trying to do commit and then push from panorama with a script


L4 Transporter

Hi

Spending some time integrating my Let's Encrypt setup with Palo. Shame that Palo hasn't done this yet ... that's another thread.

I have a script that will take the Let's Encrypt certs - currently it pushes them into my nginx and my F5 setup ...

I would like to push it into my Panorama and commit with comments, and then push with comments.

I have:

curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=${certname}&...}"

 

That works fine. The bit that's failing is:

curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit><partial><admin><member>${paAPIuser}</member></admin><no-device-group/><template><member>${TName}</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commit from script ${DT}</description></commit>"

I keep getting 403 ...

I have a user specifically set up for this. I created an API token and then modified the security ... does the token have the permission set at the time it was created? I presume it doesn't!!!

But I have turned off all web access and CLI access and allowed just about all XML API and API - what's the difference, and which one do I need above?

But I still get 403.

I'm at a loss.

Then what / how do I do a push?

 

ACCEPTED SOLUTION

Hi @Alex_Samad,

"Found this when doing a commit and push from the GUI. How does this translate into an API call? What would be the type? op?"

No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...

"Okay, how do you work out if a job is finished?"

This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program not to be held waiting for a synchronous response. The API call would be:

https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>

"Side note: how can I do a commit push from the CLI? I could SSH there."

Commit to Panorama is done in configuration mode:

admin@Panorama# commit 
+ description   Enter commit description
> force         force 
> partial       partial 
  <Enter>       Finish input

Push to managed devices is done in operational mode:

admin@Panorama> commit-all 
> log-collector-config        log-collector-config 
> shared-policy               shared-policy 
> template                    template 
> template-stack              template-stack 
> wildfire-appliance-config   wildfire-appliance-config

Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
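The asynchronous commit flow described in the accepted solution, as an added example that is not part of the thread or of Palo Alto's own tooling: the failing request in the question sent the commit XML with no type parameter, so this version sends type=commit, extracts the job id, and polls it with type=op until it finishes. PANORAMA, PAN_KEY, PAN_USER and TEMPLATE are assumed environment variables; the X-PAN-KEY header is the documented alternative to putting the key in the query string.

```shell
#!/bin/sh
# Added example (not from the thread). Commits are their own XML API request
# type (type=commit); a bare cmd=<commit> without it is rejected. The job id
# in the reply is then polled with type=op <show><jobs><id>..</id></jobs></show>.
# Assumed environment: PANORAMA (host), PAN_KEY (API key), PAN_USER, TEMPLATE.

# Send the key as the X-PAN-KEY header rather than in the query string, so it
# stays out of proxy and web-server logs. -G --data-urlencode percent-encodes
# the XML so '<', '>' and spaces survive the trip.
pan_api() {
    curl -sS -G -H "X-PAN-KEY: ${PAN_KEY}" "https://${PANORAMA}/api" "$@"
}

# Job id from a commit reply such as
#   <response status="success" code="19"><result>...<job>123</job></result></response>
job_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*<job>\([0-9][0-9]*\)<\/job>.*/\1/p'
}

# Status (ACT/PEND/FIN) and result (OK/FAIL) from a show-jobs reply.
job_status_of() {
    printf '%s\n' "$1" | sed -n 's/.*<status>\([A-Z]*\)<\/status>.*/\1/p'
}
job_result_of() {
    printf '%s\n' "$1" | sed -n 's/.*<result>\([A-Z]*\)<\/result>.*/\1/p'
}

# Partial commit of one template scoped to the API user (the same XML body as
# the question's request); prints the job id.
pan_commit_template() {
    cmd="<commit><partial><admin><member>${PAN_USER}</member></admin><no-device-group/>"
    cmd="${cmd}<template><member>${TEMPLATE}</member></template><no-template-stack/>"
    cmd="${cmd}<no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/>"
    cmd="${cmd}<no-wildfire-appliance/><device-and-network>excluded</device-and-network>"
    cmd="${cmd}<shared-object>excluded</shared-object></partial>"
    cmd="${cmd}<description>${1}</description></commit>"
    job_id_of "$(pan_api --data-urlencode "type=commit" --data-urlencode "cmd=${cmd}")"
}

# Poll every 5 s; succeed only when the job reaches FIN with result OK.
pan_wait_job() {
    while :; do
        resp="$(pan_api --data-urlencode "type=op" \
            --data-urlencode "cmd=<show><jobs><id>${1}</id></jobs></show>")"
        case "$(job_status_of "$resp")" in
            ACT|PEND) sleep 5 ;;
            FIN) [ "$(job_result_of "$resp")" = OK ] && return 0; return 1 ;;
            *) return 1 ;;
        esac
    done
}

# Usage: jid=$(pan_commit_template "Commit from script $(date +%Y%m%d-%H%M%S)") && pan_wait_job "$jid"
```

A 403 with "Type [commit] not authorized for user role" after this change points at the admin role's XML API permissions rather than at the request format.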

L5 Sessionator

Hi @Alex_Samad, there are a few things to clear up to help you:

<response status = 'error' code = '403'>
    <result>
        <msg>Type [commit] not authorized for user role.</msg>
    </result>
</response>

Hope that helps!

Hi

That's very helpful, I didn't know about the commit / commit-all.

The problem is I have given the admin role all the permissions under XML API ... and I still get 403 😞

To be on the safe side I had also given it all of the permissions under API as well.

I have turned off all of the web UI.

EDIT - I tried logging in as the user and I can't see much ... I will have to double-check the permissions ...

EDIT2 - I think this is the problem - I have assigned the role the Panorama profile, and that looks like I can't admin the device itself. Which is interesting - because if I give it device group and template rights I'm not sure I will have the right to commit and push ...

EDIT3 - having given it all of the role's permissions I can log into the website and commit and push, but still can't from the CLI ...

L5 Sessionator

Hi @Alex_Samad,

I'll post screenshots of the admin role and administrator account I used. I only allowed XML API in the role and assigned that role to the administrator account. Remember that the exact options for configuring this could differ between PAN-OS versions. If you believe the administrative role-based access control is not working as expected, you can raise a ticket via your normal support process to have this investigated.

Hope that helps!

[Screenshots attached: admin role and administrator account configuration, 2022-10-04]

Hi

Thanks for that. Mine is the same - except I have added in all the perms from the REST API tab as well.

I have already logged a case with support - it has taken 4 days of them wanting to do a screen session because they don't understand ... sigh.

I tried recreating the API key ... no luck.

curl 'https://panorama.yieldbroker.com/api?key=<APIKEY>&cmd=<commit><partial><admin><member><APIUSER></member></admin><no-device-group/><template><member>YBCert</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commitfromscript20221005-262646</description></commit>'