https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447773#M2147 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a> ,</P><P>&nbsp;</P><P>I don't think the firewall records the peak users, but you can check current or previous -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC</A>.&nbsp; Previous should show the "peak" from a unique username count.&nbsp; I would hope that an NMS could graph GP users via SNMP.</P><P>&nbsp;</P><P>The maximum GP users is a hardware limit.&nbsp; If it is exceeded the gateway will refuse the connection.&nbsp; See the picture in this thread -&gt; <A href="https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/td-p/310408" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/td-p/310408</A>.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Mon, 15 Nov 2021 23:37:12 GMT TomYoung 2021-11-15T23:37:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447729#M2146 <P>How can you view the peak number of global protect licenses are being consumed</P><P>on a PAN? And when those licenses are consumed, what is the behavior of the GP</P><P>clients that connect beyond the limit? For example the 3220 allows for 1024 GP</P><P>connections simultaneously from what I understand. What happens to the 1025th</P><P>GP client that attempts to connect? TY</P> Mon, 15 Nov 2021 19:24:46 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447729#M2146 MichaelMedwid 2021-11-15T19:24:46Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447773#M2147 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a> ,</P><P>&nbsp;</P><P>I don't think the firewall records the peak users, but you can check current or previous -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC</A>.&nbsp; Previous should show the "peak" from a unique username count.&nbsp; I would hope that an NMS could graph GP users via SNMP.</P><P>&nbsp;</P><P>The maximum GP users is a hardware limit.&nbsp; If it is exceeded the gateway will refuse the connection.&nbsp; See the picture in this thread -&gt; <A href="https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/td-p/310408" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/td-p/310408</A>.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tom</P> Mon, 15 Nov 2021 23:37:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447773#M2147 TomYoung 2021-11-15T23:37:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447785#M2148 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a>&nbsp;<BR /><BR /></P><P>I presumed that the 1025th session would be dropped due to the hardware limitation.<BR />Here are the SNMP OIDs that you can draw SNMP graphs for the GlobalProtect sessions, and you may set up a threshold alert when it reaches a specific value like 800 sessions.</P><P>&nbsp;</P><DIV><TABLE border="1" cellspacing="0" cellpadding="0"><TBODY><TR><TD><P>GlobalProtect gateway % utilization</P></TD><TD><P>panGPGWUtilizationPct.0</P></TD><TD><P>1.3.6.1.4.1.25461.2.1.2.5.1.1</P></TD><TD><P>PAN-COMMON-MIB</P></TD></TR><TR><TD><P>GlobalProtect gateway max tunnels</P></TD><TD><P>panGPGWUtilizationMaxTunnels.0</P></TD><TD><P>1.3.6.1.4.1.25461.2.1.2.5.1.2</P></TD><TD><P>PAN-COMMON-MIB</P></TD></TR><TR><TD><P>GlobalProtect gateway active tunnels</P></TD><TD><P>panGPGWUtilizationActiveTunnels.0</P></TD><TD><P>1.3.6.1.4.1.25461.2.1.2.5.1.3</P></TD><TD><P>PAN-COMMON-MIB</P></TD></TR></TBODY></TABLE></DIV><P>&nbsp;</P><P>You can simply test with a snmpwalk query for the active GP connections.<BR />snmpwalk -v3 -l authPriv -u SNMPUser -a SHA -A "Auth_Password" -x AES -X "Priv_Password" 192.168.1.1 .1.3.6.1.4.1.25461.2.1.2.5.1.3</P><P>&nbsp;</P><P>FYI, for the SNMP setup<BR />Device -&gt; Setup -&gt; Operations -&gt; Miscellaneous -&gt; SNMP Setup</P><P>&nbsp;</P><P>Thanks,</P> Tue, 16 Nov 2021 00:34:29 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-license-usage-and-behavior-on-running-out/m-p/447785#M2148 AnalysisMan 2021-11-16T00:34:29Z