Use the type=user-id parameter to apply User-ID mapping information directly to the firewall. If you are using a third-party VPN solution or have users who are connecting to an 802.1x enabled wireless network, the User-ID API enables you to map users to groups so that you can capture log-in events and send them to the User-ID agent or directly to the firewall. Additionally, you can use the API to register the IP-to-user mapping information from the input file to populate the members of a Dynamic Address Group on the firewall.
curl -F key=apikey --form file=@filename "https://firewall/api/?type=user-id"
curl --data-urlencode key=apikey -d type=user-id --data-urlencode "cmd=xml-document" https://firewall/api/
With your User-ID API requests, you can use the following optional parameters:
vsys=vsys_id — Specify the vsys where you want to apply User-ID mapping.
target=serialnumber — Specify the firewall by serial number when redirecting through Panorama.
Use the information in the following table to apply User-ID mapping information to a firewall:
Mapping or Registration Action / API Request

User-ID mapping for a login, logout, or groups
Use this input file format when providing a User-ID mapping for a login event, logout event, or for groups:
  <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
      <login>
        <entry name="domain\uid1" ip="" timeout="20">
        </entry>
      </login>
      <groups>
        <entry name="group1">
          <members>
            <entry name="user1"/>
            <entry name="user2"/>
          </members>
        </entry>
        <entry name="group2">
          <members>
            <entry name="user3"/>
          </members>
        </entry>
      </groups>
    </payload>
  </uid-message>
You can include a HIP report by placing a <hip-report></hip-report> XML container within an <entry> parent element.

Multi-User System Entry
Use the following input file format to set up a terminal server entry on the firewall and to specify the port range and the block size of ports that will be assigned per user. If you are using the default port range (1025 to 65534) and block size (200), you do not need to send a multiusersystem setup message; the firewall automatically creates the terminal server object when it receives the first login message.
  <uid-message>
    <payload>
      <multiusersystem>
        <entry ip="" startport="xxxxx" endport="xxxxx" blocksize="xxx"/>
      </multiusersystem>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>

User-ID XML multiuser system login event
When the terminal server sends a login event payload to the firewall, it can contain multiple login events. The firewall uses the information in the login message to populate its user mapping table. For example, if the firewall received a packet with a source address and port of, it would map the request to user jparker for policy enforcement.
  <uid-message>
    <payload>
      <login>
        <entry name="acme\jparker" ip="" blockstart="20100">
        </entry>
      </login>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>

User-ID XML multiuser system logout
Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address but no blockstart parameter, the firewall removes all mappings for that user. If the logout message contains an IP address only, the firewall removes the multi-user system and all of its associated mappings.
  <uid-message>
    <payload>
      <logout>
        <entry user="domain\uid2" ip="" blockstart="xxxxx">
        </entry>
      </logout>
    </payload>
    <type>update</type>
    <version>1.0</version>
  </uid-message>

Dynamic Address Group IP address registration
Use the register and unregister containers to add or remove tags on an IP address; the firewall evaluates the tags against the match criteria of its Dynamic Address Groups.
  <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
      <register>
        <entry ip="">
          <tag>
            <member>CBB09C3D-3416-4734-BE90-0395B7598DE3</member>
          </tag>
        </entry>
      </register>
      <unregister>
        <entry ip="">
          <tag>
            <member>CBB09C3D-3416-4734-BE90-0395B7598DE5</member>
          </tag>
        </entry>
      </unregister>
    </payload>
  </uid-message>
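The following added example (not Palo Alto Networks' code) builds a uid-message carrying a login mapping and a Dynamic Address Group tag registration of the shapes shown in the first and last rows above, checks that the document is well-formed before it leaves the host, and posts it as the cmd form field the way the second curl invocation does. The firewall hostname, the API key, and the sample user, address and tag are placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), register=()):
    """Return a <uid-message> update document for the given logins
    [(user, ip, timeout_minutes)] and registrations [(ip, [tags])]."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, timeout in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    if register:
        reg = ET.SubElement(payload, "register")
        for ip, tags in register:
            tag = ET.SubElement(ET.SubElement(reg, "entry", ip=ip), "tag")
            for t in tags:
                ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def mappings_in(xml_text):
    """Parse a <uid-message> into ([(user, ip), ...], {ip: [tags]}); a document
    that is not well-formed (e.g. a missing </entry>) raises ValueError."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed uid-message: {exc}") from exc
    logins = [(e.get("name"), e.get("ip")) for e in root.findall("payload/login/entry")]
    tags = {e.get("ip"): [m.text for m in e.findall("tag/member")]
            for e in root.findall("payload/register/entry")}
    return logins, tags


def send_uid_message(firewall, api_key, xml_text):
    """POST the document as the cmd field (mirrors the --data-urlencode curl call).
    firewall (hostname) and api_key are placeholders supplied by the caller."""
    form = urllib.parse.urlencode({"key": api_key, "type": "user-id", "cmd": xml_text})
    req = urllib.request.Request(f"https://{firewall}/api/", data=form.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```

Run mappings_in() on any hand-assembled document before calling send_uid_message(), since the firewall rejects a payload with unbalanced tags and the API response alone does not show which entry was at fault.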