update complex passwords via XML API with CDATA

Posted on January 5, 2024

Ever seen the word “CDATA” in an error message while working with the Palo Alto API? If not, let me help you be prepared.

Use case:

In an enterprise environment with a lot of security devices, updating the password of the emergency user (or any local user kept for emergency cases) can be time consuming. The emergency user on each device should have its own password that is not shared among the devices.

To update the password on firewalls via the API, see the KB article here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkTCAS

We need 5 API calls, or 4 if you already have the API key:

  1. Generate an API key if you don't have one
  2. Generate a password hash via the API from the cleartext password
  3. Update the password hash for the user in the template
  4. Commit on Panorama
  5. Commit the template to the devices belonging to it.

In step 2, on Panorama, use the following cmd:

<request><password-hash><password>$clearpassword</password><templatename>$templatename</templatename></password-hash></request>

$templatename and $clearpassword are PowerShell variables.

In step 3, the arguments for Panorama are the following:

type=config
action=edit
key=$apiKey
xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='$templatename']/config/mgt-config/users/entry[@name='$tmpl_username']/phash
element=<phash>$pwdhash</phash>

$apiKey, $templatename, $tmpl_username and $pwdhash are PowerShell variables.

Problem:

It's not a problem to automate the distribution of hundreds or thousands of passwords via the XML API, but what can lead to an issue is the password complexity:

We can handle:

  • Minimum password length
  • Expiration
  • Minimum Duration
  • Password complexity:
    • Uppercase letters
    • lowercase letters
    • number
    • special characters…?

Special characters like < or > are allowed, but since we use an XML API, can they be used in XML element text? Let's test it on https://www.w3schools.com/xml/xml_validator.asp

So it's not working :-( but this “<” character can be part of a complex password, right? So at this point you will learn what CDATA is (which still has some caveats of its own).

So what does <![CDATA[]]> mean in XML? Look at this article please.

Let's try it with CDATA:

Workaround:

When you generate the password hash via the API, use the following syntax; for demonstration purposes I used PowerShell:

    # Wrap the cleartext in CDATA so that < > & in the password are not parsed as XML markup
    $cmd = "<request><password-hash><password><![CDATA[$clearpassword]]></password><templatename>$templatename</templatename></password-hash></request>"
    Add-Type -AssemblyName System.Web   # HttpUtility is not loaded by default on Windows PowerShell 5.1
    $encoded_cmd = [System.Web.HttpUtility]::UrlEncode($cmd)   # the cmd travels in the URL, so URL-encode it
    [xml]$content = Invoke-RestMethod -Uri "$PanoramaURL/api/?type=op&cmd=$encoded_cmd&key=$apiKey"
    $pwdhash = $content.response.result.phash
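The whole procedure (steps 2 to 5 from the list above) combined with the CDATA workaround, as an added example that is not code from the original post or from Palo Alto Networks. It assumes an API key already exists, that $PanoramaURL, $apiKey, $templatename, $tmpl_username and $clearpassword arrive as script parameters, that template and user names contain only plain characters (they are inserted into an XPath unescaped), and that the push syntax `<commit-all><template><name>TEMPLATE</name></template></commit-all>` matches your PAN-OS version (check the XML API reference for the version you run). The function names ConvertTo-CData, Invoke-PanApi and Wait-PanJob are hypothetical. It goes one step beyond the post: a password containing the sequence `]]>` would end the CDATA section early, so the helper splits such a password across two CDATA sections.

```powershell
# Added example, not code from the original post or from Palo Alto Networks.
# Assumptions (not from the page): API key exists, names are plain characters,
# and the commit-all template syntax below matches your PAN-OS version.
param(
    [Parameter(Mandatory)] [string] $PanoramaURL,    # e.g. https://panorama.example.internal (placeholder)
    [Parameter(Mandatory)] [string] $apiKey,
    [Parameter(Mandatory)] [string] $templatename,
    [Parameter(Mandatory)] [string] $tmpl_username,
    [Parameter(Mandatory)] [string] $clearpassword
)

Add-Type -AssemblyName System.Web   # HttpUtility is not loaded by default on Windows PowerShell 5.1

# Wrap text in CDATA. The only sequence a CDATA section cannot contain is "]]>",
# so a password holding it is split across two sections: "a]]>b" becomes
# <![CDATA[a]]]]><![CDATA[>b]]>, which an XML parser reads back as "a]]>b".
function ConvertTo-CData {
    param([string] $Text)
    $split = $Text -replace '\]\]>', ']]]]><![CDATA[>'
    return "<![CDATA[$split]]>"
}

# One XML API call. The key goes in the query string like in the KB article;
# PAN-OS also accepts it in an X-PAN-KEY header, which keeps it out of URL logs.
function Invoke-PanApi {
    param([hashtable] $Query)
    $pairs = foreach ($name in $Query.Keys) {
        '{0}={1}' -f $name, [System.Web.HttpUtility]::UrlEncode([string]$Query[$name])
    }
    [xml]$resp = Invoke-RestMethod -Method Get -Uri ("$PanoramaURL/api/?" + ($pairs -join '&'))
    if ($resp.response.status -ne 'success') {
        throw "API call failed: $($resp.response.OuterXml)"
    }
    return $resp
}

# Poll "show jobs id N" until the job finishes; returns the job result (OK or FAIL).
function Wait-PanJob {
    param([string] $JobId)
    do {
        Start-Sleep -Seconds 5
        $job = Invoke-PanApi @{ type = 'op'; cmd = "<show><jobs><id>$JobId</id></jobs></show>"; key = $apiKey }
    } while ($job.response.result.job.status -ne 'FIN')
    return $job.response.result.job.result
}

# Step 2: have Panorama hash the cleartext. Only the password is CDATA-wrapped,
# because it is the one value whose characters the operator does not control.
$cmd = "<request><password-hash><password>$(ConvertTo-CData $clearpassword)</password>" +
       "<templatename>$templatename</templatename></password-hash></request>"
# Same check as the online validator, done locally: an [xml] cast throws on malformed XML
try { $null = [xml]$cmd } catch { throw "Request is not well-formed XML: $($_.Exception.Message)" }
$hashResp = Invoke-PanApi @{ type = 'op'; cmd = $cmd; key = $apiKey }
$pwdhash  = $hashResp.response.result.phash

# Step 3: write the hash into the template (phash is a hash string without markup characters)
$xpath = "/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='$templatename']" +
         "/config/mgt-config/users/entry[@name='$tmpl_username']/phash"
$null = Invoke-PanApi @{ type = 'config'; action = 'edit'; xpath = $xpath; element = "<phash>$pwdhash</phash>"; key = $apiKey }

# Step 4: commit on Panorama and wait for the job, otherwise step 5 would push the old config
$commit = Invoke-PanApi @{ type = 'commit'; cmd = '<commit></commit>'; key = $apiKey }
if ((Wait-PanJob $commit.response.result.job) -ne 'OK') { throw 'Panorama commit failed' }

# Step 5: push the template to the devices belonging to it (syntax assumed, see lead-in)
$pushCmd = "<commit-all><template><name>$templatename</name></template></commit-all>"
$push = Invoke-PanApi @{ type = 'commit'; action = 'all'; cmd = $pushCmd; key = $apiKey }
if ((Wait-PanJob $push.response.result.job) -ne 'OK') { throw 'Template push failed' }
Write-Host "Password for '$tmpl_username' in template '$templatename' updated and pushed."
```

Save it as a script (for example Update-EmergencyPassword.ps1, a hypothetical name) and run it with the five parameters. The local [xml] cast gives the same answer as the online validator without pasting a real password into a website, and it fails before anything is sent to Panorama.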

Take away:

If you work with XML and you are unsure what is in the element text, use CDATA in all cases. Palo Alto PAN-OS does not use it, for example, when you query the DHCP server leases from the firewall via the XML API, so the response cannot be parsed if somebody uses weird characters in a hostname that is listed in the leases. Don't be like a Palo Alto developer. :-)
