Check GlobalProtect VPN users with PowerShell GUI

L2 Linker

Check GlobalProtect VPN users with PowerShell GUI

I wrote a simple PowerShell GUI script that can check for GlobalProtect VPN users connected currently, or at a past date.

It uses the REST API to grab the information. Not sure if anyone would find it useful.

Here is the Github link: https://github.com/marcusit/PaltoShell

L1 Bithead

Re: Check GlobalProtect VPN users with PowerShell GUI

Thank you for building this. I get an error after I try and generate the API key 'The remote name could not be resolved'.

I tried both the hostname and IP for the variable in the script but still get this same error. Any ideas on what I may be missing? I do get prompted for authentication, could it be an authentication issue?

L2 Linker

Re: Check GlobalProtect VPN users with PowerShell GUI

I noticed that I had left a static variable in the function to generate a new API key (line 82).

I updated the code on GitHub, so if you download the script again it should work for you now.

The authentication comes from the script itself, it stores the credentials in a variable that it then passes to the firewall to be able to generate the API key.

L1 Bithead

Re: Check GlobalProtect VPN users with PowerShell GUI

Thanks for the quick update. Now I seem to be getting -

Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
+   [xml]$get_api_key = $KeyClient.DownloadString($key_url)

L2 Linker

Re: Check GlobalProtect VPN users with PowerShell GUI

Are you running PowerShell version 4 or higher? You can check by running "$psversiontable.PSVersion" in PowerShell.

You would also need Microsoft .NET Framework. Not sure on version, but it works with 4.6.01590.

L1 Bithead

Re: Check GlobalProtect VPN users with PowerShell GUI

Yes. Version 5 and .NET 4.6

Cyber Elite

Re: Check GlobalProtect VPN users with PowerShell GUI

To me this sounds like the TLS version does not match or the server/client where you run the script does not trust the firewall certificate. As far as I know by default PowerShell only connects to trusted certs and I am sure that by default TLS1.0 (and only 1.0) is used.

By adding this line you can force TLS1.2:

  [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

L2 Linker

Re: Check GlobalProtect VPN users with PowerShell GUI

@vsys_remo wrote:

To me this sounds like the TLS version does not match or the server/client where you run the script does not trust the firewall certificate. As far as I know by default PowerShell only connects to trusted certs and I am sure that by default TLS1.0 (and only 1.0) is used.

By adding this line you can force TLS1.2:

  [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

This might be correct. You can check for cert errors by going to the firewall GUI and see if you receive a cert warning. 

You can do some testing by just running this code snippet:

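  $fw_hostname = "Your firewall hostname or IP here"   # change this value
  # Prompt for the firewall credentials
  $pass = Get-Credential -Credential $env:userdomain\$env:username
  $plainpass = $pass.GetNetworkCredential().Password
  # URL-encode the password so characters such as & or # do not break the query string
  $key_url = "https://"+$fw_hostname+"/api/?type=keygen&user="+$env:username+"&password="+[uri]::EscapeDataString($plainpass)
  $KeyClient = New-Object System.Net.WebClient
  # Returns the XML response that contains the API key
  $KeyClient.DownloadString($key_url)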

Be sure to change the first line. You should get text output similar to below:

<response status = 'success'><result><key>YOUR API KEY</key></result></response>

 

Finally you can test it in a browser too, to make sure you are able to generate an API key:

https://<FIREWALL HOSTNAME OR IP>/api/?type=keygen&user=<YOUR FW USERNAME>&password=<YOUR FW PASSWORD>
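
Added example, not part of the original post or of the PaltoShell script: the same keygen test with TLS 1.2 forced and the credentials sent in a POST body instead of the query string, so the password does not end up in browser history or proxy logs. The function name Get-PanApiKey and the hostname fw.example.internal are hypothetical, and it assumes the firewall's PAN-OS version accepts POST for type=keygen.

```powershell
# Added example: request a PAN-OS API key with the credentials in the POST body.
# Get-PanApiKey is a hypothetical helper name; the hostname passed in is a placeholder.
function Get-PanApiKey {
    param(
        [Parameter(Mandatory = $true)] [string] $FwHostname,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
    )

    # Same TLS 1.2 setting as suggested earlier in the thread.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

    $net  = $Credential.GetNetworkCredential()
    # A hashtable body is sent form-encoded, so special characters in the
    # password are escaped and nothing sensitive appears in the URL.
    $body = @{ user = $net.UserName; password = $net.Password }

    try {
        $resp = Invoke-RestMethod -Uri "https://$FwHostname/api/?type=keygen" -Method Post -Body $body
    }
    catch {
        # Name resolution, TLS negotiation and certificate trust failures surface here.
        throw "Keygen request to $FwHostname failed: $($_.Exception.Message)"
    }

    # Expected shape: <response status='success'><result><key>...</key></result></response>
    if ($resp.response.status -ne 'success') {
        throw "Firewall rejected the keygen request (status: $($resp.response.status))"
    }
    return $resp.response.result.key
}

$cred = Get-Credential -Message 'Firewall admin account'
$key  = Get-PanApiKey -FwHostname 'fw.example.internal' -Credential $cred
# Show only the key length so the key itself does not end up in console transcripts.
"API key retrieved ({0} characters)" -f $key.Length
```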

L1 Bithead

Re: Check GlobalProtect VPN users with PowerShell GUI

I really appreciate all of the help. It looks like the TLS fix worked and am now able to generate the API key.

Now I get this when I try and query the users. I am assuming this is a permission thing -

Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (403) Forbidden."
At C:\WINDOWS\System32\WindowsPowerShell\PaltoShell-GUI.ps1:121 char:5
+     [xml]$global:result = $WebClient.DownloadString($query_url)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
L2 Linker

Re: Check GlobalProtect VPN users with PowerShell GUI

You might not have the correct API permissions on the firewall. I have not had a chance to pinpoint exactly what permissions are needed as I have superuser rights, and no lower account to test with.

You can create custom admin roles and grant API permissions under Device > Admin Roles. You would then tie this role to your administrative account.
