Delete user out of the user agent via API

L2 Linker

Hi.

I would like to delete a specific user out of the User-ID agent cache via the XML API. Is it possible to do this when the IP-user mapping was done by the agent itself (getting the user via DC or Exchange login)? I enabled the User-ID XML API on the agent and send it this string:

<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <logout><entry ip="x.x.x.x" name="domainY\userZ"></entry></logout>
  </payload>
</uid-message>

Here is the response (looks good):

<uid-response><version>1.0</version><code>0</code><message>ok</message></uid-response>

But in the log of the User-ID agent I found this entry, and the user is still in the agent and also in the firewall user cache.

05/16/13 10:04:20:787[Debug  374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.

show user ip-user-mapping ip x.x.x.x

IP address:   x.x.x.x (vsys1)
User:         domainY\userZ
From:         UIA
Idle Timeout: 2658s
Max. TTL:     2658s

Does anyone have a hint what I am doing wrong?

Regards, Markus

L3 Networker

Script looks fine, I have an explicit logoff like this in place with 4.1.x and 5.0.x. The only difference I have is in ip & name order; in my script it is exchanged:

<logout><entry name="domainY\user" ip="x.x.x.x"></entry></logout>


If you still have the user in the "show user ip-user-mapping all" list, this means that the user is still present somewhere in User-ID. Please verify the User-ID logs when logging off; you should have logs like these, where X.X.X.X are private IPs:


New xml api connection X.X.X.X : 56522:2010737129.
XML api thread 0 from X.X.X.X : 56522 is started.
Event: type="XML API connection" name="X.X.X.X" status="Connected"
Device thread 0 send server status X.X.X.X : 56522 Connected (XML API)
XML api thread 0 accept finished
XML api thread 0 SSL no certificate
Reading 2 security logs takes 0 ms for DC domain.local.
XML API IP 192.168.1.11(name DOMAIN\user) logoff.
Event: type="XML API connection" name="X.X.X.X" status="Disconnected"
XML api thread 0 exits.
XML api connection X.X.X.X : 56522 closed.
All XML api connection stopped!

L2 Linker

Hi NGS,

I tried it with the switched order of name and ip already, but without any success. The User-ID agent has version 5.0.4-5 and the firewall is running PAN-OS 5.0.3.

Regards, Markus

L3 Networker

Hi, below I attached an example of a vbs script I used in order to obtain explicit login/logout from the network client; try to see if it works for you. Simply modify the User-ID agent address and port. Once launched, the script is able to grab domain\user from the local machine and set the PA login, or the logout.

Dropbox - Login-Logout-API.zip

I also use a similar login\logout script integrated with 802.1X wifi enterprise (Aerohive vendor). If the user is still present, there is surely something that keeps the user connection alive.

Also with a 5.0.x infrastructure you can talk to PAN-OS directly using a URL like this, without the User-ID agent broker:

https://<Firewall-IPaddress>/api/?type=user-id&key=<Key Value>&action=set&vsys=vsys1&cmd=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="pan\sam1" ip="<Client-IPaddress>"/></login></payload></uid-message>

L2 Linker

Hi NGS,

thank you very much. I will try it.

Regards, Markus

L2 Linker

Hi NGS,

I was able to test your script (good job by the way). But also with your script it did not work. I get the same error in the User-ID agent log.

[Debug  374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.


Regards, Markus

L3 Networker

[Debug  374]: XML API IP x.x.x.x(name domainY\userZ) logoff but entry not existed.

It seems that domainY\userZ was not previously inserted, maybe not in that form. Via show user ip-user-mapping all, are you sure you see domainY\userZ? Maybe it is like domainY.com\userZ, and that is a different string, which caused me some trouble in the past.

L2 Linker

Hi, this is not the problem. It looks like the problem is that the information is collected by the user agent itself and not via the xml api.

L2 Linker

Hi community.

Does anyone know if it is possible to overwrite the ip-user-mapping collected by the user agent via the xml-api?

It looks like it is not possible to log out the user via the xml-api when the information was collected by the user agent. When I send a login via the xml-api before the logout, it seems to be ok.

Regards, Markus
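A working version of what the posts above describe, assembled here as an added example (it is not the VBS script from the thread and not Palo Alto Networks code): it builds the <uid-message> Markus sent to the agent, wraps it in the /api/?type=user-id call NGS posted for talking to PAN-OS 5.0.x directly, parses the firewall's <response status="..."> document, and implements the login-then-logout sequence that Markus found clears an agent-learned mapping. The host name, API key, user name and address are placeholders. Two caveats apply: the agent's <code>0</code><message>ok</message> reply does not mean the entry was removed (the agent logged "logoff but entry not existed" and kept it), so verify with show user ip-user-mapping ip afterwards; and the layout of the firewall's response element assumed in parse_api_response is an assumption about the PAN-OS API, not something shown in the thread.

```python
"""User-ID XML API helper: build login/logout <uid-message> documents and send
them to a PAN-OS firewall (the same message body is what a User-ID agent's
XML API accepts).

Added example for this thread, not code from the original posts or from Palo
Alto Networks. Host, API key, user and IP values below are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), logouts=()):
    """Return a <uid-message> of type 'update' as a string.

    logins / logouts are iterables of (name, ip) pairs. Building the document
    with ElementTree escapes characters such as '&' or '"' in user names, which
    a hand-pasted string in a URL does not.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, entries in (("login", logins), ("logout", logouts)):
        entries = list(entries)
        if entries:
            section = ET.SubElement(payload, tag)
            for name, ip in entries:
                ET.SubElement(section, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode")


def uid_entries(uid_message):
    """Parse a <uid-message> back into {'login': [(name, ip)], 'logout': [...]}.

    Useful for comparing what a script actually sent with what the agent logged
    (e.g. domainY\\userZ versus domainY.com\\userZ).
    """
    root = ET.fromstring(uid_message)
    return {
        tag: [(e.get("name"), e.get("ip")) for e in root.findall(f"./payload/{tag}/entry")]
        for tag in ("login", "logout")
    }


def build_api_query(api_key, uid_message, vsys="vsys1"):
    """URL-encoded parameters for https://<firewall>/api/?type=user-id.

    The same string works as the GET query shown in the thread or as a POST
    body; POST keeps the API key out of proxy and web-server access logs.
    """
    return urllib.parse.urlencode({
        "type": "user-id",
        "action": "set",
        "key": api_key,
        "vsys": vsys,
        "cmd": uid_message,
    })


def parse_api_response(body):
    """Return (status, text) from a PAN-OS <response status="..."> document.

    Assumed format: status is 'success' or 'error'; text is the concatenated
    <result> or <msg> text so an error line is visible to the caller.
    """
    root = ET.fromstring(body)
    text = " ".join(t.strip() for t in root.itertext() if t.strip())
    return root.get("status", ""), text


def send_uid_message(host, api_key, uid_message, vsys="vsys1", verify_tls=True):
    """POST one uid-message to the firewall and return (status, text).

    verify_tls=False is only for lab boxes with self-signed certificates; the
    request carries the API key, so do not disable verification in production.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = build_api_query(api_key, uid_message, vsys).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_api_response(resp.read())


def force_logout(host, api_key, name, ip, vsys="vsys1", verify_tls=True):
    """Log out a mapping the agent learned itself (From: UIA).

    Follows the workaround observed in the thread, not documented behaviour:
    a logout alone returns 'ok' but leaves the agent-learned entry untouched,
    while a login via the XML API followed by a logout removes it.
    Returns the two (status, text) responses.
    """
    login = build_uid_message(logins=[(name, ip)])
    logout = build_uid_message(logouts=[(name, ip)])
    return [send_uid_message(host, api_key, m, vsys, verify_tls) for m in (login, logout)]


if __name__ == "__main__":
    # Placeholder values; replace with a real firewall, API key and user.
    for status, text in force_logout("firewall.example.net", "API_KEY_HERE",
                                     "domainY\\userZ", "192.0.2.10"):
        print(status, text)
```

Run it against a lab firewall first and confirm with show user ip-user-mapping ip that the entry is gone; a 'success' from the API only means the message was accepted, not that the mapping state changed.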
