Is there a way using the Rest API to refresh the group mapping cache?
We're using AD groups where possible to control access in policies, and the system refreshes every hour but sometimes this is too long.
I have the CLI command to do this but would like to set this up with the API if possible.
Yes I think all commands are possible... there is a thread describing on how to map CLI commands into REST API... will return when I find this thread (unless someone else is quicker than me =)
Not the thread I had in mind but this should answer your question:
2.4 Operational Commands
Beginning with PAN-OS 4.1.0, you can use any of the operational commands available on the command line
interface using the Op API request below:
Refer to the API browser and follow the link for operational commands to see a complete listing of all the
different options available for the xml-body and their corresponding operation.
Examples of operational API requests include setting, showing, or clearing runtime parameters, saving and
loading configurations to disk, retrieving interface or system information, etc.
To request a system restart, use:
To install system software version 4.1.0, use:
To set the system setting to turn on multi-vsys mode, use:
To schedule a User Activity Report, use:
To save or load config to/from a file, use:
The API browser is available at http(s)://hostname/api. You need to be logged in to the device’s WebUI to be
able to view the API browser.
You can use API browser to navigate different API requests that are available for use. For configuration
commands, you can navigate to any path and view the corresponding xpath and API URL on the browser.
For Configuration commands, you can navigate to a specific command to see its xpath.
For Operational commands and Commit commands, you can navigate to a specific command to see the xml
body to use for the cmd parameter.
For reports, you can view the report names for all the supported dynamic and predefined reports.
Thanks for your help but I'm after a debug command, specifically this one,
debug user-id refresh group-mapping group-mapping-name
I couldn't find this in the thread you supplied and any documentation or anywhere in the Discussions, just thought I'd check here before ruling it out completely.
Hi, Debug commands are not among the <op> commands that are exposed via the API. If you search for PAN-Perl there is an expect based CLI tool for remotely executing CLI commands on the firewall that will work.
There are lots of debug commands that can impact the performance of the device significantly so they limit what is exposed, the correct handling of this is to map it to a corresponding <op> command that makes sense like request user-id refresh (dp-uid-gid | group-mapping | user-id). I think that is an excellent Feature Request! I can bring it up to the User-ID Product Manager if you would like.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!