This Nominated Discussion Article is based on the post "Allow a single user logon for each session via GUI/SSH" by @Kevin_Ncs and responded to by @reaper and @BPry. Read on to see the discussion and solution.
I want to check when each admin account logs into its own session via GUI and SSH.
If either one logs in to a 2nd session, it will be denied.
Is it achievable? I can't find any article from Palo Alto regarding this.
By default, admins are allowed to log in multiple times. If you're worried they have too many 'sleeping' sessions open, you can limit their idle timeout in "Device > Setup > Management > Authentication Settings".
Referring to this article, it is absolutely feasible:
CLI:
admin@FW# set deviceconfig setting management admin-session max-session-count
<value> <0-4> Set the maximum number of sessions administrators are allowed
However, I'd really caution you to think through setting this value to 1.
Admin sessions are tracked whenever they access the GUI/CLI/API; so say that you have an admin who is making a change in the GUI and loses access to the device due to the change. If restricted to a single session, they're now effectively locked out of the device. You'll need to wait for the established session to be removed prior to being allowed access via another session.
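The following configuration session is an added example and is not part of the original post or of Palo Alto Networks documentation. It combines the two settings discussed above: the session cap from the CLI snippet (set to 2 rather than 1, so one orphaned session does not lock the administrator out) and a shorter idle timeout so a stale session frees its slot sooner. The `max-session-count` command is the one quoted in the post; the `idle-timeout` command path, the `show admins` and `delete admin-sessions` operational commands, the hostname `FW`, the user `admin`, and the values 2 and 10 are assumptions made for this example and should be checked against the CLI's tab completion on your PAN-OS version.

```console
admin@FW> configure
Entering configuration mode
[edit]

# Setting quoted in the post. 1 is the value the discussion warns about;
# 2 keeps a second login available if the first session is orphaned.
admin@FW# set deviceconfig setting management admin-session max-session-count 2

# Assumed command path (same "management" branch): idle timeout in minutes,
# the CLI counterpart of Device > Setup > Management > Authentication Settings.
admin@FW# set deviceconfig setting management idle-timeout 10

admin@FW# commit
admin@FW# exit

# Assumed operational commands: list the admin sessions currently being
# counted, then clear an orphaned one rather than waiting for it to expire.
admin@FW> show admins
admin@FW> delete admin-sessions username admin
```

Before committing a cap of 1, confirm with `show admins` that no forgotten GUI or API session is already consuming the only slot, and keep console or out-of-band access available in case a change drops your own session.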