10-18-2011 08:39 AM
After issuing a the set .sh command we recieve an error when pushing the policy to panorama.
/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG1']/pre-rulebase/security ../templates/dev2rama//set/12_security-rules.xml
Executing: /usr/local/bin/panxapi -S -h 192.168.0.230 -K 0RgWc42Oi0vDx2WRUIUM6A== ../templates/dev2rama//set/12_security-rules.xml "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG1']/pre-rulebase/security"
set: Malformed Request status="error" code="18"
Any ideas what would cause this? It seemed to import the rulebase fine.
../templates/dev2rama//show/12_security-rules.xpath
Executing: panxapi -rsx "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules"
show: success
Thanks.
10-18-2011 09:25 AM
Hi Tony,
What version of PAN-Perl do you currently have installed? the initial mechanism that panxapi was using to interact with the XML API was HTTPS 'GET' which has a limitation to the number of characters that you can push to the FW at a given time. The latest version posted (PAN-perl-20110828) the default mechanism is now 'POST' which eliminates that as an issue. It would also be helpful to know what model and software version your are running on Panorama and the FW's that you are attempting to migrate from. You can also add a debug flag to the script for the panxapi call by modifying this line in the set script:
/usr/local/bin/panxapi -h $hostname -K $api_key -S $elem "$xpath"
/usr/local/bin/panxapi -h $hostname -K $api_key -DS $elem "$xpath"
Best Regards,
Marc
10-18-2011 09:56 AM
We are running the 0828 version with 4.0.4 on a PA-2050 and 4.0.5 for Panorama. It's failing only on the policy side. We are getting objects fine. I think you are onto something with the character side of things though. The policy is comprised of over 2,700 rules. We'll add the debug flag & see what it gets us.
-Mike
10-18-2011 10:13 AM
Marc,
After setting the debug we see it is terminating at rule "1511", is there a limitation as to how many rules it will convert?
ber>any</member></application><action>allow</action><log-end>yes</log-end><disabled>no</disabled><negate-source>no</negate-source><negate-destination>no</negate-destination><description/></entry><entry name="rule 1511',
key => '0RgWc42Oi0vDx2WRUIUM6A=='
};
API response:
<response status="error" code="18"><msg><line>Malformed Request</line></msg></response>
$VAR1 = {
msg => {
line => 'Malformed Request'
},
status => 'error',
code => '18'
};
set: Malformed Request status="error" code="18"
Thanks, Tony
10-18-2011 10:35 AM
weird! A malformed request indicates a general failure of the call and that no data is passed so you shouldnt be displaying any of the policies in Panorama at the conclusion of that call. The rules are all set in an atomic transaction that is step 12 of the template execution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
