kevinsteves / pan-python

Multi-tool set for Palo Alto Networks PAN-OS, Panorama, WildFire and AutoFocus

PanXapiError: ElementTree.fromstring ParseError: not well-formed (invalid token) #14

Closed XioNoX closed 7 years ago

XioNoX commented 7 years ago

If an LLDP neighbor has in its description (and probably other places) the symbol "<" (most likely other symbols as well), PanXapi will return the error:

pan.xapi.PanXapiError: ElementTree.fromstring ParseError: not well-formed (invalid token): line 72, column 26

Here, for example, is line 72 of the returned XML:

<port-description>border2<=>fw2:eth1-14</port-description>

kevinsteves commented 7 years ago

This may be a PAN-OS bug, where XML special characters are not being quoted in the 'show lldp neighbors' XML API response. Can you provide more details including PAN-OS version and neighbor configuration to help me duplicate? Thanks.

I set up a Cisco SG-300 with this:

interface gigabitethernet8
 no eee enable
 description border2<=>fw2:eth1-14
 switchport mode access
 switchport access vlan 12
 lldp optional-tlv port-desc sys-name sys-desc sys-cap
 no eee lldp enable
 green-ethernet short-reach
!

and PAN-OS 7.1.7 shows this, where port-description is set to the interface name and not the interface description string:

```
MAC address bc:c4:93:ef:5b:ca Interface name gi8 gigabitethernet8 111 SG300-10 SG300-10 10-Port Gigabit Managed Switch B, R, B, R,
```

XioNoX commented 7 years ago

On the other side is a Juniper router:

ge-1/0/1 {
    description border1<=>fw1:eth1-13;
    encapsulation ethernet-bridge;
    unit 0 {
        family bridge;
    }
}                                       
ge-1/0/2 {
    description border1<=>fw2:eth1-13;
    encapsulation ethernet-bridge;
    unit 0 {
        family bridge;
    }
}

The Palo Alto is running 7.1.2.

Our Cisco neighbors report the port description as the full interface name, e.g. GigabitEthernet2/0/2. But for the Juniper neighbor, it shows the description:

show lldp neighbors all
[...]
Port description: Office-core: to_fw1b:eth1-14

That's after renaming it to a description without the "<".

kevinsteves commented 7 years ago

This appears to be related to this feature:

https://www.juniper.net/documentation/en_US/junos15.1/topics/reference/configuration-statement/port-description-type-edit-protocols-lldp.html

I don't have a switch with a junos version with that feature to duplicate.

Can you open a support case and request to log a bug for PAN-OS for this?

XioNoX commented 7 years ago

Ticket 00613270 opened with Palo Alto

XioNoX commented 7 years ago

"Your case has been escalated to my care. We have reproduced the issue in the lab and reported it to our development team. I will keep you posted with more information regarding issue at my earliest."

arkaraung1993 commented 6 years ago

Hi XioNox,

I am also facing this issue:

error msg: "ElementTree.fromstring ParseError: not well-formed (invalid token)"

I am trying to automate a Palo Alto firewall with Ansible.

PAN-OS version: 7.1.14

When you find a solution to this, please kindly share.

I would much appreciate it if you can help with it.
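
The parse failure reported in this thread and a client-side repair step, as an added example that is not part of the thread or of pan-python. The names `SAMPLE`, `escape_stray_markup`, `parse_tolerant` and `strict_error` are hypothetical, and the sample response is constructed around the `port-description` line quoted in the first comment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not captured from a device): the port-description
# line from the report inside a minimal XML API response envelope.
SAMPLE = (
    '<response status="success"><result>'
    "<port-description>border2<=>fw2:eth1-14</port-description>"
    "</result></response>"
)

# '<' that cannot begin a start tag, end tag, comment or processing instruction.
_STRAY_LT = re.compile(r"<(?![A-Za-z_/!?])")
# '&' that does not begin a named or numeric character reference.
_STRAY_AMP = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def escape_stray_markup(xml_text):
    """Escape '&' and '<' characters that cannot be XML markup."""
    xml_text = _STRAY_AMP.sub("&amp;", xml_text)
    return _STRAY_LT.sub("&lt;", xml_text)


def strict_error(xml_text):
    """Return the ParseError message for xml_text, or None if it parses."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def parse_tolerant(xml_text):
    """Parse strictly first; on failure, retry once on the repaired text.

    Returns (root, repaired) so the caller can log that the response was
    malformed instead of silently accepting it.
    """
    try:
        return ET.fromstring(xml_text), False
    except ET.ParseError:
        return ET.fromstring(escape_stray_markup(xml_text)), True


if __name__ == "__main__":
    print("strict parse:", strict_error(SAMPLE))
    root, repaired = parse_tolerant(SAMPLE)
    print("repaired:", repaired)
    print("port-description:", root.findtext("result/port-description"))
```

The repair is a heuristic: a "<" followed by a letter still looks like a tag and is left alone, so neighbor-supplied text of that shape will still fail or be read as markup. Log every repaired response and treat it as untrusted input.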