Using the API to refresh the group mapping cache

L3 Networker

Hi,

Is there a way using the REST API to refresh the group mapping cache?

We're using AD groups where possible to control access in policies, and the system refreshes every hour but sometimes this is too long.

I have the CLI command to do this but would like to set this up with the API if possible.

Thanks,

Eugeneoup

L6 Presenter

Re: Using the API to refresh the group mapping cache

Yes, I think all commands are possible... there is a thread describing how to map CLI commands into REST API... will return when I find this thread (unless someone else is quicker than me =)

L6 Presenter

Re: Using the API to refresh the group mapping cache

Not the thread I had in mind but this should answer your question:

https://live.paloaltonetworks.com/docs/DOC-4126

"

2.4 Operational Commands

Beginning with PAN-OS 4.1.0, you can use any of the operational commands available on the command line interface using the Op API request below:

http(s)://hostname/api/?type=op&cmd=xml-body

Refer to the API browser and follow the link for operational commands to see a complete listing of all the different options available for the xml-body and their corresponding operation.

Examples of operational API requests include setting, showing, or clearing runtime parameters, saving and loading configurations to disk, retrieving interface or system information, etc.

To request a system restart, use:

http(s)://hostname/api/?type=op&cmd=<request><restart><system></system></restart></request>

To install system software version 4.1.0, use:

http(s)://hostname/api/?type=op&cmd=<request><system><software><install><version>4.1.0</version></install></software></system></request>

To set the system setting to turn on multi-vsys mode, use:

http(s)://hostname/api/?type=op&cmd=<set><system><setting><multi-vsys></multi-vsys></setting></system></set>

To schedule a User Activity Report, use:

http(s)://hostname/api/?type=op&cmd=<schedule><uar-report><user>username</user><title>titlename</title></uar-report></schedule>

To save or load config to/from a file, use:

http(s)://hostname/api/?type=op&cmd=<save><config><to>filename</to></config></save>, and

http(s)://hostname/api/?type=op&cmd=<load><config><from>filename</from></config></load>

"

"

The API browser is available at http(s)://hostname/api. You need to be logged in to the device’s WebUI to be able to view the API browser.

You can use API browser to navigate different API requests that are available for use. For configuration commands, you can navigate to any path and view the corresponding xpath and API URL on the browser.

For Configuration commands, you can navigate to a specific command to see its xpath.

For Operational commands and Commit commands, you can navigate to a specific command to see the xml body to use for the cmd parameter.

For reports, you can view the report names for all the supported dynamic and predefined reports.

"
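
The Op API request format quoted above, as an added example that is not part of the original thread or of the quoted document: a Python helper that builds the xml-body from a command path, XML-escapes leaf values, and percent-encodes the result into the cmd parameter so that a file name or user name cannot alter the command. The function names, the hostname fw.example.test and the sample file name are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Element names in the quoted examples are lowercase and hyphenated.
_NAME = re.compile(r"[a-z][a-z0-9-]*")


def _checked(name):
    """Accept only plain element names so markup cannot be smuggled in via a name."""
    if not _NAME.fullmatch(name):
        raise ValueError(f"invalid element name: {name!r}")
    return name


def op_xml(path, values=None):
    """Build the xml-body for an op request.

    path   -- element names, outermost first, e.g. ["save", "config"]
    values -- optional {child name: text} placed under the innermost element
    """
    if not path:
        raise ValueError("empty command path")
    root = node = ET.Element(_checked(path[0]))
    for name in path[1:]:
        node = ET.SubElement(node, _checked(name))
    for name, text in (values or {}).items():
        # Text content is XML-escaped when the tree is serialized.
        ET.SubElement(node, _checked(name)).text = str(text)
    # short_empty_elements=False gives <system></system>, as in the quoted document.
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)


def op_url(hostname, path, values=None):
    """Return the Op API URL with the xml-body percent-encoded in cmd."""
    query = urlencode({"type": "op", "cmd": op_xml(path, values)})
    return f"https://{hostname}/api/?{query}"


if __name__ == "__main__":
    # Constructed sample values: hostname and file name are placeholders.
    print(op_xml(["request", "restart", "system"]))
    print(op_url("fw.example.test", ["save", "config"], {"to": "backup & old.xml"}))
```
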

L3 Networker

Re: Using the API to refresh the group mapping cache

Thanks for your help but I'm after a debug command, specifically this one,

debug user-id refresh group-mapping group-mapping-name


I couldn't find this in the thread you supplied, in any documentation, or anywhere in the Discussions; just thought I'd check here before ruling it out completely.

Thanks,

L6 Presenter

Re: Using the API to refresh the group mapping cache

https://<panip>/debug ? :smileysilly:

Sorry, I have no idea. Tried support@ in case no one in here is able to help?

And I guess this didn't work?

https://<panip>/api/?type=op&cmd=<debug><user-id><refresh><group-mapping><group-mapping-name></group-mapping-name></group-mapping></refresh></user-id></debug>

L2 Linker

Re: Using the API to refresh the group mapping cache

Hi, debug commands are not among the <op> commands that are exposed via the API. If you search for PAN-Perl, there is an Expect-based CLI tool for remotely executing CLI commands on the firewall that will work.

L6 Presenter

Re: Using the API to refresh the group mapping cache

oh snap!

How come?

L2 Linker

Re: Using the API to refresh the group mapping cache

There are lots of debug commands that can impact the performance of the device significantly, so they limit what is exposed. The correct handling of this is to map it to a corresponding <op> command that makes sense, like request user-id refresh (dp-uid-gid | group-mapping | user-id). I think that is an excellent Feature Request! I can bring it up to the User-ID Product Manager if you would like.

L3 Networker

Re: Using the API to refresh the group mapping cache

I did try something similar in the API browser to see what works, but it didn't come back with anything useful.

Thanks anyways :smileyhappy:

L3 Networker

Re: Using the API to refresh the group mapping cache

Yes, can you please put that in as a Feature Request. Let me know if I should also bring it to the attention of my local PAN guys.

Thanks
