https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-allow-a-single-user-logon-for-each-session-via/ta-p/549221 <P><SPAN>This Nominated Discussion Article is based on the post "</SPAN><STRONG><A href="https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548782" target="_blank" rel="noopener">Allow a single user logon for each session via GUI/SSH</A></STRONG><SPAN>" by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300749">@Kevin_Ncs</a>&nbsp;</SPAN><SPAN> and responded to by</SPAN><SPAN>&nbsp;</SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp; and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> .<SPAN> Read on to see the discussion and solution</SPAN></P> <P>&nbsp;</P> <DIV class="lia-message-template-content-zone"> <BLOCKQUOTE> <P>I want to check when each admin account logs into its own session via GUI and SSH.<BR />If either one login to a 2nd session then it will be denied.</P> <P>&nbsp;</P> <P>Is it achievable? I can't find any article from Palo Alto regards to this.</P> </BLOCKQUOTE> <P>&nbsp;</P> <P>By default, admins are allowed to log in multiple times. If you're worried they have too many 'sleeping' sessions open you can limit their idle timeout in "device &gt; setup &gt; management &gt; authentication settings"</P> <P>&nbsp;</P> <P>Referring to this article it is absolutely feasible:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEhWCAU&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEhWCAU&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> <DIV id="tinyMceEditorkiwi_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorkiwi_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="rtaImage.jpeg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51553i084C8F6927393187/image-size/medium?v=v2&amp;px=400" role="button" title="rtaImage.jpeg" alt="rtaImage.jpeg" /></span></P> <P>&nbsp;</P> <P><STRONG>&nbsp;CLI:</STRONG></P> <LI-CODE lang="markup">admin@FW# set deviceconfig setting management admin-session max-session-count &lt;value&gt; &lt;0-4&gt; Set the maximum number of sessions administrators are allowed</LI-CODE> <P>&nbsp;</P> <P>However I'd really caution thinking through setting this value to 1.</P> <P>&nbsp;</P> <P>Admin sessions are tracked whenever they access the GUI/CLI/API; so say that you have an admin who is making a change in the GUI and loses access to the device due to the change, if restricted to a single session they've now effectively locked out of the device. You'll need to wait for the established session to be removed prior to being allowed access via another session.</P> <P>&nbsp;</P> </DIV> Fri, 14 Jul 2023 01:12:09 GMT kiwi 2023-07-14T01:12:09Z https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-allow-a-single-user-logon-for-each-session-via/ta-p/549221 <P><SPAN>This Nominated Discussion Article is based on the post "</SPAN><STRONG><A href="https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548782" target="_blank" rel="noopener">Allow a single user logon for each session via GUI/SSH</A></STRONG><SPAN>".</SPAN></P> Fri, 14 Jul 2023 01:12:09 GMT https://live.paloaltonetworks.com/t5/general-articles/tips-amp-tricks-allow-a-single-user-logon-for-each-session-via/ta-p/549221 kiwi 2023-07-14T01:12:09Z