trying to do commit and then push from panorama with a script


L4 Transporter

Hi

 

Spending some time integrating my Let's Encrypt setup with Palo - shame that Palo hasn't done this yet ... that's another thread.

 

I have a script that will take the Let's Encrypt certs - currently it pushes them into my nginx and my F5 setup ...

I would like to push it into my Panorama and commit - with comments, and then push with comments.

 

I have 

 

curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=${certname}&...}"

 

That works fine .. the bit that's failing is 

curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit><partial><admin><member>${paAPIuser}</member></admin><no-device-group/><template><member>${TName}</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commit from script ${DT}</description></commit>"

 

 

I keep getting 403 ... 

 

I have a user specifically set up for this. I created an API token - and then modified the security .. does the token have the permission set at the time it was created - I presume it doesn't !!!

 

But I have turned off all web access and CLI access and allowed just about all XML API and API - what's the difference and which one do I need above?

 

But I still get 403 

 

I'm at a loss 

 

Then what / how do I do a push?

 

Accepted Solution

Hi @Alex_Samad,

 

"Found this when doing a commit and push from the GUI. how does this translate into a API call what would be the type ? op ?  "

No, the commit operations are their own type, as shown in my previous response on 14 October. More docs here FYI: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-panorama-api/pan-os-xml-api-request-types/commi...

 

"okay  how do you work out if a job is finished"

This is also in the docs, see the link just above. Commit works as an asynchronous operation, allowing the script/program to not be held waiting for a synchronous response. The API call would be:

https://{{host}}/api?key={{key}}&type=op&cmd=<show><jobs><id>{{job}}</id></jobs></show>

 

"Side not how can i do a commit push from the cli . I could ssh there."

Commit to Panorama is done in configuration mode:

admin@Panorama# commit 
+ description   Enter commit description
> force         force 
> partial       partial 
  <Enter>       Finish input

 

Push to managed devices is done in operational mode:

admin@Panorama> commit-all 
> log-collector-config        log-collector-config 
> shared-policy               shared-policy 
> template                    template 
> template-stack              template-stack 
> wildfire-appliance-config   wildfire-appliance-config 

 

Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

9 Replies

L5 Sessionator

Hi @Alex_Samad, there are a few things to clear up to help you:

<response status = 'error' code = '403'>
    <result>
        <msg>Type [commit] not authorized for user role.</msg>
    </result>
</response>

 

Hope that helps!


Hi

 

That's very helpful, I didn't know about commit and commit-all.

The problem is I have given the admin role all the permissions under XML API .. and I still get 403 😞

On the safe side I had also given it all of the permissions under API as well.

I have turned off all of the web UI.

 

EDIT - I tried logging in as the user and I can't see much ... I will have to double check the permissions ...

EDIT2 - think this is the problem - I have assigned the role panorama profile - that looks like I can't admin the device itself. Which is interesting - cause if I give it device group and template rights, not sure I will have the right to commit and push ..

EDIT3 .. given it all of the role's permissions I can log into the website and commit and push, but still can't from the CLI ...

L5 Sessionator

Hi @Alex_Samad,

I'll post screenshots of the admin role and administrator account I used, I only allowed XML API in the role and assigned that role to the administrator account. Remember that the exact options for configuring this could differ between PAN-OS versions. If you believe the administrative role-based access control is not working as expected, you can raise a ticket via your normal support process to have this investigated.

 

Hope that helps!

 

[Screenshots of the admin role and administrator account configuration, dated 2022-10-04]


Hi

 

Thanks for that. Mine is the same - except I have added in all the perms from the REST API tab as well.

 

I have already logged a case with support - taken 4 days of them wanting to do a screen session cause they don't understand .. sigh

 

I tried recreating the API key ... no luck

 

curl 'https://panorama.yieldbroker.com/api?key=<APIKEY>&cmd=<commit><partial><admin><member><APIUSER></member></admin><no-device-group/><template><member>YBCert</member></template><no-template-stack/><no-log-collector-group/><no-log-collector/><no-wildfire-appliance-cluster/><no-wildfire-appliance/><device-and-network>excluded</device-and-network><shared-object>excluded</shared-object></partial><description>Commitfromscript20221005-262646</description></commit>'

L5 Sessionator

Do you still receive a 403 like the one I posted earlier in the thread? Does it say:

Type [commit] not authorized for user role.

If so then there must still be something that needs fixing with the Admin Role, or the assignment of the Administrator to the Admin Role, or using the wrong Administrator to generate the API key, or something along those lines... You can share (DM) me the case number if you want.


Hi

 

Trying to work with Palo support - 2 weeks .... 1st week the person didn't understand ... 2nd week got somebody enthusiastic, 5 days nothing.

 

I tried setting the role to super user ... that failed as well !

 

<response status = 'error' code = '400'><result><msg>Missing value for parameter &quot;type&quot;.</msg></result></response>

 

sent him updated tech support and details .. silence ...

 

curl -F "file=@./combined.pem" "https://panorama/api?key=${paAPIpassword}&type=import&category=keypair&certificate-name=decrypt&form..."

 

curl "https://panorama/api?key=${paAPIpassword}&cmd=<commit></commit>"

 

Hi @Alex_Samad, the response you get now (400 and "Missing value...") shows that your admin user can talk to the API (you are no longer getting 403 "unauthorised"). This shows your original problem was around admin users and/or roles.

 

The new error means your API call is not constructed correctly. The API calls are below; it looks like your commit API call is missing the "type" parameter, per the 400 error. After the commit to Panorama, you would then push to the firewalls (managed devices).

 

# Upload keypair
https://{{host}}/api/?key={{key}}&type=import&category=keypair&format=pem&certificate-name={{cert-name}}&target-tpl={{template-name}}&passphrase={{passphrase}}

# Commit to Panorama (commit-all is the push; the Panorama commit itself is <commit>)
https://{{host}}/api/?key={{key}}&type=commit&cmd=<commit></commit>

# Push to managed devices using the relevant template stack
https://{{host}}/api?key={{key}}&type=commit&action=all&cmd=<commit-all><template-stack><name>{{tpl-stack-name}}</name></template-stack></commit-all>

 

Hope this helps

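A script that strings the three calls above together, as an added example that is not from the thread or from Palo Alto Networks: commit to Panorama, poll the returned job id with <show><jobs><id>..</id></jobs></show> as the accepted solution describes, and only then commit-all to one template stack. The host, API key and template stack name are placeholders read from the environment; sending the key in the X-PAN-KEY header and URL-encoding the cmd with --data-urlencode are this script's choices, not something the thread shows.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Palo Alto Networks: commit to Panorama
# over the XML API, wait for the asynchronous job, then push one template stack.
# Hypothetical inputs: PANORAMA (host), PAN_API_KEY and TPL_STACK from the environment.
PANORAMA="${PANORAMA:-panorama.example.invalid}"   # placeholder host
TPL_STACK="${TPL_STACK:-example-stack}"            # placeholder template stack name

# One API call: pan_api <type> <cmd> [action]. The key goes in the X-PAN-KEY header, not the
# URL, so it stays out of shell history and web/proxy logs; -G/--data-urlencode URL-encodes
# the XML cmd so '<', '>' and spaces survive the shell and the server intact.
pan_api() {
  curl -sS -G -H "X-PAN-KEY: ${PAN_API_KEY:?set PAN_API_KEY}" "https://${PANORAMA}/api/" \
       --data-urlencode "type=$1" --data-urlencode "cmd=$2" ${3:+--data-urlencode "action=$3"}
}

# Pure string parsers for the XML responses (testable offline against captured replies).
response_is_error()        { printf '%s' "$1" | grep -q "status *= *['\"]error['\"]"; }
job_id_from_response()     { printf '%s' "$1" | sed -n 's/.*<job>\([0-9]\{1,\}\)<\/job>.*/\1/p'; }
job_status_from_response() { printf '%s' "$1" | sed -n 's/.*<status>\([A-Z]*\)<\/status>.*/\1/p'; }
job_result_from_response() { printf '%s' "$1" | sed -n 's/.*<result>\([A-Z]*\)<\/result>.*/\1/p'; }

# Commit only enqueues a job; poll <show><jobs><id>..</id></jobs></show> until <status>FIN</status>
# and hand back the job's <result> (OK or FAIL) so the caller never pushes a failed commit.
wait_for_job() {
  local id="$1" resp status
  while :; do
    resp="$(pan_api op "<show><jobs><id>${id}</id></jobs></show>")"
    response_is_error "$resp" && { echo "job query failed: $resp" >&2; return 1; }
    status="$(job_status_from_response "$resp")"
    [ "$status" = "FIN" ] && { job_result_from_response "$resp"; return 0; }
    sleep 5
  done
}

commit_then_push() {
  local desc="Commit from script $(date +%Y%m%d-%H%M%S)" resp id
  resp="$(pan_api commit "<commit><description>${desc}</description></commit>")"
  response_is_error "$resp" && { echo "commit rejected: $resp" >&2; return 1; }
  id="$(job_id_from_response "$resp")"
  [ "$(wait_for_job "$id")" = "OK" ] || { echo "commit job $id failed" >&2; return 1; }
  resp="$(pan_api commit "<commit-all><template-stack><name>${TPL_STACK}</name></template-stack></commit-all>" all)"
  response_is_error "$resp" && { echo "push rejected: $resp" >&2; return 1; }
  id="$(job_id_from_response "$resp")"
  [ "$(wait_for_job "$id")" = "OK" ] || { echo "push job $id failed" >&2; return 1; }
  echo "commit and push finished (push job $id)"
}

# Sourcing the file only defines the functions; set RUN_PANORAMA_DEPLOY=1 to run the deploy.
if [ "${RUN_PANORAMA_DEPLOY:-}" = "1" ]; then commit_then_push; fi
```

The 403 from earlier in the thread would be caught by response_is_error before any job id is parsed, so a role problem fails the script loudly instead of leaving it polling an empty job id.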

Hi

 

OMG - I double checked it with the /api browser, sigh, missed the obvious.

 

As for the permission - I have given the role all of the permissions - apart from CLI.

 

 

also used the web debugger to get the commands 

 

<request cmd="op" cookie="X" target="panorama">
  <operations xml="yes">
    <commit-and-push>
      <description>Test Commit Push</description>
      <push-to>
        <template-stack-config>
          <merge-with-candidate-cfg>yes</merge-with-candidate-cfg>
          <force-template-values>no</force-template-values>
          <template-stack>
            <entry name="Stacka_AP">
              <device>
                <member>1</member>
              </device>
            </entry>
            <entry name="Stacky">
              <device>
                <member>2</member>
              </device>
            </entry>
            <entry name="StackP">
              <device>
                <member>3</member>
              </device>
            </entry>
          </template-stack>
          <description>Test Commit Push</description>
        </template-stack-config>
      </push-to>
    </commit-and-push>
  </operations>
</request>

 

Found this when doing a commit and push from the GUI. How does this translate into an API call - what would be the type? op?

 

 

EDIT :- found my own answer - there's no commit-push via the XML API ... WTF

So commit - starts a job - you get a job id .. okay, how do you work out if a job is finished - how do I know when to do the commit-all?

Side note: how can I do a commit push from the CLI? I could ssh there.

 

It just seems sometimes the people who create the PAN-OS interface have no idea..
