topic Re: User ID Mapping Directly to Firewalls in General Topics

User ID Mapping Directly to Firewalls

Kevin_Holleran — Mon, 08 Apr 2013 20:05:25 GMT

Good afternoon,

Previously we used the PAN-UID perl module to update User ID Agents running on servers, which would in turn update the firewalls.

With version 5.0, there is not this capability:

2.9 User-ID mapping

Beginning with PAN-OS 5.0.0, you can apply User-ID mapping information directly to the firewall using the API with the type=user-id parameter.

Has anyone implemented this? Can you provide any examples? The documentation is kind of limited & we are having a lot of trouble with the UserID Agents having memory leaks and not working.

Thanks for your help.

Kevin

Re: User ID Mapping Directly to Firewalls

mikand — Mon, 08 Apr 2013 21:37:31 GMT

You mean something like this?

Re: User ID Mapping Directly to Firewalls

UhMayYeah — Tue, 09 Apr 2013 01:43:12 GMT

Following Document shows how to :

How to Add User-IP Mapping to Firewall using API on PAN-OS 5.0

https://live.paloaltonetworks.com/docs/DOC-4348

-Ameya

Re: User ID Mapping Directly to Firewalls

Kevin_Holleran — Tue, 09 Apr 2013 13:25:37 GMT

No, I have already implemented this. I mean connecting directly to the firewall API, not through a UID agent.

Thanks.

Re: User ID Mapping Directly to Firewalls

Kevin_Holleran — Tue, 09 Apr 2013 13:29:35 GMT

Exactly what I am looking for, thanks!

Re: User ID Mapping Directly to Firewalls

reynolbr — Mon, 05 Aug 2013 12:48:24 GMT

We have been attempting to make this request through the API but get a Invalid Credentials. We setup an admin account with API access and get a Key back.

When we try to post the key and the new User-ID mapping we get Invalid Credentials. Anyone have a snippet of the post or ssl code in vb/c# ?

string strSandbox = "https://10.10.10.10/api/?type=user-id&key=" + key + "&action=set&vsys=vsys1"; ;

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(strSandbox);

req.Method = "POST";

req.ContentType = "application/x-www-form-urlencoded";

byte[] param = Request.BinaryRead(HttpContext.Current.Request.ContentLength);

StringBuilder requestContent = new StringBuilder();

requestContent.Append("<uid-message>");

requestContent.Append("<version>1.0</version>");

requestContent.Append("<type>update</type>");

requestContent.Append("<payload>");

requestContent.Append("<login>");

requestContent.Append("<entry name=\"domain\\" + LoginUser.UserName.ToLower() + "\" ip=\"" + SIP.Text + "\"/>");

requestContent.Append("</login>");

requestContent.Append("</payload>");

requestContent.Append("</uid-message>");

strRequest += "&cmd=" + requestContent;

req.ContentLength = strRequest.Length;

ServicePointManager.ServerCertificateValidationCallback = delegate(object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };

//Send the request

StreamWriter streamOut = new StreamWriter(req.GetRequestStream(), System.Text.Encoding.ASCII);

streamOut.Write(strRequest);

streamOut.Close();

StreamReader streamIn = new StreamReader(req.GetResponse().GetResponseStream());

string strResponse = streamIn.ReadToEnd();

streamIn.Close();

Re: User ID Mapping Directly to Firewalls

mbutt — Tue, 06 Aug 2013 06:14:30 GMT

I am not sure if you are looking for the following or not

https://live.paloaltonetworks.com/docs/DOC-1662

https://live.paloaltonetworks.com/docs/DOC-1348

https://live.paloaltonetworks.com/docs/DOC-1580

Hope this helps

Thanks