Is it possible to allow only one connection per user-ID in the Palo Alto firewall?



L2 Linker

Basically, the current state is that multiple users can be connected at once when a User-ID is created.
How can I make it so that only one person can access a single User-ID?
You cannot build additional servers like LDAP, SAML, Kerberos, etc.

1 accepted solution

Accepted Solutions

Cyber Elite

@HilineISP_Tech,

The easiest path to accomplish this is to enforce GlobalProtect from client machines on the network and then use a script to ensure that each user-id is only ever associated once. There's a script example that @Remo shared years ago HERE that uses the API to ensure only a single mapping. 


The problem that you'll run into if you don't use an enforced GlobalProtect connection is that there are certain situations where we'd expect to see someone map to multiple IPs. Keeping in mind that User-ID isn't a User->IP mapping but rather an IP->User mapping, if you have an environment where someone would get a different IP address when they move around the building(s), having the user associated temporarily with multiple IPs wouldn't be unexpected.


4 REPLIES

L1 Bithead

You can start by creating a username and password, and ensure that it has a unique name so that it doesn't conflict. Enable User-ID, and this will allow the firewall to identify users and their IP addresses, mapping the usernames to IP addresses in the User-ID Agent. Set or create the access policies, i.e. which actions need to be allowed for that particular user.

Note: the main thing is that the user should rely on keeping the credentials secure by not sharing them with anybody.

AbbasAli.S


It was the answer I was looking for.
Thanks so much for the link to the example😀

L2 Linker


I know that this is an old post but I would like to share an update for anyone looking for a solution.


In order to achieve that, I created an external, standalone program to limit concurrent GlobalProtect sessions/connections per unique user. It can be accessed here: https://github.com/enginy88/PAN-GPLimiter

This topic also discussed here: https://live.paloaltonetworks.com/t5/general-topics/pan-gplimiter-limit-concurrent-globalprotect-ses...

Hope this helps!
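Both the accepted answer (a script that uses the API to keep each user-id at a single mapping) and the PAN-GPLimiter update describe the same enforcement loop without showing it. The following is an added example, written for this page; it is not code from the thread, from @Remo's script or from PAN-GPLimiter. It parses a constructed sample of the `show user ip-user-mapping all` output, finds users whose GlobalProtect mappings cover more than one IP, and builds the `uid-message` logout payload that would clear the extra ones. The XML element names, the `uid-message` format, the "largest remaining timeout is the newest session" rule, and the `send_logout` helper (which needs the `requests` library and a real firewall host and API key) are all assumptions; confirm them against your PAN-OS release before scheduling anything like this. Restricting the check to `type` = `GP` entries is a deliberate choice that follows the answer's caveat: mappings learned from other sources legitimately show one user on several IPs as they roam.

```python
"""Added example: reconcile PAN-OS User-ID mappings so that each GlobalProtect
user keeps only one IP mapping, and build the XML API payload to remove the rest."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of what `show user ip-user-mapping all` returns over the
# XML API (type=op). The element names are an assumption based on that command's
# output; verify them against your own PAN-OS version before relying on them.
SAMPLE_MAPPINGS_XML = """<response status="success"><result>
<entry><ip>10.1.1.10</ip><vsys>vsys1</vsys><type>GP</type><user>corp\\alice</user><timeout>2700</timeout></entry>
<entry><ip>10.1.1.11</ip><vsys>vsys1</vsys><type>GP</type><user>corp\\alice</user><timeout>900</timeout></entry>
<entry><ip>10.1.5.20</ip><vsys>vsys1</vsys><type>AD</type><user>corp\\alice</user><timeout>2700</timeout></entry>
<entry><ip>10.1.1.12</ip><vsys>vsys1</vsys><type>GP</type><user>corp\\bob</user><timeout>2700</timeout></entry>
</result></response>"""


def parse_mappings(xml_text):
    """Return one dict per <entry>: ip, user, type and remaining timeout (seconds)."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.iter("entry"):
        entries.append({
            "ip": e.findtext("ip"),
            "user": e.findtext("user"),
            "type": e.findtext("type"),
            "timeout": int(e.findtext("timeout") or 0),
        })
    return entries


def plan_cleanup(xml_text, source_type="GP"):
    """Group mappings of one source (GP by default) by user. For any user with
    more than one IP, keep the entry with the most remaining timeout (assumed to
    be the most recently refreshed session) and mark the others for logout.
    Returns {user: [ip, ...]} containing only the IPs to remove."""
    by_user = defaultdict(list)
    for m in parse_mappings(xml_text):
        if m["type"] == source_type:   # roaming users on other sources are left alone
            by_user[m["user"]].append(m)
    stale = {}
    for user, entries in by_user.items():
        if len(entries) < 2:
            continue
        keep = max(entries, key=lambda m: m["timeout"])
        stale[user] = sorted(m["ip"] for m in entries if m is not keep)
    return stale


def build_logout_payload(stale):
    """Build the uid-message document that the XML API's user-id endpoint
    (type=user-id&cmd=...) accepts to log out the listed user/IP pairs.
    Assumed format: <uid-message><version>1.0</version><type>update</type>
    <payload><logout><entry name=... ip=.../></logout></payload></uid-message>."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    logout = ET.SubElement(ET.SubElement(msg, "payload"), "logout")
    for user, ips in sorted(stale.items()):
        for ip in ips:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(msg, encoding="unicode")


def send_logout(firewall, api_key, payload):
    """Hypothetical helper: POST the payload to the firewall's XML API.
    Performs network I/O and needs a real host and key; not called by the test."""
    import requests  # lazy import so the rest of the module runs offline
    r = requests.post(f"https://{firewall}/api/",
                      params={"type": "user-id", "key": api_key},
                      data={"cmd": payload}, timeout=10)
    r.raise_for_status()
    return r.text


if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_MAPPINGS_XML)
    print(plan)                      # {'corp\\alice': ['10.1.1.11']}
    print(build_logout_payload(plan))
```

Run it periodically (cron, or a loop in a small service) against the live command output and it converges each GlobalProtect user to a single mapping; the remaining decision, which session to keep, is policy, and the remaining-timeout heuristic above is only one reasonable choice.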
