Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Disconnect GlobalProtect user not working via API.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Disconnect GlobalProtect user not working via API.

L2 Linker

I am trying to disconnect a global protect user on our gateway via the API. I have tested using the API browser and via a CURL command, but no matter what syntax or variation of the username I use, I get the message Remote-VPN-Gateway-N joe.bloggs Invalid user name. Below is the syntax I am using with the XML API based on the documentation. Am I missing something fundamental, or have I hit a bug in the API?

 

The PANOS version I am running is 9.1.12-h3.

 

 

<request>
    <global-protect-gateway>
        <client-logout>
            <gateway>Remote-VPN-gateway-N</gateway>
            <user>joe.bloggs</user>
            <reason>force-logout</reason>
        </client-logout>
    </global-protect-gateway>
</request>

 

 

1 accepted solution

Accepted Solutions

Hi Tom,

I had tried this variation of the command, but it was the same. I did manage to get it working.

 

I ran a show command to verify what was being returned, and I noticed that the computer name was in upper case, so I added that, and it worked. The error message, despite mentioning invalid username, has actually nothing to do with the username.

 

I verified by running again with one letter in lower case as well as a variation with the domain parameter removed, and it failed each time with the invalid username error.

 

So it seems, the gateway name (including the -N), the username (mine was in email format user.name@domain.com) and the computer name are all mandatory case-sensitive params.

 

I don't think the order of these params is important.

 

Thanks for the help.

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi @Jamesy ,

 

Wow!  The solution is not in the example here ->  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-m..., but it is in the response.

 

You need to add the <domain></domain> parameter.  https://live.paloaltonetworks.com/t5/automation-api-discussions/why-can-my-api-call-show-globalprote...

 

I have tested this with Postman, and it works!  Without the domain, I get the same error as you.  Perhaps we both have logged in with AD accounts.  My Primary Username under Network > GlobalProtect > Gateways > Remote Users is domain\username.  I guess that parameter is required if a domain exists.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

Thanks for the reply. I found this article yesterday evening and tried it, but the result is the same, I'm afraid.
No matter what combination of parameters and no matter the order I place them in, I get the same message. My primary usernames are listed as firstname.surname@domain.com which I have tried also.

My new syntax including the domain is below and the error message I get is:
Remote-Gateway-N domain.com joe.bloggs Invalid user name

 

<request><global-protect-gateway><client-logout><domain>domain.com</domain><gateway>Remote-Gateway-N</gateway><user>joe.bloggs</user></client-logout></global-protect-gateway></request>

 

 

Cyber Elite
Cyber Elite

Hi @Jamesy ,

 

This is the cmd= that worked for me.

 

<request><global-protect-gateway><client-logout><gateway>Gateway-Name-N</gateway><domain>Domain</domain><user>Username</user><reason>force-logout</reason><computer>Computer-Name</computer></client-logout></global-protect-gateway></request>

 

  1. The computer may be required.  I got that from the example in the doc.  Maybe add it?
  2. My domain is displayed as domain/username.  So, no .com was needed.  Maybe try without?
  3. I don't know if order is important.  Maybe try the exact order?

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

I had tried this variation of the command, but it was the same. I did manage to get it working.

 

I ran a show command to verify what was being returned, and I noticed that the computer name was in upper case, so I added that, and it worked. The error message, despite mentioning invalid username, has actually nothing to do with the username.

 

I verified by running again with one letter in lower case as well as a variation with the domain parameter removed, and it failed each time with the invalid username error.

 

So it seems, the gateway name (including the -N), the username (mine was in email format user.name@domain.com) and the computer name are all mandatory case-sensitive params.

 

I don't think the order of these params is important.

 

Thanks for the help.

L0 Member

The necessary fields to disconnect a user are the gateway name (including the -N), the username, and the computer name; these are mandatory and must be included. You cannot use just the username.

This is described in the documentation at the following link (step 2), but it does not clarify that it is truly mandatory.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/show-and-...

Customs become laws
  • 1 accepted solution
  • 4364 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!