Using the API to refresh the group mapping cache


L3 Networker

Hi,

Is there a way using the REST API to refresh the group mapping cache?

We're using AD groups where possible to control access in policies, and the system refreshes every hour but sometimes this is too long.

I have the CLI command to do this but would like to set this up with the API if possible.

Thanks,

Eugeneoup

11 REPLIES

L6 Presenter

Yes I think all commands are possible... there is a thread describing how to map CLI commands into REST API... will return when I find this thread (unless someone else is quicker than me 😃)

Not the thread I had in mind but this should answer your question:

https://live.paloaltonetworks.com/docs/DOC-4126

"

2.4 Operational Commands 

Beginning with PAN-OS 4.1.0, you can use any of the operational commands available on the command line interface using the Op API request below:

http(s)://hostname/api/?type=op&cmd=xml-body

Refer to the API browser and follow the link for operational commands to see a complete listing of all the different options available for the xml-body and their corresponding operation.

Examples of operational API requests include setting, showing, or clearing runtime parameters, saving and loading configurations to disk, retrieving interface or system information, etc.

To request a system restart, use:

http(s)://hostname/api/?type=op&cmd=<request><restart><system></system></restart></request>

To install system software version 4.1.0, use:

http(s)://hostname/api/?type=op&cmd=<request><system><software><install><version>4.1.0</version></install></software></system></request>

To set the system setting to turn on multi-vsys mode, use:

http(s)://hostname/api/?type=op&cmd=<set><system><setting><multi-vsys></multi-vsys></setting></system></set>

To schedule a User Activity Report, use:

http(s)://hostname/api/?type=op&cmd=<schedule><uar-report><user>username</user><title>titlename</title></uar-report></schedule>

To save or load config to/from a file, use:

http(s)://hostname/api/?type=op&cmd=<save><config><to>filename</to></config></save>, and

http(s)://hostname/api/?type=op&cmd=<load><config><from>filename</from></config></load>

"

"

The API browser is available at http(s)://hostname/api. You need to be logged in to the device’s WebUI to be able to view the API browser.

You can use API browser to navigate different API requests that are available for use. For configuration commands, you can navigate to any path and view the corresponding xpath and API URL on the browser.

For Configuration commands, you can navigate to a specific command to see its xpath.

For Operational commands and Commit commands, you can navigate to a specific command to see the xml body to use for the cmd parameter.

For reports, you can view the report names for all the supported dynamic and predefined reports.

"
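As an added example (not part of the original thread or of the quoted document): one way to build the xml-body for the op request format quoted above from nested CLI keywords, with argument values XML-escaped and the whole body percent-encoded so the `<` and `>` characters never travel raw in the URL. The host name `fw.example.test` and the helper names `op_xml` and `op_url` are assumptions; authentication is not covered on this page and is left out.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Element names come from CLI keywords; anything else is rejected so that
# caller-supplied text can never introduce extra markup.
_TAG = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")


def _element(tag, body):
    """Build one element: dict -> child elements, None -> empty, else text."""
    if not _TAG.fullmatch(tag):
        raise ValueError(f"invalid element name: {tag!r}")
    elem = ET.Element(tag)
    if isinstance(body, dict):
        for child_tag, child_body in body.items():
            elem.append(_element(child_tag, child_body))
    elif body is not None:
        elem.text = str(body)  # ElementTree escapes <, > and & on output
    return elem


def op_xml(command):
    """Serialize {'root': {...}} into the xml-body for the cmd parameter."""
    if len(command) != 1:
        raise ValueError("exactly one root element expected")
    (tag, body), = command.items()
    return ET.tostring(_element(tag, body), encoding="unicode",
                       short_empty_elements=False)


def op_url(host, command):
    """Return the op request URL with the XML body percent-encoded."""
    query = urlencode({"type": "op", "cmd": op_xml(command)})
    return f"https://{host}/api/?{query}"


if __name__ == "__main__":
    # Constructed host name; the commands are the ones quoted in the document.
    host = "fw.example.test"
    print(op_url(host, {"save": {"config": {"to": "filename"}}}))
    print(op_url(host, {"schedule": {"uar-report": {"user": "username",
                                                    "title": "titlename"}}}))
```
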

Thanks for your help but I'm after a debug command, specifically this one,

debug user-id refresh group-mapping group-mapping-name


I couldn't find this in the thread you supplied or any documentation or anywhere in the Discussions, just thought I'd check here before ruling it out completely.

Thanks,

https://<panip>/debug ? :smileysilly:

Sorry I have no idea, tried support@ in case no one in here is able to help?

And I guess this didn't work?

https://<panip>/api/?type=op&cmd=<debug><user-id><refresh><group-mapping><group-mapping-name></group-mapping-name></group-mapping></refresh></user-id></debug>

Hi, Debug commands are not among the <op> commands that are exposed via the API. If you search for PAN-Perl there is an expect-based CLI tool for remotely executing CLI commands on the firewall that will work.

oh snap!

How come?

There are lots of debug commands that can impact the performance of the device significantly, so they limit what is exposed. The correct handling of this is to map it to a corresponding <op> command that makes sense, like request user-id refresh (dp-uid-gid | group-mapping | user-id). I think that is an excellent Feature Request! I can bring it up to the User-ID Product Manager if you would like.

I did try something similar in the API browser to see what works but it didn't come back with anything useful

Thanks anyways :)

Yes, can you please put that in as a Feature Request.  Let me know if I should also bring it to the attention of my local PAN guys.

Thanks

Hi, yes, you should have them flag it as well - you can have them reach out to me for additional details (I'm at corporate).

Thanks I've let them know.
