PAN-GPLimiter: Limit Concurrent GlobalProtect Sessions/Connections Per Unique User


L2 Linker



 

Hi All,

 

I would like to introduce my Go program for limiting concurrent remote user logins in a single GP Gateway on a PAN-OS Firewall.
(Keywords: Limit the maximum number of simultaneous GlobalProtect sessions/connections per unique user.)

 

PAN-GPLimiter [ https://github.com/enginy88/PAN-GPLimiter ]

 

It’s incredibly easy to use, with no prerequisites, dependencies, or installation required, unlike the former initiatives. The project includes pre-compiled, ready-to-go binary images for Linux, Windows and macOS under the releases section. All usage information, including explanations of the settings, is documented.

 

This project was created in 2021 and has undergone several code updates since then. Although the entire project and its code have been open-sourced from the beginning, I hadn't publicly announced it before to avoid any potential issues in its early stages. After being used by select clients for 3 years without any issues, I now consider it quite stable. So, it's the perfect time to share it with everyone!

 

I am aware of some other early attempts to address this issue, but you can read the full story below or more on the GitHub page as well.

 

What's the motivation?

 

This is perhaps the most wanted GlobalProtect feature request for decades! (FR4603-Concurrent Session Limiting) After tons of FR votes, endless requests from customers, and lots of Reddit messages asking for workarounds, the people in charge don't share the opinion of the technical guys in the field, as they haven't green-lighted developers to implement this super easy feature for years.

 

Finally, I ran out of hope and couldn't remain indifferent to it any longer. So this forced me to create my own home-brewed solution, and I gave myself the go-ahead.

 

A Brief History:

 

When I started to implement this program, there was only a PowerShell script dating from 2018. I haven't tried it myself, but many people couldn't make it run for some reason. (Or it really doesn't run at all!) Assuming it works, it's also OS (Windows) dependent, inefficient, can't handle edge cases, lacks some features, etc. But besides that, it did its job, as it inspired me and led the way for me!

 

After I created this program, I found that someone else had also created a Python script in 2020. I was surprised when faced with that, since I didn't realize there was such an attempt at all. Honestly, if I had known about it, I might never have started in the first place. You can also check out this work, since it provides some different features than this one.

 

Let me know if you need further adjustments. All responses and feedback are welcome. Enjoy!

 

Disclaimer: Even though I am an official Professional Services Consultant and Technical Trainer, this is my personal project, which means it is not officially under support or warranty of Palo Alto Networks. Use at your own risk.

5 REPLIES 5

L2 Linker


I’d also like to mention that this FOSS (Free and Open Source Software) is released under the Apache License, which is GPL-compatible and approved by both the FSF and OSI. In short, everyone is welcome to use and distribute it!

L1 Bithead

Great work @enginy 

L0 Member

Hello everyone. @enginy, by any chance, have you already tried it in a Prisma Access environment? I'll be testing it soon. Thanks a lot for your work!

L2 Linker

Hello @ClementADNOV, the only thing preventing this from working in the Prisma Access environment is that you don't have direct control over nodes, which means you cannot obtain the API key necessary for the tool. At least for now...

L0 Member

Hello everyone, I am new here.

  • 1863 Views
  • 5 replies
  • 9 Likes