11-15-2019 04:25 AM
Hi,
We have a use case where, upon detection of a session with an unknown userID, we'd like the Palo firewall to interrogate an external service via REST API for the UserID/IP address mapping.
I appreciate the normal way is to prepopulate the Palo or UserID Agent servers with data from external sources, but this is not possible in this case.
Any ideas?
Thanks.
11-15-2019 06:43 AM
I don't know of any method via CLI to add static mappings, this really defeats the object...
So no CLI, then no API.
Would you not be better off interrogating the IP mapping via SSH or similar and then importing this to a server that the User-ID agent can itself interrogate, or is this also part of the problem?
11-25-2019 01:09 AM
Thanks for your reply MickBall.
I'm not concerned with the CLI especially. I just want the firewall to send a query to an external source for UserID/IP address mapping when a new session from an 'unknown user' is presented.
The external source is not static and will be constantly updating with new UserID/IP address mappings.
11-25-2019 01:22 AM
NP.
Of course. I understand...
Would you not be better off posting a similar request in the automation/API discussions area?
BTW, exactly what server are you looking to interrogate?
11-25-2019 01:31 AM
"would you not be better off posting a similar request in the automation/API discussions area."
- Yes, almost definitely! 🙂
I'll see if an admin can move it for me.
It's a DDI server, used for IPAM/DHCP, that I want to interrogate.
11-26-2019 01:09 PM
I think you're underestimating the potential query volume this could generate. Even a PA-220 is rated for 4200 CPS.
If your IPAM solution has APIs available to query user -> IP assignment, I'd periodically query the DB and use the User-ID API to create IP-User mappings on the firewall with that information.
11-26-2019 02:06 PM
Hello,
So when you say external, are you referring to external to the PAN or your environment? Seems that User-ID would be the best option if these sessions are internal.
Perhaps I misunderstood your request?
Regards,
11-26-2019 08:02 PM
The firewall itself directly isn't going to be able to do this, but it is something that could be scripted. You simply need to generate an HTTP call whenever an unknown user is identified in the traffic log that you can grab the source from. The script would need to take that source and query the external service for the user-id information. That information would then need to be fed back to the API so that the firewall can update its user-id database with the user from the external source.
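The scripted flow described in the replies above, as an added example that is not part of the original thread or any vendor code: source IPs pulled from unknown-user traffic log entries are validated, looked up once per retry window to keep the query volume raised earlier in the thread under control, and turned into a User-ID XML API login message. The class name, the `lookup` callable standing in for the IPAM/DDI query, the served networks and the retry window are all assumptions; sending the message to the firewall is left out.

```python
import ipaddress
import time
import xml.etree.ElementTree as ET


class UnknownUserResolver:
    """Resolve unknown-user source IPs and build a User-ID login message."""

    def __init__(self, lookup, served_nets, retry_after=300, timeout_min=60):
        self.lookup = lookup            # assumed callable: ip string -> username or None
        self.nets = [ipaddress.ip_network(n) for n in served_nets]
        self.retry_after = retry_after  # seconds before the same IP is queried again
        self.timeout_min = timeout_min  # lifetime of the mapping on the firewall
        self._asked = {}                # ip -> time of the last external lookup

    def resolve(self, source_ips, now=None):
        """Return {ip: user} for IPs that passed validation and were resolved."""
        now = time.monotonic() if now is None else now
        found = {}
        for raw in source_ips:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue                # malformed log field, never forwarded
            if not any(ip in net for net in self.nets):
                continue                # outside the ranges the IPAM serves
            key = str(ip)
            if key in self._asked and now - self._asked[key] < self.retry_after:
                continue                # asked recently: caps external query volume
            self._asked[key] = now
            user = self.lookup(key)
            if user:
                found[key] = user
        return found

    def uid_message(self, mappings):
        """Serialise mappings as a uid-message; ElementTree escapes attribute values."""
        root = ET.Element("uid-message")
        ET.SubElement(root, "version").text = "1.0"
        ET.SubElement(root, "type").text = "update"
        login = ET.SubElement(ET.SubElement(root, "payload"), "login")
        for ip, user in sorted(mappings.items()):
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(self.timeout_min))
        return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    leases = {"10.1.1.5": "corp\\jsmith"}          # constructed IPAM data
    r = UnknownUserResolver(leases.get, ["10.1.0.0/16"])
    print(r.uid_message(r.resolve(["10.1.1.5", "10.1.1.5", "bad", "192.0.2.7"])))
```

Failed lookups are remembered as well, so an address the IPAM cannot name is not queried again on every new session.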