Unable to delete users sessions on the firewalls (using Panorama API or FW cli) that managed by Panorama when the client=Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to delete users sessions on the firewalls (using Panorama API or FW cli) that managed by Panorama when the client=Panorama

L1 Bithead

Hi Everyone,
We have a problem when we try to close/delete user session on the firewalls managed by Panorama
We have multiple FWs under Panorama

Issue:
Unable to close Admin (or any user) session (i.e. delete) as Panorama client on the managed Firewalls.
The same status using Panorama API, for example:
https://<Panorama_IP>/api/?type=op&cmd=<delete><admin-sessions><username>User_Name</username></admin-sessions></delete>&target=<FW_SerialNumber>
or
Using FW cli (direct cmd)
The operation succeeds according to response message but Panorama session as client with user name on the FWs are not deleted as expected.
for example we got the following message:

<response status="success">
    <result>User1 administrative session deleted</result>
</response>

But the session is not being deleted at all, the same behavior using the FW directly via CLI 

Platforms:
Panorama (VM, v10.1.0)

Managed FWs:
VM-(v10.0.0)
VM-(cluster1, v10.1.0)
VM-(cluster1, v10.1.0)

VM-(cluster2, v10.0.0)
VM-(clsuter2, v10.0.0)

Is there anyone who can help in this matter?

Thanks

9 REPLIES 9

L6 Presenter

Hi,

I have same issue and on dashboard I see huge list of sessions from same user related to Panorama.

I can only restart management-server to clear them but I need another solution.

 

Regards

L5 Sessionator

Hi @NirI, if you get a message that the CLI or API command succeeded, but the operation didn't actually work, that is something TAC needs to investigate. Please raise a ticket via your usual method (direct with Palo Alto Networks, or via your reseller if applicable).

Hi @panos, same as above regarding the CLI/API command not working. But if your query is more around expiring the stale administrator sessions in general, consider using the "Idle Timeout" feature found under the "Authentication Settings" in "Device > Setup > Management" and/or "Panorama > Setup > Management". Ref: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-setup-manageme...

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi,

 

idle timeout unfortunately does not clear these sessions.Already tried that.

 

Regards

Hi @panos, it should do, maybe there is something stopping the idle timeout being reached. Again, that sounds like something not working as expected so the best way to proceed is to get Support/TAC to assist you.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Thanks Jimmy, 
Is it possible to let someone to do small check internally and get confirmation about the issue ?

Br,

If you can give me the exact details of what you want checking, I will see what is feasible

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Yes please, the scenario as follows,
To check if the following API is working or not, i mean if the session is closed in actual, even if the response is success:

<response status="success">
    <result>User1 administrative session deleted</result>
</response>

in our VM machines(Panorama and FWs) it's not working, success but the session is not deleted at all:
The User_Name should be used by Panorama as console on the target firewall, i.e. in target firewall: Dashboard > Logged in Admin window 
Admin=User_Name and Client=Panorama, it's kind of opened session by Panorama itself on the managed FW by User_Name


https://<Panorama_IP>/api/?type=op&cmd=<delete><admin-sessions><username>User_Name</username></admin-sessions></delete>&target=<FW_SerialNumber>

Thank you!

Hi @NirI, I used this in Postman:

https://{{host}}/api/?key={{key}}&type=op&cmd=<delete><admin-sessions><username>{{admin-username}}</username></admin-sessions></delete>&target={{ngfw-serial-number}}

 

It deleted the direct SSH and web GUI sessions for {{admin-username}} on {{ngfw-serial-number}} (SSH session shown in screenshot):

Screenshot 2021-10-02 at 12.16.29.png

The Panorama context-switch session (which is what you're describing when you see admin={{admin-username}}, from=console, client=Panorama in the sessions list on the firewall) was also cleared, and I got this in the browser when I refreshed the screen of the context-switched sessions, showing my context-switched session to the firewall was now invalid, and I only had the option to switch back to Panorama:

Screenshot 2021-10-02 at 12.29.06.png

All my testing was done with 10.1.2. on Panorama and firewall. 

Hope that helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

@NirI - wondering if this was fixed for you in v10.1.2 or above by any chance?

@JimmyHolland - thanks for the example - very easy to walk through that one.

 

For me, I'm using Panorama v10.0.8-h8 and a VM-300 v10.0.5 and experiencing the same issues @NirI was last year. There was also an upgrade done on Panorama either late December or early January also, so I'm a bit confused as to why the idle sessions are still in place prior to the upgrade.

 

Also, I've tried just putting in random non-existing usernames into the command line or API, and found that the command seems to accept and work, however no actual user exists. e.g.

 

admin@NGFW> delete admin-sessions username this-user-does-not-exist

this-user-does-not-exist administrative session deleted

 

admin@NGFW>

 

I've got a TAC case open where I think the TAC engineer has advised he is checking with his internal colleagues. Wondering if anyone in the community has also seen this kind of behaviour/behavior?

  • 8801 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!