I have been playing with a script to effectively write my own PAN user agent for a rather specific reason.
I can confirm that my script generates a valid xml script and I can post it via the api browser and see that the IP address and new username correlate.
The bit where I get stuck is getting cURL to post the the xml file to the api. I am using the following command:
curl --insecure --form email@example.com "https://192.168.1.1/api/?type=user-id&action=set&key=INSERT-KEY-HERE"
and receive the following error back:
<response status = 'error' code = '400'><result><msg>No file uploaded</msg></result></response>
any help would be much appreciated thanks!
also, when I try this:
wget --no-check-certificate --post-file output.xml "https://192.168.1.1/api/?type=user-id&action=set&client=wget&file-name=output.xml"
the file is processed by the api and I can see the user to ip mapping, however wget continues to retry the command as it is expecting a response
I know this is a ridiculous sounding hack, but couldn't you simply set wget's 'retries' option to 1 and call it a day?
‘-t number’ ‘--tries=number’ Set number of retries to number. Specify 0 or ‘inf’ for infinite retrying. The default is to retry 20 times, with the exception of fatal errors like “connection refused” or “not found” (404), which are not retried.
Yes I meant "call it a day" as a relative term, just to get it temporarily working :smileyhappy: I suppose the response from the PA should be a 200 'OK' that curl or wget never receives... might be a bug report you have to end up working with support on
Looks like a '201 Created' is the correct response to a POST:
If you can get a pcap of the request/response from and to the PA device (you could even pull down the SSL certificate and load it into Wireshark to decrypt the SSL session), and show that the PA never responds appropriately to the HTTP POST that might help your case with support too
The behavior you are seeing with cURL is a known issue which has been fixed and is currently targeted to be included in PAN-OS 5.0.4. The open bug number is 48966.
I don't have much detail, but it is related to some validation checks being applied incorrectly when cURL was used. Due to the failed check the device would ignore the uploaded file and not create a user mapping based on the file.
Would it be also fair to say that the wget waiting for a response from the PAN and not getting one could be related to this as well?
also, do we have a rough eta on a release date for 5.0.4?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!