How to limit concurrent GlobalProtect connections per user

Hi communit

So far it isn't possible to limit the concurrent GlobalProtect connections per user directly in PAN-OS. There is a feature request #4603 for which you can vote and wait/hope that this will be implemented.

If you need a solution (workaround) right now, once more the PAN-OS API is your friend. Because we (like probably some or a lot og admins here) had the problem, that we had users, specially from external suppliers, who shared their accounts and so they logged in multiple times. So I wrote this little powershell script. The script needs to be configured as scheduled task to run every minute for example. Every time the script runs it checks the connected Global Protect users and then kicks out users that are logged in multiple times. If you want, you can also specify the number of allowed concurrent logins per user with the variable $maxlogins. This way you're able to kick out users that are logged in more than 3 times for example.

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

$apikey = "INSERT_API_KEY_HERE"
$firewall = "FIREWALL_HOSTNAME_OR_IP"
$gpgateway = "GLOBAL_PROTECT_GATEWAY_NAME"
$maxlogins = 1

Function callApiOp ($firewall, $param) {
    $request = New-Object System.Net.WebClient
    $apiurl = "https://" + $firewall + "/api/?key=" + $apikey + "&type=op&cmd=" + $param
    return [xml]$request.DownloadString($apiurl)
}

$param = "<show><global-protect-gateway><current-user><gateway>" + $gpgateway + "</gateway></current-user></global-protect-gateway></show>"
$logins = callApiOp $firewall $param
$logins = $logins.response.result.entry | sort 'login-time-utc'
$loginevents = @{}
foreach ($event in $logins) {
    $username = $event.username
    if ($loginevents.ContainsKey($username)) {
        $loginevents.($username) = $loginevents.($username) + 1

    }
    else {
        $loginevents.Add($username,1)
    }
}
foreach ($user in $loginevents.GetEnumerator()) {
    $forcelogout = $logins | Where-Object {$_.username -eq $user.key}
    $userstologout = $user.Value - $maxlogins
    for ($i=0;$i -lt $userstologout; $i++) {
        if ($forcelogout.count -eq $null) {
            $domain = $forcelogout.domain
            $computer = $forcelogout.computer
            $username = $forcelogout.username
        }
        else {
            $domain = $forcelogout[$i].domain
            $computer = $forcelogout[$i].computer
            $username = $forcelogout[$i].username
        }
        $logoutparam = "<request><global-protect-gateway><client-logout><gateway>" + $gpgateway + "-N</gateway><reason>force-logout</reason><user>" + $username + "</user><computer>" + $computer + "</computer>"
        if ($domain -ne "") {
            $logoutparam += "<domain>" + $domain + "</domain>"
        }
        $logoutparam += "</client-logout></global-protect-gateway></request>"

        $status = callApiOp $firewall $logoutparam
        if ($status.response.result.response.status -eq "success") {
            write-host "Logged out user $username from computer $computer"
        }
        else {
            $msg = "Could not logout " + $username + " from computer " + $computer + " because of the following error: " + $status.response.result.response.error
            Write-Host $msg
        }

    }
}

Maybe this helps at least some of you, or at least gives another idea for the almost countless use cases of the PAN-OS API.

Feedback is appreciated 😉

Regards,

Remo