Using the API to refresh the group mapping cache

Not the thread I had in mind but this should answer your question:

https://live.paloaltonetworks.com/docs/DOC-4126

"

2.4 Operational Commands 

Beginning with PAN-OS 4.1.0, you can use any of the operational commands available on the command line

interface using the Op API request below:

http(s)://hostname/api/?type=op&cmd=xml-body

Refer to the API browser and follow the link for operational commands to see a complete listing of all the

different options available for the xml-body and their corresponding operation.

Examples of operational API requests include setting, showing, or clearing runtime parameters, saving and

loading configurations to disk, retrieving interface or system information, etc.

To request a system restart, use:

http(s)://hostname/api/?type=op&cmd=<request><restart><system></system></restart></request>

To install system software version 4.1.0, use:

http(s)://hostname/api/?type=op&cmd=<request><system><software><install><version>4.1.0</version></install>

</software></system></request>

To set the system setting to turn on multi-vsys mode, use:

http(s)://hostname/api/?type=op&cmd=<set><system><setting><multi-vsys></multi-

vsys></setting></system></set>

To schedule a User Activity Report, use:

http(s)://hostname/api/?type=op&cmd=<schedule><uar-

report><user>username</user><title>titlename</title></uar-report></schedule>

To save or load config to/from a file, use:

http(s)://hostname/api/?type=op&cmd=<save><config><to>filename</to></config></save>, and

http(s)://hostname/api/?type=op&cmd=<load><config><from>filename</from></config></load>

"

"

The API browser is available at http(s)://hostname/api. You need to be logged in to the device’s WebUI to be

able to view the API browser.

You can use API browser to navigate different API requests that are available for use. For configuration

commands, you can navigate to any path and view the corresponding xpath and API URL on the browser. 

For Configuration commands, you can navigate to a specific command to see its xpath.

For Operational commands and Commit commands, you can navigate to a specific command to see the xml

body to use for the cmd parameter.

For reports, you can view the report names for all the supported dynamic and predefined reports.

"

Thanks for your help but I'm after a debug command, specifically this one,

debug user-id refresh group-mapping group-mapping-name

I couldn't find this in the thread you supplied and any documentation or anywhere in the Discussions, just thought I'd check here before ruling it out completely.

Thanks,

https://<panip>/debug ? :smileysilly:

Sorry I have no idea, tried support@ in case noone in here is able to help?

And I guess this didnt work?

https://<panip>/api/?type=op&cmd=<debug><user-id><refresh><group-mapping><group-mapping-name></group-mapping-name></group-mapping></refresh></user-id></debug>

Hi, Debug commands are not among the <op> commands that are exposed via the API.  If you search for PAN-Perl there is an expect based CLI tool for remotely executing CLI commands on the firewall that will work.

oh snap!

How come?

There are lots of debug commands that can impact the performance of the device significantly so they limit what is exposed, the correct handling of this is to map it to a corresponding <op> command that makes sense like request user-id refresh (dp-uid-gid | group-mapping | user-id).  I think that is an excellent Feature Request!  I can bring it up to the User-ID Product Manager if you would like.

I did try something similar in the API browser to see what works but it didn't come back with anything useful

Thanks anyways

Yes, can you please put that in as a Feature Request.  Let me know if I should also bring it to the attention of my local PAN guys.

Thanks

Hi,  Yes you should have them flag it as well - you can have them reach out to me for additional details (I'm at corporate)

Thanks I've let them know.