Using User-ID XML API to get data?

Is there a way to use User-ID xml api to get data from User-ID agent?

Accepted Solutions

Palo Alto Networks Guru

Unfortunately there isn't. The User-ID XML API is designed to feed User-IP information into the Agent and the firewall, but not to retrieve any data. Out of curiosity, may I still ask what you are trying to achieve?

I don't know about aigarkais but I would like to be able to get data from the agent so I can do user-id to IP lookups without having to log into a PAN device.

A tool like that would be useful to a number of IT groups for supporting users. Currently, if support needs to do a remote login to a workstation, they need to ask the user what their IP address is. If the user is not very knowledgeable about computers, this can be a frustrating task for both the user and the support person. Leveraging the user-id agent to lookup the mapping would make a lot of people happy.

Hi Jim,

You can poll the firewall for its current list of mappings.

I was able to run:

$ curl -k "https://x.x.x.x/api/?type=op&cmd=<show><user><ip-user-mapping><all></all></ip-user-mapping></user></show>&key=INSERT_API_KEY_HERE"

from any machine with curl and it outputs all of the mappings on the firewall. It's not polling the agent, but it's close and will probably suffice for what you're wanting. Note, you'll have to have the XML API set up, and you'll need to insert your own firewall's IP and XML API key in the above command.

Thanks,


Jason Seals

Jim,

Here is the wget equivalent if you'd prefer:

wget --no-check-certificate "https://x.x.x.x/api/?type=op&cmd=<show><user><ip-user-mapping><all></all></ip-user-mapping></user></show>&key=INSERT_API_KEY_HERE"

After the wget finishes, you'll just need to view the contents of the index file it pulls down as that contains the user info it pulled from the firewall.

Thanks,

Jason Seals
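
As an added example (not part of the original thread and not Palo Alto Networks code), the username-to-IP lookup asked for above can be built on the op command quoted in the two replies. The response element names (`entry`, `ip`, `user`), the sample data, the helper names and the use of the `X-PAN-KEY` header instead of a `key=` URL parameter are assumptions to check against your own firewall's output and PAN-OS release.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

OP_CMD = "<show><user><ip-user-mapping><all></all></ip-user-mapping></user></show>"
# Constructed sample response; the element names are an assumption about the
# firewall's XML output and should be checked against a real reply.
SAMPLE_RESPONSE = """<response status="success"><result>
  <entry><ip>10.1.20.15</ip><user>example\\jdoe</user></entry>
  <entry><ip>10.1.20.44</ip><user>example\\asmith</user></entry>
  <entry><ip>10.1.31.7</ip><user>example\\jdoe</user></entry>
</result></response>"""


def build_request(firewall, api_key):
    """Build the op request with the command URL-encoded and the key kept out of the URL."""
    query = urllib.parse.urlencode({"type": "op", "cmd": OP_CMD})
    # X-PAN-KEY header: assumed to be supported by the PAN-OS release in use.
    return urllib.request.Request(f"https://{firewall}/api/?{query}", headers={"X-PAN-KEY": api_key})


def parse_mappings(xml_text):
    """Return {lowercased user: [ip, ...]}; raise if the firewall reported an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: status={root.get('status')!r}")
    mappings = {}
    for entry in root.iter("entry"):
        ip, user = entry.findtext("ip"), entry.findtext("user")
        if ip and user:
            mappings.setdefault(user.strip().lower(), []).append(ip.strip())
    return mappings


def lookup(mappings, username):
    """Match 'jdoe' against 'domain\\jdoe' as well as the full name."""
    wanted = username.lower()
    return sorted(ip for user, ips in mappings.items()
                  if user == wanted or user.split("\\")[-1] == wanted for ip in ips)


def fetch_mappings(firewall, api_key):
    """Live query; urlopen verifies the certificate by default (no -k equivalent)."""
    with urllib.request.urlopen(build_request(firewall, api_key), timeout=10) as r:
        return parse_mappings(r.read().decode("utf-8"))


if __name__ == "__main__":
    print(lookup(parse_mappings(SAMPLE_RESPONSE), "jdoe"))
```

Keeping the key in a header keeps it out of shell history and proxy or web-server access logs, and leaving certificate verification on means the key is only sent to a firewall whose certificate the client trusts.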

Hello,

I'm curious as to how to set this information. Using the https://<mgmt ip>/api API browser, I don't see where or how I may set this information. Using IMAP/POP3 logs, I have a plethora of IP<->username mappings - just need to know how to get them into our 2050.

Thanks in advance. 😃

Disregard -- I've found ye olde DOC-1348.

We send syslog data from our PA devices that include the username field populated and the IP address they're coming from, and we heavily use our SIEM to normalize that data to provide username-IP mappings all the time.

You could build a homegrown web interface search that could search a syslog server's logs and return username-IP mappings. Or use something like ELSA and get web access to your PA logs that way:

enterprise-log-search-and-archive - Enterprise log search and archive (ELSA) is an industrial-streng...
