10-02-2022 02:38 AM - edited 10-02-2022 02:39 AM
Hi
Spending some time to integrate my letsencrypt setup with palo - shame that palo haven't done this yet ... thats another thread.
I have a script that will take the lets encrypt certs - currently it pushes them into my nginx and my F5 setup ...
I would like to push it into my panorama and commit - with comments and then push with comments
I have
curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=${certname}&...}"
That works fine .. the bit thats failing is
curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit><partial><admin><member>${paAPIuser}</member></admin><no-device-group/><template><member>${TName}</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commit from script ${DT}</description></commit>"
I keep getting 403 ...
I have a user specifically setup for this. I created an API token - and then modified the security .. does the token have the permission set at the time it was created - I presume it doesn't !!!
But I have turned off all web access and cli access and allowed just about all xml api and api - whats the difference and which one do i need above.
But I still get 403
I'm at a loss
then what / how do i do a push
10-18-2022 03:29 AM
Hi @Alex_Samad,
"Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ? "
No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...
"okay how do you work out if a job is finished"
This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program to not be held waiting for a synchronous response. The API call would be:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>
"Side not how can i do a commit push from the cli . I could ssh there."
Commit to Panorama is done in configuration mode:
admin@Panorama# commit
+ description Enter commit description
> force force
> partial partial
<Enter> Finish input
Push to managed devices is done in operational mode:
admin@Panorama> commit-all
> log-collector-config log-collector-config
> shared-policy shared-policy
> template template
> template-stack template-stack
> wildfire-appliance-config wildfire-appliance-config
Hope this helps!
10-03-2022 04:21 AM
Hi @Alex_Samad, there's a few things to clear up to help you:
<response status = 'error' code = '403'>
<result>
<msg>Type [commit] not authorized for user role.</msg>
</result>
</response>
Hope that helps!
10-03-2022 01:55 PM - edited 10-03-2022 02:37 PM
Hi
Thats very helpful, I didn't know about the commit commit-all
The problem is I have given the admin role all the permissions under xml api .. and I still get 403 😞
On the safe side I had also given it all of the permissions under api as well .
I have turned off all of the web ui
EDIT - I tried logging in as the user and I can't see much ... I will have to double check the permissions ...
EDIT2 - think this is the problem - I have assigned the role panorama profile - that looks like I can't admin the device itself. which is interesting - cause if I give it device group and template rights not sure i will have the right to commit and push ..
Edit3 .. given it all of the roles permissions I can log into the web site and commit and push, but still can't from the CLI ...
10-04-2022 02:36 AM
Hi @Alex_Samad,
I'll post screenshots of the admin role and administrator account I used, I only allowed XML API in the role and assigned that role the to the administrator account. Remember that exact options for configuring this could differ between PAN-OS versions. If you believe the administrative role-based access control is not working as expected, you can raise a ticket via your normal support process to have this investigated.
Hope that helps!
10-04-2022 11:56 AM - edited 10-04-2022 12:03 PM
Hi
Thanks for that. Mine is the same - except I have added in the all perms from the rest api tab as well.
I have already logged a case with support - taken 4 days of them wanting to do a screen session cause they don't understand .. sigh
I tried recreating the api key ... not luck
curl 'https://panorama.yieldbroker.com/api?key=<APIKEY>&cmd=<commit><partial><admin><member><APIUSER></member></admin><no-device-group/><template><member>YBCert</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commitfromscript20221005-262646</description></commit>'10-05-2022 04:47 AM
Do you still receive a 403 like the one I posted earlier in the thread? Does it say:
Type [commit] not authorized for user role.If so then there must still be something that needs fixing with the Admin Role, or the assignment of the Administrator to the Admin Role, or using the wrong Administrator to generate the API key, or something along those lines... You can share (DM) me the case number if you want.
10-13-2022 05:17 PM
Hi
Trying to work with palo support - 2 weeks .... 1 week person didn't understand ... 2nd week got somebody enthusiastic, 5 days nothing.
I tried setting the role to super user ... that failed as well !
<response status = 'error' code = '400'><result><msg>Missing value for parameter "type".</msg></result></response>
sent him updated tech support and details .. silence ...
curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=decrypt&form..."
curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit></commit>"
10-14-2022 02:27 AM
Hi @Alex_Samad, the response you get now (400 and "Missing value...") shows that your admin user can talk to the API, you are no longer getting 403 "unauthorised"). This shows your original problem was around admin users and/or roles.
The new error means your API call is not constructed correctly. The API calls are below, it looks like your commit API call is missing the "type" parameter per the 400 error. After commit to Panorama, you would then push to the firewalls (managed devices)
# Upload keypair
https://{{host}}/api/?key={{key}}&type=import&category=keypair&format=pem&certificate-name={{cert-name}}&target-tpl={{template-name}}&passphrase={{passphrase}}
# Commit to Panorama
https://{{host}}/api/?key={{key}}&type=commit&cmd=<commit-all></commit-all>
# Push to managed devices using relavant template stack
https://{{host}}/api?key={{key}}&type=commit&action=all&cmd=<commit-all><template-stack><name>{{tpl-stack-name}}</name></template-stack></commit-all>
Hope this helps
10-14-2022 02:24 PM - edited 10-14-2022 04:08 PM
Hi
OMG - i double checked it with /api browser, sigh missed the obvious
As for the permission - I have given the role all of the permissions - apart from cli
also used the web debugger to get the commands
<request cmd="op" cookie="X" target="panorama">
<operations xml="yes">
<commit-and-push>
<description>Test Commit Push</description>
<push-to>
<template-stack-config>
<merge-with-candidate-cfg>yes</merge-with-candidate-cfg>
<force-template-values>no</force-template-values>
<template-stack>
<entry name="Stacka_AP">
<device>
<member>1</member>
</device>
</entry>
<entry name="Stacky">
<device>
<member>2</member>
</device>
</entry>
<entry name="StackP">
<device>
<member>3</member>
</device>
</entry>
</template-stack>
<description>Test Commit Push</description>
</template-stack-config>
</push-to>
</commit-and-push>
</operations>
</request>
Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ?
EDIT :- found my own answer - not commit-push via xml api ... WTF
So commit - starts job - you get job id .. okay how do you work out if a job is finished - how do i know when to do the commit-all
Side not how can i do a commit push from the cli . I could ssh there.
It just seems sometime the people who create the panos interface have no idea..
10-18-2022 03:29 AM
Hi @Alex_Samad,
"Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ? "
No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...
"okay how do you work out if a job is finished"
This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program to not be held waiting for a synchronous response. The API call would be:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>
"Side not how can i do a commit push from the cli . I could ssh there."
Commit to Panorama is done in configuration mode:
admin@Panorama# commit
+ description Enter commit description
> force force
> partial partial
<Enter> Finish input
Push to managed devices is done in operational mode:
admin@Panorama> commit-all
> log-collector-config log-collector-config
> shared-policy shared-policy
> template template
> template-stack template-stack
> wildfire-appliance-config wildfire-appliance-config
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
