02-23-2018 03:17 PM
Hello all,
I have a requirement for the following and short of any draconian methods, I'm hoping that the PA GP will be able to answer.
These are PAN8.0.7 on 5520's in Active/Passive
I have a req to ensure that a user of GP is only allowed one GP session at a time. No sharing sessions or passwords. Options explored include a unique ldap group or unique tunnel to every user. This will scale poorly and create a nightmare for management. Is there a better way? I've seen one thread discussing a Feature Request #4603 but I don't see any public ledger for this.
Along with that, I'm looking for a way to generate a unique user ID per vpn session. I see there are timestamps for logins but these are granular to HHMMSS. I've checked with PA TAC that they cannot be modified to display milliseconds, so using this as a unique ID is a hard sell, so I'd like to see a proper implementation.
I'm totally ready to move to 8.1.0 when available, perhaps this release has the capabilities if not already there?
02-23-2018 04:23 PM - edited 02-24-2018 03:10 AM
As far as I know there is no knowledgebase article for this. This is a workaround I created by myself and also used on our GP gateways, because we also did not want to have the same users logged in more than once.
Anyway, what I did was write this PowerShell script. This script can then run every 10s, 30s, 60s or whatever you choose. Every time the script runs, it checks the logged in users and if a user is logged in more than once only the current session remains and the other GP sessions will be terminated.
As I said ... ugly ... but for me it was sufficient, maybe also for you ...
Edit: I deleted the script here because I created a new topic specially for this: https://live.paloaltonetworks.com/t5/General-Topics/How-to-limit-concurrent-GlobalProtect-connection...
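The selection step of the workaround described in the reply above, as an added example that is not the poster's deleted script: it only decides which sessions would be kept or terminated and makes no calls to the firewall. The session records are constructed, and the function name `Get-GpDuplicateSession` and the field names (`User`, `Computer`, `LoginTime`) are assumptions; sessions that share the newest login second are flagged for review rather than terminated, because login times are only granular to HHMMSS.

```powershell
# Constructed sample sessions. The field names are assumptions for this example,
# not the firewall's output schema.
$sessions = @(
    [pscustomobject]@{ User = 'alice'; Computer = 'LT-0142'; LoginTime = [datetime]'2018-02-23 15:01:12' }
    [pscustomobject]@{ User = 'alice'; Computer = 'PC-0007'; LoginTime = [datetime]'2018-02-23 15:09:40' }
    [pscustomobject]@{ User = 'bob';   Computer = 'LT-0200'; LoginTime = [datetime]'2018-02-23 15:03:05' }
    [pscustomobject]@{ User = 'carol'; Computer = 'LT-0311'; LoginTime = [datetime]'2018-02-23 15:10:02' }
    [pscustomobject]@{ User = 'carol'; Computer = 'PC-0419'; LoginTime = [datetime]'2018-02-23 15:10:02' }
)

function Get-GpDuplicateSession {
    # Hypothetical helper: returns one row per session of every user who is
    # logged in more than once, with the action a cleanup job would take.
    param(
        [Parameter(Mandatory)] [object[]] $Session
    )

    # Group-Object compares strings case-insensitively by default,
    # so 'Alice' and 'alice' count as the same user.
    foreach ($group in ($Session | Group-Object -Property User)) {
        if ($group.Count -lt 2) { continue }   # single session: nothing to do

        $ordered    = @($group.Group | Sort-Object -Property LoginTime -Descending)
        $newestTime = $ordered[0].LoginTime
        $newest     = @($ordered | Where-Object { $_.LoginTime -eq $newestTime })

        foreach ($s in $ordered) {
            if ($s.LoginTime -lt $newestTime) { $action = 'Terminate' }   # older session
            elseif ($newest.Count -gt 1)      { $action = 'Review' }      # same-second tie
            else                              { $action = 'Keep' }        # the current session

            [pscustomobject]@{
                User      = $s.User
                Computer  = $s.Computer
                LoginTime = $s.LoginTime
                Action    = $action
            }
        }
    }
}

# Log the decisions; a scheduled job would act only on the 'Terminate' rows.
Get-GpDuplicateSession -Session $sessions | Format-Table -AutoSize
```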
02-23-2018 03:39 PM
So far this is still not possible. You can vote for the FR, but at the moment that's all - unfortunately.
There is an (ugly) workaround with kicking out users that are logged in more than once, but that's not what you're searching for.
Regards,
Remo
02-23-2018 03:46 PM - edited 02-23-2018 04:04 PM
02-23-2018 04:40 PM