User-ID XML-API with cURL

Reply
L1 Bithead

User-ID XML-API with cURL

Hi Everyone.

I have been playing with a script to effectively write my own PAN user agent for a rather specific reason.

I can confirm that my script generates a valid xml script and I can post it via the api browser and see that the IP address and new username correlate.

The bit where I get stuck is getting cURL to post the the xml file to the api. I am using the following command:

curl --insecure --form file=@output.xml "https://192.168.1.1/api/?type=user-id&action=set&key=INSERT-KEY-HERE"

and receive the following error back:

<response status = 'error' code = '400'><result><msg>No file uploaded</msg></result></response>

any help would be much appreciated thanks!

L1 Bithead

Re: User-ID XML-API with cURL

also, when I try this:

wget --no-check-certificate --post-file output.xml "https://192.168.1.1/api/?type=user-id&action=set&client=wget&file-name=output.xml"

the file is processed by the api and I can see the user to ip mapping, however wget continues to retry the command as it is expecting a response

L4 Transporter

Re: User-ID XML-API with cURL

I know this is a ridiculous sounding hack, but couldn't you simply set wget's 'retries' option to 1 and call it a day?

‘-t number’
‘--tries=number’
     Set number of retries to number. Specify 0 or ‘inf’ for infinite retrying. 
     The default is to retry 20 times, with the exception of fatal errors like 
     “connection refused” or “not found” (404), which are not retried. 
L1 Bithead

Re: User-ID XML-API with cURL

definitely wont be calling it a day, but this *may* get me out of the woods for now and only because I am in a hurry

L4 Transporter

Re: User-ID XML-API with cURL

Yes I meant "call it a day" as a relative term, just to get it temporarily working :smileyhappy: I suppose the response from the PA should be a 200 'OK' that curl or wget never receives... might be a bug report you have to end up working with support on

L4 Transporter

Re: User-ID XML-API with cURL

Looks like a '201 Created' is the correct response to a POST:

asp.net mvc - What is the correct response to an HTTP POST request? - Stack Overflow

If you can get a pcap of the request/response from and to the PA device (you could even pull down the SSL certificate and load it into Wireshark to decrypt the SSL session), and show that the PA never responds appropriately to the HTTP POST that might help your case with support too

L4 Transporter

Re: User-ID XML-API with cURL

The behavior you are seeing with cURL is a known issue which has been fixed and is currently targeted to be included in PAN-OS 5.0.4.  The open bug number is 48966.

L4 Transporter

Re: User-ID XML-API with cURL

Just out of curiosity what's the fix? Is it to respond with an HTTP status code after the POST succeeds?

L4 Transporter

Re: User-ID XML-API with cURL

I don't have much detail, but it is related to some validation checks being applied incorrectly when cURL was used.  Due to the failed check the device would ignore the uploaded file and not create a user mapping based on the file.

L1 Bithead

Re: User-ID XML-API with cURL

Would it be also fair to say that the wget waiting for a response from the PAN and not getting one could be related to this as well?

also, do we have a rough eta on a release date for 5.0.4?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!