05-16-2013 01:29 AM
Hi.
I would like to delete a specific user out of the user agent cache via the XML API. Is it possible to do this when the IP-user mapping was done by the agent itself (getting the user via DC or Exchange login)? I enabled the User-ID XML API on the agent and sent it this string:
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<logout><entry ip="x.x.x.x" name="domainY\userZ"></entry></logout>
</payload>
</uid-message>
Here is the response (looks good):
<uid-response><version>1.0</version><code>0</code><message>ok</message></uid-response>
But in the log of the user agent I found this entry and the user is still in the user agent and also in the firewall user cache.
05/16/13 10:04:20:787[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.
show user ip-user-mapping ip x.x.x.x
IP address: x.x.x.x (vsys1)
User: domainY\userZ
From: UIA
Idle Timeout: 2658s
Max. TTL: 2658s
Does anyone have a hint what I am doing wrong?
Regards, Markus
05-17-2013 02:52 AM
Script looks fine, I have an explicit logoff like this in place with 4.1.x and 5.0.x. The only difference I have is in the ip and name order; in my script it is exchanged:
<logout><entry name="domainY\user" ip="x.x.x.x"></entry></logout>
If you still have the user in the "show user ip-user-mapping all" list, this means that the user is still present somewhere and in the User-ID. Please verify the User-ID logs when logging off; you should have logs like these, where X.X.X.X are private IPs:
New xml api connection X.X.X.X : 56522:2010737129.
XML api thread 0 from X.X.X.X : 56522 is started.
Event: type="XML API connection" name="X.X.X.X" status="Connected"
Device thread 0 send server status X.X.X.X : 56522 Connected (XML API)
XML api thread 0 accept finished
XML api thread 0 SSL no certificate
Reading 2 security logs takes 0 ms for DC domain.local.
XML API IP 192.168.1.11(name DOMAIN\user) logoff.
Event: type="XML API connection" name="X.X.X.X" status="Disconnected"
XML api thread 0 exits.
XML api connection X.X.X.X : 56522 closed.
All XML api connection stopped!
05-17-2013 05:35 AM
Hi NGS,
I tried it with the order of the name and ip switched already, but without any success. The user agent has version 5.0.4-5 and the firewall is running PAN-OS 5.0.3.
Regards, Markus
05-17-2013 08:02 AM
Hi, below I attached an example of a VBS script I used in order to obtain an explicit login/logout from the network client; try to see if it works for you. Simply modify the User-ID agent address and port. Once launched, the script is able to grab domain\user from the local machine and set the PA login, or the logout.
Dropbox - Login-Logout-API.zip
I also use a similar login\logout script integrated with 802.1X enterprise wifi (Aerohive vendor). If the user is still present, there is surely something that keeps the user connection alive.
Also, with a 5.0.x infrastructure you can talk to PAN-OS directly using a URL like this, without the User-ID agent broker:
https://<Firewall-IPaddress>/api/?type=user-id&key=<Key Value>&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="pan\sam1" ip="<Client-IPaddress>"/></login></payload></uid-message>
05-20-2013 11:43 PM
Hi NGS,
thank you very much. I will try it.
Regards, Markus
05-22-2013 02:29 AM
Hi NGS,
I was able to test your script (good job by the way). But also with your script it did not work. I get the same error in the user agent log.
[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.
Regards, Markus
05-22-2013 12:26 PM
[Debug 374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.
It seems that domainY\userZ was not previously inserted, maybe not in that form. Via "show user ip-user-mapping all", are you sure you see domainY\userZ? Maybe it is like domainY.com\userZ, and this is a different string that caused me some trouble in the past.
05-23-2013 01:53 AM
Hi, this is not the problem. It looks like the problem is that the information is collected via the user agent itself and not via the XML API.
05-27-2013 08:23 AM
Hi community.
Does anyone know if it is possible to overwrite the ip-user-mapping collected by the user agent via the xml-api?
It looks like it is not possible to log out the user via the XML API when the information was collected by the user agent. When I send a login via the XML API before the logout, it seems to be OK.
Regards, Markus
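As an added example, not code from the thread or from Palo Alto Networks: a small Python helper that builds the uid-message login/logout payloads used throughout this thread, including the login-then-logout order Markus reports as working and the direct-to-firewall URL form NGS posted. The hostname, API key and addresses are placeholders, and nothing is sent over the network.

```python
# Added example (not code from the thread or from Palo Alto Networks): build the
# PAN-OS User-ID <uid-message> payloads discussed above, the login-then-logout
# sequence Markus reports as working, and the direct firewall URL form NGS
# posted. Nothing is sent; host, key and addresses are placeholders.
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

def uid_message(action, entries):
    """Return a <uid-message> with a <login> or <logout> block.

    entries: (name, ip) pairs such as ("domainY\\userZ", "x.x.x.x"). Attribute
    order is irrelevant to an XML parser, so swapping ip/name, as tried in the
    thread, changes nothing.
    """
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for name, ip in entries:
        ET.SubElement(block, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode")

def logout_sequence(name, ip):
    """Messages to send in order: the login first, then the logout. A logout
    alone against an agent-learned mapping produced the agent's debug line
    'logoff but entry not existed' in the thread."""
    return [uid_message("login", [(name, ip)]),
            uid_message("logout", [(name, ip)])]

def firewall_api_url(host, api_key, message, vsys="vsys1"):
    """Direct PAN-OS form (type=user-id&action=set), bypassing the agent."""
    params = {"type": "user-id", "key": api_key, "action": "set",
              "vsys": vsys, "cmd": message}
    return "https://%s/api/?%s" % (host, urlencode(params))

def response_ok(xml_text):
    """True when a <uid-response> carries code 0 (the 'ok' reply seen above).
    Code 0 does not prove the mapping was removed; verify with
    'show user ip-user-mapping ip <addr>' as Markus did."""
    root = ET.fromstring(xml_text)
    return root.tag == "uid-response" and root.findtext("code") == "0"

if __name__ == "__main__":
    for msg in logout_sequence("domainY\\userZ", "x.x.x.x"):
        print(msg)
```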