One common use of the PAN-OS XML API is to manage GlobalProtect users. You can use two API requests to view and then disconnect a GlobalProtect user who has been logged in for too long.
Show and Manage GlobalProtect Users
View all GlobalProtect users.
Make a request to view all GlobalProtect users:
curl -X GET 'https://firewall/api/?type=op&cmd=<show><global-protect-gateway><current-user/></global-protect-gateway></show>&key=apikey'
The response contains a list of users along with related information including IP addresses, logins, and client information:
<response status="success">
<result>
<entry>
<domain />
<islocal>yes</islocal>
<username>dward</username>
<computer>Dan’s iPhone</computer>
<client>Apple iOS 8.1.2</client>
<vpn-type>Device Level VPN</vpn-type>
<virtual-ip>192.168.2.1</virtual-ip>
<public-ip>166.173.63.240</public-ip>
<tunnel-type>SSL</tunnel-type>
<login-time>Jan.22 01:50:36</login-time>
<login-time-utc>1421916636</login-time-utc>
<lifetime>2592000</lifetime>
</entry>
</result>
</response>
The <login-time-utc> field is the login date/time in UNIX time format (number of seconds elapsed since 00:00:00 1 Jan 1970). To find users who have been logged in too long, filter the output for this field and compare the login-time-utc value to the current date and time (or another date and time).
Disconnect a GlobalProtect user.
Upon identifying the user that you want to disconnect, send a request that includes the GlobalProtect gateway, username, computer, and a force-logout reason:
curl -X GET 'https://firewall/api/?type=op&cmd=<request><global-protect-gateway><client-logout><gateway>Home-N</gateway><user>dward</user><reason>force-logout</reason><computer>Dan’s%20iPhone</computer></client-logout></global-protect-gateway></request>&key=apikey'
A successful response confirms that the user has been disconnected:
<response status="success">
<result>
<response status="success">
<gateway>Home-N</gateway>
<domain>(null)</domain>
<user>dward</user>
<computer>Dan’s iPhone</computer>
</response>
</result>
</response>
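The two steps above combined, as an added example that is not part of the original page or Palo Alto Networks code: it parses a current-user response, selects sessions older than a threshold by login-time-utc, and builds the URL-encoded client-logout query with user and computer names XML-escaped. The function names, the second sample entry (asmith) and the threshold are assumptions; the gateway name is passed in by the caller because the response shown above does not include it.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

# Constructed sample in the shape of the current-user response shown above.
SAMPLE_RESPONSE = """<response status="success"><result>
<entry><username>dward</username><computer>Dan’s iPhone</computer>
<login-time-utc>1421916636</login-time-utc><lifetime>2592000</lifetime></entry>
<entry><username>asmith</username><computer>LT-0042</computer>
<login-time-utc>1421999000</login-time-utc><lifetime>2592000</lifetime></entry>
</result></response>"""


def stale_sessions(response_xml, max_age_seconds, now=None):
    """Return (username, computer, age_seconds) for sessions older than the limit."""
    now = int(time.time()) if now is None else now
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    stale = []
    for entry in root.iterfind("./result/entry"):
        login = (entry.findtext("login-time-utc") or "").strip()
        if not login.isdigit():
            continue  # no usable timestamp: leave the session alone
        age = now - int(login)
        if age > max_age_seconds:
            stale.append((entry.findtext("username"), entry.findtext("computer"), age))
    return stale


def logout_query(gateway, user, computer, api_key):
    """Build the URL-encoded query string for the client-logout request."""
    # Usernames and computer names are client-supplied text, so escape them
    # before placing them inside the XML command, then URL-encode the whole value.
    cmd = (
        "<request><global-protect-gateway><client-logout>"
        f"<gateway>{escape(gateway)}</gateway><user>{escape(user)}</user>"
        "<reason>force-logout</reason>"
        f"<computer>{escape(computer)}</computer>"
        "</client-logout></global-protect-gateway></request>"
    )
    return urlencode({"type": "op", "cmd": cmd, "key": api_key})
```

Append the string returned by logout_query to https://firewall/api/? to form the request for each stale session.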