Umer221
Staff
Article Id 367805
Description: This article explains how to restrict an admin user to a single active admin session.
Scope: FortiOS, FortiGate.
Solution: To disable concurrent admin logins, execute the following commands in the CLI:

 

config system global
    set admin-concurrent disable
end

 

After implementing this configuration, FortiGate will only allow a single active session from an admin user at any time. If an admin attempts to log in while an existing admin session is active, the login will be denied, and an authentication failure message will appear.

 

GUI Error: 'Authentication failure'.

 

SSH Error: 'Permission denied, please try again.'


This feature restricts concurrent admin logins across all access methods, including the GUI, SSH, and Telnet.

If an admin session is active on one protocol (e.g., SSH), no other sessions (e.g., HTTPS) can be initiated until the first session is closed. The only exception is 'jsconsole' (GUI CLI Console) admin sessions, which are listed by 'exec disconnect-admin-session' but do not count towards the single concurrent admin session limit.
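
To confirm the setting on a device, the following added example (not part of the original article and not Fortinet code) parses a configuration backup and reports whether 'set admin-concurrent disable' is present in 'config system global'. The sample backup text and the function names are constructed for illustration, and the check assumes that a backup without the line is running the default (enable).

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_BACKUP = """\
config system global
    set admintimeout 15
    set admin-concurrent disable
    set hostname "FGT-LAB"
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
"""

def global_settings(config_text):
    """Return the 'set' pairs that sit directly inside 'config system global'."""
    settings, stack = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])   # entering a (possibly nested) block
        elif line == "end":
            if stack:
                stack.pop()                        # leaving the innermost block
        elif stack and stack[-1] == "system global":
            m = re.match(r"set (\S+) (.+)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def concurrent_admin_logins_disabled(config_text):
    """True only when the backup explicitly carries 'set admin-concurrent disable'.

    Assumption: a missing line means the default (enable) is in effect.
    """
    return global_settings(config_text).get("admin-concurrent", "enable") == "disable"

if __name__ == "__main__":
    if concurrent_admin_logins_disabled(SAMPLE_BACKUP):
        print("PASS: each admin is limited to one active session")
    else:
        print("FAIL: concurrent admin logins are allowed")
```

Because the parser tracks nested blocks, the same setting under another section (or an 'admin-concurrent' line that is absent altogether) is reported as not restricted.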

 



If the goal is to limit the total number of admin sessions on the FortiGate, rather than limit each admin to a single active session, this is handled by a different setting covered in the article below.

Technical Tip: How to set a maximum number of logged-in administrators