03-09-2020 07:02 AM
Hello Community,
I'm currently planning a project which should be able to control the VPN user access via the API.
It should be a simple tool where you just need to click a single button. The tool then activates or deactivates the user for that VPN via the API.
How do I activate/deactivate a local user on the PA with the API?
I've already searched through the /api on our 850 but haven't found what I want.
What would be your approach?
Thank you in advance.
Kind regards,
JustAGuy
03-10-2020 06:19 AM - edited 03-10-2020 06:22 AM
I've finally managed to get the right API command for enabling/disabling local users.
All capitalized words between these chars "<>" need to be adjusted!
First you need to get the apikey with the following request:
https://<FIREWALL IP>/api/?type=keygen&user=<USERNAME>&password=<PASSWORD>
Then you can disable the user via the following:
https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>yes</disabled>
or enable it via this:
https://<FIREWALL IP>/api/?type=config&action=set&key=<API KEY>&xpath=/config/shared/local-user-database/user/entry[@name='<LOCAL USERNAME>']&element=<disabled>no</disabled>
Lastly you need to commit your changes:
https://<FIREWALL IP>/api/?type=commit&key=<APIKEY>&cmd=<commit><description><YOUR DESCRIPTION></description></commit>
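The calls from the post above, as an added example that is not part of the original thread: it builds them as POST requests so the password and API key stay out of the URL (and out of proxy and web-server logs), and rejects usernames that could break out of the XPath predicate. It assumes PAN-OS 9.0 or later, where the key can be sent in the X-PAN-KEY header; the function names, the username allowlist and the sample values are illustrative.

```python
import re
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

# Conservative allowlist (assumption): no quotes, brackets or slashes, so a
# username can never break out of the [@name='...'] XPath predicate.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,31}")
USER_XPATH = "/config/shared/local-user-database/user/entry[@name='{}']"


def _post(host, fields, api_key=None):
    """Build (not send) a POST; secrets go in the body or a header, never the URL."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    if api_key:
        req.add_header("X-PAN-KEY", api_key)
    return req


def keygen_request(host, user, password):
    return _post(host, {"type": "keygen", "user": user, "password": password})


def set_user_disabled_request(host, api_key, username, disabled):
    if not _SAFE_NAME.fullmatch(username):
        raise ValueError(f"refusing unsafe local username: {username!r}")
    element = f"<disabled>{'yes' if disabled else 'no'}</disabled>"
    fields = {"type": "config", "action": "set",
              "xpath": USER_XPATH.format(username), "element": element}
    return _post(host, fields, api_key)


def commit_request(host, api_key, description):
    # Escape the free-text description so it cannot inject XML into <commit>.
    cmd = f"<commit><description>{escape(description)}</description></commit>"
    return _post(host, {"type": "commit", "cmd": cmd}, api_key)


if __name__ == "__main__":
    # Constructed values; 192.0.2.1 is a documentation-only address.
    req = set_user_disabled_request("192.0.2.1", "EXAMPLE-KEY", "vpn.alice", True)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Sending is left to the caller: urllib.request.urlopen(req) with the
    # default TLS context, which verifies the firewall's certificate.
```
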
03-09-2020 07:38 AM
That's a great project.
I am just curious. Why wouldn't you use GlobalProtect for VPN?
03-09-2020 07:43 AM
The tool should work with different firewall vendors.
One of them is Palo Alto NGFW.
Is there a difference between controlling the GlobalProtect users vs. e.g. IPsec?