topic Re: Disconnect GlobalProtect user not working via API. in GlobalProtect Discussions

Disconnect GlobalProtect user not working via API.

Jamesy — Thu, 03 Mar 2022 17:13:28 GMT

I am trying to disconnect a global protect user on our gateway via the API. I have tested using the API browser and via a CURL command, but no matter what syntax or variation of the username I use, I get the message Remote-VPN-Gateway-N joe.bloggs Invalid user name. Below is the syntax I am using with the XML API based on the documentation. Am I missing something fundamental, or have I hit a bug in the API?

The PANOS version I am running is 9.1.12-h3.

<request> <global-protect-gateway> <client-logout> <gateway>Remote-VPN-gateway-N</gateway> <user>joe.bloggs</user> <reason>force-logout</reason> </client-logout> </global-protect-gateway> </request>

Re: Disconnect GlobalProtect user not working via API.

TomYoung — Fri, 04 Mar 2022 01:16:54 GMT

Hi @Jamesy ,

Wow! The solution is not in the example here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-manage-globalprotect-users-api, but it is in the response.

You need to add the <domain></domain> parameter. https://live.paloaltonetworks.com/t5/automation-api-discussions/why-can-my-api-call-show-globalprotect-users-but-cannot/td-p/232802

I have tested this with Postman, and it works! Without the domain, I get the same error as you. Perhaps we both have logged in with AD accounts. My Primary Username under Network > GlobalProtect > Gateways > Remote Users is domain\username. I guess that parameter is required if a domain exists.

Thanks,

Tom

Re: Disconnect GlobalProtect user not working via API.

Jamesy — Fri, 04 Mar 2022 09:24:53 GMT

Hi Tom,

Thanks for the reply. I found this article yesterday evening and tried it, but the result is the same, I'm afraid.
No matter what combination of parameters and no matter the order I place them in, I get the same message. My primary usernames are listed as firstname.surname@domain.com which I have tried also.

My new syntax including the domain is below and the error message I get is:
Remote-Gateway-N domain.com joe.bloggs Invalid user name

<request><global-protect-gateway><client-logout><domain>domain.com</domain><gateway>Remote-Gateway-N</gateway><user>joe.bloggs</user></client-logout></global-protect-gateway></request>

Re: Disconnect GlobalProtect user not working via API.

TomYoung — Fri, 04 Mar 2022 14:37:39 GMT

Hi @Jamesy ,

This is the cmd= that worked for me.

<request><global-protect-gateway><client-logout><gateway>Gateway-Name-N</gateway><domain>Domain</domain><user>Username</user><reason>force-logout</reason><computer>Computer-Name</computer></client-logout></global-protect-gateway></request>

The computer may be required. I got that from the example in the doc. Maybe add it?
My domain is displayed as domain/username. So, no .com was needed. Maybe try without?
I don't know if order is important. Maybe try the exact order?

Thanks,

Tom

Re: Disconnect GlobalProtect user not working via API.

Jamesy — Fri, 04 Mar 2022 15:02:54 GMT

Hi Tom,

I had tried this variation of the command, but it was the same. I did manage to get it working.

I ran a show command to verify what was being returned, and I noticed that the computer name was in upper case, so I added that, and it worked. The error message, despite mentioning invalid username, has actually nothing to do with the username.

I verified by running again with one letter in lower case as well as a variation with the domain parameter removed, and it failed each time with the invalid username error.

So it seems, the gateway name (including the -N), the username (mine was in email format user.name@domain.com) and the computer name are all mandatory case-sensitive params.

I don't think the order of these params is important.

Thanks for the help.

Re: Disconnect GlobalProtect user not working via API.

Guillermo1234 — Sat, 10 Aug 2024 15:32:58 GMT

The necessary fields to disconnect a user are the gateway name (including the -N), the username, and the computer name; these are mandatory and must be included. You cannot use just the username.

This is described in the documentation at the following link (step 2), but it does not clarify that it is truly mandatory.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-manage-globalprotect-users-api