Global Protect VPN Unique ID's and one user allowed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect VPN Unique ID's and one user allowed

L1 Bithead

Hello all,

 

I have a requirement for the following and short of any draconian methods, I'm hoping that the PA GP will be able to answer.  

These are PAN8.0.7 on 5520's in Active/Passive

 

I have a req to ensure that a user of GP is only allowed one GP session at a time.  No sharing sessions or passwords.  Options explored inlude a unique ldap group or unique tunnel to every user.  This will scale poorly and create a nigthmare for management.  Is there a better way?  I've seen one thread discussing a Feature Request #4603 but I dont see any public ledger for this  

Along with that, I'm looking for a way to generate a unique user ID per vpn session.  I see there are timestamps for logins but these are granular to HHMMSS. I've chekced with PA TAC that they cannot be modified to display miliseconds, so using this as a unique ID is a hard sell, so I'd like to see a proper implementation.

 

I'm totally ready ti move to 8.1.0 when available, perhaps this release has the capabilities if not already there?

1 accepted solution

Accepted Solutions

Hi @Solomonsands

 

As far as I know there is no knowledgebase article for this. This is a workaround I created by myself and also used on our GP gateways, because we also did not want to have the same users logged in more than once.

Anyway what I did is writing this powershell script. This script can then run every 10s, 30, 60s or whatever you chose. Every time the script runs, it checks the logged in users and if a user is logged in more than once only the current session remains and the other GP sessions will be terminated.

As I said ... ugly ... but for me it was sufficient, maybe also for you ...

 

Edit: I deleted the script here because I created a ned topic specially for this: https://live.paloaltonetworks.com/t5/General-Topics/How-to-limit-concurrent-GlobalProtect-connection...

View solution in original post

4 REPLIES 4

L7 Applicator

Hi @Solomonsands

 

So far this is still not possible. You can vote for the FR, but at the moment thats all - unfortunately.

There is an (ugly) workaround with kicking out users that are logged in more than once, but thats not what what you're searching for.

 

Regards,

Remo

Your suggested solution would be satisfactory, actually. Is There a knowledge base or article available to aid me in configuring this?

@Remo

Hi @Solomonsands

 

As far as I know there is no knowledgebase article for this. This is a workaround I created by myself and also used on our GP gateways, because we also did not want to have the same users logged in more than once.

Anyway what I did is writing this powershell script. This script can then run every 10s, 30, 60s or whatever you chose. Every time the script runs, it checks the logged in users and if a user is logged in more than once only the current session remains and the other GP sessions will be terminated.

As I said ... ugly ... but for me it was sufficient, maybe also for you ...

 

Edit: I deleted the script here because I created a ned topic specially for this: https://live.paloaltonetworks.com/t5/General-Topics/How-to-limit-concurrent-GlobalProtect-connection...

Got it. Makes sense to just use the API instead. I can't use MS systems in my environment so this will have to be re written for bash or python. Thank for the perspective
  • 1 accepted solution
  • 3380 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!