Regarding response message of User-ID API


L2 Linker


I found a strange response message from the User-ID API on PAN-OS 5.0 while I was tweaking my User-ID API tool.

Here is the XML message I sent to the firewall directly (not through a dedicated User-ID agent machine):


<uid-message><version>1.0</version><type>update</type><payload><login><entry name="test3" ip="" timeout="1"><hip-report/></entry></login><logout/><groups><entry name="group1"><members><entry name="test3"/></members></entry></groups></payload></uid-message>


Response message from the firewall:


<response status="success"><result><![CDATA[

missing user-name.                  <------------------------------------!!!!!!!!!!!!!!!! what is this???



But user name was properly set into the firewall:


admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

                vsys1  XMLAPI  test3                            59             59

Total: 1 users


This isn't a defect of my tool, since the same happens when doing it with wget (mentioned in the API Usage Guide). I also tried attaching a domain name to the username and group name. The firewall responded with an identical message in those cases.

It seems that logging and policy control are working properly, so this might be a cosmetic issue. But what I want to know is:

- what does the message mean?

- any way to eliminate this?

If this message doesn't need to be cared about, that's OK, but I want to decide whether this message can be ignored in a developer's program calling the API.



L2 Linker


I wonder if it is the result of your using the minimized syntax for the empty tags of <hip-profile/> and <logout/>. While they are perfectly valid XML I have run into some instances where they don't work as expected. If you expand them in your wget do you get the same error?


Here is what I tried with wget and a tweaked XML file.

$ cat test.xml

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="user1" ip="" timeout="10"><hip-report></hip-report></entry><entry name="user2" ip="" timeout="10"><hip-report></hip-report></entry></login><logout></logout><groups><entry name="group1"><members><entry name="user1"/></members></entry><entry name="group2"><members><entry name="user2"/></members></entry></groups></payload></uid-message>

$ wget --no-check-cert --post-file test.xml ""

--2013-01-16 10:13:52--

Connecting to connected.

WARNING: cannot verify's certificate, issued by `/C=US/ST=CA/L=Sunnyvale/O=Palo Alto Networks/OU=Support/CN=localhost/':

  Self-signed certificate encountered.

    WARNING: certificate common name `localhost' doesn't match requested host name `'.

HTTP request sent, awaiting response... 200 OK

Length: 107 [application/xml]

Saving to: `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1'

100%[============================================================================>] 107         --.-K/s   in 0s

2013-01-16 10:13:53 (4.29 MB/s) - `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1' saved [107/107]

$ cat index.html\?type\=user-id\&key\=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09\&action\=set\&file-name\=test.xml\&client\=wget.1

<response status="success"><result><![CDATA[

missing user-name.

missing user-name.

It's the same as what I got in my program.


I finally got an answer. All I needed was to eliminate the <hip-report> tag. Here is the XML data that I submitted without getting the response message.

$ cat test.xml

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="user1" ip="" timeout="10"></entry><entry name="user2" ip="" timeout="10"></entry></login><logout></logout><groups><entry name="group1"><members><entry name="user1"/></members></entry><entry name="group2"><members><entry name="user2"/></members></entry></groups></payload></uid-message>

Thank you for your advice.
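
An added example (not from the thread and not Palo Alto Networks code) of how a client program could handle what the posts above describe: it builds the update message without a <hip-report> child, as in the final working payload, and reports any text inside <result> as warnings even when status is "success". The function names, the sample IP address and the closing part of the sample response are assumptions; the response shown in the thread is cut off after the message text.

```python
import xml.etree.ElementTree as ET

def build_uid_message(logins, groups, timeout=10):
    """Build a User-ID 'update' message like the thread's final payload.

    logins: {user: ip}; groups: {group: [users]}. No <hip-report> child is
    emitted, because the thread reports that tag produced 'missing user-name.'.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for user, ip in logins.items():
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    ET.SubElement(payload, "logout")
    groups_el = ET.SubElement(payload, "groups")
    for group, members in groups.items():
        group_el = ET.SubElement(groups_el, "entry", name=group)
        members_el = ET.SubElement(group_el, "members")
        for user in members:
            ET.SubElement(members_el, "entry", name=user)
    # Expanded empty tags (<logout></logout>), matching the working payload.
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)

def check_response(xml_text):
    """Return (ok, warnings) for a User-ID API response.

    ok reflects the status attribute; warnings are the non-empty lines of
    <result>, which can be present even when status is 'success'.
    """
    resp = ET.fromstring(xml_text)
    ok = resp.get("status") == "success"
    result = resp.find("result")
    text = "".join(result.itertext()) if result is not None else ""
    warnings = [line.strip() for line in text.splitlines() if line.strip()]
    return ok, warnings

# Constructed sample: the text is from the thread, the closing tags are assumed.
SAMPLE_RESPONSE = ('<response status="success"><result><![CDATA[\n\n'
                   'missing user-name.\n\nmissing user-name.\n]]></result></response>')

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a constructed value.
    print(build_uid_message({"user1": "192.0.2.10"}, {"group1": ["user1"]}))
    ok, warnings = check_response(SAMPLE_RESPONSE)
    print("status ok:", ok, "| warnings to log:", warnings)
```

When the message is actually sent, trust the firewall's certificate in the client so that verification stays enabled, rather than passing --no-check-cert as in the wget session above.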
