Hi Team, I am trying to automate Palo Alto version 10.2.3-h2. Initially I tried to use the Ansible palo_security_rule module to push a security rule to Palo Alto, but I got the error "hip_profiles unexpected here". The workaround for this error, as looked up on Google, was to load the current config in Palo Alto, which was not accepted as a feasible solution by my team. So I tried to use the Ansible API method to push the security rule to Palo Alto, and I am getting this error: "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path". I haven't got any workarounds for this error, and I don't understand what it is related to. Can anyone please help me with how I can fix this? Below is the script I have written in Ansible for pushing the security rule.

- name: Get API key
  uri:
    url: https://{{ inventory_hostname }}/api/
    method: GET
    status_code: 200
    validate_certs: no
    use_proxy: no
    return_content: yes
    body_format: json
    headers:
      Content-Type: application/xml
    body:
      type: keygen
      user: "{{ creds['username'] }}"
      password: "{{ creds['password'] }}"
  register: api_key_result
  delegate_to: localhost

- name: print security key
  shell: echo "{{ api_key_result.content }}" | grep -o -P '(?<=<key>).*(?=</key>)'
  register: key

- name: Create Security rule
  uri:
    url: 'https://<IP-ADDRESS>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<VALUE>&name=Ansible_Test_Rule'
    client_key: "{{ key.stdout_lines }}"
    method: POST
    status_code: 200
    body:
      source: <>
      destination: <>
      service: "HTTPS"
    body_format: json
    headers:
      Content-Type: application/xml
    follow_redirects: all
    return_content: yes
    validate_certs: no
    use_proxy: no
  register: result

========================================================
ERROR:

  File "/usr/lib64/python3.6/http/client.py", line 1422, in __init__
    context.load_cert_chain(cert_file, key_file)
TypeError: certfile should be a valid filesystem path

fatal: [<IP>]: FAILED! => {
    "changed": false,
    "content": "",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": {
                "destination": "<>",
                "service": "HTTPS",
                "source": "<IP>"
            },
            "body_format": "json",
            "client_cert": null,
            "client_key": "[<KEY>]",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "all",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/xml"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": false,
            "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_...",
            "url_password": null,
            "url_username": null,
            "use_proxy": false,
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: An unknown error occurred: certfile should be a valid filesystem path",
    "redirected": false,
    "status": -1,
    "url": "https://<IP>/restapi/v10.2/Policies/SecurityPreRules?location=vsys&vsys=<DEVICE-GROUP>&name=Ansible_T..."
}

==============================================================

My client.py has the below snippet regarding the certfile. I am not sure, do I have to modify the cert_file variable? If yes, where?

===========

try:
    import ssl
except ImportError:
    pass
else:
    class HTTPSConnection(HTTPConnection):
        "This class allows communication via SSL."

        default_port = HTTPS_PORT

        # XXX Should key_file and cert_file be deprecated in favour of context?

        def __init__(self, host, port=None, key_file=None, cert_file=None,
                     timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                     source_address=None, *, context=None,
                     check_hostname=None):
            super(HTTPSConnection, self).__init__(host, port, timeout,
                                                  source_address)
            if (key_file is not None or cert_file is not None or
                    check_hostname is not None):
                import warnings
                warnings.warn("key_file, cert_file and check_hostname are "
                              "deprecated, use a custom context instead.",
                              DeprecationWarning, 2)
            self.key_file = key_file
            self.cert_file = cert_file
            if context is None:
                context = ssl._create_default_https_context()
                # enable PHA for TLS 1.3 connections if available
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            will_verify = context.verify_mode != ssl.CERT_NONE
            if check_hostname is None:
                check_hostname = context.check_hostname
            if check_hostname and not will_verify:
                raise ValueError("check_hostname needs a SSL context with "
                                 "either CERT_OPTIONAL or CERT_REQUIRED")
            if key_file or cert_file:
                context.load_cert_chain(cert_file, key_file)
                # cert and key file means the user wants to authenticate.
                # enable TLS 1.3 PHA implicitly even for custom contexts.
                if context.post_handshake_auth is not None:
                    context.post_handshake_auth = True
            self._context = context
            self._check_hostname = check_hostname

        def connect(self):
            "Connect to a host on a given (SSL) port."

            super().connect()
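Added example, not from the original post and not Ansible's or Palo Alto's code. It shows offline the two things the traceback above comes down to. First, `client_cert` and `client_key` on the `uri` module are filesystem paths to PEM files for TLS client authentication (mutual TLS), not a place for an API key; with `client_key` set and `client_cert` left at `null`, `http.client` ends up calling `context.load_cert_chain(None, key_file)`, and `ssl` rejects the `None` certfile before it even looks at the disk, which is the exact `TypeError` in the output. Second, a PAN-OS API key is carried in the `X-PAN-KEY` request header for the REST API (and as the `key=` parameter for the XML API). The host name, vsys, rule name and the keygen reply are constructed samples; the JSON body layout for the rule is my reading of the PAN-OS REST API entry schema and should be checked against the device's own API browser before use.

```python
"""Why 'certfile should be a valid filesystem path' appears, and where the
PAN-OS API key actually belongs. Runs offline; nothing is sent anywhere."""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of an XML API keygen reply (a real key is longer).
KEYGEN_RESPONSE = b"""<response status="success">
  <result><key>LUFRPT1SAMPLEKEYONLYNOTREAL==</key></result>
</response>"""


def reproduce_client_key_error(key_path="/tmp/not-a-real-key.pem"):
    """Do what the uri module did: client_key set, client_cert left None.
    http.client passes them straight to load_cert_chain(cert_file, key_file).
    Returns the TypeError message, or "" if none is raised."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_cert_chain(None, key_path)  # certfile=None is rejected first
    except TypeError as exc:
        return str(exc)
    return ""


def extract_api_key(xml_bytes):
    """Pull <key> out of a keygen reply and fail closed on any other status.
    This replaces the grep pipeline in the post with a real XML parse, so a
    wrapped or multi-line reply cannot silently yield a mangled key."""
    root = ET.fromstring(xml_bytes)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed: status=%s" % root.get("status"))
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply carries no <key> element")
    return key.strip()


def build_rule_request(host, vsys, name, api_key, source, destination, service):
    """Build (not send) the REST POST for a pre-rulebase security rule.
    The API key goes in the X-PAN-KEY header; client_key is never involved.
    Entry layout is an assumption about the PAN-OS REST schema (see lead-in)."""
    params = urlencode({"location": "vsys", "vsys": vsys, "name": name})
    url = "https://%s/restapi/v10.2/Policies/SecurityPreRules?%s" % (host, params)
    entry = {
        "entry": {
            "@name": name,
            "@location": "vsys",
            "@vsys": vsys,
            "from": {"member": ["any"]},
            "to": {"member": ["any"]},
            "source": {"member": [source]},
            "destination": {"member": [destination]},
            "application": {"member": ["any"]},
            "service": {"member": [service]},
            "action": "allow",
        }
    }
    headers = {
        "X-PAN-KEY": api_key,                # where the API key belongs
        "Content-Type": "application/json",  # matches the JSON body we send
    }
    return urllib.request.Request(
        url, data=json.dumps(entry).encode("utf-8"), headers=headers, method="POST"
    )


if __name__ == "__main__":
    print("client_key without client_cert ->", reproduce_client_key_error())
    key = extract_api_key(KEYGEN_RESPONSE)
    req = build_rule_request("fw.example.invalid", "vsys1", "Ansible_Test_Rule",
                             key, "10.0.0.0/8", "any", "service-https")
    print(req.get_method(), req.full_url)
    print(dict(req.header_items()))
    print(req.data.decode("utf-8"))
```

In the playbook this translates to dropping `client_key` from the "Create Security rule" task and adding `X-PAN-KEY: "{{ key.stdout }}"` under `headers:` (with `Content-Type: application/json` to match `body_format: json`). Two points worth fixing at the same time: the keygen task sends the admin password on a GET, so it is better sent as a POST with `body_format: form-urlencoded` where the credentials do not risk landing in URL logs, and `validate_certs: no` means the API key will be handed to whatever answers at that address, so pin the firewall's CA or certificate rather than disabling verification once the rule push works.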