Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.


L0 Member

Utilizing the PAN perl modules version: PAN-perl-20121110

How it works: A php web page calls a perl script to update a user's ip mapping in the firewall.

Example command:

code snippet:

my $cmd = "<uid-message><version>1.0</version><type>update</type><payload><login><entry name=\"$id\" ip=\"$ip\" timeout=\"86400\"></entry></login></payload></uid-message>";

$api->user_id(cmd => $cmd);

unless ($api->status_sucess) { exit 1; }

A similar command can be executed using panxapi with the same results.

Expected behavior:

A user clicks a button on a web page to update their user-id mapping.  The value of the timeout of that mapping is set to 86400.  The mapping shows up in the PAN firewall Cmdline interface "show user ip-user-mapping all". The user can then access resources though the firewall.  This has worked for approximately 1 year.

Current behavior:

A user clicks a button on a web page to update their user-id mapping.  The value of the timeout of that mapping is set to 86400, the PAN firewall does not return an error code for setting the user-id mapping.  The mapping DOES NOT show up in the PAN firewall Cmdline interface.  The user is unable to access resources through the firewall.

Troubleshooting so far:

The value of the timeout was able to be set to a lower number; however that only functioned for a short period of time.  The value had to be lowered again to allow the user-id mapping functionality to occur.


There is another PAN firewall that is utilizing the exact same user-id mapping scripts from the same web server.  The mapping works without issue with the timeout value set to 86400. 

The two PAN firewall are different models and running different software versions:

PA-5050  Software version 5.0.3 DOES NOT work

PA-5020 Software version 5.0.7 does work

The PA-5050 has been up for 350 days.  The PA-5020 has been up for 65 days.

The PA-5050 has more sessions ~2000 and throughput.  The PA-5020 as about ~500 sessions.

  • 0 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!