03-27-2013 10:30 PM
Hi,
Is there a way using the Rest API to refresh the group mapping cache?
We're using AD groups where possible to control access in policies, and the system refreshes every hour but sometimes this is too long.
I have the CLI command to do this but would like to set this up with the API if possible.
Thanks,
Eugeneoup
03-28-2013 02:14 PM
Yes, I think all commands are possible... there is a thread describing how to map CLI commands into the REST API... will return when I find this thread (unless someone else is quicker than me 😃)
03-28-2013 03:22 PM
Not the thread I had in mind but this should answer your question:
https://live.paloaltonetworks.com/docs/DOC-4126
"
2.4 Operational Commands
Beginning with PAN-OS 4.1.0, you can use any of the operational commands available on the command line
interface using the Op API request below:
http(s)://hostname/api/?type=op&cmd=xml-body
Refer to the API browser and follow the link for operational commands to see a complete listing of all the
different options available for the xml-body and their corresponding operation.
Examples of operational API requests include setting, showing, or clearing runtime parameters, saving and
loading configurations to disk, retrieving interface or system information, etc.
To request a system restart, use:
http(s)://hostname/api/?type=op&cmd=<request><restart><system></system></restart></request>
To install system software version 4.1.0, use:
http(s)://hostname/api/?type=op&cmd=<request><system><software><install><version>4.1.0</version></install></software></system></request>
To set the system setting to turn on multi-vsys mode, use:
http(s)://hostname/api/?type=op&cmd=<set><system><setting><multi-vsys></multi-vsys></setting></system></set>
To schedule a User Activity Report, use:
http(s)://hostname/api/?type=op&cmd=<schedule><uar-report><user>username</user><title>titlename</title></uar-report></schedule>
To save or load config to/from a file, use:
http(s)://hostname/api/?type=op&cmd=<save><config><to>filename</to></config></save>, and
http(s)://hostname/api/?type=op&cmd=<load><config><from>filename</from></config></load>
"
"
The API browser is available at http(s)://hostname/api. You need to be logged in to the device’s WebUI to be
able to view the API browser.
You can use API browser to navigate different API requests that are available for use. For configuration
commands, you can navigate to any path and view the corresponding xpath and API URL on the browser.
For Configuration commands, you can navigate to a specific command to see its xpath.
For Operational commands and Commit commands, you can navigate to a specific command to see the xml
body to use for the cmd parameter.
For reports, you can view the report names for all the supported dynamic and predefined reports.
"
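As an added example (not part of the original thread or the quoted document), the Python below builds the xml-body for the Op API requests quoted above and percent-encodes it into the cmd parameter, escaping any caller-supplied value such as a filename so it cannot inject extra elements. The names op_cmd_xml and op_url and the host firewall.example.com are hypothetical; authentication is not shown on this page and is left out.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Element names as they appear in the quoted examples: letters, digits, hyphens.
_NAME = re.compile(r"^[a-z][a-z0-9-]*$")


def op_cmd_xml(path, text=None, children=None):
    """Nest `path` into an XML body; text or leaf children go on the last element."""
    if not path:
        raise ValueError("empty command path")
    for name in list(path) + list(children or {}):
        if not _NAME.match(name):
            raise ValueError(f"invalid element name: {name!r}")
    root = node = ET.Element(path[0])
    for name in path[1:]:
        node = ET.SubElement(node, name)
    if text is not None:
        node.text = text  # ElementTree escapes &, < and > on output
    for name, value in (children or {}).items():
        ET.SubElement(node, name).text = value
    # short_empty_elements=False renders <system></system>, as in the quoted docs
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)


def op_url(hostname, xml_body):
    """Build the type=op request URL with the XML body percent-encoded."""
    return f"https://{hostname}/api/?" + urlencode({"type": "op", "cmd": xml_body})


if __name__ == "__main__":
    host = "firewall.example.com"  # placeholder hostname (assumption)
    # The three shapes used in the quoted examples: bare path, leaf text, leaf children.
    print(op_url(host, op_cmd_xml(["request", "restart", "system"])))
    print(op_url(host, op_cmd_xml(
        ["request", "system", "software", "install", "version"], text="4.1.0")))
    print(op_url(host, op_cmd_xml(
        ["schedule", "uar-report"],
        children={"user": "username", "title": "titlename"})))
    # Constructed hostile filename: the markup is escaped, not interpreted.
    print(op_cmd_xml(["save", "config", "to"], text="a</to><x>"))
```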
04-01-2013 04:23 PM
Thanks for your help but I'm after a debug command, specifically this one,
debug user-id refresh group-mapping group-mapping-name
I couldn't find this in the thread you supplied, in any documentation, or anywhere in the Discussions; just thought I'd check here before ruling it out completely.
Thanks,
04-01-2013 08:23 PM
Hi, Debug commands are not among the <op> commands that are exposed via the API. If you search for PAN-Perl, there is an expect-based CLI tool for remotely executing CLI commands on the firewall that will work.
04-01-2013 08:37 PM
There are lots of debug commands that can impact the performance of the device significantly, so they limit what is exposed. The correct handling of this is to map it to a corresponding <op> command that makes sense, like request user-id refresh (dp-uid-gid | group-mapping | user-id). I think that is an excellent Feature Request! I can bring it up to the User-ID Product Manager if you would like.
04-01-2013 08:47 PM
I did try something similar in the API browser to see what works, but it didn't come back with anything useful.
Thanks anyways
04-01-2013 08:48 PM
Yes, can you please put that in as a Feature Request. Let me know if I should also bring it to the attention of my local PAN guys.
Thanks
04-01-2013 08:50 PM
Hi, Yes you should have them flag it as well - you can have them reach out to me for additional details (I'm at corporate)
04-01-2013 09:19 PM
Thanks I've let them know.