Apply User-ID Mapping and Populate Dynamic Groups (API)
Use the type=user-id parameter to apply User-ID mapping information directly to the firewall. If you use a third-party VPN solution, or have users connecting to an 802.1X-enabled wireless network, the User-ID API lets you capture those login events and send the resulting IP address-to-username and user-to-group mappings to the User-ID agent or directly to the firewall. Additionally, you can use the API to register IP address-to-tag and user-to-tag information from the input file to populate the members of a dynamic address group or dynamic user group on the firewall.
curl -F key=<apikey> --form file=@<filename> "https://<firewall>/api/?type=user-id"
or
curl --data-urlencode key=<apikey> -d type=user-id --data-urlencode "cmd=<xml-document>" https://<firewall>/api/
In the first form, <filename> is a file containing the uid-message XML document; in the second form, <xml-document> is the same document passed inline as the value of the cmd parameter.
With your User-ID API requests, you can use the following optional parameters:
- vsys=vsys_id—Specify the vsys where you want to apply the User-ID mapping.
- target=serialnumber—Specify the firewall by serial number when redirecting the request through Panorama.
Follow these guidelines when sending User-ID API requests:
- Use a GET request when the URL query is smaller than 2 KB and a POST request when the request is between 2 KB and 5 MB. Do not send a request larger than 5 MB.
- When multiple login or logout events are generated at the same time, follow these guidelines to ensure optimal firewall performance:
  - Design your application to queue events and perform batch API updates instead of sending one request per event or mapping.
  - Limit the number of concurrent API calls to five. The management plane web server handles requests from both the API and the web interface, so this limit prevents API traffic from degrading the web interface. The practical limit varies with the type of request and may be higher for some requests.
- (Panorama-managed firewalls only) The Panorama web interface does not display the IP addresses of a dynamic address group registered through the XML API. To view the registered IP addresses of a DAG populated through the XML API on Panorama, log in to the Panorama CLI and run the following command:
  show object registered-ip all
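The guidelines above are easy to state and easy to violate. The following Python client is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it queues login, logout and tag-registration events, serialises the whole queue into one uid-message document, picks GET or POST from the encoded size (under 2 KB versus up to 5 MB), bounds in-flight requests with a five-slot semaphore, and rejects tag timeouts outside the documented 0 to 2,592,000 second range. The element layout of the uid-message (version, type and a payload holding login, logout, register and register-user entries) is assumed from the User-ID XML schema as I know it and should be confirmed against the schema for your PAN-OS version; the firewall name, API key, users and addresses in the usage are constructed for the example.

```python
"""Queue User-ID events and send them to the PAN-OS XML API in batches.

Added example (not from the PAN-OS documentation). The <uid-message>
layout below is assumed from the User-ID XML schema as I know it;
verify it against the schema for your PAN-OS version.
"""
import threading
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MAX_TIMEOUT = 2_592_000          # 30 days, the documented tag timeout ceiling
GET_LIMIT = 2 * 1024             # GET when the URL query is under 2 KB
POST_LIMIT = 5 * 1024 * 1024     # never send more than 5 MB in one request
MAX_CONCURRENT = 5               # suggested ceiling on concurrent API calls


def check_timeout(timeout):
    """Enforce the documented 0..2,592,000 second range for tag timeouts."""
    if timeout is not None and not 0 <= int(timeout) <= MAX_TIMEOUT:
        raise ValueError(f"timeout {timeout} outside 0..{MAX_TIMEOUT} seconds")
    return timeout


def build_uid_message(events):
    """Serialise queued (section, attrs, tags) events into one <uid-message>."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    containers = {}                      # one <login>, <register>, ... per batch
    for section, attrs, tags in events:
        node = containers.get(section)
        if node is None:
            node = containers[section] = ET.SubElement(payload, section)
        entry = ET.SubElement(node, "entry", attrs)
        if tags:
            tag_node = ET.SubElement(entry, "tag")
            for tag, timeout in tags:
                member = ET.SubElement(tag_node, "member")
                member.text = tag
                if timeout is not None:  # absent means "never times out"
                    member.set("timeout", str(check_timeout(timeout)))
    return ET.tostring(root, encoding="unicode")


def summarize_message(xml):
    """Count <entry> elements per payload section, e.g. {"login": 2}."""
    root = ET.fromstring(xml)
    return {sec.tag: len(sec.findall("entry")) for sec in root.find("payload")}


def plan_request(base_url, params, xml):
    """Pick GET or POST from the encoded size; refuse oversize batches."""
    query = urllib.parse.urlencode({**params, "cmd": xml})
    if len(query) < GET_LIMIT:
        return "GET", f"{base_url}?{query}", None
    if len(query) > POST_LIMIT:
        raise ValueError("batch exceeds 5 MB; flush the queue more often")
    return "POST", base_url, query.encode()


def decode_request(method, url, body):
    """Recover the request parameters (for inspection or audit logging)."""
    raw = urllib.parse.urlsplit(url).query if method == "GET" else body.decode()
    return {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}


class UserIdClient:
    def __init__(self, firewall, api_key, vsys=None, target=None, send=None):
        self.base_url = f"https://{firewall}/api/"
        self.params = {"type": "user-id", "key": api_key}
        if vsys:
            self.params["vsys"] = vsys       # apply mapping to a specific vsys
        if target:
            self.params["target"] = target   # redirect through Panorama by serial
        self._send = send or self._urllib_send
        self._slots = threading.BoundedSemaphore(MAX_CONCURRENT)
        self._lock = threading.Lock()
        self._queue = []

    def queue_login(self, user, ip):
        self._enqueue("login", {"name": user, "ip": ip})

    def queue_logout(self, user, ip):
        self._enqueue("logout", {"name": user, "ip": ip})

    def queue_register(self, ip, tag, timeout=None):
        """Tag an IP address (dynamic address group membership)."""
        self._enqueue("register", {"ip": ip}, [(tag, check_timeout(timeout))])

    def queue_register_user(self, user, tag, timeout=None):
        """Tag a user (dynamic user group membership)."""
        self._enqueue("register-user", {"user": user}, [(tag, check_timeout(timeout))])

    def _enqueue(self, section, attrs, tags=()):
        with self._lock:
            self._queue.append((section, attrs, list(tags)))

    def flush(self):
        """Send everything queued so far as a single batch update."""
        with self._lock:
            events, self._queue = self._queue, []
        if not events:
            return None
        method, url, body = plan_request(self.base_url, self.params, build_uid_message(events))
        with self._slots:                    # at most five calls in flight
            return self._send(method, url, body)

    @staticmethod
    def _urllib_send(method, url, body):
        req = urllib.request.Request(url, data=body, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
            return resp.read().decode()
```

The send callable is injectable so the batching and request planning can be exercised offline against a fake transport; in production the default urllib transport is used and certificate verification is left on, since the API key travels in the request.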
Use the information in the following table to apply User-ID mapping information to a firewall:

| Mapping or Registration Action | API Request |
|---|---|
| User-ID mapping for a login, logout, or groups | Use this input file format when providing a User-ID mapping for a login event, logout event, or for groups. You can include a HIP report by placing a <hip-report></hip-report> XML container within an <entry> parent element. |
| Multi-user system entry | Use the following input file format to set up a terminal server entry on the firewall and to specify the port range and block size of ports that will be assigned per user. If you are using the default port range (1025 to 65534) and block size (200), you do not need to send a multiusersystem setup message; the firewall automatically creates the terminal server object when it receives the first login message. |
| User-ID XML multi-user system login event | When the terminal server sends a login event payload to the firewall, the payload can contain multiple login events. The firewall uses the information in the login message to populate its user mapping table. For example, if the firewall received a packet with a source address and port of 10.2.1.23:20101, it would map the request to user jparker for policy enforcement. |
| User-ID XML multi-user system logout | Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address but no blockstart parameter, the firewall removes all mappings for that user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings. |
| Dynamic address group IP address registration | Use the following input file format to dynamically register and unregister IP addresses. You can configure a timeout as part of the member element to automatically unregister the IP address-to-tag mapping after a specified amount of time. By default, no timeout is specified, meaning the mapping does not time out and must be manually unregistered; a timeout of zero (0) seconds likewise never times out. You can specify a timeout between zero (0) seconds and 2,592,000 seconds (30 days). |
| Register tags for a user to add that user to a dynamic user group | Use the following input file format to dynamically register tags to a user and include that user in a dynamic user group. To register a tag for a user, that user must have an existing user mapping or group mapping. You can configure a timeout to automatically unregister the user-to-tag mapping after a specified amount of time. By default, no timeout is specified, meaning the mapping does not time out and must be manually unregistered. You can specify a timeout between zero (0) and 2,592,000 seconds (30 days). |
| Unregister specific tags for a user to remove that user from the dynamic user group | Use the following input file format to unregister a specific dynamic tag from a user and remove the user from the dynamic user group associated with that tag. |
| Unregister all tags for a user | Use the following input file format to unregister all tags for a specific user. |
| Clear all tags for all users | Use the following input file format to unregister all tags from all users. |