API - Manage Users for VPN access

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

API - Manage Users for VPN access

L1 Bithead

Hello Community,

 

i'm currently planing a project which should be able to control the VPN user access via the API.

It should be a simple tool where you just need to click a single button. The tool then activates or deactivates the user for that VPN via the API.

How do i activate/deactivate local user on the PA with the API?

I've already searched through the /api on our 850 but haven't found what i want.

What would be your approach?

 

Thank you in advance.

 

Kind regards,

JustAGuy

 

1 accepted solution

Accepted Solutions

I've finally managed to get the right API command for enabling/disabling local users.

All capitalized words between these chars "<>" need to be adjusted!

 

First you need to get the apikey with the following request:

https://<FIREWALL IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

 

Then you can disable the user via the following:

https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>yes</disabled>

 

or enable it via this:

https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>no</disabled>

 

Lastly you need to commit your changes:

https://<FIREWALL IP>/api/?type=commit&key=<APIKEY>&cmd=<commit><description><YOUR DESCRIPTION></description></commit>

View solution in original post

3 REPLIES 3

L1 Bithead

That's a great project.

I am just curious. Why wouldn't you use GlobalProtect for VPN?

The tool should work with different firewall vendors.

One of it is Palo Alto NGFW.

Is there a difference between controlling the global protect users vs. f.e ipsec?

I've finally managed to get the right API command for enabling/disabling local users.

All capitalized words between these chars "<>" need to be adjusted!

 

First you need to get the apikey with the following request:

https://<FIREWALL IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>

 

Then you can disable the user via the following:

https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>yes</disabled>

 

or enable it via this:

https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>no</disabled>

 

Lastly you need to commit your changes:

https://<FIREWALL IP>/api/?type=commit&key=<APIKEY>&cmd=<commit><description><YOUR DESCRIPTION></description></commit>

  • 1 accepted solution
  • 3528 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!