sending user-id logon/logoffs to firewall via PAN-perl

L0 Member

sending user-id logon/logoffs to firewall via PAN-perl

Hi everyone,

Can anyone advise how the PAN-Perl module can be used in Perl scripts to send user-id mappings directly to the firewall? In reading the module, the PAN-Perl module (PAN::XAPI) seems to include every RESTful API type except user-id, and so I don't seem to be able to send an "action='user-id', xpath= ...user-id xml...". It's not listed in the doc, nor the module as far as I can see.

 

 

I know I can use PAN:API to talk to external agent collectors (which I've tested), but there is a 10-15 second polling period before the firewall is updated, which in my scenario is a touch too long (and doesn't seem to be changeable in config).

 

Any suggestions?

 

Cheers

Jason

L1 Bithead

Re: sending user-id logon/logoffs to firewall via PAN-perl

Hi,

 

I have not played with the Perl module, but I have just been playing with Python, and using an external DB source to feed into the User-ID logins and logouts.

There are a few examples on GitHub, but they are mainly Python.

In theory you can do it with Perl as it is just a RESTful API.

 

I am assuming you are OK with getting the API Key.

 

My example of the API request format for the login.

 

https://192.168.0.200/api/?key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srN...> <type>update</type> <payload> <login> <entry name="user1" ip="10.0.0.1"/> <entry name="domain\user2" ip="10.0.0.2"/> </login> </payload></uid-message>

 

 

Toby
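Added example, not part of the thread and not PAN-Perl code: the login/logout `<uid-message>` from the request above, built in Python with validated IPs and XML-escaped usernames, then wrapped in a POST so the API key is not carried in the URL. The function names, the firewall address and the key are placeholders; the `<version>` and `<logout>` elements are taken from the PAN-OS User-ID XML API rather than from the truncated request in the post.

```python
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), logouts=()):
    """Return a <uid-message> string for (username, ip) login/logout pairs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, pairs in (("login", logins), ("logout", logouts)):
        if not pairs:
            continue
        section = ET.SubElement(payload, tag)
        for user, ip in pairs:
            if not user or any(ord(c) < 0x20 for c in user):
                raise ValueError(f"bad username: {user!r}")
            # Rejects anything that is not a literal IPv4/IPv6 address.
            addr = str(ipaddress.ip_address(ip))
            # ElementTree escapes quotes, <, > and & in attribute values, so a
            # hostile username from the source DB cannot add entries of its own.
            ET.SubElement(section, "entry", name=user, ip=addr)
    if len(payload) == 0:
        raise ValueError("no mappings to send")
    return ET.tostring(root, encoding="unicode")


def build_request(firewall, api_key, uid_message):
    """Build (not send) a POST so the API key stays out of the URL and logs."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": uid_message}
    ).encode()
    return urllib.request.Request(f"https://{firewall}/api/", data=body, method="POST")
```

Pass the returned request to `urllib.request.urlopen()`, which verifies the firewall's TLS certificate by default.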

L3 Networker

Re: sending user-id logon/logoffs to firewall via PAN-perl

You would need to have at least this version:

 

2012-08-30

  - PAN::XAPI, bin/panxapi: add support for updating dynamic objects
    in PAN-OS 5.0 (type=user-id).
L3 Networker

Re: sending user-id logon/logoffs to firewall via PAN-perl

L0 Member

Re: sending user-id logon/logoffs to firewall via PAN-perl

Thanks everyone. Rather than doing direct REST HTTP calls I was hoping to use PAN::XAPI because it had all the underlying HTTP logic and error handling in simple functions, which simplified things and added reliability for my need. I ended up adding a 15 line subroutine that added $api->userid($cmd) with the same format as the rest of PAN::XAPI's functions, which solved everything.

 

Thanks for your help!

 

Jason

 
