05-21-2023 08:12 PM
Hi,
Checked the documentation but just cannot get a decryption rule created when using "decryption_type: 'ssl-inbound-inspection'"
https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_decryption_rule_module.html
YAML file is vanilla, just the same as the example:
- name: add inbound decryption rule to Panorama device group
  panos_decryption_rule:
    provider: '{{ provider }}'
    device_group: '{{ device_group }}'
    name: 'sampleRule'
    description: 'Made by Ansible'
    source_zones: ['any']
    source_addresses: ['any']
    source_users: ['any']
    source_hip: ['any']
    destination_zones: ['any']
    destination_addresses: ['any']
    destination_hip: ['any']
    negate_destination: false
    services: ['any']
    url_categories: ['any']
    action: 'decrypt'
    decryption_type: 'ssl-inbound-inspection'
    ssl_certificate: 'test-cert'
    log_successful_tls_handshakes: true
    log_failed_tls_handshakes: true
    audit_comment: 'Initial config'
Error is this:
"msg": "Failed apply: test-decom -> type -> ssl-inbound-inspection unexpected here\n test-decom -> type -> ssl-inbound-inspection is unexpected \n test-decom -> type is invalid"
In the Panorama php.debug.log file I see this for the attempt:
<type>
  <ssl-inbound-inspection>test-cert</ssl-inbound-inspection>
</type>
but with "debug cli on" when I try to set the rule via the CLI I see this:
<type>
  <ssl-inbound-inspection>
    <certificates>
      <member>test-cert</member>
    </certificates>
  </ssl-inbound-inspection>
</type>
Panorama is 10.2 and that part of the tool now supports multiple certificates so perhaps that's the issue?
$ ansible-galaxy collection list | grep pano
paloaltonetworks.panos 2.16.0
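The two <type> shapes in the log excerpts above, as an added example that is not from the thread, from pan-os-python or from pan-os-ansible: a stdlib-only Python helper that builds the pre-10.2 single-certificate form and the 10.2+ certificates/member form, and classifies which form a given rule's <type> element uses, so you can compare what an integration actually sends against what the running PAN-OS version's CLI emits. The function names, the "legacy"/"member-list" labels and the second certificate name "backup-cert" are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Added example (not from the thread, pan-os-python or pan-os-ansible).
# Pre-10.2 PAN-OS took a single certificate name as the text of
# <ssl-inbound-inspection>; 10.2+ expects a <certificates> member list so
# that several certificates can be attached to one inbound-inspection rule.


def build_inbound_inspection_type(certs, legacy=False):
    """Return the <type> element for an SSL Inbound Inspection rule.

    certs: list of certificate object names.
    legacy=True builds the pre-10.2 single-value shape (the one Panorama 10.2
    rejects with 'ssl-inbound-inspection unexpected here'); legacy=False
    builds the member-list shape seen in the 10.2 CLI debug output.
    """
    if not certs:
        raise ValueError("at least one certificate is required")
    type_el = ET.Element("type")
    sii = ET.SubElement(type_el, "ssl-inbound-inspection")
    if legacy:
        if len(certs) != 1:
            raise ValueError("pre-10.2 schema accepts exactly one certificate")
        sii.text = certs[0]
    else:
        certs_el = ET.SubElement(sii, "certificates")
        for name in certs:
            ET.SubElement(certs_el, "member").text = name
    return type_el


def inbound_inspection_certs(type_el):
    """Return (schema, [cert names]) for a parsed <type> element, or None if
    the rule is not ssl-inbound-inspection. schema is 'legacy' (bare text)
    or 'member-list' (<certificates><member>...</member></certificates>)."""
    sii = type_el.find("ssl-inbound-inspection")
    if sii is None:
        return None
    members = [m.text for m in sii.findall("certificates/member")]
    if members:
        return ("member-list", members)
    if sii.text and sii.text.strip():
        return ("legacy", [sii.text.strip()])
    return ("member-list", [])  # element present but no certificates listed


def classify(xml_text):
    """Convenience wrapper: classify a <type> element given as an XML string."""
    return inbound_inspection_certs(ET.fromstring(xml_text))


def to_xml(el):
    return ET.tostring(el, encoding="unicode")


# Constructed samples: what the failing Ansible run sent (legacy shape) and
# what the 10.2 CLI generated (member-list shape), same values as the thread.
SENT_BY_ANSIBLE = "<type><ssl-inbound-inspection>test-cert</ssl-inbound-inspection></type>"
SENT_BY_CLI = ("<type><ssl-inbound-inspection><certificates><member>test-cert</member>"
               "</certificates></ssl-inbound-inspection></type>")

if __name__ == "__main__":
    for label, xml in (("ansible 2.16.0", SENT_BY_ANSIBLE), ("10.2 CLI", SENT_BY_CLI)):
        print(label, classify(xml))
    # 10.2+ form with two certificates attached to the same rule
    print(to_xml(build_inbound_inspection_type(["test-cert", "backup-cert"])))
```

The classifier is the useful half in practice: run it over the <type> elements of the decryption rules in an exported Panorama or firewall config (or over the XML captured in php.debug.log) to see which shape each rule or each tool is producing before you blame the API.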
05-22-2023 01:49 AM
Thanks for this one @SimonT. It arises because in 10.2+ there is the possibility to have multiple certs, instead of just one, hence the underlying PAN-OS API changed and the integrations need updating. This is tracked here right now
05-21-2023 10:15 PM
Seems the issue is in https://github.com/PaloAltoNetworks/pan-os-python/blob/develop/panos/policies.py
I edited my local copy with the following and it now works:
# panos/policies.py: the ssl_certificate parameter of the DecryptionRule object,
# changed to the 10.2+ member-list path (type/ssl-inbound-inspection/certificates/member)
params.append(
    VersionedParamPath(
        "ssl_certificate",
        vartype="member",
        path="type/{decryption_type}/certificates/",
        condition={"decryption_type": "ssl-inbound-inspection"},
    )
)
08-16-2023 02:56 AM
Hi @SimonT, thanks for this. Which line exactly did you edit in policies.py?
08-16-2023 11:00 PM - edited 08-16-2023 11:01 PM
this is the diff:
< path="type/{decryption_type}/certificates/",
---
> path="type/{decryption_type}",
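Review bot: the path change on its own does not produce the <certificates><member>test-cert</member></certificates> element shown in the CLI debug output; the parameter also needs vartype="member" so the value is serialized as a member list rather than as bare element text, which is the form 10.2 rejected. The diff should include that line as well, e.g. `vartype="member",` directly above the `path=` line.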
08-20-2023 08:08 PM
Thanks @SimonT, it needs the line you specified as well as vartype="member". Working as expected now.
# panos/policies.py: ssl_certificate parameter with both changes applied
params.append(
    VersionedParamPath(
        "ssl_certificate",
        vartype="member",
        path="type/{decryption_type}/certificates/",
        # path="type/{decryption_type}",   # original pre-10.2 path
        condition={"decryption_type": "ssl-inbound-inspection"},
    )
)