Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-14-2013 04:43 PM
Hello,
I found strange response message from user-id API on PAN-OS 5.0 while I was tweaking my user-id API tool.
Here is the XML message I sent to the firewall directory(not through dedicated user-id agent machine):
*******************************************
<uid-message><version>1.0</version><type>update</type><payload><login><entry name="test3" ip="1.1.1.1" timeout="1"><hip-report/></entry></login><logout/><groups><entry name="group1"><members><entry name="test3"/></members></entry></groups></payload></uid-message>
*******************************************
Response message from the firewall:
*******************************************
<response status="success"><result><![CDATA[
missing user-name. <------------------------------------!!!!!!!!!!!!!!!! what is this???
]]></result></response>
*******************************************
But user name was properly set into the firewall:
*******************************************
admin@PA-200> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
1.1.1.1 vsys1 XMLAPI test3 59 59
Total: 1 users
*******************************************
This isn't defect of my tool since doing with wget(mentioned in API Usage Guide). I also tried attaching domain name into username and group name. The firewall responded identical message in those cases.
It seems that logging and policy control are working properly so this might be a cosmetic issue. But what I want to know are:
- what does the message mean?
- any way to eliminate this?
If this message doesn't have to be cared, it's ok but I want to decide if this message can be ignored in developer's program kicking the API.
Thanks,
01-15-2013 11:39 AM
Hello,
I wonder if it is the result of your using the minimized syntax for the empty tags of <hip-profile/> and <logout/>. While they are perfectly valid XML I have run into some instances where they don't work as expected. If you expand them in your wget do you get the same error?
Nick
01-15-2013 05:18 PM
Here is what I tried with wget and tweaked xml file.
$ cat test.xml
<uid-message><version>1.0</version><type>update</type><payload><login><entry name="user1" ip="1.1.1.1" timeout="10"><hip-report></hip-report></entry><entry name="user2" ip="1.2.2.2" timeout="10"><hip-report></hip-report></entry></login><logout></logout><groups><entry name="group1"><members><entry name="user1"/></members></entry><entry name="group2"><members><entry name="user2"/></members></entry></groups></payload></uid-message>
$ wget --no-check-cert --post-file test.xml "https://172.16.22.67/api/?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhR..."
--2013-01-16 10:13:52-- https://172.16.22.67/api/?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhR...
Connecting to 172.16.22.67:443... connected.
WARNING: cannot verify 172.16.22.67's certificate, issued by `/C=US/ST=CA/L=Sunnyvale/O=Palo Alto Networks/OU=Support/CN=localhost/emailAddress=support@paloaltonetworks.com':
Self-signed certificate encountered.
WARNING: certificate common name `localhost' doesn't match requested host name `172.16.22.67'.
HTTP request sent, awaiting response... 200 OK
Length: 107 [application/xml]
Saving to: `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1'
100%[============================================================================>] 107 --.-K/s in 0s
2013-01-16 10:13:53 (4.29 MB/s) - `index.html?type=user-id&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&action=set&file-name=test.xml&client=wget.1' saved [107/107]
$ cat index.html\?type\=user-id\&key\=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09\&action\=set\&file-name\=test.xml\&client\=wget.1
<response status="success"><result><
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
