User-ID XML-API with cURL

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID XML-API with cURL

L1 Bithead

Hi Everyone.

I have been playing with a script to effectively write my own PAN user agent for a rather specific reason.

I can confirm that my script generates a valid xml script and I can post it via the api browser and see that the IP address and new username correlate.

The bit where I get stuck is getting cURL to post the the xml file to the api. I am using the following command:

curl --insecure --form file=@output.xml "https://192.168.1.1/api/?type=user-id&action=set&key=INSERT-KEY-HERE"

and receive the following error back:

<response status = 'error' code = '400'><result><msg>No file uploaded</msg></result></response>

any help would be much appreciated thanks!

12 REPLIES 12

L1 Bithead

also, when I try this:

wget --no-check-certificate --post-file output.xml "https://192.168.1.1/api/?type=user-id&action=set&client=wget&file-name=output.xml"

the file is processed by the api and I can see the user to ip mapping, however wget continues to retry the command as it is expecting a response

I know this is a ridiculous sounding hack, but couldn't you simply set wget's 'retries' option to 1 and call it a day?

‘-t number’
‘--tries=number’
     Set number of retries to number. Specify 0 or ‘inf’ for infinite retrying. 
     The default is to retry 20 times, with the exception of fatal errors like 
     “connection refused” or “not found” (404), which are not retried. 

definitely wont be calling it a day, but this *may* get me out of the woods for now and only because I am in a hurry

Yes I meant "call it a day" as a relative term, just to get it temporarily working Smiley Happy I suppose the response from the PA should be a 200 'OK' that curl or wget never receives... might be a bug report you have to end up working with support on

Looks like a '201 Created' is the correct response to a POST:

asp.net mvc - What is the correct response to an HTTP POST request? - Stack Overflow

If you can get a pcap of the request/response from and to the PA device (you could even pull down the SSL certificate and load it into Wireshark to decrypt the SSL session), and show that the PA never responds appropriately to the HTTP POST that might help your case with support too

L4 Transporter

The behavior you are seeing with cURL is a known issue which has been fixed and is currently targeted to be included in PAN-OS 5.0.4.  The open bug number is 48966.

Just out of curiosity what's the fix? Is it to respond with an HTTP status code after the POST succeeds?

I don't have much detail, but it is related to some validation checks being applied incorrectly when cURL was used.  Due to the failed check the device would ignore the uploaded file and not create a user mapping based on the file.

Would it be also fair to say that the wget waiting for a response from the PAN and not getting one could be related to this as well?

also, do we have a rough eta on a release date for 5.0.4?

ffs 5.0.3 is just out and you already want 5.0.4? Smiley Happy

There is no ETA on 5.0.4 at this time.

only because the fix is described (hopefully) in 5.0.4 Smiley Wink

  • 6853 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!