home, closes their laptop lid (or doesn't disconnect from the Mobile client), then comes into the office and connects to the LAN via CAT5, the CP Mobile Access logs do not show their prior Mobile VPN session as disconnected, even though it is no longer in use.  If you look at "All Users" in Tunnel & User Monitoring in SmartView Monitor, the "Stale" session does not appear.  There is a disconnect between these two tools (SmartView Monitor & Logs).

Is there a way to change this behavior of the Mobile IPsec client so if a user forgets to disconnect from the VPN, their session is terminated?

Thank you!


13 Replies
the_rock
MVP Diamond

Hey brother,

I can't find the link now that I sent you some time ago, but there is a guidbedit setting for disconnect on idle; if you just search disconnect_on_idle (I believe that is the flag name), you can try setting it to any desired value.

Best,
Andy
"Have a great day and if its not, change it"
Joe_Kanaszka
Advisor

Thank you Andy!  I had thought it was some sort of location setting...eg.. if you're connected to a LAN - disconnect any idle VPN sessions....

the_rock
MVP Diamond

Not 100% sure about that, there might be, though I'm not aware...

Best,
Andy
"Have a great day and if its not, change it"
josi
Participant

You can enforce idle client disconnection in SmartConsole in Menu - Global Properties - Remote Access - Endpoint Connect.

Or check the guidbedit settings that @the_rock mentioned - Idle VPN Tunnel (I think it's the same setting as in SmartConsole, but with more options to set up).

the_rock
MVP Diamond

Thank you @josi, that's the exact setting I was referring to.

Best,
Andy
"Have a great day and if its not, change it"
Joe_Kanaszka
Advisor

Thanks Andy!  Please see my response to Josi above.  I'm a bit confused over what Idle session timeout is supposed to be used for...

Joe_Kanaszka
Advisor

Thank you Josi!  I'm confused about "idle session" 

If I look at a user that is working from home over the Check Point Mobile client, there is constant traffic being sent back and forth, even if the user isn't accessing the internet (all web traffic goes over our VPN) or accessing our CIFS file shares.  The VPN Mobile tunnel is very chatty, constantly sending traffic back and forth such as DNS and Active Directory.  What is the Idle session setting meant to be used for?  For cases like in my original question where a user forgets to disconnect from their VPN client while working from home, then comes into the office within 2 hours, then connects to our corporate LAN?  Or is it meant to disconnect VPN sessions when there is no traffic going over the tunnel - which in my case never happens unless a user is still connected to their Check Point VPN, then gets disconnected from their Internet connectivity?


Thank you!

the_rock
MVP Diamond

Hey Joe,

I believe that would apply to a situation like this: say, for example, the user locks their computer and nothing happens for 15 mins. If that value is set to 15 mins, as long as the endpoint does not detect any connectivity or attempts to connect to something internal, it would disconnect the session.

Hope that helps.

Best,
Andy
"Have a great day and if its not, change it"
Joe_Kanaszka
Advisor

Thanks again Andy!


So I understand...Check Point is "smart enough" to know when user VPN traffic is actually "accessing" resources, and not just sending "chatty" Active Directory traffic? 

Do these "idle session timeout" settings, whether set using guidbedit or the SmartConsole Global settings, apply to the Check Point Mobile client or just the SSL VPN?

Sorry for all the questions!  I've never understood this setting and I think if I'm able to use it successfully, it could make our auditing tools (SmartConsole logs & "All Users" in SmartView Monitor) more reliable.  Currently there is a disconnect.

the_rock
MVP Diamond

I believe it would apply to both, but I could be mistaken. Maybe someone else can confirm, for sure. No worries man, happy to help.

Best,
Andy
"Have a great day and if its not, change it"
josi
Participant

It's not that smart... You need to exclude your "chatty" traffic (e.g. DNS, ICMP) using do_not_check_idleness_on_these_services parameter.

The idle session timeout works only on Check Point Mobile / Endpoint Security Client. SSL SNX applies only the re-authentication timeout: sk77380 - Can idle session timeout be configured for SNX? (or a newer reference on that is here under Session Timeouts - Session Settings).

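To see why the idle timeout described in the thread never fires on a chatty tunnel unless the background services are excluded, here is an added Python model of that idleness check. It is not Check Point client code or log output; the flow records, service names and 15-minute timeout are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed model of the idle-tunnel rule from the thread: the tunnel counts as
# idle only when no traffic OTHER than the excluded services has crossed it for
# the configured timeout. Not Check Point code; all values below are made up.
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed sample of flows seen over one Mobile VPN tunnel: (timestamp, service).
TUNNEL_FLOWS = [
    ("2024-01-08 08:00:00", "cifs"),   # the user actually reads a file share
    ("2024-01-08 08:03:00", "dns"),
    ("2024-01-08 08:10:00", "ldap"),   # Active Directory background traffic
    ("2024-01-08 08:20:00", "dns"),
    ("2024-01-08 08:30:00", "ldap"),
    ("2024-01-08 08:40:00", "dns"),
]

def at(ts):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def idle_since(flows, excluded, now):
    """Seconds since the last flow NOT on the exclusion list, or None if there is none."""
    real = [at(ts) for ts, svc in flows if svc not in excluded and at(ts) <= now]
    if not real:
        return None
    return (now - max(real)).total_seconds()

def should_disconnect(flows, excluded, now, timeout=IDLE_TIMEOUT):
    """True when the tunnel has been idle (ignoring excluded services) for >= timeout."""
    idle = idle_since(flows, excluded, now)
    return idle is not None and idle >= timeout.total_seconds()

def chatty_services(flows):
    """Flow count per service, to help decide which services belong on the exclusion list."""
    return dict(Counter(svc for _, svc in flows))

if __name__ == "__main__":
    now = at("2024-01-08 08:45:00")
    print(chatty_services(TUNNEL_FLOWS))
    # Without exclusions the DNS/LDAP chatter keeps resetting the idle timer.
    print(should_disconnect(TUNNEL_FLOWS, set(), now))            # False
    # With the chatty services excluded, the last real access was 45 minutes ago.
    print(should_disconnect(TUNNEL_FLOWS, {"dns", "ldap"}, now))  # True
```

Run against the constructed flows, the same tunnel is "busy" with an empty exclusion list and "idle" once dns and ldap are excluded, which is the effect the exclusion parameter in the reply above is meant to produce.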
the_rock
MVP Diamond

That's true @josi. Now I recall having to change those a while back.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

Hey Joe,

Please let us know once you sort this out.

Best,
Andy
"Have a great day and if its not, change it"