topic Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection in Automation/API Discussions

Ansible panos_decryption_rule - not working with ssl-inbound-inspection

SimonT — Mon, 22 May 2023 03:12:34 GMT

Hi,

Checked the documentation but just cannot get a decryption rule created when using "decryption_type: 'ssl-inbound-inspection'"

https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_decryption_rule_module.html

https://github.com/PaloAltoNetworks/pan-os-ansible/blob/develop/plugins/modules/panos_decryption_rule.py

yaml file is vanilla just the same as the example:

- name: add inbound decryption rule to Panorama device group
panos_decryption_rule:
provider: '{{ provider }}'
device_group: '{{ device_group }}'
name: 'sampleRule'
description: 'Made by Ansible'
source_zones: ['any']
source_addresses: ['any']
source_users: ['any']
source_hip: ['any']
destination_zones: ['any']
destination_addresses: ['any']
destination_hip: ['any']
negate_destination: false
services: ['any']
url_categories: ['any']
action: 'decrypt'
decryption_type: 'ssl-inbound-inspection'
ssl_certificate: 'test-cert'
log_successful_tls_handshakes: true
log_failed_tls_handshakes: true
audit_comment: 'Initial config'

Error is this:

"msg": "Failed apply: test-decom -> type -> ssl-inbound-inspection unexpected here\n test-decom -> type -> ssl-inbound-inspection is unexpected \n test-decom -> type is invalid"

In the Panorama php.debug.log file I see this for the attempt:

but with "debug cli on" when I try to set the rule via the CLI I see this:

Panorama is 10.2 and that part of the tool now supports multiple certificates so perhaps that's the issue?

$ ansible-galaxy collection list | grep pano
paloaltonetworks.panos 2.16.0

Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection

SimonT — Mon, 22 May 2023 05:15:41 GMT

Seems the issue is in https://github.com/PaloAltoNetworks/pan-os-python/blob/develop/panos/policies.py

I edited my local copy with the following and it now works:

params.append(
VersionedParamPath(
"ssl_certificate",
vartype="member",
path="type/{decryption_type}/certificates/",
condition={"decryption_type": "ssl-inbound-inspection",},
)
)

Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection

JimmyHolland — Mon, 22 May 2023 08:49:06 GMT

Thanks for this one @SimonT. It arises because in 10.2+ there is the possibility to have multiple certs, instead of just one, hence the underlying PAN-OS API changed and the integrations need updating. This is tracked here right now

Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection

bgre033 — Wed, 16 Aug 2023 09:56:51 GMT

Hi @SimonT, thanks for this. Which line exactly did you edit in policies.py?

Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection

SimonT — Thu, 17 Aug 2023 06:01:13 GMT

this is the diff:

< path="type/{decryption_type}/certificates/",
---
> path="type/{decryption_type}",

Re: Ansible panos_decryption_rule - not working with ssl-inbound-inspection

bgre033 — Mon, 21 Aug 2023 03:08:45 GMT

Thanks @SimonT, it needs the line you specified as well as the 'vartype="member". Working as expected now.

params.append( VersionedParamPath( "ssl_certificate", vartype="member", path="type/{decryption_type}/certificates/", #path="type/{decryption_type}", condition={"decryption_type": "ssl-inbound-inspection",}, ) )