API call to Panorama for generating a ticket to disable GlobalProtect fails with "Command succeeded with no output" after PAN-OS upgrade.

API call to Panorama for generating a ticket to disable GlobalProtect fails with "Command succeeded with no output" after PAN-OS upgrade.

1518
Created On 10/11/22 02:21 AM - Last Modified 04/24/24 22:07 PM


Symptom


  • API call is being initiated towards the Panorama for generating a ticket to disable GlobalProtect
<request><global-protect-portal><ticket><duration>10</duration><portal>GlobalProtect_Portal</portal><request>AB12-CD34</request><tpl>Template_Name</tpl></ticket></global-protect-portal></request>&key=<API_KEY>
  • The API call stopped working after a PAN-OS upgrade to 10.1.6+ and 10.2.2+
  • The error message returned by the API call is 
<response status="error">
<msg>
<line>Command succeeded with no output</line>
</msg>
</response>

 

Environment


  • Panorama managed Palo Alto Firewalls
  • GlobalProtect Portal defined in a template
  • PAN-OS 10.1.6+ and 10.2.2+
  • API

Cause


  • In 10.2, the template name must be included in the API call to Panorama.
  • The previous design did not check the template name while generating GP tickets.

Resolution


  1. Add the template name in the API call as follows :- 
    <tpl>Template_Name</tpl>
  2. The new API call would be :-
<request><global-protect-portal><ticket><duration>10</duration><portal>GlobalProtect_Portal</portal><request>AB12-CD34</request><tpl>Template_Name</tpl></ticket></global-protect-portal></request>&key=<API_KEY>

 

Additional Information


  • In instances where multiple templates have portals with the same name error is seen in the older version
  • Hence, to remediate this occurrence, a template name is required when generating tickets to disable GP.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlnGCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail