kevinsteves/pan-python

"show config diff" returning 'error: "invalid client cli"'

goohuu opened this issue · 2 comments

goohuu commented

Tested in latest version of pan-python: fb9fcc4
Palo Alto version: 7.1.5 (VMWare ESXi)
OS: Debian 8 and Ubuntu 16.04

When trying to display the diff between running and candidate configuration, I get the following:

[/tmp/pan-python] ./bin/panxapi.py -DD -jro '<show><config><diff></diff></config></show>'
element: "<show><config><diff></diff></config></show>"
__parse_path: /home/gohu/.panrc: { 'api_key': '******', 'hostname': '172.16.0.2'}
panrcs: [{ 'api_key': '******', 'hostname': '172.16.0.2'}]
panrc: { 'api_key': '******', 'hostname': '172.16.0.2'}
using legacy urllib
query: {'cmd': '<show><config><diff></diff></config></show>', 'type': 'op', 'key': '******'}
URI: https://172.16.0.2/api/?cmd=<show><config><diff></diff></config></show>&type=op&key=******
method: POST
HTTP response headers:
Server: 
Date: Mon, 13 Feb 2017 16:45:49 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 78
Connection: close
ETag: "24004-12b-57e5df77"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Access-Control-Allow-Origin: 
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: PHPSESSID=33e7b9ed7b247d9151446df11ce47555; path=/; secure; HttpOnly

response_attrib: {'status': 'error'}
path: ./msg/line [<Element 'line' at 0x7f31748898d0>]
op: error: "invalid client cli"
[/tmp/pan-python]

The "invalid client cli" issue only happens with this specific operation command.
Is that expected?

gettingswifty commented

It appears that command is not exposed to the API (I ran into the same issue trying a different command the other day). You can verify this by going into to API Browser ('https://FW_IP/api' from a web browser) > Operational Commands > show > config.

You can, however, pull a candidate config using 'show config candidate' and then diff the two through a different method.

goohuu commented

Ok good to know!
Thanks for pointing out the workaround. So I used the following command which gives a good diff view:

root@server:~# diff -u <(panxapi.py -xrs) <(panxapi.py -Xro 'show config candidate')
show: success
op: success
--- /dev/fd/63	2017-02-16 08:31:07.527324217 +0000
+++ /dev/fd/62	2017-02-16 08:31:07.527324217 +0000
@@ -821,9 +870,7 @@
             </routing-table>
           </entry>
         </virtual-router>
-        <vlan>
-          <entry name="szetzet" />
-        </vlan>
+        <vlan />
       </network>
       <deviceconfig>
         <system>