For details on cookie usage on our site, read our Privacy Policy
trying to do commit and then push from panorama with a script
- LIVEcommunity
- Tools
- Automation / API
- Automation/API Discussions
- trying to do commit and then push from panorama with a script
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-02-2022 02:38 AM - edited 10-02-2022 02:39 AM
Hi
Spending some time to integrate my letsencrypt setup with palo - shame that palo haven't done this yet ... thats another thread.
I have a script that will take the lets encrypt certs - currently it pushes them into my nginx and my F5 setup ...
I would like to push it into my panorama and commit - with comments and then push with comments
I have
curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=${certname}&...}"
That works fine .. the bit thats failing is
curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit><partial><admin><member>${paAPIuser}</member></admin><no-device-group/><template><member>${TName}</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commit from script ${DT}</description></commit>"
I keep getting 403 ...
I have a user specifically setup for this. I created an API token - and then modified the security .. does the token have the permission set at the time it was created - I presume it doesn't !!!
But I have turned off all web access and cli access and allowed just about all xml api and api - whats the difference and which one do i need above.
But I still get 403
I'm at a loss
then what / how do i do a push
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-18-2022 03:29 AM
Hi @Alex_Samad,
"Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ? "
No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...
"okay how do you work out if a job is finished"
This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program to not be held waiting for a synchronous response. The API call would be:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>
"Side not how can i do a commit push from the cli . I could ssh there."
Commit to Panorama is done in configuration mode:
admin@Panorama# commit
+ description Enter commit description
> force force
> partial partial
<Enter> Finish input
Push to managed devices is done in operational mode:
admin@Panorama> commit-all
> log-collector-config log-collector-config
> shared-policy shared-policy
> template template
> template-stack template-stack
> wildfire-appliance-config wildfire-appliance-config
Hope this helps!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-03-2022 04:21 AM
Hi @Alex_Samad, there's a few things to clear up to help you:
- The "commit" call is needed first to commit Panorama's candidate configuration to running, then a "commit-all" call is needed to push to managed firewalls (discussed here: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...)
- XML API is what you are using here, as opposed to the REST API (discussed here: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/about-the-pan-os-xml-api), so when constructing your administrator roles, keep that in mind
- The administrator's generated API key gives access to the privileges of that administrator at the time of making API calls, not at the time the API key was generated
- If the access is incorrect, you would expect a 403 as you described:
<response status = 'error' code = '403'>
<result>
<msg>Type [commit] not authorized for user role.</msg>
</result>
</response>- ...so maybe the access needs re-configuring? https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-c...
Hope that helps!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-03-2022 01:55 PM - edited 10-03-2022 02:37 PM
Hi
Thats very helpful, I didn't know about the commit commit-all
The problem is I have given the admin role all the permissions under xml api .. and I still get 403 😞
On the safe side I had also given it all of the permissions under api as well .
I have turned off all of the web ui
EDIT - I tried logging in as the user and I can't see much ... I will have to double check the permissions ...
EDIT2 - think this is the problem - I have assigned the role panorama profile - that looks like I can't admin the device itself. which is interesting - cause if I give it device group and template rights not sure i will have the right to commit and push ..
Edit3 .. given it all of the roles permissions I can log into the web site and commit and push, but still can't from the CLI ...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-04-2022 02:36 AM
Hi @Alex_Samad,
I'll post screenshots of the admin role and administrator account I used, I only allowed XML API in the role and assigned that role the to the administrator account. Remember that exact options for configuring this could differ between PAN-OS versions. If you believe the administrative role-based access control is not working as expected, you can raise a ticket via your normal support process to have this investigated.
Hope that helps!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report This Content
10-04-2022 11:56 AM - edited 10-04-2022 12:03 PM
Hi
Thanks for that. Mine is the same - except I have added in the all perms from the rest api tab as well.
I have already logged a case with support - taken 4 days of them wanting to do a screen session cause they don't understand .. sigh
I tried recreating the api key ... not luck
curl 'https://panorama.yieldbroker.com/api?key=<APIKEY>&cmd=<commit><partial><admin><member><APIUSER></member></admin><no-device-group/><template><member>YBCert</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commitfromscript20221005-262646</description></commit>'
- How to generate password hash in Automation/API Discussions
- Import Existing Security Policies from Panorama to Terraform code (Reverse Terraform for Palo Alto) in Automation/API Discussions
- Gather info with panos_security_rule in Automation/API Discussions
- Retrieving Hit Count and Last Hit Date Using Python in Automation/API Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
