Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
David_Won
Contributor
Jump to solution

How to increase VPN timeout limits?

We currently have our VPN users set to an 8 hour timeout. We have one supplier that needs this to be longer though. Is there any way to increase the length of time without doing it for all users?

Currently running E80.81 for the client and R77.30 on our gateways.

1 Solution

Accepted Solutions
David_Won
Contributor

I must be reading his comment wrong. I see it saying I have an 8 hour max. He also says I can only change it in the gui or guidbedit. 

The doc I posted says I can go to 1440 so I'll assume that is still the max.

So you are saying that my change below looks ok?

:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)

View solution in original post

0 Kudos
23 Replies
XBensemhoun
Employee
Employee

I think that this 8 hours is not a sort of timeout but concretely the Re-Authentication period.

In the Remote Access Clients for Windows 32/64-bit Administration Guide E80.72 and Higher we can learn that we can change the value in In Authentication Settings of Global Properties > Remote Access > Endpoint Connect

But this can be also change more specifically per Security Gateway or per client using the trac.defaults neo_user_re_auth_timeout variable.

Could you try changing this value and telling us if that answer to your needs?

Information Security enthusiast, CISSP, CCSP
0 Kudos
PhoneBoy
Admin
Admin

If you want to do it per user group: Remote Access clients configuration based on group membership 

0 Kudos
David_Won
Contributor

That's exactly what I was looking for. Putting int he required paperwork now to test this next week. Will update with results.

Thanks

David_Won
Contributor

Will this work when the user belongs to multiple groups and is there anything I should be wary of regarding this.

The user currently is currently in 4 different user groups. These are used in 4 different VPN rules.

Was thinking of making a new group called ExtendedTimeout and making the ExtendedTimeout.ttf with a 24 hour timeout. Would I just add the user to this group along with the groups they already have? Does this new group need to be used in an access rule anywhere?

0 Kudos
PhoneBoy
Admin
Admin

I don't believe the group has to be used in the rulebase, the group just needs to exist and users need to be members of it.

0 Kudos
David_Won
Contributor

Went to make the change this morning but can't find how to properly change the value in the ttm file.

I assume that the section we want to change is the neo_user_re_auth_timeout

From this doc I found the max is 24 hours though. We wanted to change it something closer to a week for this one specific account.

This screenshot is from an older doc I found.

https://downloads.checkpoint.com/fileserver/SOURCE/direct/ID/7262/FILE/Integrity_SecureClient_Mobile... 

Do these values still hold true for max? And if I am able to change it to something else what is the proper syntax?

Currently running R77.30

Finding the docs confusing.

Would I change

:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (client_decide)

to

:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)

Really want 10080 instead of 1440.

Help please!!   

G_W_Albrecht
Legend
Legend

In sk75221 Remote Access TTM Configuration relevant for the used version, we find that:

Attributes that were defined in the Security Management (SmartCenter) database schema cannot be changed in the TTM file. They can only be changed via SmartDashboard or via the GuiDBEdit tool. Examples: tunnel_idleness_ignored_tcp_ports, tunnel_idleness_timeout, location_awareness_dc_check, location_awareness_enabled etc. More information on these attributes can be found in the Admin Guide. Parameter tunnel_idleness_timeout is listed in sk42850 with a similar comment.

But i think i have found your 8 hours limit:

CCSE CCTE CCSM SMB Specialist
0 Kudos
David_Won
Contributor

If you look at my message you see that there is a limit of up to 1440 minutes from what I'm seeing. That is 24 hours. 

I was asking how to modify the ttm file correctly to use this value. Also the screenshot you showed is from the new version which is different from what I understand. 

0 Kudos
PhoneBoy
Admin
Admin

According to what I'm reading, this should be the correct approach (your modifications to trac_client_1.ttm).

Note while Guenther is showing a screenshot from R80.x, it's the same in R77.30 as well (just "looks" different).

0 Kudos
David_Won
Contributor

I must be reading his comment wrong. I see it saying I have an 8 hour max. He also says I can only change it in the gui or guidbedit. 

The doc I posted says I can go to 1440 so I'll assume that is still the max.

So you are saying that my change below looks ok?

:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)

0 Kudos
PhoneBoy
Admin
Admin

All of those things are true.

Your change looks ok

0 Kudos
G_W_Albrecht
Legend
Legend

The only document refering to neo_user_re_auth_timeout is R70 VPN Administration Guide, so i am really eager to know if this works !

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

I found the answer: endpoint_vpn_user_re_auth_timeout is refered to in sk62581 EndPoint Connect users required to re-authenticate every 480 minutes

CCSE CCTE CCSM SMB Specialist
David_Won
Contributor

Seems to have worked guys. I have made the changes and added myself to the group. VPN'd in and I have the 1440 timeout in my settings now.

Still need to leave things connected for a day and double test though.

Thanks

0 Kudos
CyberBreaker
Contributor

Hi @David_Won , how did you change it, via the ttm file or you follow the screenshot of @G_W_Albrecht? Thanks

0 Kudos
morris
Contributor

Hi all,

I just add my question to this thread, because I think the topic is fitting.

How to increase the session length when using "Check Point Capsule VPN" from Microsoft Windows Store?
At the moment the connection drops after 8 hours.

Best regards,
morris

0 Kudos
Timothy_Hall
Champion
Champion

Pretty sure it is these three settings, they are linked so if you change one of them it automatically changes the other two:

 

timeout1.jpgtimeout3.jpgtimeout2.jpg

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
gilad-mn
Explorer

Dear IT and security guy , after you changed the minutes in Global Properties => remote Access => Endpoint Security VPN or End point Connect

please shutdown client on the computer that using remote access and turn it on again .

its impotent to make it active.

 

i am using Gaia 80.10

 

0 Kudos
gilad-mn
Explorer

Dear IT and Security Guys

for make sure the time expire will increase , you have to turn off (shutdown) the client end point connect

and turn on , on the workstation.

 

i am using gaia R80.10

0 Kudos
_Val_
Admin
Admin

Is there a reason to post twice?

0 Kudos
Thomas_Eichelbu
Advisor

Hello Guys,

has anybody achived this to get it working? to set a specific duration without getting asked for re-authentication?
there are so many parameters to try here ...

i have exactly the opposite usecase, the customer wants to limit the time the user can stay connected with Client VPN!
the re-authentication timeout in SmartConsole only triggers a pop-up to reauthenticate ... of course the user enters a password.

did anybody made it working with this setting?

neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)

i also saw, when a user has set specific timeslot for allowing a VPN connection, this settins only prevent NEW connections after the timeslot has expired, but running connection doesnt time out ... ;-(

how can you kick out a remote user when the time is up?
automatically not manually of course ... 

i fear this is only possible with some scripting to collectt all expired time objects from the rulebase, search for the users which are using this affecting rules and kick them from Clienbt VPN ...
please keep in mind every user has different time objects, i cannot globaly say time is up at 05:00pm

this is also an awesome idea: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
to have different trac_client_1.ttm for different groups ... (employes / external)

 

best regards

 

 

0 Kudos
Thomas_Eichelbu
Advisor

Hello again, 

has anybody tried this options?


)
:neo_implicit_disconnect (
:gateway (endpoint_vpn_implicit_disconnect
:default (client_decide)
)
)
:neo_implicit_disconnect_timeout (
:gateway (endpoint_vpn_implicit_disconnect_timeout
:default (client_decide

would be interessting to know how the work in real world

0 Kudos
Chris_Butler
Collaborator

In my environment, there are two places where the SNX Timeout is defined, and they are not linked..

Our environment is still using the Legacy Mobile Access Policy for managing the Mobile Access, so perhaps that is why these two settings do not agree, but our timeout is the intended 12 hours:

 

GlobalSettingsSNXTimeout_R80_40.JPG

SmartDashboard_MobileAccessSNXTimeout_R80_40.JPG

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events