Maximum number of FW admin sessions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Maximum number of FW admin sessions

L4 Transporter

Hi Community

I was teaching a class and was asked a simple question:

Is there a max number of FW administrators that can be concurrently logged into the FW at the same time?

I have a large customer (a Managed Service Provider) with a large number of FWs, as well as a international team supporting the customers.

It is possible to have many admins logged into the box at the same time.

Do we have a reasonable number (25, 30, 50?) that reaches the max number, or can I go back and state that 25 or 50 admins could be logged in, but Palo Alto Networks does not recommend it?

Thanks.

1 accepted solution

Accepted Solutions

L5 Sessionator

There is currently no limit for admins to login concurrently.However, you may experience a performance impact with the more admins logged in.For example : If the host of admins  start generating reports,simultaneously , there could be some issues.

But there should not be any issues configuring multiple admins as this is not limited by the Software.

View solution in original post

7 REPLIES 7

L5 Sessionator

There is currently no limit for admins to login concurrently.However, you may experience a performance impact with the more admins logged in.For example : If the host of admins  start generating reports,simultaneously , there could be some issues.

But there should not be any issues configuring multiple admins as this is not limited by the Software.

FYI,

when managing the firewalls via Panorama ( considering the larger scope of admins who are managing all these  firewalls ), the admins managing older versions of Panorama ( 5.0 and older ) would experience bottlenecks when more than 5 users were logged in concurrently, and managing the devices. With the Panorama 5.1 and above, we support more than 20+ concurrently logged in admins, and managing the firewalls ( config changes, reports, log queries, context switch all happening at once with no slowdown ), and we have seen good results with 15 concurrently logged in users

)

Hope that helps!

BR,

Karthik RP

L5 Sessionator

Hi,

Technically, no problem for 25 or 50 admins in palo in same time. Just keep in mind:

     - All admin have to use a different account else performence will be very low.

     - Does it make sense to have 50 admins for palo ? Generally main part of admin just want to have access to report then should be better to schedule sending custom report.

Hope clear

V.

Well you can have 225 VSYS on the PA-5000 series so at least 226 concurrent admins should be possible (one per VSYS + at least one superadmin).

L3 Networker

Sorry I connecting on this thread so late, but I have faced with following problem and no other thread has no discussion of this issue. I was tested something in configuration of LDAP auth profiles for admins and make several log in's and out from same client IP to web interface. After 15 or 20 log in's and out's, I have faced with automatic log off from web interface after successful login. Some of them was unsuccessful due to miss-configuration in auth profiles. Is that treated like some kind of BF attack? In CLI everything goes fine and with "show admins" I saw that have about 20 active sessions even if I loged out from web interface....

Tician

I would like for you to go back and test the number of users and logins.

Your comment about After 15 or 20 log in's and out's, I have faced with automatic log off from web interface after successful login..... I have seen this before (automatic log off when you logged in...) and I see this as a bug in 6.x version of software.  I have talked to PAN about this, but I do not think a bug tracker has been identified on this.

Hi,

 

Is there still no way to limit the admin users ?

 

Means, If i have 10 admin accounts and at one time I only want to allows 4 5 admins to access the PA and not anymore ?

  • 1 accepted solution
  • 9074 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!