topic Re: Delete user out of the user agent via API in General Topics

Delete user out of the user agent via API

markuskohlmeier — Thu, 16 May 2013 08:29:45 GMT

Hi.

I would like to delete a specific user out of the user agent cache via the XML API. Is it possible to do this when the ip user mapping was done by the agent itself (get the user via DC or exchange login). I enabled the user id XML API on the agent and send them this string:

<uid-message>

<type>update</type>

</payload>

</uid-message>

Here is the response (looks good):

<uid-response><version>1.0</version><code>0</code><message>ok</message></uid-response>

But in the log of the user agent I found this entry and the user is still in the user agent and also in the firewall user cache.

05/16/13 10:04:20:787[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.

show user ip-user-mapping ip x.x.x.x

IP address: x.x.x.x (vsys1)

User: domainY\userZ

From: UIA

Idle Timeout: 2658s

Max. TTL: 2658s

Does anyone has a hint what I am doing wrong?

Regards, Markus

Re: Delete user out of the user agent via API

NGS_SOC — Fri, 17 May 2013 09:52:42 GMT

Script looks fine, I have an explicit logoff like this in place with 4.1.x and 5.0.x. The only difference I have is in ip & name order, in mine script is exchanged,

If you still have user in "show user ip-user-mapping all" list this means that the user still present somewhere and the userid, please verify the user-id logs when loggin off you should have logs like these, where X.X.X. are private ips,

New xml api connection X.X.X.X : 56522:2010737129.

XML api thread 0 from X.X.X.X : 56522 is started.

Event: type="XML API connection" name="X.X.X.X" status="Connected"

Device thread 0 send server status X.X.X.X : 56522 Connected (XML API)

XML api thread 0 accept finished

XML api thread 0 SSL no certificate

Reading 2 security logs takes 0 ms for DC domain.local.

XML API IP 192.168.1.11(name DOMAIN\user) logoff.

Event: type="XML API connection" name="X.X.X.X" status="Disconnected"

XML api thread 0 exits.

XML api connection X.X.X.X : 56522 closed.

All XML api connection stopped!

Re: Delete user out of the user agent via API

markuskohlmeier — Fri, 17 May 2013 12:35:36 GMT

Hi NGS,

I tried it with switched order of the name and ip already, but without any success. The user agent has the version 5.0.4-5 and the firewall is running on PAN-OS 5.0.3.

Regards, Markus

Re: Delete user out of the user agent via API

NGS_SOC — Fri, 17 May 2013 15:02:10 GMT

HI, below I attached an example of vbs script I used in order to obtain explicit login/logout from the network client, try to see if they work for you. Simply modify USER-ID agent address+ port. Once launched the script is able to grab domain\user from the local machine ad set the PA login, or the logout.

Dropbox - Login-Logout-API.zip

I also use similar login\logout script integrated with 802.1X wifi enterpirse (Aerohive vendor), if the user is still preset there is surely something tha keeps alive the use connection.

Also with an 5.0.x infrastrucutre you can talk to the PANOS directy using URL like this, without the USER-ID agent broker.

https://<Firewall-IPaddress>/api/?type=user-id&key=<Key Value>&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="pan\sam1" ip="<Client-IPaddress>"/></login></payload></uid-message>

Re: Delete user out of the user agent via API

markuskohlmeier — Tue, 21 May 2013 06:43:12 GMT

Hi NGS,

thank you very much. I will try it.

Regards, Markus

Re: Delete user out of the user agent via API

markuskohlmeier — Wed, 22 May 2013 09:29:41 GMT

Hi NGS,

I was able to test your srcipt (good job by the way). But also with your script I did not work. I get the same error in the user agent log.

[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.

Regards, Markus

Re: Delete user out of the user agent via API

NGS_SOC — Wed, 22 May 2013 19:26:54 GMT


[Debug  374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.

It seems that domainY\userZ was not previously inserted, maybe not in that form. Via show user ip-user-mapping all are you sure to see domainY\userZ ? Maybe is like domainY.com\userZ and this is a different string causing me in the past some troubles.

Re: Delete user out of the user agent via API

markuskohlmeier — Thu, 23 May 2013 08:53:06 GMT

Hi, this is not the problem. It looks like the problem is that the information is collected via the user agent itself and not the via xml api.

Re: Delete user out of the user agent via API

markuskohlmeier — Mon, 27 May 2013 15:23:43 GMT

Hi community.

Does anyone know if it is possible to overwrite the ip-user-mapping collected by the user agent via the xml-api?

It looks like that it is not possible to logout the user via the xml-api when the information is collected by the user agent. When I send a login via the xml-api before the logout it seem to be ok.

Regards, Markus