This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About jgrote
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About jgrote
03-13-2017
5Posts
2Likes
0Solutions
Mar 13, 2017Last Visited
User
Activity
User
Profile
Latest posts by jgrote
| Subject | Views | Posted |
|---|---|---|
| 578 | 01-03-2017 05:05 PM | |
| 3672 | 12-22-2016 08:38 AM | |
| 3684 | 12-21-2016 02:31 PM | |
| 7428 | 12-21-2016 12:21 PM | |
| 3693 | 12-21-2016 12:18 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 12-21-2016 12:21 PM | |
| 1 Like | 12-21-2016 02:31 PM |
User Badges
Community Statistics
| Member Since | 12-21-2016 12:07 PM |
| Date Last Visited | 03-13-2017 01:23 PM |
| Posts | 5 |
| Total Likes Received | 2 |
01-03-2017
05:05 PM
Hello, I'm working on a Powershell module to interact with the XML API. I can get the syntax for the various commands just fine via the API browser and CLI/GUI debug, however I was wondering if there is a command or some way to get something like a WSDL file or XML document that defines all the command combinations and their syntax that I could parse so I don't have to hard-code in validations such as what kind of actions and request types there are? If there isn't, I was thinking of maybe writing something that crawls the API browser and returns the info, but that's a really heavy discovery that would take forever to run and prone to breakage if the HTML format ever changes, but I'd really prefer to have something like https://mypaloalto.device/api/help?format=xml or something that would dump all the commands and their parameter combinations into something I could parse. Does anyone know if something like this exists? I couldn't find it anywhere in the documentation. Thanks.
... View more
12-22-2016
08:38 AM
Yeah that's my next step, just wanted to chime in here to make sure I'm not missing something obvious. I'll open a ticket and report back.
... View more
12-21-2016
02:31 PM
1 Kudo
Problem is you still have to add them on an individually named basis to the administrators list. Here's an example of trying to do it your way with a member of the group but not having the person explicity added as an administrator (auth.log dump): 2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1639): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 1, body length 2156
2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1662): Trying to authenticate: <profile: "", vsys: "", username "t-jgrote">
2016-12-21 14:26:44.392 -0800 debug: _get_auth_prof_detail(pan_auth_util.c:925): "t-jgrote" is an admin user
2016-12-21 14:26:44.409 -0800 Error: pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:222): No default auth profile found for username t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile_by_name(pan_auth_util.c:501): No admin auth prof found with the name t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile(pan_auth_util.c:546): No auth prof/vsys is found for admin user "t-jgrote"
2016-12-21 14:26:44.409 -0800 Error: pan_get_authprofile_n_setting(pan_auth_util.c:1014): Failed to get authentication profile for admin t-jgrote
2016-12-21 14:26:44.409 -0800 Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:246): Admin user "t-jgrote" home dir "/opt/pancfg/home/t-jgrote" has NOT created yet
2016-12-21 14:26:44.409 -0800 Error: pan_auth_send_auth_resp(pan_auth_server.c:389): pan_set_admin_user_stat("t-jgrote", False)
2016-12-21 14:26:44.409 -0800 failed authentication for user 't-jgrote'. vsys 'shared', From: <REDACTED>.
2016-12-21 14:26:44.409 -0800 debug: _log_auth_respone(pan_auth_server.c:243): Sent FAILED auth response for user 't-jgrote' (exp_in_days=-1 (-1 never; 0 within a day))
2016-12-21 14:26:44.409 -0800 Error: pan_auth_request_process(pan_auth_state_engine.c:1713): Failed to get authentication profile
2016-12-21 14:26:44.409 -0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn If I add him to administrators with the auth profile specified then it works fine. So that just filters who the profile applies to, but it appears they still have to be manually set up in "Administrators". I suppose if I have to I could automate the process with a periodic powershell script that gets the group members and then updates the administrators table via the API, but I'd rather this be "native" if possible. Looking for guidance, I can't imagine this is a terribly unusual request especially in larger organizations. EDIT: Also I'm looking to do this in Panorama, but if its doable at the individual PANOS level that is worth looking at.
... View more
12-21-2016
12:21 PM
1 Kudo
Azure AD Domain Services is now GA, so if you're willing to pay for it, you could do LDAP auth against that: https://azure.microsoft.com/en-us/services/active-directory-ds/ But you can't do transparent UserID because you have no "domain controller" to read events from.
... View more
12-21-2016
12:18 PM
Hello, We have an environment with several adminstrators from a rotating NOC. With the current LDAP method to my understanding we have to manually add the administrator name to the PA administrators list before login will work (e.g. jdoe). We would like to be able to tie it to an AD group (e.g. "Firewall Admins") so anyone who is a member of that group will get access with no further configuration. This is possible in pretty much all other systems we work with (Cisco ASA, etc.) My research has led that this isn't possible with LDAP but might be possible with RADIUS/NPS and attributes (which I'm comfortable with setting up) Before I go to the trouble, do I still have to manually add named administrators to the firewall config with the RADIUS setup, or will they be autocreated? (e.g. if I log in as "jdoe" to the firewall and have never logged in before or added him as an administrator, as long as he is a member of "Firewall Admins" he will get access to the firewall with the access class defined in his RADIUS attribute)? Thanks for any assistance.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-13-2017
01:23 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks