03-03-2022 09:13 AM - edited 03-03-2022 09:13 AM
I am trying to disconnect a global protect user on our gateway via the API. I have tested using the API browser and via a CURL command, but no matter what syntax or variation of the username I use, I get the message Remote-VPN-Gateway-N joe.bloggs Invalid user name. Below is the syntax I am using with the XML API based on the documentation. Am I missing something fundamental, or have I hit a bug in the API?
The PANOS version I am running is 9.1.12-h3.
<request>
<global-protect-gateway>
<client-logout>
<gateway>Remote-VPN-gateway-N</gateway>
<user>joe.bloggs</user>
<reason>force-logout</reason>
</client-logout>
</global-protect-gateway>
</request>
03-03-2022 05:16 PM
Hi @Jamesy ,
Wow! The solution is not in the example here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-m..., but it is in the response.
You need to add the <domain></domain> parameter. https://live.paloaltonetworks.com/t5/automation-api-discussions/why-can-my-api-call-show-globalprote...
I have tested this with Postman, and it works! Without the domain, I get the same error as you. Perhaps we both have logged in with AD accounts. My Primary Username under Network > GlobalProtect > Gateways > Remote Users is domain\username. I guess that parameter is required if a domain exists.
Thanks,
Tom
03-04-2022 01:24 AM
Hi Tom,
Thanks for the reply. I found this article yesterday evening and tried it, but the result is the same, I'm afraid.
No matter what combination of parameters and no matter the order I place them in, I get the same message. My primary usernames are listed as firstname.surname@domain.com which I have tried also.
My new syntax including the domain is below and the error message I get is:
Remote-Gateway-N domain.com joe.bloggs Invalid user name
<request><global-protect-gateway><client-logout><domain>domain.com</domain><gateway>Remote-Gateway-N</gateway><user>joe.bloggs</user></client-logout></global-protect-gateway></request>
03-04-2022 06:37 AM
Hi @Jamesy ,
This is the cmd= that worked for me.
<request><global-protect-gateway><client-logout><gateway>Gateway-Name-N</gateway><domain>Domain</domain><user>Username</user><reason>force-logout</reason><computer>Computer-Name</computer></client-logout></global-protect-gateway></request>
Thanks,
Tom
03-04-2022 07:02 AM
Hi Tom,
I had tried this variation of the command, but it was the same. I did manage to get it working.
I ran a show command to verify what was being returned, and I noticed that the computer name was in upper case, so I added that, and it worked. The error message, despite mentioning invalid username, has actually nothing to do with the username.
I verified by running again with one letter in lower case as well as a variation with the domain parameter removed, and it failed each time with the invalid username error.
So it seems, the gateway name (including the -N), the username (mine was in email format user.name@domain.com) and the computer name are all mandatory case-sensitive params.
I don't think the order of these params is important.
Thanks for the help.
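The lookup-then-logout procedure from the post above, as an added example that is not part of the original thread or any Palo Alto code: it reads the exact-case username, domain and computer name out of a show response and builds the client-logout `cmd` from them. The function names, the sample response and the response element names (`username`, `domain`, `computer`) are assumptions; check the element names against your own gateway's show output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Constructed sample of a gateway "show current users" reply. The element
# names (username, domain, computer) are an assumption about the layout.
SAMPLE_SHOW_RESPONSE = """<response status="success"><result>
  <entry><username>Joe.Bloggs@domain.com</username><domain>domain.com</domain>
         <computer>LAPTOP-0042</computer></entry>
  <entry><username>ann.other@domain.com</username><domain>domain.com</domain>
         <computer>DESKTOP-0007</computer></entry>
</result></response>"""


def find_sessions(show_xml, user):
    """Return sessions whose username matches `user`, ignoring case."""
    sessions = []
    for entry in ET.fromstring(show_xml).iter("entry"):
        name = (entry.findtext("username") or "").strip()
        if name.lower() == user.lower():
            sessions.append({
                "user": name,  # exact case as the gateway reports it
                "domain": (entry.findtext("domain") or "").strip(),
                "computer": (entry.findtext("computer") or "").strip(),
            })
    return sessions


def build_logout_cmd(gateway, session, reason="force-logout"):
    """Build the client-logout cmd from the gateway's own exact-case values."""
    if not gateway or not session.get("user") or not session.get("computer"):
        raise ValueError("gateway, user and computer are all mandatory")
    parts = [f"<gateway>{escape(gateway)}</gateway>"]
    if session.get("domain"):  # include the domain whenever the session has one
        parts.append(f"<domain>{escape(session['domain'])}</domain>")
    parts += [f"<user>{escape(session['user'])}</user>",
              f"<reason>{escape(reason)}</reason>",
              f"<computer>{escape(session['computer'])}</computer>"]
    return ("<request><global-protect-gateway><client-logout>" + "".join(parts) +
            "</client-logout></global-protect-gateway></request>")


def logout_query(gateway, session):
    """URL-encoded type=op query string; the API key is supplied separately."""
    return urlencode({"type": "op", "cmd": build_logout_cmd(gateway, session)})
```

The operator can type the username in any case; the values sent to the gateway are always the ones it reported, which avoids the misleading "Invalid user name" failure caused by a case mismatch in the computer name.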
08-10-2024 08:32 AM
The necessary fields to disconnect a user are the gateway name (including the -N), the username, and the computer name; these are mandatory and must be included. You cannot use just the username.
This is described in the documentation at the following link (step 2), but it does not clarify that it is truly mandatory.