How to restrict the max number of concurrent admin sessions allowed for each administrator and user account?
Created On 10/24/22 01:22 AM - Last Modified 01/10/23 03:40 AM
Objective
Steps to restrict the max number of concurrent admin sessions allowed for each administrator and user account from the Web UI and CLI.
Environment
- PAN-OS 10.0.0 and above
- Any PA Firewall or Panorama
Procedure
Configuration is available via UI and CLI:
Panorama UI:
GUI: Panorama > Setup > Management > Authentication Settings > Max Session Count (number)
Firewall UI:
GUI: Firewall > Setup > Management > Authentication Settings > Max Session Count (number)
CLI:
admin@FW> configure t
admin@FW# set deviceconfig setting management admin-session max-session-count
<value> <0-4> Set the maximum number of sessions administrators are allowed
admin@FW# commit
admin@FW# exit
Note: A commit must be performed to save the config change.
Additional Information
Scenario:
○ Let’s take an example of an administrator named ‘test1’.
○ If max-session-count is set to 1 and the firewall has an active admin session for test1 via the UI, then the firewall will not allow another admin session for user ‘test1’ via the UI, CLI, or XML API.
○ Along with max-session-count, another setting, max-session-time, controls how long an admin session can stay logged in even if the session is not idle.
admin@FW# set deviceconfig setting management admin-session max-session-time
<value> Set the maximum session time (0, 60-1499 minutes)
○ By default:
○ In normal mode, max session count and max session time are both 0, which means there is no restriction on session count and a session will stay active for 30 days.
○ In FIPS mode, max session count is 4 and session active time is 720 minutes.
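To check these settings across exported configurations, the following added example (not Palo Alto Networks code) audits a configuration XML for the two admin-session limits and applies the ranges and defaults listed above. The XML element layout is an assumption that mirrors the CLI path, the function name audit_admin_session is hypothetical, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is an assumption
# that mirrors the CLI path "deviceconfig setting management admin-session".
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><deviceconfig><setting>
  <management><admin-session>
    <max-session-count>1</max-session-count>
  </admin-session></management>
</setting></deviceconfig></entry></devices></config>
"""

ADMIN_SESSION_PATH = ".//deviceconfig/setting/management/admin-session"


def audit_admin_session(config_xml, fips_mode=False):
    """Return (effective_settings, findings) for the admin-session limits."""
    # Defaults stated in the article: 0/0 in normal mode, 4/720 in FIPS mode.
    effective = {"max-session-count": 4 if fips_mode else 0,
                 "max-session-time": 720 if fips_mode else 0}
    node = ET.fromstring(config_xml).find(ADMIN_SESSION_PATH)
    findings = []
    for key in effective:
        text = node.findtext(key) if node is not None else None
        if text is None:
            continue  # not configured, so the default applies
        if not text.strip().isdigit():
            findings.append(f"{key}: non-numeric value {text!r}")
            continue
        effective[key] = int(text)
    count, minutes = effective["max-session-count"], effective["max-session-time"]
    if not 0 <= count <= 4:
        findings.append(f"max-session-count {count} is outside 0-4")
    elif count == 0:
        findings.append("max-session-count is 0: no limit on concurrent admin sessions")
    if minutes != 0 and not 60 <= minutes <= 1499:
        findings.append(f"max-session-time {minutes} is outside 0, 60-1499 minutes")
    elif minutes == 0:
        findings.append("max-session-time is 0: a session can stay active for 30 days")
    return effective, findings


if __name__ == "__main__":
    settings, issues = audit_admin_session(SAMPLE_CONFIG)
    print(settings)
    for issue in issues:
        print("FINDING:", issue)
```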