topic forcefully logout all GP users from gateways in General Topics

forcefully logout all GP users from gateways

Karup — Mon, 06 Apr 2020 11:06:18 GMT

Hi Anyone,

I'm trying to logout all GP VPN users forcefully logout from the gateway either doesn't logout users or no errors throwing on command as well

>request global-protect-gateway client-logout gateway gp-gateway reason force-logout user * computer *

Login & logout time is same before and after execute this commands. Please let me know, have any one tried this way or share the correct commands.

Regards,

Karup

Re: forcefully logout all GP users from gateways

kiwi — Mon, 06 Apr 2020 11:56:58 GMT

Hi @Karup ,

As far as I can see only portal users can be logged out all at once.

> request global-protect-portal client-logout portal <value> reason force-logout filter-user all-users

This seems like a missing feature on the gateway to disconnect all users at once. You can do it for one user on the CLI or from the UI Network>GlobalProtect>Gateways> <value> >Remote Users

You might want to raise a feature request with your local SE.

Cheers,

-Kiwi.

Re: forcefully logout all GP users from gateways

Karup — Mon, 06 Apr 2020 12:17:14 GMT

Thanks for your comment Kiwi! I'll get this with PA SE.

Re: forcefully logout all GP users from gateways

Karup — Tue, 14 Apr 2020 10:51:30 GMT

Please use the below command to logout all users from the portal but this command could also be working from PAN 9.0.

> request global-protect-portal client-logout portal <value> reason <force-logout> filter-user all-users

Below is the command to disconnect all users at once from a Gateway but this feature is only available from the PAN-OS 9.0.2

>request global-protect-gateway client-logout-all gateway <value>

Regards,

Karup

Re: forcefully logout all GP users from gateways

alowther_chatham — Mon, 20 Apr 2020 17:31:09 GMT

I'm on 8.1, so I used the API to loop through users and log them off. I came up with this set of commands that I can run from any linux box with curl and xmllint

FW=your_firewall_name GW=your_gateway_name # read admin password into environment variable so it is hidden from history file read -s pass # get a key to use the api install -m 0600 /dev/null pa_${FW}.key RESP=$(curl -kq https://${FW}/api --data-urlencode "type=keygen" --data-urlencode "user=admin" --data-urlencode "password=${pass}") xmllint --xpath "//key/text()" <(echo $RESP) > pa_${FW}.key # get connected users, then loop over them to log them off USERS=$(curl -kq https://${FW}/api -d "type=op" -d "cmd=<show><global-protect-gateway><current-user><gateway>${GW}</gateway></current-user></global-protect-gateway></show>" -d "key=$(cat pa_${FW}.key)") for i in $(seq $(xmllint --xpath "count(//username)" <(echo $USERS) )); do U=$(xmllint --xpath "//entry[$i]/username/text()" <(echo $USERS)) D=$(xmllint --xpath "//entry[$i]/domain/text()" <(echo $USERS)) C=$(xmllint --xpath "//entry[$i]/computer/text()" <(echo $USERS)) echo logout: ${C}:${D}:${U} curl -kq https://${FW}/api -d "type=op" -d "cmd=<request><global-protect-gateway><client-logout><computer>${C}</computer><domain>${D}</domain><user>${U}</user><gateway>${GW}-N</gateway></client-logout></global-protect-gateway></request>" -d "key=$(cat pa_${FW}.key)" done