04-10-2023 10:55 PM
Basically, it is a state in which multiple users can be connected when User-ID is created.
How can I make this so that only one person can access a single User-ID?
You cannot build additional servers like LDAP, SAML, Kerberos, etc...
04-11-2023 05:43 AM
The easiest path to accomplish this is to enforce GlobalProtect from client machines on the network and then use a script to ensure that each user-id is only ever associated once. There's a script example that @Remo shared years ago HERE that uses the API to ensure only a single mapping.
The problem that you'll run into if you don't use an enforced GlobalProtect connection is that there are certain situations where we'd expect to see someone map to multiple IPs. Keeping in mind that user-id isn't a User->IP mapping but rather an IP->User mapping, if you have an environment where someone would get a different IP address when they move around the building(s), having the user associated temporarily with multiple IPs wouldn't be unexpected.
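The single-mapping cleanup described in the answer above, as an added example (this is not the script linked in the thread and not Palo Alto Networks code). It inverts a constructed IP->User table, keeps each user's most recent mapping (an assumed policy), and builds the User-ID XML API logout message for the rest; the sample data and function names are hypothetical and nothing is sent to a firewall.

```python
from collections import defaultdict
from xml.etree import ElementTree as ET

# Constructed sample of the firewall's IP->User table:
# (ip, user, seconds since the mapping was learned).
SAMPLE = [
    ("10.0.0.5", "corp\\alice", 40),
    ("10.0.1.9", "corp\\alice", 900),
    ("10.0.0.7", "corp\\bob", 15),
    ("10.0.2.3", "corp\\alice", 300),
]


def stale_mappings(mappings):
    """Return the (ip, user) pairs to remove so each user keeps one IP.

    The table is keyed by IP, so it is inverted to user -> [mappings] first.
    Assumed policy: the most recently learned mapping wins.
    """
    by_user = defaultdict(list)
    for ip, user, age in mappings:
        # Usernames are compared case-insensitively.
        by_user[user.lower()].append((age, ip, user))
    stale = []
    for entries in by_user.values():
        entries.sort()  # smallest age first, i.e. newest mapping first
        stale.extend((ip, user) for _, ip, user in entries[1:])
    return stale


def logout_message(stale):
    """Build the uid-message (User-ID XML API) that clears the stale mappings."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    logout = ET.SubElement(ET.SubElement(root, "payload"), "logout")
    for ip, user in stale:
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Prints the XML that would be submitted with type=user-id.
    print(logout_message(stale_mappings(SAMPLE)))
```

Without enforced GlobalProtect, the roaming case described above means a cleanup like this can also remove a legitimate second mapping for the same person.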
04-11-2023 02:57 AM
You can do this by creating a username and password and ensuring that it has a unique name so that it doesn't conflict. Then enable User-ID; this will allow the firewall to identify users and their IP addresses and map the usernames to IP addresses in User Agent-ID. Set or create the access policies, such as which actions need to be allowed for that particular user.
Note: the main thing is that the user should rely on keeping the credentials secure by not sharing them with anybody.
04-11-2023 06:10 PM
It was the answer I was looking for.
Thanks so much for the link to the example😀
08-29-2024 11:10 AM
I know that this is an old post but I would like to share an update for anyone looking for a solution.
In order to achieve that, I created an external & standalone program to limit concurrent GlobalProtect sessions/connections per unique user. It can be accessed here: https://github.com/enginy88/PAN-GPLimiter
This topic is also discussed here: https://live.paloaltonetworks.com/t5/general-topics/pan-gplimiter-limit-concurrent-globalprotect-ses...
Hope this helps!