End-of-Life (EoL)
Apply User-ID Mapping and Populate Dynamic Address Groups (API)
Use the type=user-id parameter to apply User-ID mapping information directly to the firewall. If you are using a third-party VPN solution or have users who are connecting to an 802.1x enabled wireless network, the User-ID API enables you to map users to groups so that you can capture log-in events and send them to the User-ID agent or directly to the firewall. Additionally, you can use the API to register the IP-to-user mapping information from the input file to populate the members of a Dynamic Address Group on the firewall.
curl -F key=<apikey> --form file=@<filename> "https://<firewall>/api/?type=user-id"
or
curl --data-urlencode "type=user-id" --data-urlencode "cmd=<xml-document>" "https://<firewall>/api/?key=<apikey>"
With your User-ID API requests, you can use the following optional parameters:
- vsys=vsys_id—Specify the vsys where you want to apply User-ID mapping.
- target=serialnumber—Specify the firewall by serial number when redirecting through Panorama.
- Use a GET request if the URL query size is less than 2K and a POST request if the request size is between 2K and 5MB. Limit the query size to 5MB.
- When multiple login or logout events are generated at the same time, follow these guidelines to ensure optimal firewall performance:
  - Design your application to queue events and perform batch API updates instead of sending single event or mapping updates.
  - Limit the number of concurrent API calls to five. This limit ensures that there is no performance impact on the firewall web interface, because the management plane web server handles requests from both the API and the web interface.
Use the information in the following table to apply User-ID mapping information to a firewall:

Mapping or Registration Action | API Request
---|---
User-ID mapping for a login, logout, or groups. | Use this input file format when providing a User-ID mapping for a login event, logout event, or for groups: You can include a HIP report by including a <hip-report></hip-report> XML container within an <entry> parent element.
Multi-User System Entry | Use the following input file format to set up a terminal server entry on the firewall and to specify the port range and block size of ports that will be assigned per user. If you are using the default port range (1025 to 65534) and block size (200), you do not need to send a multiusersystem setup message; the firewall automatically creates the terminal server object when it receives the first login message.
User-ID XML multiuser system login event | When the terminal server sends a login event payload to the firewall, it can contain multiple login events. The firewall uses the information in the login message to populate its user mapping table. For example, if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
User-ID XML multiuser system logout | Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address but no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings.
Dynamic Address Group IP address registration |
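The multi-user system login and logout rules in the table above, modeled as an added example to show how a source IP:port resolves to a user (this is illustrative code, not PAN-OS or Palo Alto Networks code). It assumes the default port range and block size stated above; the class names, the blockstart values (20025, 20225) and the second user are constructed for the illustration.

```python
from dataclasses import dataclass, field

DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE = 1025, 65534, 200  # defaults stated above


@dataclass
class MultiUserSystem:
    # One terminal server: its port range is carved into fixed-size blocks, one user per block.
    ip: str
    startport: int = DEFAULT_START
    endport: int = DEFAULT_END
    blocksize: int = DEFAULT_BLOCKSIZE
    blocks: dict = field(default_factory=dict)  # blockstart -> username

    def login(self, user: str, blockstart: int) -> None:
        # Reject blocks that fall outside the range or do not start on a block boundary.
        if blockstart < self.startport or blockstart + self.blocksize - 1 > self.endport:
            raise ValueError(f"block at {blockstart} outside {self.startport}-{self.endport}")
        if (blockstart - self.startport) % self.blocksize:
            raise ValueError(f"blockstart {blockstart} not aligned to block size {self.blocksize}")
        self.blocks[blockstart] = user

    def lookup(self, port: int):
        # Map a source port to the user owning the block that contains it (None if unowned).
        if not self.startport <= port <= self.endport:
            return None
        blockstart = self.startport + (port - self.startport) // self.blocksize * self.blocksize
        return self.blocks.get(blockstart)


class UserIdTable:
    # IP-port-user mapping table keyed by terminal server IP (hypothetical class, constructed here).
    def __init__(self) -> None:
        self.systems = {}  # ip -> MultiUserSystem

    def login(self, ip: str, user: str, blockstart: int) -> None:
        # The first login for an IP auto-creates the terminal server object with the defaults.
        self.systems.setdefault(ip, MultiUserSystem(ip)).login(user, blockstart)

    def logout(self, ip: str, user=None, blockstart=None) -> None:
        system = self.systems.get(ip)
        if system is None:
            return
        if blockstart is not None:      # ip + user + blockstart: drop that one port block
            system.blocks.pop(blockstart, None)
        elif user is not None:          # ip + user only: drop every block held by the user
            system.blocks = {b: u for b, u in system.blocks.items() if u != user}
        else:                           # ip only: drop the system and all of its mappings
            del self.systems[ip]

    def user_for(self, ip: str, port: int):
        system = self.systems.get(ip)
        return system.lookup(port) if system else None
```

With the defaults, port 20101 falls in the block starting at 20025, so a login for jparker with blockstart=20025 makes 10.1.1.23:20101 resolve to jparker, matching the example in the table.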