02-24-2018 03:06 AM - edited 05-17-2021 02:13 PM
Hi communit
So far it isn't possible to limit the concurrent GlobalProtect connections per user directly in PAN-OS. There is a feature request #4603 for which you can vote and wait/hope that this will be implemented.
If you need a solution (workaround) right now, once more the PAN-OS API is your friend. Because we (like probably some or a lot og admins here) had the problem, that we had users, specially from external suppliers, who shared their accounts and so they logged in multiple times. So I wrote this little powershell script. The script needs to be configured as scheduled task to run every minute for example. Every time the script runs it checks the connected Global Protect users and then kicks out users that are logged in multiple times. If you want, you can also specify the number of allowed concurrent logins per user with the variable $maxlogins. This way you're able to kick out users that are logged in more than 3 times for example.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
$apikey = "INSERT_API_KEY_HERE"
$firewall = "FIREWALL_HOSTNAME_OR_IP"
$gpgateway = "GLOBAL_PROTECT_GATEWAY_NAME"
$maxlogins = 1
Function callApiOp ($firewall, $param) {
$request = New-Object System.Net.WebClient
$apiurl = "https://" + $firewall + "/api/?key=" + $apikey + "&type=op&cmd=" + $param
return [xml]$request.DownloadString($apiurl)
}
$param = "<show><global-protect-gateway><current-user><gateway>" + $gpgateway + "</gateway></current-user></global-protect-gateway></show>"
$logins = callApiOp $firewall $param
$logins = $logins.response.result.entry | sort 'login-time-utc'
$loginevents = @{}
foreach ($event in $logins) {
$username = $event.username
if ($loginevents.ContainsKey($username)) {
$loginevents.($username) = $loginevents.($username) + 1
}
else {
$loginevents.Add($username,1)
}
}
foreach ($user in $loginevents.GetEnumerator()) {
$forcelogout = $logins | Where-Object {$_.username -eq $user.key}
$userstologout = $user.Value - $maxlogins
for ($i=0;$i -lt $userstologout; $i++) {
if ($forcelogout.count -eq $null) {
$domain = $forcelogout.domain
$computer = $forcelogout.computer
$username = $forcelogout.username
}
else {
$domain = $forcelogout[$i].domain
$computer = $forcelogout[$i].computer
$username = $forcelogout[$i].username
}
$logoutparam = "<request><global-protect-gateway><client-logout><gateway>" + $gpgateway + "-N</gateway><reason>force-logout</reason><user>" + $username + "</user><computer>" + $computer + "</computer>"
if ($domain -ne "") {
$logoutparam += "<domain>" + $domain + "</domain>"
}
$logoutparam += "</client-logout></global-protect-gateway></request>"
$status = callApiOp $firewall $logoutparam
if ($status.response.result.response.status -eq "success") {
write-host "Logged out user $username from computer $computer"
}
else {
$msg = "Could not logout " + $username + " from computer " + $computer + " because of the following error: " + $status.response.result.response.error
Write-Host $msg
}
}
}
Maybe this helps at least some of you, or at least gives another idea for the almost countless use cases of the PAN-OS API.
Feedback is appreciated 😉
Regards,
Remo
11-22-2018 04:26 PM
Nice!
I can see the user and computer names now.
It doesn't seem to disconnect them tho, but at least I can now know who has multiple sessions and disconnect them manually.
Thanks again!
11-22-2018 04:29 PM
What PAN-OS Version do you use?
11-22-2018 04:44 PM
I'll check that again ... I think thats a task you don't want to do manually 😛
11-22-2018 04:51 PM
Absolutely!
It's the hard knock life for us, sysadmins!
Thanks again!
11-22-2018 05:28 PM
How to run this script when?
11-22-2018 06:12 PM
11-22-2018 06:16 PM
Sorry to confuse I mean how to deploy the script I should deploy script on the client as install agent GP?
11-22-2018 07:01 PM
As @Remo mentioned, you should run it on any server or machine that has access to the API of the firewall where you have configured Global Protect.
A few considerations before you can run the script:
https://HOSTNAME/api/?type=keygen&user=USERNAME&password=PASSWORD
If everything goes as planned you should get a response like this:
<response status="success"> <result> <key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key> </result> </response>
This will be the value of the $apikey variable on the script.
2.- You might need to change the powershell execution policy on your client machine. In my case it was set to "Restricted" which is the default.
To find out what is your current execution policy run the following command:
Get-ExecutionPolicy
To change it, run:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
This will change the execution policy for the curent user on the client machine and will allow you to run the script.
Good luck!
04-15-2020 12:30 AM
The script works ver well. How can I exclude some usernames from logging out?
04-30-2020 06:39 PM
which API area i can implement this code ?
API> Operational Commands> set> global-protect
06-01-2020 07:03 PM
Will this work for a single portal that has multiple gateways? We have an Always-On configuration where if a client disconnects from one gateway and doesn't connect back to that gateway, we end up having duplicates. If this is the solution to that problem...OMG!!
06-08-2020 04:17 PM
Hi, the script works in 2 appiances and in one does not. just print in a screen the users with multiple logging but does not take the action of disconect that users.
the diference between the working devices and the one that does not work is that the last one is managed by panorama and hace 3 Vsys. Any suggetions?
06-09-2020 02:16 PM
You made sure that there isn't a type right? Are the same PAN-OS versions installed on the firewall? And you connect to the firewall and not the panorama?
Because it actually does not matter if there is one or more vsys on the firewall. Also if it is managed by panorama or not doesn't matter.
07-15-2020 02:46 AM
I am able to successfully execute the script and detect / remove duplicate users. However when we are running in production environment, PA-5220 based setup with ~10K active VPN users, its taking 45+ minutes to complete. Which feels odd to me and defeats the purpose. Has any one experience similar issue & suggest ways to improvise?
Script is running from a dedicated machine, a VM. I will increasing the resource of VM to check if it improves.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
