topic Is it possible to allow only one connection per user-ID in the Palo Alto firewall? in General Topics

Is it possible to allow only one connection per user-ID in the Palo Alto firewall?

HilineISP_Tech — Tue, 11 Apr 2023 05:55:39 GMT

Basically, it is a state in which multiple users can be connected when User-ID is created.
How can I make this so that only one person can access a single User-ID?
You cannot build additional servers like LDAP, SAML, Kerberos, etc...

Re: Is it possible to allow only one connection per user-ID in the Palo Alto firewall?

ABBASALI.S — Tue, 11 Apr 2023 09:57:22 GMT

You can create by creating a username and password and ensure that has a unique name so that it doesn't conflict. and enable user-id and this will allow the firewall to identify users and their ip address ,map the usernames with ip addresses in User Agent-ID.set or create the access policies like what are the actions that need to be allowed to that particular user.

note:the main thing is that the user should rely on keeping the credentials secure by not sharing to anybody.

Re: Is it possible to allow only one connection per user-ID in the Palo Alto firewall?

BPry — Tue, 11 Apr 2023 12:43:19 GMT

@HilineISP_Tech,

The easiest path to accomplish this is to enforce GlobalProtect from client machines on the network and then use a script to ensure that each user-id is only ever associated once. There's a script example that @Remo shared years ago HERE that uses the API to ensure only a single mapping.

The problem that you'll run into if you don't use an enforced GlobalProtect connection is that there's certain situations where we'd expect to see someone map to multiple IPs. Keeping in mind that user-id isn't a User->IP mapping but rather an IP->User mapping, if you have an environment where someone would get a different IP address when they move around the building(s) having the user associated temporarily with multiple IPs wouldn't be unexpected.

Re: Is it possible to allow only one connection per user-ID in the Palo Alto firewall?

HilineISP_Tech — Wed, 12 Apr 2023 01:10:34 GMT

It was the answer I was looking for.
Thanks so much for the link to the example😀

Re: Is it possible to allow only one connection per user-ID in the Palo Alto firewall?

enginy — Thu, 29 Aug 2024 18:10:59 GMT

I know that this is an old post but I would like to share an update for anyone looking for a solution.

In order to achieve that I created a external & standalone program to limit concurrent GlobalProtect sessions/connections per unique user. It can be accessed here: https://github.com/enginy88/PAN-GPLimiter

This topic also discussed here: https://live.paloaltonetworks.com/t5/general-topics/pan-gplimiter-limit-concurrent-globalprotect-sessions/td-p/596293

Hope this helps!