04-12-2023 10:31 AM
I am trying to automate blocking GlobalProtect clients via API calls. Our firewall is running PanOS 9.1.15-h1 and is controlled by an onsite Panorama instance on 10.1.8-h2. Due to the version mismatch, GlobalProtect device blocks must be implemented directly on the firewall because the blocking mechanism for GlobalProtect clients changed between PanOS 9 and 10.
I know that it is possible to disconnect a GlobalProtect session via the API, but if the device is not blocked they can just reconnect.
Where I am stuck is finding an API call that corresponds to the Network -> GlobalProtect -> Device Block List category in PanOS 9. I have the suspicion that this functionality might not be exposed by the API in this version of PanOS, but I wanted to ask to see if anyone has had success with this or can confirm that the functionality is not exposed.
04-17-2023 03:25 AM
Hi @TLepingwell-ctr,
If there is no block list already, the XML API call to create the list with a host in the list is:
https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}
You can add multiple <member></member> blocks for each host.
If you already have a list created (there can only be one list per VSYS I believe), then you want the update XML API call instead of the create XML API call:
https://{{host}}/api?type=op&cmd=<request><device-block-list><create><list>{{list-name}}</list><devices><member>{{host-id}};{{host-name}}</member></devices></create></device-block-list></request>&key={{key}}
You can add multiple <member></member> blocks for each host like the previous API call. Note that this call will replace the current list of hosts with the hosts listed in <member> blocks. If you wish to add a host, you likely need to get the current list:
https://{{host}}/api?type=op&cmd=<request><device-block-list><show><all/></show></device-block-list></request>&key={{key}}
...then add the new host to the list in the response, then send the newly updated list back.
Hope this helps
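The read-modify-write step described in the reply above, as an added example that is not part of the original post: it merges new hosts into the existing entries, builds the cmd XML with proper escaping, and URL-encodes it. The schema of the show response is not given on the page, so the current entries are assumed to be already extracted as (host-id, host-name) pairs; the function names and sample values are constructed, and the element names are copied from the call shown in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def merge_members(current, new_hosts):
    """Return current entries plus new ones, de-duplicated by host-id, order kept."""
    merged = {}
    for host_id, host_name in list(current) + list(new_hosts):
        host_id, host_name = host_id.strip(), host_name.strip()
        # ';' separates host-id from host-name inside <member>, so reject it in values.
        if not host_id or ";" in host_id or ";" in host_name:
            raise ValueError(f"bad entry: {host_id!r}, {host_name!r}")
        merged.setdefault(host_id, host_name)  # an existing entry wins
    return list(merged.items())


def build_cmd(list_name, members):
    """Build the cmd XML; element names are exactly those in the post's call."""
    if not members:
        # The call replaces the whole list, so an empty send would drop every block.
        raise ValueError("refusing to send an empty member list")
    request = ET.Element("request")
    node = ET.SubElement(ET.SubElement(request, "device-block-list"), "create")
    ET.SubElement(node, "list").text = list_name
    devices = ET.SubElement(node, "devices")
    for host_id, host_name in members:
        ET.SubElement(devices, "member").text = f"{host_id};{host_name}"
    return ET.tostring(request, encoding="unicode")  # escapes &, <, > in values


def build_query(cmd_xml):
    """URL-encode type and cmd. The API key is added by the caller at send time
    so it never ends up in this string or in anything that logs it."""
    return urlencode({"type": "op", "cmd": cmd_xml})


if __name__ == "__main__":
    # Constructed sample data: not real host IDs.
    current = [("id-0001", "LAPTOP-01")]
    to_block = [("id-0002", "R&D-LAPTOP"), ("id-0001", "LAPTOP-01")]
    cmd = build_cmd("blocked", merge_members(current, to_block))
    print(cmd)
    print(build_query(cmd))
```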
04-21-2023 11:07 AM
Thanks. That was exactly what I was looking for.