04-14-2023 05:36 AM - edited 04-14-2023 06:37 AM
Hi Team,
I am trying to automate palo alto version 10.2.3-h2. Initially I tried to use Ansible: palo_security_rule module to push a security rule to palo alto, but I got error "hip_profiles unexpected here". The workaround for this error as looked up in google was to load current config in palo alto, which was not accepted as a feasible solution by my team.
So I tried to use Ansible Api method to push the security rule to palo alto and I am getting this error "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
I haven't got any workarounds for this error, and I didn't understand what this is related to. Can anyone please help me how can I fix this.
Below is the script I have written in ansible for pushing security rule.
- name: Get API key
uri:
url: https://{{ inventory_hostname }}/api/
method: GET
status_code: 200
validate_certs: no
use_proxy: no
return_content: yes
body_format: json
headers:
Content-Type: application/xml
body:
type: keygen
user: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
register: api_key_result1
delegate_to: localhost
- name: print security key
shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
register: key
- name: Create Security rule
uri:
url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
client_key: "{{ key.stdout_lines }}"
method: POST
status_code: 200
body:
source: <>
destination: <>
service: "HTTPS"
body_format: json
headers:
Content-Type: application/xml
follow_redirects: all
return_content: yes
validate_certs: no
use_proxy: no
register: result
========================================================
ERROR:
File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path
fatal: [<IP>]: FAILED! => {
"changed": false,
"content": "",
"elapsed": 0,
"invocation": {
"module_args": {
"attributes": null,
"backup": null,
"body": {
"destination": "<>",
"service": "HTTPS",
"source": "<IP>"
},
"body_format": "json",
"client_cert": null,
"client_key": "[<KEY>]",
"content": null,
"creates": null,
"delimiter": null,
"dest": null,
"directory_mode": null,
"follow": false,
"follow_redirects": "all",
"force": false,
"force_basic_auth": false,
"group": null,
"headers": {
"Content-Type": "application/xml"
},
"http_agent": "ansible-httpget",
"method": "POST",
"mode": null,
"owner": null,
"regexp": null,
"remote_src": null,
"removes": null,
"return_content": true,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"status_code": [
"200"
],
"timeout": 30,
"unix_socket": null,
"unsafe_writes": false,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_...",
"url_password": null,
"url_username": null,
"use_proxy": false,
"validate_certs": false
}
},
"msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
"redirected": false,
"status": -1,
"url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=DEVICE-GROUP>&name=Ansible_T..."
}
04-16-2023 04:14 AM
Hi @Priyanka_Reddy ,
These errors are not PANW specific, but I will point you in the right direction.
Thanks,
Tom
04-17-2023 12:00 AM
Hi @TomYoung ,
Can you please help me with the correct syntax of panos_security_rule, making hip_profile as an option, in the first point mentioned by you.
Regarding the API "the cert_file variable in the client.py Python script is incorrect" ::::: my client.py has the below snippet regarding the certfile, i am not sure where i have to modify the cert__file variable.
===========
try:
import ssl
except ImportError:
pass
else:
class HTTPSConnection(HTTPConnection):
"This class allows communication via SSL."
default_port = HTTPS_PORT
# XXX Should key_file and cert_file be deprecated in favour of context?
def __init__(self, host, port=None, key_file=None, cert_file=None,
timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
source_address=None, *, context=None,
check_hostname=None):
super(HTTPSConnection, self).__init__(host, port, timeout,
source_address)
if (key_file is not None or cert_file is not None or
check_hostname is not None):
import warnings
warnings.warn("key_file, cert_file and check_hostname are "
"deprecated, use a custom context instead.",
DeprecationWarning, 2)
self.key_file = key_file
self.cert_file = cert_file
if context is None:
context = ssl._create_default_https_context()
# enable PHA for TLS 1.3 connections if available
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
will_verify = context.verify_mode != ssl.CERT_NONE
if check_hostname is None:
check_hostname = context.check_hostname
if check_hostname and not will_verify:
raise ValueError("check_hostname needs a SSL context with "
"either CERT_OPTIONAL or CERT_REQUIRED")
if key_file or cert_file:
context.load_cert_chain(cert_file, key_file)
# cert and key file means the user wants to authenticate.
# enable TLS 1.3 PHA implicitly even for custom contexts.
if context.post_handshake_auth is not None:
context.post_handshake_auth = True
self._context = context
self._check_hostname = check_hostname
def connect(self):
"Connect to a host on a given (SSL) port."
super().connect()
04-19-2023 05:51 AM
Can anyone help me regarding the above query.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
