Afternoon everyone.
Running R81.20 and will be getting everyone on Check Point Mobile VPN - 89.10.
We're seeing an issue where if a user logs into their Mobile VPN client while at home, closes their laptop lid (or doesn't disconnect from the Mobile client), then comes into the office and connects to the LAN via CAT5, the CP Mobile Access logs do not show their prior Mobile VPN session as disconnected, even though it is no longer in use. If you look at "All Users" in Tunnel & User Monitoring in SmartView Monitor, the "Stale" session does not appear. There is a disconnect between these two tools (SmartView Monitor & Logs).
Is there a way to change this behavior of the Mobile IPsec client so if a user forgets to disconnect from the VPN, their session is terminated?
Thank you!
Hey brother,
I can't find that link now that I sent you some time ago, but there is a guidbedit setting for disconnect on idle. If you just search disconnect_on_idle (I believe that is the flag name), you can try setting it to any desired value.
Thank you Andy! I had thought it was some sort of location setting, e.g. if you're connected to a LAN, disconnect any idle VPN sessions...
Not 100% sure about that, there might be, though I'm not aware...
You can enforce idle client disconnection in SmartConsole in Menu - Global Properties - Remote Access - Endpoint Connect
Or check the guidbedit settings that @the_rock mentioned - Idle VPN Tunnel (I think it's the same setting as in SmartConsole, but with more options to set up)
Thank you @josi, that's the exact setting I was referring to.
Thanks Andy! Please see my response to Josi above. I'm a bit confused over what Idle session timeout is supposed to be used for...
Thank you Josi! I'm confused about "idle session"
If I look at a user that is working from home over the Check Point Mobile client, there is constant traffic being sent back and forth, even if the user isn't accessing the internet (all web traffic goes over our VPN) or not accessing our CIFS file shares. The VPN Mobile tunnel is very chatty, constantly sending traffic back and forth with such traffic as DNS and Active Directory. What is the Idle session setting meant to be used for? For cases like in my original question where a user forgets to disconnect from their VPN client while working from home, then comes into the office within 2 hours, then connects to our corporate LAN? Or is it meant to disconnect VPN sessions when there is no traffic going over the tunnel - which in my case never happens unless a user is still connected to their Check Point VPN, then gets disconnected from their Internet connectivity?
Thank you!
Hey Joe,
I believe that would constitute for situation like this...say, for example, user locks their computer and nothing happens for 15 mins, if that value is set to 15 mins, as long as endpoint does not detect any connectivity or attempts to connect to something internal, then would disconnect the session.
Hope that helps.
Thanks again Andy!
So I understand...Check Point is "smart enough" to know when user VPN traffic is actually "accessing" resources, and not just sending "chatty" Active Directory traffic?
Do these "idle session timeout" settings, by either using guidbedit or the SmartConsole Global settings, apply to the Check Point Mobile client or just the SSL VPN?
Sorry for all the questions! I've never understood this setting and I think if I'm able to use it successfully, it could make our auditing tools (Smart Console logs & "all users" in SmartView Monitor) more reliable. Currently there is a disconnect.
I believe it would apply to both, but I could be mistaken. Maybe someone else can confirm, for sure. No worries man, happy to help.
It's not that smart... You need to exclude your "chatty" traffic (e.g. DNS, ICMP) using do_not_check_idleness_on_these_services parameter.
The idle session timeout works only on Check Point Mobile / Endpoint Security Client. SSL SNX applies only the re-authentication timeout: sk77380 - Can idle session timeout be configured for SNX? (or the newer reference on that is here under Session Timeouts - Session Settings)
That's true @josi. Now, I recall having to change those a while back.
Hey Joe,
Please let us know once you sort this out.
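The idle-timer behaviour discussed in this thread, as an added example that is not part of the original posts and is not Check Point's code: a simplified model in which any packet resets the idle timer unless its service is on an exclusion list like `do_not_check_idleness_on_these_services`. The trace, service labels and the 900-second timeout are constructed for illustration.

```python
"""Simplified model of idle-timeout evaluation on a remote-access tunnel.
Assumption: illustrative logic only, not Check Point's implementation."""

def idle_disconnect_time(packets, timeout_s, excluded=frozenset(), observed_until=0):
    """Return the second at which the tunnel would be dropped as idle, or None.

    packets: iterable of (seconds_since_connect, service_name).
    excluded: services that do not reset the idle timer, modelling the
              do_not_check_idleness_on_these_services list from the thread.
    """
    excluded = {s.lower() for s in excluded}
    last_activity = 0  # tunnel establishment counts as activity
    for ts, service in sorted(packets):
        if service.lower() in excluded:
            continue  # chatty background traffic: ignored by the idle check
        if ts - last_activity >= timeout_s:
            return last_activity + timeout_s  # timer expired before this packet
        last_activity = ts
    if observed_until - last_activity >= timeout_s:
        return last_activity + timeout_s
    return None


def build_trace():
    """Constructed one-hour trace: the user works for 5 minutes, then locks the laptop."""
    trace = [(t, "cifs") for t in range(60, 301, 60)]      # real user activity
    trace += [(t, "dns") for t in range(30, 3601, 30)]     # background lookups
    trace += [(t, "icmp") for t in range(120, 3601, 120)]  # keepalive pings
    trace += [(t, "ldap") for t in range(600, 3601, 300)]  # Active Directory chatter
    return trace


if __name__ == "__main__":
    for excluded in (set(), {"dns", "icmp"}, {"dns", "icmp", "ldap"}):
        result = idle_disconnect_time(build_trace(), 900, excluded, observed_until=3600)
        print(sorted(excluded), "->", result)
```

In this model, excluding only DNS and ICMP still never disconnects the session, because the Active Directory traffic keeps resetting the timer; every background service has to be on the exclusion list before the timeout can fire.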