User ID Mapping Directly to Firewalls

Reply
Not applicable

User ID Mapping Directly to Firewalls

Good afternoon,

Previously we used the PAN-UID perl module to update User ID Agents running on servers, which would in turn update the firewalls.

With version 5.0, there is not this capability:

2.9 User-ID mapping

Beginning with PAN-OS 5.0.0, you can apply User-ID mapping information directly to the firewall using the API with the type=user-id parameter.


Has anyone implemented this?  Can you provide any examples?  The documentation is kind of limited & we are having a lot of trouble with the UserID Agents having memory leaks and not working.


Thanks for your help.



Kevin


Accepted Solutions
L5 Sessionator

Following Document shows how to :

How to Add User-IP Mapping to Firewall using API on PAN-OS 5.0

https://live.paloaltonetworks.com/docs/DOC-4348

-Ameya

View solution in original post


All Replies
L6 Presenter

You mean something like this?

L5 Sessionator

Following Document shows how to :

How to Add User-IP Mapping to Firewall using API on PAN-OS 5.0

https://live.paloaltonetworks.com/docs/DOC-4348

-Ameya

View solution in original post

Not applicable

No, I have already implemented this.  I mean connecting directly to the firewall API, not through a UID agent.

Thanks.

Not applicable

Exactly what I am looking for, thanks!

L0 Member

We have been attempting to make this request through the API but get a Invalid Credentials.  We setup an admin account with API access and get a Key back.

When we try to post the key and the new User-ID mapping we get Invalid Credentials.  Anyone have a snippet of the post or ssl code in vb/c# ?

string strSandbox = "https://10.10.10.10/api/?type=user-id&key=" + key + "&action=set&vsys=vsys1"; ;

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(strSandbox);

req.Method = "POST";

        req.ContentType = "application/x-www-form-urlencoded";

        byte[] param = Request.BinaryRead(HttpContext.Current.Request.ContentLength);

StringBuilder requestContent = new StringBuilder();

        requestContent.Append("<uid-message>");

        requestContent.Append("<version>1.0</version>");

        requestContent.Append("<type>update</type>");

        requestContent.Append("<payload>");

        requestContent.Append("<login>");

        requestContent.Append("<entry name=\"domain\\" + LoginUser.UserName.ToLower() + "\" ip=\"" + SIP.Text + "\"/>");

        requestContent.Append("</login>");

        requestContent.Append("</payload>");

        requestContent.Append("</uid-message>");

strRequest += "&cmd=" + requestContent;

        req.ContentLength = strRequest.Length;

        ServicePointManager.ServerCertificateValidationCallback = delegate(object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) { return true; };

        //Send the request

        StreamWriter streamOut = new StreamWriter(req.GetRequestStream(), System.Text.Encoding.ASCII);

        streamOut.Write(strRequest);

        streamOut.Close();

        StreamReader streamIn = new StreamReader(req.GetResponse().GetResponseStream());

        string strResponse = streamIn.ReadToEnd();

        streamIn.Close();

L5 Sessionator

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!