It’s API time! Haven’t had a post in a while, but I wanted to share this:
This year I had the opportunity to roll out a Palo Alto Networks next-gen firewall appliance. We have many areas of our college that require specific access to deliver classes (think IT, engineering, etc.). These areas are separated by an L2 firewall. Since I was rolling out a full User-ID implementation of Palo Alto, I needed a solution that allowed these isolated areas to access the network.
This is where the captive portal is really handy. You can redirect HTTP requests to a login page where the user is authenticated against your directory source, and at the same time User-ID on the PAN maps that user to the source IP. The user will then be able to hit layer 7 rules based on user or group. You also get the full Content-ID tracking of which user did what during their session. The issue I faced was how to remove stale sessions if a user left a PC before the timeout values kicked in.
A really cool feature of PAN-OS is its extensive RESTful XML API. You can browse a PAN firewall's API by simply going to http(s)://hostname/api/ (where hostname is the device name and domain, or its IP address). Using the XML API I was able to create a PHP logout script which, when called, removes the user-to-IP mapping from both the data plane and the management plane. The API supports both HTTP GET and POST methods. The guide is accessible here.
Below is the code for logout.php, which we call with wget or similar (no proxy). I used PHP as it was easy with the global $_SERVER['REMOTE_ADDR'] variable; this is so we could get the true client address, as some machines are behind NAT or, even worse, dual NAT! The PHP cURL module is used to access the PAN API using the HTTP GET method.
The variables needed are the DNS name of the device and your API key. A prerequisite is that your host has the php5-curl package installed (for Debian-based systems with Apache it is 'sudo apt-get install php5-curl').
[php]<?php
// logout.php: clear the calling client's User-ID mapping on both planes.
// Fill in your own device name and API key (the values below are placeholders).
$hostname  = 'PAN_HOSTNAME';          // DNS name of the firewall
$key       = 'YOUR_API_KEY';          // PAN-OS XML API key
$ipaddress = $_SERVER['REMOTE_ADDR']; // the real client address, even behind NAT

// Data plane: equivalent of "clear user-cache ip <address>"
$ch = curl_init();
$url = "https://" . $hostname . "/api/?type=op&key=" . urlencode($key)
     . "&vsys=vsys1&cmd=" . urlencode("<clear><user-cache><ip>" . $ipaddress . "</ip></user-cache></clear>");
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
// Certificate validation is disabled here (as in the original); for production
// set both to true and point CURLOPT_CAINFO at the CA that issued the firewall's cert.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$output = curl_exec($ch);
curl_close($ch);
$format_dp = "<br /><br />Response from PAN User-ID Data Plane:<br /> ";
$response = $format_dp . $output;
echo $response . " = api response <br /><br />";
$format_msg = "I think your IP address is ";
$msg = $format_msg . $ipaddress;
echo $msg . "<br><br>";

// Management plane: equivalent of "clear user-cache-mp ip <address>"
$ch1 = curl_init();
$urlmp = "https://" . $hostname . "/api/?type=op&key=" . urlencode($key)
       . "&vsys=vsys1&cmd=" . urlencode("<clear><user-cache-mp><ip>" . $ipaddress . "</ip></user-cache-mp></clear>");
curl_setopt($ch1, CURLOPT_URL, $urlmp);
curl_setopt($ch1, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, false);
$output1 = curl_exec($ch1);
curl_close($ch1);
$format_mp = "Response from PAN User-ID Mgmt Plane: <br />";
$response1 = $format_mp . $output1;
echo $response1 . " = api response";
?>
[/php]
Quite simply, you can call the script from a shell script or browse to the PHP page. We used a shell script and wget to HTTP GET the script. You could set the shell / batch / PowerShell script to run at logoff, startup, or whatever suits.
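As an added example (not code from the original post), here is the same two-plane clear as a small Python client that validates the client address before it is placed in the XML command, URL-encodes the cmd, and checks the firewall's XML reply for status="success" instead of echoing it blindly; it goes slightly beyond the post by accepting IPv6 as well. The hostname and key are placeholders, the HTTPS fetch is injected so it runs offline against constructed replies, and the reply shape follows the PAN-OS XML API convention (assumed, since the post does not show a response).

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import quote

# The two op commands the post uses: clear the User-ID mapping on the
# data plane (user-cache) and on the management plane (user-cache-mp).
PLANES = {
    "dp": "<clear><user-cache><ip>{ip}</ip></user-cache></clear>",
    "mp": "<clear><user-cache-mp><ip>{ip}</ip></user-cache-mp></clear>",
}

def build_clear_url(hostname, key, ip, plane, vsys="vsys1"):
    """Build the type=op request URL for one plane. The address is validated
    first (IPv4 or IPv6) so only a literal IP ever lands inside the XML;
    a malformed REMOTE_ADDR raises ValueError instead of a broken command."""
    ip = str(ipaddress.ip_address(ip))
    cmd = PLANES[plane].format(ip=ip)
    return (f"https://{hostname}/api/?type=op&key={quote(key, safe='')}"
            f"&vsys={vsys}&cmd={quote(cmd, safe='')}")

def parse_pan_response(xml_text):
    """Return (ok, message) from a PAN-OS XML API reply. Assumed shape:
    <response status="success">...</response> or
    <response status="error" code="NNN"><result><msg>...</msg></result></response>"""
    root = ET.fromstring(xml_text)
    ok = root.get("status") == "success"
    msg = root.find(".//msg")
    if msg is None:
        return ok, ""
    lines = [ln.text for ln in msg.findall("line") if ln.text]  # multi-line msgs
    return ok, " ".join(lines) if lines else (msg.text or "").strip()

def logout(hostname, key, ip, fetch):
    """Clear both planes and report per-plane results as {plane: (ok, msg)}.
    `fetch(url) -> str` performs the HTTPS GET; it is injected so the
    logic can be exercised offline against constructed replies."""
    return {p: parse_pan_response(fetch(build_clear_url(hostname, key, ip, p)))
            for p in PLANES}

# Constructed sample replies standing in for the firewall (not real output).
SAMPLE_OK = '<response status="success"><result/></response>'
SAMPLE_ERR = ('<response status="error" code="403"><result>'
              '<msg>Invalid credentials.</msg></result></response>')

if __name__ == "__main__":
    fake = lambda url: SAMPLE_ERR if "user-cache-mp" in url else SAMPLE_OK
    print(logout("PAN_HOSTNAME", "API_KEY_PLACEHOLDER", "10.1.2.3", fake))
```

In a real deployment replace `fake` with a function that performs the GET with certificate verification enabled (for example `requests.get(url, verify="/path/to/firewall-ca.pem").text`).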
Originally published as ‘Using the Palo Alto API for Captive Portal Logout’.