https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/539737#M3357 <P>Thanks. That was exactly what I was looking for.</P> Fri, 21 Apr 2023 18:07:13 GMT TLepingwell-ctr 2023-04-21T18:07:13Z https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/538495#M3349 <P>I am trying to automate blocking GlobalProtect clients via API calls. Our firewall is running PanOS&nbsp;9.1.15-h1 and is controlled by a onsite Panorama instance on&nbsp;10.1.8-h2. Due to the version mismatch GlobalProtect device blocks must be implemented directly on the firewall because the blocking mechanism for GlobalProtect clients changed between PanOS 9 and 10.</P><P>&nbsp;</P><P>I know that it is possible to disconnect a GlobalProtect session via the API, but if the device is not blocked they can just reconnect.</P><P>&nbsp;</P><P>Where I am stuck is finding an API call that corresponds to the Network -&gt; GlobalProtect -&gt; Device Block List category in PanOS 9. I have the suspicion that this functionality might not be exposed by the API in this version of PanOS, but I wanted to ask to see if anyone has had success with this or can confirm that the functionality is not exposed.</P> Wed, 12 Apr 2023 17:31:37 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/538495#M3349 TLepingwell-ctr 2023-04-12T17:31:37Z https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/538968#M3353 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/212556">@TLepingwell-ctr</a>,</P> <P>If there is no block list already, the XML API call to create the list with a host in the list is:</P> <LI-CODE lang="markup">https://{{host}}/api?type=op&amp;cmd=&lt;request&gt;&lt;device-block-list&gt;&lt;create&gt;&lt;list&gt;{{list-name}}&lt;/list&gt;&lt;devices&gt;&lt;member&gt;{{host-id}};{{host-name}}&lt;/member&gt;&lt;/devices&gt;&lt;/create&gt;&lt;/device-block-list&gt;&lt;/request&gt;&amp;key={{key}}</LI-CODE> <P>You can add multiple &lt;member&gt;&lt;/member&gt; blocks for each host.</P> <P>&nbsp;</P> <P>If you already have a list created (there can only be one list per VSYS I believe), then you want the update XML API call instead of the create XML API call:</P> <LI-CODE lang="markup">https://{{host}}/api?type=op&amp;cmd=&lt;request&gt;&lt;device-block-list&gt;&lt;create&gt;&lt;list&gt;{{list-name}}&lt;/list&gt;&lt;devices&gt;&lt;member&gt;{{host-id}};{{host-name}}&lt;/member&gt;&lt;/devices&gt;&lt;/create&gt;&lt;/device-block-list&gt;&lt;/request&gt;&amp;key={{key}} </LI-CODE> <P>You can add multiple &lt;member&gt;&lt;/member&gt; blocks for each host like the previous API call. Note that this call will replace the current list of hosts with the hosts listed in &lt;member&gt; blocks. If you wish to add a host, you likely need to get the current list:</P> <LI-CODE lang="markup">https://{{host}}/api?type=op&amp;cmd=&lt;request&gt;&lt;device-block-list&gt;&lt;show&gt;&lt;all/&gt;&lt;/show&gt;&lt;/device-block-list&gt;&lt;/request&gt;&amp;key={{key}}</LI-CODE> <P>...then add the new host to the list in the response, then send the newly updated list back.<BR /><BR />Hope this helps</P> Mon, 17 Apr 2023 10:25:56 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/538968#M3353 JimmyHolland 2023-04-17T10:25:56Z https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/539737#M3357 <P>Thanks. That was exactly what I was looking for.</P> Fri, 21 Apr 2023 18:07:13 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/modify-globalprotect-device-block-list-via-api/m-p/539737#M3357 TLepingwell-ctr 2023-04-21T18:07:13Z