11-15-2021 11:24 AM
How can you view the peak number of GlobalProtect licenses being consumed
on a PAN? And when those licenses are consumed, what is the behavior of the GP
clients that connect beyond the limit? For example, the 3220 allows for 1024 GP
connections simultaneously from what I understand. What happens to the 1025th
GP client that attempts to connect? TY
11-15-2021 03:34 PM - edited 11-15-2021 03:37 PM
Hi @MichaelMedwid ,
I don't think the firewall records the peak users, but you can check current or previous -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC. Previous should show the "peak" from a unique username count. I would hope that an NMS could graph GP users via SNMP.
The maximum GP users is a hardware limit. If it is exceeded the gateway will refuse the connection. See the picture in this thread -> https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-....
Thanks,
Tom
11-15-2021 04:34 PM
I presumed that the 1025th session would be dropped due to the hardware limitation.
Here are the SNMP OIDs that you can use to draw SNMP graphs for the GlobalProtect sessions, and you may set up a threshold alert when it reaches a specific value like 800 sessions.
GlobalProtect gateway % utilization | panGPGWUtilizationPct.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.1 | PAN-COMMON-MIB |
GlobalProtect gateway max tunnels | panGPGWUtilizationMaxTunnels.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.2 | PAN-COMMON-MIB |
GlobalProtect gateway active tunnels | panGPGWUtilizationActiveTunnels.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.3 | PAN-COMMON-MIB |
You can simply test with an snmpwalk query for the active GP connections.
snmpwalk -v3 -l authPriv -u SNMPUser -a SHA -A "Auth_Password" -x AES -X "Priv_Password" 192.168.1.1 .1.3.6.1.4.1.25461.2.1.2.5.1.3
FYI, for the SNMP setup:
Device -> Setup -> Operations -> Miscellaneous -> SNMP Setup
Thanks,
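The firewall is said above not to record peak usage, so a poller has to keep it. The sketch below is an added example, not code from any of the posters or from Palo Alto Networks: it parses net-snmp output for the active-tunnel OID listed above, stores the highest value seen, and flags the 800-session threshold and the hard limit. The function names, the state-file path and the `.0` instance suffix on the OID are assumptions.

```shell
#!/bin/sh
# Added example: keep a running peak of GlobalProtect tunnels from SNMP polls.
# OID taken from the post above; the trailing .0 (scalar instance) is assumed.
OID_ACTIVE=".1.3.6.1.4.1.25461.2.1.2.5.1.3.0"

# snmp_value LINE
# Extract the integer from one net-snmp output line such as
#   "SNMPv2-SMI::enterprises.25461.2.1.2.5.1.3.0 = INTEGER: 812"
# Returns 1 and prints nothing when the line has no integer value
# (for example "No Such Object ..." or an empty reply after a timeout).
snmp_value() {
    val=$(printf '%s\n' "$1" |
          sed -n 's/^.*= *[A-Za-z0-9]*: *\([0-9][0-9]*\) *$/\1/p')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# record_poll ACTIVE MAX STATE_FILE [WARN_AT]
# Updates the peak stored in STATE_FILE and prints one status line.
# Exit status: 0 = ok, 1 = at or above WARN_AT, 2 = gateway full.
record_poll() {
    active=$1; max=$2; state=$3; warn=${4:-800}
    peak=0
    [ -r "$state" ] && peak=$(cat "$state")
    # A missing, empty or corrupted state file counts as "no peak yet".
    case $peak in ''|*[!0-9]*) peak=0 ;; esac
    if [ "$active" -gt "$peak" ]; then
        peak=$active
        printf '%s\n' "$peak" > "$state"
    fi
    status=ok; rc=0
    [ "$active" -ge "$warn" ] && { status=warn; rc=1; }
    [ "$active" -ge "$max" ] && { status=full; rc=2; }
    printf 'active=%s max=%s peak=%s status=%s\n' \
        "$active" "$max" "$peak" "$status"
    return $rc
}

# Live use from cron (credentials and host as in the snmpwalk above;
# /var/tmp/gp_peak is a hypothetical state file):
#   line=$(snmpget -v3 -l authPriv -u SNMPUser -a SHA -A "Auth_Password" \
#          -x AES -X "Priv_Password" 192.168.1.1 "$OID_ACTIVE")
#   n=$(snmp_value "$line") && record_poll "$n" 1024 /var/tmp/gp_peak 800
```

Because a failed poll makes `snmp_value` return non-zero, a timeout never overwrites the stored peak with a bogus value.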