How to limit concurrent GlobalProtect connections per user

L3 Networker

How to run this script when? 


Sorry, I'm not sure what you mean.
L3 Networker

Hi @bernardo.hernandez

Sorry for the confusion. I mean how to deploy the script: should I deploy the script on the client, as with installing the GP agent?

As @vsys_remo mentioned, you should run it on any server or machine that has access to the API of the firewall where you have configured GlobalProtect.

A few considerations before you can run the script:

1. You are going to need your API key from the firewall. You can get it by replacing the HOSTNAME, USERNAME and PASSWORD fields with your particular information and then copy-pasting it into your browser like this:

https://HOSTNAME/api/?type=keygen&user=USERNAME&password=PASSWORD

If everything goes as planned you should get a response like this:

<response status="success">
<result>
<key>gJlQWE56987nBxIqyfa62sZeRtYuIo2BgzEA9UOnlZBhU</key>
</result>
</response>

This will be the value of the $apikey variable in the script.

2. You might need to change the PowerShell execution policy on your client machine. In my case it was set to "Restricted", which is the default.

To find out what is your current execution policy run the following command:

Get-ExecutionPolicy

To change it, run:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

This will change the execution policy for the current user on the client machine and will allow you to run the script.

Good luck!
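As an added example, not the script posted in this thread and not Palo Alto Networks code, here is a PowerShell version of the same idea that follows on from the two steps above: it uses the key from step 1, lists every active gateway session with one `show global-protect-gateway current-user` call, keeps the newest session per user and force-logs-out the rest, and honours an exclusion list so service accounts are never disconnected. The hostname, the API key placeholder, the exclusion list and the element names it expects in the current-user output (`username`, `domain`, `computer`, `gateway`, `login-time-utc`) are assumptions, not taken from this page; compare them with the XML your own firewall returns before running it without -DryRun. Two cautions on step 1: pasting the keygen URL into a browser leaves the admin username and password in browser history and in any proxy log along the way, and the key that comes back carries the same rights as that account, so store it like a password rather than hard-coding it in the script.

```powershell
<#
  Added example (not the script from this thread): keep the newest GlobalProtect
  session per user and force-logout the rest via the PAN-OS XML API.
  Assumptions (not on the page): hostname, API key, exclusion list, and the
  element names of the 'current-user' output.
#>
param(
    [string]   $Firewall     = 'fw.example.com',             # assumed hostname
    [string]   $ApiKey       = 'PASTE-KEY-FROM-TYPE-KEYGEN', # value from step 1
    [string[]] $ExcludeUsers = @('svc-monitor'),             # assumed: never disconnect
    [switch]   $DryRun                                       # report only, no logouts
)

$ErrorActionPreference = 'Stop'
$ApiUri = "https://$Firewall/api/"

function Invoke-PanOp {
    param([Parameter(Mandatory)][string]$Cmd)
    # PAN-OS 9.0+ accepts the key in the X-PAN-KEY header, which keeps it out of
    # URL and proxy logs; older releases need key=... in the query string instead.
    $xml = Invoke-RestMethod -Method Get -Uri $ApiUri `
               -Headers @{ 'X-PAN-KEY' = $ApiKey } `
               -Body    @{ type = 'op'; cmd = $Cmd }
    if ($xml.response.status -ne 'success') {
        throw "API error: $($xml.response.OuterXml)"
    }
    return $xml
}

function Get-GpSessions {
    # show global-protect-gateway current-user: one <entry> per session.
    $xml = Invoke-PanOp '<show><global-protect-gateway><current-user/></global-protect-gateway></show>'
    $entries = $xml.response.result.entry
    if (-not $entries) { return }
    foreach ($e in @($entries)) {
        $user = if ($e.domain) { "$($e.domain)\$($e.username)" } else { $e.username }
        [pscustomobject]@{
            User     = $user                       # grouping key (domain\username)
            Username = $e.username
            Computer = $e.computer
            Gateway  = $e.gateway
            LoginUtc = [int64]$e.'login-time-utc'  # epoch seconds; newest session wins
        }
    }
}

function Select-SurplusSessions {
    # Every session except the newest one per user; excluded users are skipped.
    param([object[]]$Sessions, [string[]]$Exclude)
    $Sessions |
        Where-Object { $Exclude -notcontains $_.Username } |
        Group-Object -Property User |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object -Property LoginUtc -Descending | Select-Object -Skip 1 }
}

function Disconnect-GpSession {
    # request global-protect-gateway client-logout gateway <gw> user <u>
    #         reason force-logout computer <c>, expressed as XML for type=op.
    param([Parameter(Mandatory)]$Session)
    $esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }
    $cmd = '<request><global-protect-gateway><client-logout>' +
           "<gateway>$(& $esc $Session.Gateway)</gateway>" +
           "<user>$(& $esc $Session.Username)</user>" +
           '<reason>force-logout</reason>' +
           "<computer>$(& $esc $Session.Computer)</computer>" +
           '</client-logout></global-protect-gateway></request>'
    [void](Invoke-PanOp -Cmd $cmd)
}

$sessions = @(Get-GpSessions)
$surplus  = @(Select-SurplusSessions -Sessions $sessions -Exclude $ExcludeUsers)
Write-Host ("{0} active sessions, {1} surplus" -f $sessions.Count, $surplus.Count)

foreach ($s in $surplus) {
    Write-Host ("logout {0} on {1} from {2} (login {3})" -f $s.User, $s.Gateway, $s.Computer, $s.LoginUtc)
    if (-not $DryRun) { Disconnect-GpSession -Session $s }
}
```

Run it with -DryRun first and compare its list with what `show global-protect-gateway current-user` prints in the CLI. It makes one current-user query and then one logout call per surplus session, so run time scales with the number of duplicates rather than with the number of connected users. Invoke-RestMethod will refuse a self-signed management certificate; install the firewall's certificate or its issuing CA in the trusted store rather than turning certificate validation off.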

L1 Bithead

The script works very well. How can I exclude some usernames from being logged out?

L0 Member

Which API area can I implement this code in?
API > Operational Commands > set > global-protect

L1 Bithead

Will this work for a single portal that has multiple gateways?  We have an Always-On configuration where if a client disconnects from one gateway and doesn't connect back to that gateway, we end up having duplicates.  If this is the solution to that problem...OMG!!

L0 Member

@vsys_remo 

Hi, the script works on 2 appliances and on one it does not. It just prints the users with multiple logins on screen but does not take the action of disconnecting those users.

The difference between the working devices and the one that does not work is that the last one is managed by Panorama and has 3 vsys. Any suggestions?

Cyber Elite

@miguelgzz 

You made sure that there isn't a typo, right? Are the same PAN-OS versions installed on the firewalls? And you connect to the firewall and not to Panorama?

Because it actually does not matter if there is one or more vsys on the firewall. Also, whether it is managed by Panorama or not doesn't matter.

L0 Member

I am able to successfully execute the script and detect / remove duplicate users. However, when we run it in the production environment, a PA-5220 based setup with ~10K active VPN users, it takes 45+ minutes to complete, which feels odd to me and defeats the purpose. Has anyone experienced a similar issue and can suggest ways to improve it?

The script is running from a dedicated machine, a VM. I will increase the resources of the VM to check if it improves.
