topic trying to do commit and then push from panorama with a script in Automation/API Discussions

trying to do commit and then push from panorama with a script

Alex_Samad — Sun, 02 Oct 2022 09:39:02 GMT

Spending some time to integrate my letsencrypt setup with palo - shame that palo haven't done this yet ... thats another thread.

I have a script that will take the lets encrypt certs - currently it pushes them into my nginx and my F5 setup ...

I would like to push it into my panorama and commit - with comments and then push with comments

I have

curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=${certname}&format=pem&target-tpl=${TName}&passphrase=${cpass}"

That works fine .. the bit thats failing is

curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit><partial><admin><member>${paAPIuser}</member></admin><no-device-group/><template><member>${TName}</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commit from script ${DT}</description></commit>"

I keep getting 403 ...

I have a user specifically setup for this. I created an API token - and then modified the security .. does the token have the permission set at the time it was created - I presume it doesn't !!!

But I have turned off all web access and cli access and allowed just about all xml api and api - whats the difference and which one do i need above.

But I still get 403

I'm at a loss

then what / how do i do a push

Re: trying to do commit and then push from panorama with a script

JimmyHolland — Mon, 03 Oct 2022 11:21:20 GMT

Hi @Alex_Samad, there's a few things to clear up to help you:

The "commit" call is needed first to commit Panorama's candidate configuration to running, then a "commit-all" call is needed to push to managed firewalls (discussed here: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commit-configuration-api)
XML API is what you are using here, as opposed to the REST API (discussed here: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/about-the-pan-os-xml-api), so when constructing your administrator roles, keep that in mind
The administrator's generated API key gives access to the privileges of that administrator at the time of making API calls, not at the time the API key was generated
If the access is incorrect, you would expect a 403 as you described:

<response status = 'error' code = '403'> <result> <msg>Type [commit] not authorized for user role.</msg> </result> </response>

...so maybe the access needs re-configuring? https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-control

Hope that helps!

Re: trying to do commit and then push from panorama with a script

Alex_Samad — Mon, 03 Oct 2022 21:37:59 GMT

Thats very helpful, I didn't know about the commit commit-all

The problem is I have given the admin role all the permissions under xml api .. and I still get 403 😞

On the safe side I had also given it all of the permissions under api as well .

I have turned off all of the web ui

EDIT - I tried logging in as the user and I can't see much ... I will have to double check the permissions ...

EDIT2 - think this is the problem - I have assigned the role panorama profile - that looks like I can't admin the device itself. which is interesting - cause if I give it device group and template rights not sure i will have the right to commit and push ..

Edit3 .. given it all of the roles permissions I can log into the web site and commit and push, but still can't from the CLI ...

Re: trying to do commit and then push from panorama with a script

JimmyHolland — Tue, 04 Oct 2022 09:36:00 GMT

Hi @Alex_Samad,

I'll post screenshots of the admin role and administrator account I used, I only allowed XML API in the role and assigned that role the to the administrator account. Remember that exact options for configuring this could differ between PAN-OS versions. If you believe the administrative role-based access control is not working as expected, you can raise a ticket via your normal support process to have this investigated.

Hope that helps!

Re: trying to do commit and then push from panorama with a script

Alex_Samad — Tue, 04 Oct 2022 19:03:47 GMT

Thanks for that. Mine is the same - except I have added in the all perms from the rest api tab as well.

I have already logged a case with support - taken 4 days of them wanting to do a screen session cause they don't understand .. sigh

I tried recreating the api key ... not luck

curl 'https://panorama.yieldbroker.com/api?key=<APIKEY>&cmd=<commit><partial><admin><member><APIUSER></member></admin><no-device-group/><template><member>YBCert</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commitfromscript20221005-262646</description></commit>'

Re: trying to do commit and then push from panorama with a script

JimmyHolland — Wed, 05 Oct 2022 11:47:08 GMT

Do you still receive a 403 like the one I posted earlier in the thread? Does it say:

Type [commit] not authorized for user role.

If so then there must still be something that needs fixing with the Admin Role, or the assignment of the Administrator to the Admin Role, or using the wrong Administrator to generate the API key, or something along those lines... You can share (DM) me the case number if you want.

Re: trying to do commit and then push from panorama with a script

Alex_Samad — Fri, 14 Oct 2022 00:17:43 GMT

Trying to work with palo support - 2 weeks .... 1 week person didn't understand ... 2nd week got somebody enthusiastic, 5 days nothing.

I tried setting the role to super user ... that failed as well !

<response status = 'error' code = '400'><result><msg>Missing value for parameter "type".</msg></result></response>

sent him updated tech support and details .. silence ...

curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=decrypt&format=pem&target-tpl=YBCert&passphrase=xXxXxX"

curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit></commit>"

Re: trying to do commit and then push from panorama with a script

JimmyHolland — Fri, 14 Oct 2022 09:27:25 GMT

Hi @Alex_Samad, the response you get now (400 and "Missing value...") shows that your admin user can talk to the API, you are no longer getting 403 "unauthorised"). This shows your original problem was around admin users and/or roles.

The new error means your API call is not constructed correctly. The API calls are below, it looks like your commit API call is missing the "type" parameter per the 400 error. After commit to Panorama, you would then push to the firewalls (managed devices)

# Upload keypair https://{{host}}/api/?key={{key}}&type=import&category=keypair&format=pem&certificate-name={{cert-name}}&target-tpl={{template-name}}&passphrase={{passphrase}} # Commit to Panorama https://{{host}}/api/?key={{key}}&type=commit&cmd=<commit-all></commit-all> # Push to managed devices using relavant template stack https://{{host}}/api?key={{key}}&type=commit&action=all&cmd=<commit-all><template-stack><name>{{tpl-stack-name}}</name></template-stack></commit-all>

Hope this helps

Re: trying to do commit and then push from panorama with a script

Alex_Samad — Fri, 14 Oct 2022 23:08:53 GMT

OMG - i double checked it with /api browser, sigh missed the obvious

As for the permission - I have given the role all of the permissions - apart from cli

also used the web debugger to get the commands

<request cmd="op" cookie="X" target="panorama">
  <operations xml="yes">
    <commit-and-push>
      <description>Test Commit Push</description>
      <push-to>
        <template-stack-config>
          <merge-with-candidate-cfg>yes</merge-with-candidate-cfg>
          <force-template-values>no</force-template-values>
          <template-stack>
            <entry name="Stacka_AP">
              <device>
                <member>1</member>
              </device>
            </entry>
            <entry name="Stacky">
              <device>
                <member>2</member>
              </device>
            </entry>
            <entry name="StackP">
              <device>
                <member>3</member>
              </device>
            </entry>
          </template-stack>
          <description>Test Commit Push</description>
        </template-stack-config>
      </push-to>
    </commit-and-push>
  </operations>
</request>

Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ?

EDIT :- found my own answer - not commit-push via xml api ... WTF

So commit - starts job - you get job id .. okay how do you work out if a job is finished - how do i know when to do the commit-all

Side not how can i do a commit push from the cli . I could ssh there.

It just seems sometime the people who create the panos interface have no idea..

Re: trying to do commit and then push from panorama with a script

JimmyHolland — Tue, 18 Oct 2022 10:29:49 GMT

Hi @Alex_Samad,

"Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ? "

No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commit-configuration-api

"okay how do you work out if a job is finished"

This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program to not be held waiting for a synchronous response. The API call would be:

https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>

"Side not how can i do a commit push from the cli . I could ssh there."

Commit to Panorama is done in configuration mode:

admin@Panorama# commit + description Enter commit description > force force > partial partial <Enter> Finish input

Push to managed devices is done in operational mode:

admin@Panorama> commit-all > log-collector-config log-collector-config > shared-policy shared-policy > template template > template-stack template-stack > wildfire-appliance-config wildfire-appliance-config

Hope this helps!