I was teaching a class and was asked a simple question:
Is there a max number of FW administrators that can be concurrently logged into the FW at the same time?
I have a large customer (a Managed Service Provider) with a large number of FWs, as well as an international team supporting the customers.
It is possible to have many admins logged into the box at the same time.
Do we have a reasonable number (25, 30, 50?) that reaches the max number, or can I go back and state that 25 or 50 admins could be logged in, but Palo Alto Networks does not recommend it?
There is currently no limit for admins to log in concurrently. However, you may experience a performance impact with more admins logged in. For example: if the host of admins start generating reports simultaneously, there could be some issues.
But there should not be any issues configuring multiple admins as this is not limited by the Software.
When managing the firewalls via Panorama (considering the larger scope of admins who are managing all these firewalls), the admins managing older versions of Panorama (5.0 and older) would experience bottlenecks when more than 5 users were logged in concurrently and managing the devices. With Panorama 5.1 and above, we support more than 20+ concurrently logged in admins managing the firewalls (config changes, reports, log queries, context switch all happening at once with no slowdown), and we have seen good results with 15 concurrently logged in users.
Hope that helps!
Technically, no problem for 25 or 50 admins in Palo at the same time. Just keep in mind:
- All admins have to use a different account, else performance will be very low.
- Does it make sense to have 50 admins for Palo? Generally the main part of the admins just want to have access to reports, so it should be better to schedule sending a custom report.
Well you can have 225 VSYS on the PA-5000 series so at least 226 concurrent admins should be possible (one per VSYS + at least one superadmin).
Sorry I am connecting to this thread so late, but I have faced the following problem and no other thread has a discussion of this issue. I was testing something in the configuration of LDAP auth profiles for admins and made several logins and logouts from the same client IP to the web interface. After 15 or 20 logins and logouts, I faced automatic logoff from the web interface after successful login. Some of them were unsuccessful due to misconfiguration in the auth profiles. Is that treated like some kind of BF attack? In the CLI everything goes fine, and with "show admins" I saw that I have about 20 active sessions even if I logged out from the web interface....
I would like for you to go back and test the number of users and logins.
Your comment about "After 15 or 20 log in's and out's, I have faced with automatic log off from web interface after successful login.....": I have seen this before (automatic logoff when you logged in...) and I see this as a bug in the 6.x version of the software. I have talked to PAN about this, but I do not think a bug tracker has been identified on this.