How to reduce the GlobalProtect Clientless VPN session count on the Firewall
Created On 04/19/23 04:32 AM - Last Modified 11/29/23 17:52 PM
Objective
- To check the Firewall's maximum capacity for GlobalProtect Clientless VPN sessions.
- To shorten timeout settings to reduce the number of GlobalProtect Clientless VPN sessions on the Firewall.
Environment
- Palo Alto Firewalls
- PAN-OS 10.0 and above
- Maximum GlobalProtect Clientless VPN sessions
Procedure
Attention Strata Cloud Manager Users: If you've been redirected to this knowledge article, please skip ahead and start with Step 2.
1. Check the maximum capacity of GlobalProtect Clientless VPN sessions for your Firewall.
   - On the Product Selection web page, click Show More under your platform name to find the value "GlobalProtect Clientless VPN - Max SSL tunnels".
   - For a VM-Flex Firewall running a version lower than 10.2.x, refer to Maximum Limits Based on Tier and Memory. For versions 10.2.x and higher, refer to Maximum Limits Based on Tier and Memory. Note that the memory size (memory profile) determines the capacity of the firewall. Check the memory profile "vm-cap-tier:" in the output of the FW CLI command:
     > show system info
2. Adjust the timeout settings to control the number of GlobalProtect Clientless VPN sessions the Firewall maintains. The procedures below are ordered from broad to specific timeout settings.
   a. Tune the accelerated aging settings from GUI: Device > Setup > Session > Session Settings
      - Accelerated Aging
      - Accelerated Aging Threshold
      - Accelerated Aging Scaling Factor
   b. Go to GUI: Objects > Applications, search for SSL, and adjust the Timeout Settings to a lower value.
   c. Go to GUI: Network > GlobalProtect > [click on appropriate GP NAME] > GlobalProtect Portal Configuration > Clientless VPN > General > Clientless VPN, and adjust the Timeout Settings to a lower value.
   d. Create an Application Override using How to Create an Application Override. When configuring Timeout Settings, refer to Step 2.b as a baseline.
3. If the GlobalProtect Clientless VPN session count cannot be reduced below the capacity limit after following the above recommendations:
   - For a hardware FW, consider upgrading your FW to a higher capacity platform.
   - For a VM-Flex FW, if it is running a version lower than 10.2.0, consider upgrading to a version greater than 10.2.0 to take advantage of the increased configuration capacity offered by the Memory Scaling of the VM-Series Firewall feature. Also consider increasing the FW memory/RAM to increase the capacity of your VM-Flex FW.
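The accelerated aging settings named in the procedure above can also be set and checked from the PAN-OS CLI. The block below is an added example, not part of the original article; the threshold and scaling factor values are constructed placeholders to tune for your own session table. Once session table utilization reaches the threshold percentage, idle timeouts are divided by the scaling factor.

```text
# Added example; values 70 and 4 are illustrative assumptions, not recommendations.
# Lines starting with "#" are annotations and are not typed into the CLI.

# Enter configuration mode:
configure

# Enable accelerated aging, start it at 70% session table utilization,
# and age idle sessions 4 times faster once that threshold is reached:
set deviceconfig setting session accelerated-aging-enable yes
set deviceconfig setting session accelerated-aging-threshold 70
set deviceconfig setting session accelerated-aging-scaling-factor 4
commit
exit

# Back in operational mode, confirm the accelerated aging values in effect
# and compare current session usage against the supported maximum:
show session info
```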