Check GlobalProtect VPN users with PowerShell GUI

L2 Linker

I wrote a simple PowerShell GUI script that can check for GlobalProtect VPN users connected currently, or at a past date.

It uses the REST API to grab the information. Not sure if anyone would find it useful.

Here is the Github link: https://github.com/marcusit/PaltoShell

 


 

15 REPLIES 15

L1 Bithead

Thank you for building this. I get an error after I try and generate the API key: 'The remote name could not be resolved'.

 

I tried both the hostname and IP for the variable in the script but still get this same error. Any ideas on what I may be missing? I do get prompted for authentication, could it be an authentication issue?

I noticed that I had left a static variable in the function to generate a new API key (line 82).

I updated the code on GitHub, so if you download the script again it should work for you now.

 

The authentication comes from the script itself; it stores the credentials in a variable that it then passes to the firewall to be able to generate the API key.

Thanks for the quick update. Now I seem to be getting - 

 

 

Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
+   [xml]$get_api_key = $KeyClient.DownloadString($key_url)

 

Are you running PowerShell version 4 or higher? You can check by running "$psversiontable.PSVersion" in PowerShell.

You would also need Microsoft .NET Framework. Not sure on version, but it works with 4.6.01590.

Yes. Version 5 and .NET 4.6

To me this sounds like the TLS version does not match or the server/client where you run the script does not trust the firewall certificate. As far as I know, by default PowerShell only connects to trusted certs, and I am sure that by default TLS1.0 (and only 1.0) is used.

 

By adding this line you can force TLS1.2:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;


@Remo wrote:

To me this sounds like the TLS version does not match or the server/client where you run the script does not trust the firewall certificate. As far as I know, by default PowerShell only connects to trusted certs, and I am sure that by default TLS1.0 (and only 1.0) is used.

 

By adding this line you can force TLS1.2:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

This might be correct. You can check for cert errors by going to the firewall GUI and see if you receive a cert warning. 

You can do some testing by just running this code snippet:

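  # Replace with your firewall's hostname or IP
  $fw_hostname = "Your firewall hostname or IP here"
  # Prompt for the password and extract it as plain text for the request
  $pass = Get-Credential -Credential $env:userdomain\$env:username
  $plainpass = $pass.GetNetworkCredential().Password
  # URL-encode the credentials so special characters do not break the query string
  $key_url = "https://"+$fw_hostname+"/api/?type=keygen&user="+[uri]::EscapeDataString($env:username)+"&password="+[uri]::EscapeDataString($plainpass)
  $KeyClient = New-Object System.Net.WebClient
  $KeyClient.DownloadString($key_url)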

Be sure to change the first line. You should get text output similar to below:

<response status = 'success'><result><key>YOUR API KEY</key></result></response>

 

Finally you can test it in a browser too, to make sure you are able to generate an API key:

https://<FIREWALL HOSTNAME OR IP>/api/?type=keygen&user=<YOUR FW USERNAME>&password=<YOUR FW PASSWORD>
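
An added example (not part of the thread or of the PaltoShell script) of the keygen test above: it enables TLS 1.2 without switching off other protocols, sends the credentials in a POST body so the password stays out of the URL, and checks the response status before using the key. The function names and the `fw.example.internal` hostname are hypothetical, and it assumes the firewall accepts the keygen parameters as a form-encoded POST.

```powershell
# Added example: function names and hostname are hypothetical.
# Allow TLS 1.2 in addition to whatever the .NET default already permits.
[System.Net.ServicePointManager]::SecurityProtocol =
    [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12

function ConvertFrom-KeygenResponse {
    # Parse the keygen XML and return the key, or throw on a non-success status.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    if ($doc.response.status -ne 'success') {
        throw "keygen failed: status='$($doc.response.status)' $($doc.response.InnerText)"
    }
    return $doc.response.result.key
}

function Get-FirewallApiKey {
    # Assumption: the firewall accepts the keygen parameters as a form-encoded POST body.
    param(
        [Parameter(Mandatory)][string]$FwHostname,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $net  = $Credential.GetNetworkCredential()
    $form = New-Object System.Collections.Specialized.NameValueCollection
    $form.Add('type', 'keygen')
    $form.Add('user', $net.UserName)
    $form.Add('password', $net.Password)
    $client = New-Object System.Net.WebClient
    try {
        # UploadValues sends application/x-www-form-urlencoded and encodes the values.
        $bytes = $client.UploadValues("https://$FwHostname/api/", 'POST', $form)
        return ConvertFrom-KeygenResponse ([System.Text.Encoding]::UTF8.GetString($bytes))
    } finally {
        $client.Dispose()
    }
}

# Constructed sample responses, so the parser can be exercised offline.
$ok  = "<response status = 'success'><result><key>YOUR API KEY</key></result></response>"
$bad = "<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>"
ConvertFrom-KeygenResponse $ok
try { ConvertFrom-KeygenResponse $bad } catch { Write-Warning $_.Exception.Message }

# Live use (uncomment and set the hostname):
# $key = Get-FirewallApiKey -FwHostname 'fw.example.internal' -Credential (Get-Credential)
```

A certificate that the client does not trust still makes the live call fail, which is the signal to fix trust on the client rather than in the script.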

I really appreciate all of the help. It looks like the TLS fix worked and I am now able to generate the API key.

 

Now I get this when I try and query the users. I am assuming this is a permission thing -

Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (403) Forbidden."
At C:\WINDOWS\System32\WindowsPowerShell\PaltoShell-GUI.ps1:121 char:5
+     [xml]$global:result = $WebClient.DownloadString($query_url)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

You might not have the correct API permissions on the firewall. I have not had a chance to pinpoint exactly what permissions are needed as I have superuser rights, and no lower account to test with.

You can create custom admin roles and grant API permissions under Device > Admin Roles. You would then tie this role to your administrative account.

I seem to be able to do a query with just the "Operational Request" API right (Device > Admin Roles > <custom role> > "XML API" tab). I can't guarantee that more permissions will not be needed.

Able to get it up and running, thank you.

 

I noticed that the tool will only query a specific day - is it possible to select a date and see all users connected from that date until now?

 

Example: enter the date 2/1/18 and see all users that connected to GP from then until now with date/time stamps associated? Similar to what you see when you view the Monitor logs on the firewall, but just with the username and timestamp?

Try using the "all time" option, and save the results which will create a spreadsheet that you can filter by connection date. I use that myself for reporting on VPN users.

 

I might be able to add that feature in if I get some free cycles.

That's odd - I don't have an All Time option similar to your original screenshot

 


I had added that feature when I took the screenshot but did not actually push it to the git repo.

If you re-download the script the feature will be in. Everything else should be the same.

 

https://github.com/marcusit/PaltoShell

 
