Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-29-2022 02:36 PM
More of an advice posting than a request for assistance.
Do not make your PA firewall admin password really crazy long and complex (like I did ~ at 19 characters long).
If you do, you might get tripped up by Expedition when you try and add a device and the user API keys.
Background:
New PA-440 Firewall (FW)
Stood up Expedition VM on Monday the 21st.
I kept getting "Invalid Credential" in Expedition when trying to add the API key for admin with my crazy long complex pwd.
I was able to SSH from the Ubuntu Server to the FW using admin with its 19-character long password so was greatly puzzled why Expedition was bombing out. Even opened a case on PA support. Lots of inconclusive results found.
After a zoom session a short time ago with my local PA VAR and a SE with PA, I found a clue to a possible solution in the /home/userSpace/devices/debug.txt file: only part of that long booger of a pwd was being transmitted to the FW so of course(!) authentication is going to fail! As an aside, I find it curious that the pwd used is in clear text in the debug.txt file!
After changing my FW admin pwd to something that _just_ meets the security requirements (8 long, one cap, 5 lower and 2 bangs), committing, signing out of everything, signing back into Expedition, adding my device and using the shorter admin pwd, the add succeeded and the 3 keys were populated!
01-20-2023 01:44 PM
I'm running into the same issue. PWD = 9 characters, upper case, lower case, number, special character #
Any recommendations?
01-20-2023 02:32 PM
@M.Anderson Try to remove the special character and try again, if it's still not working, you can try create a new user account on the firewall and assign the API read permission.
01-24-2023 09:20 AM
I did both. Added a new user account with API read permissions, as well as removing the special character. Thank you sir!
01-16-2024 07:35 AM
any resolution to this? I've tried username/password, api login, removal of special characters, etc
01-16-2024 09:05 AM
Try to execute the external command and later in Expedition create the device and add directly the created API_KEY
curl -H "Content-Type: application/x-www-form-urlencoded" -X POST https://firewall/api/?type=keygen -d 'user=<user>&password=<password>'
Reference article: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/get-your...
Hope this helps,
David
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
