Using the SonicOS API to get the list of SSL VPN Users
dougthor42
Newbie ✭
Recently I needed to pull a list of all SSL VPN users on our SonicWall NSA 2600 running SonicOS Enhanced 6.5.4.4-44n. Normally, I'd use SNMP to get this sort of information. However, this version does not include SSL-VPN information in the OIDs.
I found out that 6.5.4 has a RESTful API that accepts and returns JSON.
Here's how to get the list of users via the API:
- Enable SonicOS API: Manage -> System -> Appliance -> Base Settings -> Enable SonicOS API
- Enable the "RFC-7616 HTTP Digest Access authentication" with default values.
- Disable all other auth methods (optional)
- Open up a terminal that has curl installed (I used WSL with Ubuntu 18.04) and run this shell script:
USER=admin PASSWORD=password # IP Addr and HTTPS Web management port of the SonicWall. URL=192.168.1.1:8443 # Login using Digest Auth curl -k -i -u $USER:$PASSWORD --digest -X HEAD https://$URL/api/sonicos/auth # If you're using basic auth, use this instead: # curl -k -i -u $USER:$PASSWORD -X POST https://$URL/api/sonicos/auth # Query the SSL VPN Sessions curl -k -i -X GET "https://$URL/api/sonicos/reporting/ssl-vpn/sessions" -H "accept: application/json" # "Logout" by deleting the auth info. curl -k -i -X DELETE "https://$URL/api/sonicos/auth"
Notes:
- The user that you connect with must be the Administrator user (Eg: the one defined in Manage -> System Setup -> Appliance -> Base Settings). I don't know why this is, but I wasn't able to get things to work for any other user (my hope was to use a read-only account...)
- Logging in with the API preempts any web-based session, so keep that in mind.
- If you use a custom port for HTTPS web management, make sure to include that in the API calls. That took me far longer to figure out than I would have liked...
- I did not need to adjust any firewall or management settings.
- The code above has a bunch of
-ioptions included for debugging purposes. They can be removed.
Category: Developer Hub
Tagged:
6
Comments
Thanks for this @dougthor42 , super helpful. 😀
Up! Super useful.
@dougthor42 TLDR: You can actually use any Admin equivalent user. The short answer is to disable the login popup window for the SonicWall Administrators Group and allow the user to go straight in to manage the appliance. I'll post this in the other forum as well. -Marco Octavian
Related, useful info:
Disabling the User Login Status Popup
https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-additional-administrator-user-profiles-in-sonicos-enhanced/170505824663553/
You can disable the User Login Status Popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the Popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.
More..
http://help.sonicwall.com/help/sw/eng/7410/25/9/0/content/Ch110_Users_Management.127.67.html
Disabling the Popup for only Some Administrators
If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup window with a Manage button), this can be achieved as follows:
1 Create a local group with the Members go straight to the management UI on web login check box selected.
2 Add the group to the relevant administrative group, but do not select this check box in the administrative group.
3 Add those user accounts that are to be administrative-only to the new user group. The User Login Status popup window is disabled for these users.
4 Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.