https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/597327#M118806 <P>We had max session count set to 3. FIPS standard is 4.&nbsp;<BR />We have 2 administrators and we constantly lock ourselves out of the PA when we are more actively engaged.&nbsp;<BR />Session Count default is 0(Unlimited) and Session Time default is 0 which translate to 30 days.</P> Mon, 09 Sep 2024 16:17:08 GMT J.Kim530884 2024-09-09T16:17:08Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548782#M112023 <P>hi All,</P> <P>&nbsp;</P> <P>I want to check when each admin account logs into its own session via GUI and SSH.<BR />If either one login to a 2nd session then it will be denied.</P> <P>&nbsp;</P> <P>Is it achievable? I can't find any article from Palo Alto regards to this.</P> Mon, 10 Jul 2023 14:53:40 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548782#M112023 Kevin_Ncs 2023-07-10T14:53:40Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548786#M112024 <P>No, admins are allowed to log in multiple times</P> <P>you can limit their idle timeout in "device &gt; setup &gt; management &gt; authentication settings" if you're worried they have too many 'sleeping' sessions open</P> Mon, 10 Jul 2023 15:14:09 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548786#M112024 reaper 2023-07-10T15:14:09Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548787#M112025 <P>Does this article works?</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEhWCAU&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEhWCAU&amp;lang=en_US%E2%80%A9</A></P> <P>&nbsp;</P> Mon, 10 Jul 2023 15:15:30 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548787#M112025 Kevin_Ncs 2023-07-10T15:15:30Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548923#M112040 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/300749">@Kevin_Ncs</a>,</P> <P>The option works perfectly fine, however I'd really caution thinking through setting this value to 1.</P> <P>&nbsp;</P> <P>Admin sessions are tracked whenever they access the GUI/CLI/API; so say that you have an admin who is making a change in the GUI and loses access to the device due to the change, if restricted to a single session they've now effectively locked out of the device. You'll be waiting for the established session to be removed prior to it allowing access via another session.</P> Tue, 11 Jul 2023 13:11:57 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/548923#M112040 BPry 2023-07-11T13:11:57Z https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/597327#M118806 <P>We had max session count set to 3. FIPS standard is 4.&nbsp;<BR />We have 2 administrators and we constantly lock ourselves out of the PA when we are more actively engaged.&nbsp;<BR />Session Count default is 0(Unlimited) and Session Time default is 0 which translate to 30 days.</P> Mon, 09 Sep 2024 16:17:08 GMT https://live.paloaltonetworks.com/t5/general-topics/allow-a-single-user-logon-for-each-session-via-gui-ssh/m-p/597327#M118806 J.Kim530884 2024-09-09T16:17:08Z