Scheduled FTP Log Export Fails when Initiated from the WebGUI
Issue
When a scheduled FTP Log Export is performed from the PAN-OS WebGUI, it fails with the following error message: Authentication failed invalid username/password. However, a manual FTP export (through the CLI) with the same credentials to the same server succeeds.
Cause
Prior to PAN-OS 5.0.1, a backslash ('\') is automatically inserted in front of any special character (for example, '\', '-', '_') found in a username. The configuration file itself does not contain the inserted '\' character.
The following sample excerpt shows the configuration for the FTP export:
ftp {
  password -AQ==ksVRfeBaRUBQTwI+kJu8/yoLE8w=PyOeqOfhWu0cpE45DDfAGw==;
  hostname NSKIWICT.practice.lrgh.org;
  port 40001;
  username fw_ftp;
  passive-mode yes;
}
When the scheduled FTP export is initiated, the username contains an erroneous '\' character: fw\_ftp
When the FTP export is performed manually, the username is submitted correctly: fw_ftp
The crond.log file for the scheduled FTP export shows the command as it was run, including the escaped username:
mp \ cron 03-08 16:45:01
mgmt crond[19213]: (root) CMD (/usr/local/bin/pan_log_export_ftp --type=url --host=nskiwict.practice.lrgh.org --port=40001 --user='fw\\\\_ftp' --auto-retry-mode --passive-mode --passwd=pepsi24 2>&1 > /var/log/pan/logftpexport.log)
When the server receives the request with the invalid username (due to the additional '\' characters), authentication fails and the FTP export process is terminated.
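To confirm this cause on an affected device, the usernames submitted by the scheduled export can be pulled out of crond.log and compared with the configured one. The following is an added example, not Palo Alto Networks code: the sample log lines are constructed in the shape of the entry above (host and password are placeholders), and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample lines in the shape of the crond.log entry quoted above;
# host, PIDs and password are placeholders, not values from a real device.
SAMPLE_LOG = r"""
mgmt crond[19213]: (root) CMD (/usr/local/bin/pan_log_export_ftp --type=url --host=ftp.example.test --port=40001 --user='fw\\\\_ftp' --auto-retry-mode --passive-mode --passwd=PLACEHOLDER 2>&1 > /var/log/pan/logftpexport.log)
mgmt crond[19301]: (root) CMD (/usr/local/bin/pan_log_export_ftp --type=url --host=ftp.example.test --port=40001 --user='fw_ftp' --auto-retry-mode --passive-mode --passwd=PLACEHOLDER 2>&1 > /var/log/pan/logftpexport.log)
"""

# Captures the command inside "CMD ( ... )" for the FTP export program only.
CMD_RE = re.compile(r"CMD \((.*pan_log_export_ftp.*)\)\s*$")


def export_users(log_text):
    """Yield the --user value of every scheduled FTP export command.

    The same command line carries --passwd in clear text, so only the
    username is returned and the full line is never echoed.
    """
    for line in log_text.splitlines():
        match = CMD_RE.search(line)
        if not match:
            continue
        # shlex applies shell quoting rules, so the value matches the
        # argument the export program receives.
        for arg in shlex.split(match.group(1)):
            if arg.startswith("--user="):
                yield arg[len("--user="):]


def find_escaped_users(log_text, configured_user):
    """Return submitted usernames that differ from the configured one
    only by inserted backslashes (the symptom described above)."""
    hits = []
    for submitted in export_users(log_text):
        stripped = submitted.replace("\\", "")
        if submitted != configured_user and stripped == configured_user:
            hits.append(submitted)
    return hits


if __name__ == "__main__":
    for user in find_escaped_users(SAMPLE_LOG, "fw_ftp"):
        print("escaped username submitted:", user)
```
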
Resolution
Upgrade the Palo Alto Networks firewall to PAN-OS 5.0.1 or above to resolve this issue. The related bug number is 45975 and is briefly described in this document: PAN-OS 5.0.1: Addressed Issues.
owner: rshobana