- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
We currently have our VPN users set to an 8 hour timeout. We have one supplier that needs this to be longer though. Is there any way to increase the length of time without doing it for all users?
Currently running E80.81 for the client and R77.30 on our gateways.
I must be reading his comment wrong. I see it saying I have an 8 hour max. He also says I can only change it in the gui or guidbedit.
The doc I posted says I can go to 1440 so I'll assume that is still the max.
So you are saying that my change below looks ok?
:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)
I think that this 8 hours is not a sort of timeout but concretely the Re-Authentication period.
In the Remote Access Clients for Windows 32/64-bit Administration Guide E80.72 and Higher we can learn that we can change the value in In Authentication Settings of Global Properties > Remote Access > Endpoint Connect
But this can be also change more specifically per Security Gateway or per client using the trac.defaults neo_user_re_auth_timeout variable.
Could you try changing this value and telling us if that answer to your needs?
If you want to do it per user group: Remote Access clients configuration based on group membership
That's exactly what I was looking for. Putting int he required paperwork now to test this next week. Will update with results.
Thanks
Will this work when the user belongs to multiple groups and is there anything I should be wary of regarding this.
The user currently is currently in 4 different user groups. These are used in 4 different VPN rules.
Was thinking of making a new group called ExtendedTimeout and making the ExtendedTimeout.ttf with a 24 hour timeout. Would I just add the user to this group along with the groups they already have? Does this new group need to be used in an access rule anywhere?
I don't believe the group has to be used in the rulebase, the group just needs to exist and users need to be members of it.
Went to make the change this morning but can't find how to properly change the value in the ttm file.
I assume that the section we want to change is the neo_user_re_auth_timeout
From this doc I found the max is 24 hours though. We wanted to change it something closer to a week for this one specific account.
This screenshot is from an older doc I found.
Do these values still hold true for max? And if I am able to change it to something else what is the proper syntax?
Currently running R77.30
Finding the docs confusing.
Would I change
:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (client_decide)
to
:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)
Really want 10080 instead of 1440.
Help please!!
In sk75221 Remote Access TTM Configuration relevant for the used version, we find that:
Attributes that were defined in the Security Management (SmartCenter) database schema cannot be changed in the TTM file. They can only be changed via SmartDashboard or via the GuiDBEdit tool. Examples: tunnel_idleness_ignored_tcp_ports, tunnel_idleness_timeout, location_awareness_dc_check, location_awareness_enabled etc. More information on these attributes can be found in the Admin Guide. Parameter tunnel_idleness_timeout is listed in sk42850 with a similar comment.
But i think i have found your 8 hours limit:
If you look at my message you see that there is a limit of up to 1440 minutes from what I'm seeing. That is 24 hours.
I was asking how to modify the ttm file correctly to use this value. Also the screenshot you showed is from the new version which is different from what I understand.
According to what I'm reading, this should be the correct approach (your modifications to trac_client_1.ttm).
Note while Guenther is showing a screenshot from R80.x, it's the same in R77.30 as well (just "looks" different).
I must be reading his comment wrong. I see it saying I have an 8 hour max. He also says I can only change it in the gui or guidbedit.
The doc I posted says I can go to 1440 so I'll assume that is still the max.
So you are saying that my change below looks ok?
:neo_user_re_auth_timeout (
:gateway (endpoint_vpn_user_re_auth_timeout
:default (1440)
All of those things are true.
Your change looks ok
The only document refering to neo_user_re_auth_timeout is R70 VPN Administration Guide, so i am really eager to know if this works !
I found the answer: endpoint_vpn_user_re_auth_timeout is refered to in sk62581 EndPoint Connect users required to re-authenticate every 480 minutes
Seems to have worked guys. I have made the changes and added myself to the group. VPN'd in and I have the 1440 timeout in my settings now.
Still need to leave things connected for a day and double test though.
Thanks
Hi @David_Won , how did you change it, via the ttm file or you follow the screenshot of @G_W_Albrecht? Thanks
Hi all,
I just add my question to this thread, because I think the topic is fitting.
How to increase the session length when using "Check Point Capsule VPN" from Microsoft Windows Store?
At the moment the connection drops after 8 hours.
Best regards,
morris
Pretty sure it is these three settings, they are linked so if you change one of them it automatically changes the other two:
Dear IT and security guy , after you changed the minutes in Global Properties => remote Access => Endpoint Security VPN or End point Connect
please shutdown client on the computer that using remote access and turn it on again .
its impotent to make it active.
i am using Gaia 80.10
Dear IT and Security Guys
for make sure the time expire will increase , you have to turn off (shutdown) the client end point connect
and turn on , on the workstation.
i am using gaia R80.10
Is there a reason to post twice?
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY