topic USER ID PROBLEMS in Automation/API Discussions https://live.paloaltonetworks.com/t5/automation-api-discussions/user-id-problems/m-p/49698#M1121 <HTML><HEAD></HEAD><BODY><DIV dir="ltr"><SPAN style="color: #000000; font-family: Arial; font-size: 10pt;"><STRONG>Background:</STRONG></SPAN></DIV><DIV dir="ltr"><SPAN style="color: #000000; font-family: Arial; font-size: 10pt;"><STRONG><BR /></STRONG></SPAN></DIV><DIV dir="ltr"><P></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">Utilizing the PAN perl modules version: PAN-perl-20121110</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">How it works: A php web page calls a perl script to update a user's ip mapping in the firewall.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Example command:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">code snippet:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">my $cmd = "&lt;uid-message&gt;&lt;version&gt;1.0&lt;/version&gt;&lt;type&gt;update&lt;/type&gt;&lt;payload&gt;&lt;login&gt;&lt;entry name=\"$id\" ip=\"$ip\" timeout=\"86400\"&gt;&lt;/entry&gt;&lt;/login&gt;&lt;/payload&gt;&lt;/uid-message&gt;";</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">$api-&gt;user_id(cmd =&gt; $cmd);</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">unless ($api-&gt;status_sucess) { exit 1; }</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A similar command can be executed using panxapi with the same results.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Expected behavior:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A user clicks a button on a web page to update their user-id mapping.&nbsp; The value of the timeout of that mapping is set to 86400.&nbsp; The mapping shows up in the PAN firewall Cmdline interface "show user ip-user-mapping all". The user can then access resources though the firewall.&nbsp; This has worked for approximately 1 year.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Current behavior</STRONG>:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A user clicks a button on a web page to update their user-id mapping.&nbsp; The value of the timeout of that mapping is set to 86400, the PAN firewall does not return an error code for setting the user-id mapping.&nbsp; The mapping DOES NOT show up in the PAN firewall Cmdline interface.&nbsp; The user is unable to access resources through the firewall.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">Troubleshooting so far:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The value of the timeout was able to be set to a lower number; however that only functioned for a short period of time.&nbsp; The value had to be lowered again to allow the user-id mapping functionality to occur.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Differential:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">There is another PAN firewall that is utilizing the exact same user-id mapping scripts from the same web server.&nbsp; The mapping works without issue with the timeout value set to 86400.&nbsp; </SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The two PAN firewall are different models and running different software versions:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">PA-5050&nbsp; Software version 5.0.3 DOES NOT work</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">PA-5020 Software version 5.0.7 does work</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The PA-5050 has been up for 350 days.&nbsp; The PA-5020 has been up for 65 days.</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The PA-5050 has more sessions ~2000 and throughput.&nbsp; The PA-5020 as about ~500 sessions.</SPAN></P><P dir="ltr"></P></DIV></BODY></HTML> Wed, 04 Jun 2014 17:21:54 GMT CarlF 2014-06-04T17:21:54Z USER ID PROBLEMS https://live.paloaltonetworks.com/t5/automation-api-discussions/user-id-problems/m-p/49698#M1121 <HTML><HEAD></HEAD><BODY><DIV dir="ltr"><SPAN style="color: #000000; font-family: Arial; font-size: 10pt;"><STRONG>Background:</STRONG></SPAN></DIV><DIV dir="ltr"><SPAN style="color: #000000; font-family: Arial; font-size: 10pt;"><STRONG><BR /></STRONG></SPAN></DIV><DIV dir="ltr"><P></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">Utilizing the PAN perl modules version: PAN-perl-20121110</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">How it works: A php web page calls a perl script to update a user's ip mapping in the firewall.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Example command:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">code snippet:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">my $cmd = "&lt;uid-message&gt;&lt;version&gt;1.0&lt;/version&gt;&lt;type&gt;update&lt;/type&gt;&lt;payload&gt;&lt;login&gt;&lt;entry name=\"$id\" ip=\"$ip\" timeout=\"86400\"&gt;&lt;/entry&gt;&lt;/login&gt;&lt;/payload&gt;&lt;/uid-message&gt;";</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">$api-&gt;user_id(cmd =&gt; $cmd);</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">unless ($api-&gt;status_sucess) { exit 1; }</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A similar command can be executed using panxapi with the same results.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Expected behavior:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A user clicks a button on a web page to update their user-id mapping.&nbsp; The value of the timeout of that mapping is set to 86400.&nbsp; The mapping shows up in the PAN firewall Cmdline interface "show user ip-user-mapping all". The user can then access resources though the firewall.&nbsp; This has worked for approximately 1 year.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Current behavior</STRONG>:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">A user clicks a button on a web page to update their user-id mapping.&nbsp; The value of the timeout of that mapping is set to 86400, the PAN firewall does not return an error code for setting the user-id mapping.&nbsp; The mapping DOES NOT show up in the PAN firewall Cmdline interface.&nbsp; The user is unable to access resources through the firewall.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">Troubleshooting so far:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The value of the timeout was able to be set to a lower number; however that only functioned for a short period of time.&nbsp; The value had to be lowered again to allow the user-id mapping functionality to occur.</SPAN></P><P dir="ltr"></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;"><STRONG>Differential:</STRONG></SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">There is another PAN firewall that is utilizing the exact same user-id mapping scripts from the same web server.&nbsp; The mapping works without issue with the timeout value set to 86400.&nbsp; </SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The two PAN firewall are different models and running different software versions:</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">PA-5050&nbsp; Software version 5.0.3 DOES NOT work</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">PA-5020 Software version 5.0.7 does work</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The PA-5050 has been up for 350 days.&nbsp; The PA-5020 has been up for 65 days.</SPAN></P><P dir="ltr"><SPAN style="font-family: Arial; font-size: 10pt;">The PA-5050 has more sessions ~2000 and throughput.&nbsp; The PA-5020 as about ~500 sessions.</SPAN></P><P dir="ltr"></P></DIV></BODY></HTML> Wed, 04 Jun 2014 17:21:54 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/user-id-problems/m-p/49698#M1121 CarlF 2014-06-04T17:21:54Z