06-04-2014 10:21 AM
Utilizing the PAN perl modules version: PAN-perl-20121110
How it works: A php web page calls a perl script to update a user's ip mapping in the firewall.
Example command:
code snippet:
my $cmd = "<uid-message><version>1.0</version><type>update</type><payload><login><entry name=\"$id\" ip=\"$ip\" timeout=\"86400\"></entry></login></payload></uid-message>";
$api->user_id(cmd => $cmd);
unless ($api->status_sucess) { exit 1; }
A similar command can be executed using panxapi with the same results.
Expected behavior:
A user clicks a button on a web page to update their user-id mapping. The value of the timeout of that mapping is set to 86400. The mapping shows up in the PAN firewall Cmdline interface "show user ip-user-mapping all". The user can then access resources through the firewall. This has worked for approximately 1 year.
Current behavior:
A user clicks a button on a web page to update their user-id mapping. The value of the timeout of that mapping is set to 86400. The PAN firewall does not return an error code for setting the user-id mapping. The mapping DOES NOT show up in the PAN firewall Cmdline interface. The user is unable to access resources through the firewall.
Troubleshooting so far:
The value of the timeout was able to be set to a lower number; however that only functioned for a short period of time. The value had to be lowered again to allow the user-id mapping functionality to occur.
Differential:
There is another PAN firewall that is utilizing the exact same user-id mapping scripts from the same web server. The mapping works without issue with the timeout value set to 86400.
The two PAN firewalls are different models and running different software versions:
PA-5050 Software version 5.0.3 DOES NOT work
PA-5020 Software version 5.0.7 does work
The PA-5050 has been up for 350 days. The PA-5020 has been up for 65 days.
The PA-5050 has more sessions (~2000) and throughput. The PA-5020 has about ~500 sessions.
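The uid-message from the post, built with the user name escaped and the IP and timeout validated before they are interpolated, since both values arrive from a web page. This is an added example, not code from the original post or from the PAN-perl modules; the helper names `xml_attr_escape`, `is_ipv4` and `build_login_message` and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the XML special characters so a value cannot close the attribute
# it is placed in and append attributes or elements of its own.
sub xml_attr_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&apos;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Accept a dotted-quad IPv4 address only: four octets, each 0-255.
sub is_ipv4 {
    my ($ip) = @_;
    return 0 unless defined $ip;
    my @octets = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return 0;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

# Hypothetical helper: returns the same login uid-message the post sends,
# or dies if any input is unusable.
sub build_login_message {
    my ($user, $ip, $timeout) = @_;
    die "invalid IP address\n" unless is_ipv4($ip);
    die "invalid user name\n"
        unless defined $user && length $user && $user !~ /[\x00-\x1f]/;
    die "invalid timeout\n"
        unless defined $timeout && $timeout =~ /\A\d+\z/ && $timeout > 0;
    return sprintf(
        '<uid-message><version>1.0</version><type>update</type><payload><login>'
        . '<entry name="%s" ip="%s" timeout="%s"></entry>'
        . '</login></payload></uid-message>',
        xml_attr_escape($user), $ip, $timeout);
}

# Constructed sample inputs (not from the original post).
for my $case (['corp\\alice', '192.0.2.10'],
              ['x" ip="198.51.100.1', '192.0.2.11'],
              ['bob', '192.0.2.999']) {
    my ($user, $ip) = @$case;
    my $cmd = eval { build_login_message($user, $ip, 86400) };
    print defined $cmd ? "OK   $cmd\n" : "SKIP $@";
}
```

The returned string takes the place of `$cmd` in the post's `$api->user_id(cmd => $cmd)` call.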