Modify GlobalProtect Device Block List via API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Modify GlobalProtect Device Block List via API

L0 Member

I am trying to automate blocking GlobalProtect clients via API calls. Our firewall is running PanOS 9.1.15-h1 and is controlled by a onsite Panorama instance on 10.1.8-h2. Due to the version mismatch GlobalProtect device blocks must be implemented directly on the firewall because the blocking mechanism for GlobalProtect clients changed between PanOS 9 and 10.

 

I know that it is possible to disconnect a GlobalProtect session via the API, but if the device is not blocked they can just reconnect.

 

Where I am stuck is finding an API call that corresponds to the Network -> GlobalProtect -> Device Block List category in PanOS 9. I have the suspicion that this functionality might not be exposed by the API in this version of PanOS, but I wanted to ask to see if anyone has had success with this or can confirm that the functionality is not exposed.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @TLepingwell-ctr,

If there is no block list already, the XML API call to create the list with a host in the list is:

https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}

You can add multiple <member></member> blocks for each host.

 

If you already have a list created (there can only be one list per VSYS I believe), then you want the update XML API call instead of the create XML API call:

https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}

You can add multiple <member></member> blocks for each host like the previous API call. Note that this call will replace the current list of hosts with the hosts listed in <member> blocks. If you wish to add a host, you likely need to get the current list:

https://{{host}}/api?type=op&cmd=<request><device-block-list><show><all/></show></device-block-list></request>&key={{key}}

...then add the new host to the list in the response, then send the newly updated list back.

Hope this helps

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

2 REPLIES 2

L5 Sessionator

Hi @TLepingwell-ctr,

If there is no block list already, the XML API call to create the list with a host in the list is:

https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}

You can add multiple <member></member> blocks for each host.

 

If you already have a list created (there can only be one list per VSYS I believe), then you want the update XML API call instead of the create XML API call:

https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}

You can add multiple <member></member> blocks for each host like the previous API call. Note that this call will replace the current list of hosts with the hosts listed in <member> blocks. If you wish to add a host, you likely need to get the current list:

https://{{host}}/api?type=op&cmd=<request><device-block-list><show><all/></show></device-block-list></request>&key={{key}}

...then add the new host to the list in the response, then send the newly updated list back.

Hope this helps

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Thanks. That was exactly what I was looking for.

  • 1 accepted solution
  • 1782 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!