
Regarding response message of User-ID API


L2 Linker

Hello,

I found a strange response message from the User-ID API on PAN-OS 5.0 while I was tweaking my User-ID API tool.

Here is the XML message I sent to the firewall directly (not through a dedicated User-ID agent machine):

*******************************************

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="test3" ip="1.1.1.1" timeout="1"><hip-report/></entry></login><logout/><groups><entry name="group1"><members><entry name="test3"/></members></entry></groups></payload></uid-message>

*******************************************

Response message from the firewall:

*******************************************

<response status="success"><result><![CDATA[

missing user-name.                  <------------------------------------!!!!!!!!!!!!!!!! what is this???

]]></result></response>

*******************************************

But the user name was properly set in the firewall:

*******************************************

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

1.1.1.1         vsys1  XMLAPI  test3                            59             59          

Total: 1 users

*******************************************

This isn't a defect of my tool, since it also happens when doing it with wget (mentioned in the API Usage Guide). I also tried attaching the domain name to the username and group name. The firewall responded with an identical message in those cases.


It seems that logging and policy control are working properly, so this might be a cosmetic issue. But what I want to know is:

- what does the message mean?

- any way to eliminate this?

If this message doesn't need to be cared about, that's OK, but I want to decide whether this message can be ignored in a developer's program calling the API.

Thanks,

3 REPLIES 3

L2 Linker

Hello,

I wonder if it is the result of your using the minimized syntax for the empty tags of <hip-profile/> and <logout/>. While they are perfectly valid XML I have run into some instances where they don't work as expected. If you expand them in your wget do you get the same error?

Nick

Here is what I tried with wget and a tweaked XML file.

$ cat test.xml

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="user1" ip="1.1.1.1" timeout="10"><hip-report></hip-report></entry><entry name="user2" ip="1.2.2.2" timeout="10"><hip-report></hip-report></entry></login><logout></logout><groups><entry name="group1"><members><entry name="user1"/></members></entry><entry name="group2"><members><entry name="user2"/></members></entry></groups></payload></uid-message>

$ wget --no-check-cert --post-file test.xml "https://172.16.22.67/api/?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhR..."

--2013-01-16 10:13:52--  https://172.16.22.67/api/?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhR...

Connecting to 172.16.22.67:443... connected.

WARNING: cannot verify 172.16.22.67's certificate, issued by `/C=US/ST=CA/L=Sunnyvale/O=Palo Alto Networks/OU=Support/CN=localhost/emailAddress=support@paloaltonetworks.com':

  Self-signed certificate encountered.

    WARNING: certificate common name `localhost' doesn't match requested host name `172.16.22.67'.

HTTP request sent, awaiting response... 200 OK

Length: 107 [application/xml]

Saving to: `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1'

100%[============================================================================>] 107         --.-K/s   in 0s

2013-01-16 10:13:53 (4.29 MB/s) - `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1' saved [107/107]

$ cat index.html\?type\=user-id\&key\=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09\&action\=set\&file-name\=test.xml\&client\=wget.1

<response status="success"><result><![CDATA[

missing user-name.

missing user-name.

It's the same as what I did in my program.

Hello,

I finally got an answer. All I needed was to eliminate the <hip-report> tag. Here is the XML data that I submitted without the response message.

$ cat test.xml

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="user1" ip="1.1.1.1" timeout="10"></entry><entry name="user2" ip="1.2.2.2" timeout="10"></entry></login><logout></logout><groups><entry name="group1"><members><entry name="user1"/></members></entry><entry name="group2"><members><entry name="user2"/></members></entry></groups></payload></uid-message>

Thank you for your advice.
