Tips & Tricks: Allow a Single User Logon For Each Session Via GUI/SSH

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "Allow a single user logon for each session via GUI/SSH" by @Kevin_Ncs  and responded to by @reaper  and @BPry . Read on to see the discussion and solution

 

I want to check when each admin account logs into its own session via GUI and SSH.
If either one login to a 2nd session then it will be denied.

 

Is it achievable? I can't find any article from Palo Alto regards to this.

 

By default, admins are allowed to log in multiple times. If you're worried they have too many 'sleeping' sessions open you can limit their idle timeout in "device > setup > management > authentication settings"

 

Referring to this article it is absolutely feasible:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEhWCAU&lang=en_US%E2%80%A...

 

 
 

rtaImage.jpeg

 

 CLI:

admin@FW# set deviceconfig setting management admin-session max-session-count
  <value>  <0-4> Set the maximum number of sessions administrators are allowed

 

However I'd really caution thinking through setting this value to 1.

 

Admin sessions are tracked whenever they access the GUI/CLI/API; so say that you have an admin who is making a change in the GUI and loses access to the device due to the change, if restricted to a single session they've now effectively locked out of the device. You'll need to wait for the established session to be removed prior to being allowed access via another session.

 

Rate this article:
  • 2658 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎07-13-2023 06:12 PM
Updated by: