https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202096#M59658 <P>Hello all,</P><P>&nbsp;</P><P>I have a requirement for the following and short of any draconian methods, I'm hoping that the PA GP will be able to answer.&nbsp;&nbsp;</P><P>These are PAN8.0.7 on 5520's in Active/Passive</P><P>&nbsp;</P><P>I have a req to ensure that a user of GP is only allowed one GP session at a time.&nbsp; No sharing sessions or passwords.&nbsp; Options explored inlude a unique ldap group or unique tunnel to every user.&nbsp; This will scale poorly and create a nigthmare for management.&nbsp; Is there a better way?&nbsp; I've seen one thread discussing a Feature Request #4603 but I dont see any public ledger for this&nbsp;&nbsp;</P><P>Along with that, I'm looking for a way to generate a unique user ID per vpn session.&nbsp; I see there are timestamps for logins but these are granular to HHMMSS. I've chekced with PA TAC that they cannot be modified to display miliseconds, so using this as a unique ID is a hard sell, so I'd like to see a proper implementation.</P><P>&nbsp;</P><P>I'm totally ready ti move to 8.1.0 when available, perhaps this release has the capabilities if not already there?</P> Fri, 23 Feb 2018 23:17:39 GMT Solomonsands 2018-02-23T23:17:39Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202096#M59658 <P>Hello all,</P><P>&nbsp;</P><P>I have a requirement for the following and short of any draconian methods, I'm hoping that the PA GP will be able to answer.&nbsp;&nbsp;</P><P>These are PAN8.0.7 on 5520's in Active/Passive</P><P>&nbsp;</P><P>I have a req to ensure that a user of GP is only allowed one GP session at a time.&nbsp; No sharing sessions or passwords.&nbsp; Options explored inlude a unique ldap group or unique tunnel to every user.&nbsp; This will scale poorly and create a nigthmare for management.&nbsp; Is there a better way?&nbsp; I've seen one thread discussing a Feature Request #4603 but I dont see any public ledger for this&nbsp;&nbsp;</P><P>Along with that, I'm looking for a way to generate a unique user ID per vpn session.&nbsp; I see there are timestamps for logins but these are granular to HHMMSS. I've chekced with PA TAC that they cannot be modified to display miliseconds, so using this as a unique ID is a hard sell, so I'd like to see a proper implementation.</P><P>&nbsp;</P><P>I'm totally ready ti move to 8.1.0 when available, perhaps this release has the capabilities if not already there?</P> Fri, 23 Feb 2018 23:17:39 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202096#M59658 Solomonsands 2018-02-23T23:17:39Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202103#M59659 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83714">@Solomonsands</a></P><P>&nbsp;</P><P>So far this is still not possible. You can vote for the FR, but at the moment thats all - unfortunately.</P><P>There is an (ugly) workaround with kicking out users that are logged in more than once, but thats not what what you're searching for.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Fri, 23 Feb 2018 23:39:09 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202103#M59659 Remo 2018-02-23T23:39:09Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202104#M59660 Your suggested solution would be satisfactory, actually. Is There a knowledge base or article available to aid me in configuring this?<BR /><BR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a> Sat, 24 Feb 2018 00:04:03 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202104#M59660 Solomonsands 2018-02-24T00:04:03Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202105#M59661 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83714">@Solomonsands</a></P><P>&nbsp;</P><P>As far as I know there is no knowledgebase article for this. This is a workaround I created by myself and also used on our GP gateways, because we also did not want to have the same users logged in more than once.</P><P>Anyway what I did is writing this powershell script. This script can then run every 10s, 30, 60s or whatever you chose. Every time the script runs, it checks the logged in users and if a user is logged in more than once only the current session remains and the other GP sessions will be terminated.</P><P>As I said ... ugly ... but for me it was sufficient, maybe also for you ...</P><P>&nbsp;</P><P>Edit: I deleted the script here because I created a ned topic specially for this:&nbsp;<A href="https://live.paloaltonetworks.com/t5/General-Topics/How-to-limit-concurrent-GlobalProtect-connections-per-user/m-p/202128#M59665" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/How-to-limit-concurrent-GlobalProtect-connections-per-user/m-p/202128#M59665</A></P> Sat, 24 Feb 2018 11:10:04 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202105#M59661 Remo 2018-02-24T11:10:04Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202107#M59662 Got it. Makes sense to just use the API instead. I can't use MS systems in my environment so this will have to be re written for bash or python. Thank for the perspective Sat, 24 Feb 2018 00:40:56 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-unique-id-s-and-one-user-allowed/m-p/202107#M59662 Solomonsands 2018-02-24T00:40:56Z