09-14-2021 04:24 AM - edited 09-14-2021 04:25 AM
Hi Everyone,
We have a problem when we try to close/delete a user session on the firewalls managed by Panorama.
We have multiple FWs under Panorama.
Issue:
Unable to close (i.e. delete) an Admin (or any user) session that has Panorama as its client on the managed firewalls.
The same status using the Panorama API, for example:
https://<Panorama_IP>/api/?type=op&cmd=<delete><admin-sessions><username>User_Name</username></admin-sessions></delete>&target=<FW_SerialNumber>
or
using the FW CLI (direct command).
The operation succeeds according to the response message, but the Panorama session (client Panorama, with the user name) on the FWs is not deleted as expected.
For example, we got the following message:
But the session is not being deleted at all; the same behavior using the FW directly via CLI.
Platforms:
Panorama (VM, v10.1.0)
Managed FWs:
VM-(v10.0.0)
VM-(cluster1, v10.1.0)
VM-(cluster1, v10.1.0)
VM-(cluster2, v10.0.0)
VM-(cluster2, v10.0.0)
Is there anyone who can help in this matter?
Thanks
09-14-2021 05:47 AM
Hi,
I have the same issue, and on the dashboard I see a huge list of sessions from the same user related to Panorama.
I can only restart the management-server to clear them, but I need another solution.
Regards
09-14-2021 06:32 AM
Hi @NirI, if you get a message that the CLI or API command succeeded, but the operation didn't actually work, that is something TAC needs to investigate. Please raise a ticket via your usual method (direct with Palo Alto Networks, or via your reseller if applicable).
Hi @panos, same as above regarding the CLI/API command not working. But if your query is more around expiring the stale administrator sessions in general, consider using the "Idle Timeout" feature found under the "Authentication Settings" in "Device > Setup > Management" and/or "Panorama > Setup > Management". Ref: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-setup-manageme...
09-14-2021 06:37 AM
Hi,
Idle timeout unfortunately does not clear these sessions. Already tried that.
Regards
09-14-2021 06:59 AM
Hi @panos, it should do, maybe there is something stopping the idle timeout being reached. Again, that sounds like something not working as expected so the best way to proceed is to get Support/TAC to assist you.
09-21-2021 10:29 AM
If you can give me the exact details of what you want checking, I will see what is feasible.
09-30-2021 05:14 AM
Yes please, the scenario is as follows:
To check whether the following API is working or not, I mean whether the session is actually closed, even if the response is success:
In our VM machines (Panorama and FWs) it's not working: success, but the session is not deleted at all:
The User_Name should be used by Panorama as console on the target firewall, i.e. in the target firewall: Dashboard > Logged in Admins window,
Admin=User_Name and Client=Panorama; it's a kind of session opened by Panorama itself on the managed FW as User_Name.
https://<Panorama_IP>/api/?type=op&cmd=<delete><admin-sessions><username>User_Name</username></admin-sessions></delete>&target=<FW_SerialNumber>
Thank you!
10-02-2021 04:35 AM
Hi @NirI, I used this in Postman:
https://{{host}}/api/?key={{key}}&type=op&cmd=<delete><admin-sessions><username>{{admin-username}}</username></admin-sessions></delete>&target={{ngfw-serial-number}}
It deleted the direct SSH and web GUI sessions for {{admin-username}} on {{ngfw-serial-number}} (SSH session shown in screenshot):
The Panorama context-switch session (which is what you're describing when you see admin={{admin-username}}, from=console, client=Panorama in the sessions list on the firewall) was also cleared, and I got this in the browser when I refreshed the screen of the context-switched sessions, showing my context-switched session to the firewall was now invalid, and I only had the option to switch back to Panorama:
All my testing was done with 10.1.2 on Panorama and firewall.
Hope that helps.
01-18-2022 05:49 PM
@NirI - wondering if this was fixed for you in v10.1.2 or above by any chance?
@JimmyHolland - thanks for the example - very easy to walk through that one.
For me, I'm using Panorama v10.0.8-h8 and a VM-300 v10.0.5 and experiencing the same issues @NirI was last year. There was also an upgrade done on Panorama in either late December or early January, so I'm a bit confused as to why the idle sessions that predate the upgrade are still in place.
Also, I've tried just putting random non-existent usernames into the command line or API, and found that the command seems to accept them and report success, even though no such user exists, e.g.:
admin@NGFW> delete admin-sessions username this-user-does-not-exist
this-user-does-not-exist administrative session deleted
admin@NGFW>
I've got a TAC case open where I think the TAC engineer has advised he is checking with his internal colleagues. Wondering if anyone in the community has also seen this kind of behaviour?
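Since the delete op reports success even for a username that has no session (as shown in the post above) and the Panorama-client session may survive it (as in the original post), the only reliable check is to list the admin sessions on the target firewall again afterwards. The script below is an added example, not code from this thread or from Palo Alto Networks. It builds the same `type=op` / `cmd` / `target` request as in @JimmyHolland's Postman test, but URL-encodes the XML and sends the key in the `X-PAN-KEY` header instead of the query string, then parses a `show admins` response to see whether the user is still present. The element names it reads from `show admins` (`entry`, `admin`, `from`, `client`) are an assumption about the response layout, and the two sample responses at the bottom are constructed for the offline demonstration; adjust the tags to what your firewall actually returns.

```python
"""Delete a PAN-OS admin session through the Panorama XML API and verify it is gone.

Added example, not code from the thread or from Palo Alto Networks. The API
parameters (type=op, cmd, target) and the X-PAN-KEY header are documented
PAN-OS features; the field names parsed from 'show admins' are an ASSUMPTION.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SHOW_ADMINS_CMD = "<show><admins></admins></show>"


def delete_session_cmd(username):
    """XML for the op command used in the thread; the username is escaped so an
    account name containing '<' or '&' cannot break the command structure."""
    return ("<delete><admin-sessions><username>%s</username>"
            "</admin-sessions></delete>" % escape(username))


def op_url(host, cmd_xml, target_serial=""):
    """Build an XML-API 'op' URL. The cmd XML is URL-encoded; pasting raw angle
    brackets into the URL (as in the thread) works in some clients but not all."""
    params = {"type": "op", "cmd": cmd_xml}
    if target_serial:
        params["target"] = target_serial  # Panorama proxies the op to this firewall
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))


def call_api(url, api_key, verify_tls=True):
    """Send the request with the key in the X-PAN-KEY header rather than as
    key=... in the query string, so it does not end up in proxy/web-server logs."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab boxes with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def api_status(response_xml):
    """Return the status attribute of <response> ('success' or 'error')."""
    return ET.fromstring(response_xml).get("status", "")


def active_sessions(show_admins_xml):
    """Parse a 'show admins' response into a list of dicts, one per <entry>.
    ASSUMED layout: <response><result><admins><entry><admin/><from/><client/>...</entry>"""
    root = ET.fromstring(show_admins_xml)
    return [{child.tag: (child.text or "").strip() for child in entry}
            for entry in root.iter("entry")]


def sessions_for(show_admins_xml, username):
    """Sessions still listed for one admin (the Panorama ones show client=Panorama)."""
    return [s for s in active_sessions(show_admins_xml) if s.get("admin") == username]


def delete_and_verify(host, api_key, username, target_serial, verify_tls=True):
    """Issue the delete, then re-list admins on the same target and report what
    is still there: 'success' from the delete alone proves nothing."""
    del_resp = call_api(op_url(host, delete_session_cmd(username), target_serial),
                        api_key, verify_tls)
    show_resp = call_api(op_url(host, SHOW_ADMINS_CMD, target_serial), api_key, verify_tls)
    leftover = sessions_for(show_resp, username)
    return {"delete_status": api_status(del_resp),
            "remaining": leftover,
            "really_deleted": not leftover}


# CONSTRUCTED sample responses modelled on the thread: the delete says 'success'
# while 'show admins' still lists a Panorama context-switch session for the user.
SAMPLE_DELETE_RESPONSE = ('<response status="success"><result>'
                          'User_Name administrative session deleted</result></response>')
SAMPLE_SHOW_ADMINS = """<response status="success"><result><admins>
  <entry><admin>admin</admin><from>10.0.0.5</from><client>Web</client><idle-for>00:00:12</idle-for></entry>
  <entry><admin>User_Name</admin><from>console</from><client>Panorama</client><idle-for>03:14:00</idle-for></entry>
</admins></result></response>"""

if __name__ == "__main__":
    # Offline demonstration of the verification logic on the constructed samples.
    print("delete status:", api_status(SAMPLE_DELETE_RESPONSE))
    print("still listed :", sessions_for(SAMPLE_SHOW_ADMINS, "User_Name"))
    # Against a real Panorama (hypothetical values):
    # print(delete_and_verify("panorama.example.net", API_KEY, "User_Name", "0123456789012"))
```

Run `delete_and_verify()` against a real Panorama and treat `really_deleted` as the outcome, not `delete_status`; if the Panorama-client session is still listed after the delete, you have the evidence TAC asked for in this thread.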