diff --git a/assets/pango/errors/panos.go b/assets/pango/errors/panos.go index 9b9f30c4..d98daf02 100644 --- a/assets/pango/errors/panos.go +++ b/assets/pango/errors/panos.go @@ -58,8 +58,12 @@ func Parse(body []byte) error { _ = xml.Unmarshal(body, &e) if e.Failed() { + msg := e.Message() + if msg == "" { + msg = fmt.Sprintf("(raw response: %s)", strings.TrimSpace(string(body))) + } return Panos{ - Msg: e.Message(), + Msg: msg, Code: e.Code, } } diff --git a/specs/device/administrator.yaml b/specs/device/administrator.yaml new file mode 100644 index 00000000..305a7e5a --- /dev/null +++ b/specs/device/administrator.yaml 
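Review bot: The fallback on the added `msg = fmt.Sprintf("(raw response: %s)", strings.TrimSpace(string(body)))` line copies the entire device reply into the error string with no size cap, so an unexpectedly large or unrelated body (an HTML error page, a multi-kilobyte XML reply) lands verbatim in whatever log or UI surfaces the error, and since it is the full reply it may also echo request content back. Bounding the excerpt keeps the diagnostic value: `raw := strings.TrimSpace(string(body))`, `if len(raw) > maxRawResponse { raw = raw[:maxRawResponse] + "..." }`, `msg = fmt.Sprintf("(raw response: %s)", raw)`, with `maxRawResponse` a package constant of a few hundred bytes (cutting at a byte offset can split a multi-byte rune, which is acceptable for a diagnostic). Parse begins before this hunk, so the `fmt` and `strings` imports it now relies on are assumed to be already present in the file.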
@@ -0,0 +1,233 @@ +name: administrator +terraform_provider_config: + description: Administrator Account + skip_resource: false + skip_datasource: false + resource_type: entry + resource_variants: [] + suffix: administrator + plural_suffix: '' + plural_name: '' + plural_description: '' + custom_validation: false +go_sdk_config: + skip: false + package: + - device + - administrator +panos_xpath: + path: + - mgt-config + - users + vars: [] +locations: +- name: panorama + xpath: + path: + - config + vars: [] + description: Panorama administrator + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + description: Administrator pushed via a Panorama template + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-stack + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + description: Administrator pushed via a Panorama template stack + devices: + - panorama + validators: [] + required: false + read_only: false +entries: +- name: name + description: '' + validators: [] +spec: + params: + - name: authentication-profile + type: string + profiles: + - xpath: + - authentication-profile + validators: + - type: length + spec: + max: 255 + spec: {} + description: Authentication profile for this administrator + required: 
false + - name: public-key + type: string + profiles: + - xpath: + - public-key + validators: + - type: length + spec: + max: 4096 + spec: {} + description: SSH public key for certificate-based authentication + required: false + - name: phash + type: string + profiles: + - xpath: + - phash + validators: [] + spec: {} + description: Hashed administrator password + required: false + codegen_overrides: + terraform: + name: password + sensitive: true + hashing: + type: solo + - name: permissions + type: object + profiles: + - xpath: + - permissions + validators: [] + spec: + params: + - name: role-based + type: object + profiles: + - xpath: + - role-based + validators: [] + spec: + params: + - name: superuser + type: bool + profiles: + - xpath: + - superuser + validators: [] + spec: {} + description: Full system access + required: false + - name: superreader + type: bool + profiles: + - xpath: + - superreader + validators: [] + spec: {} + description: Read-only access to entire system + required: false + - name: deviceadmin + type: bool + profiles: + - xpath: + - deviceadmin + validators: [] + spec: {} + description: Device administrator access (all vsys) + required: false + - name: devicereader + type: bool + profiles: + - xpath: + - devicereader + validators: [] + spec: {} + description: Device read-only access (all vsys) + required: false + - name: vsysadmin + type: bool + profiles: + - xpath: + - vsysadmin + validators: [] + spec: {} + description: Virtual system administrator access + required: false + - name: vsysreader + type: bool + profiles: + - xpath: + - vsysreader + validators: [] + spec: {} + description: Virtual system read-only access + required: false + - name: custom + type: object + profiles: + - xpath: + - custom + validators: [] + spec: + params: + - name: profile + type: string + profiles: + - xpath: + - profile + validators: + - type: length + spec: + max: 255 + spec: {} + description: Custom admin role profile name + required: false + variants: 
[] + description: Custom role based on an admin role profile + required: false + variants: [] + description: Role-based access control + required: false + variants: [] + description: Administrator permissions and role assignment + required: false + variants: [] diff --git a/specs/device/profiles/data-filtering.yaml b/specs/device/profiles/data-filtering.yaml index 785042ee..165758ca 100644 --- a/specs/device/profiles/data-filtering.yaml +++ b/specs/device/profiles/data-filtering.yaml @@ -1,12 +1,12 @@ name: data-filtering-profile terraform_provider_config: - description: Data Filtering Profile + description: Data Filtering Security Profile skip_resource: false skip_datasource: false resource_type: entry resource_variants: - singular - suffix: data_filtering_profile + suffix: data_filtering_security_profile plural_suffix: '' plural_name: '' plural_description: '' @@ -36,6 +36,38 @@ locations: validators: [] required: false read_only: false +- name: vsys + xpath: + path: + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: ngfw_device + description: The NGFW device name + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The Virtual System name + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys name cannot be "shared". Use the "shared" location instead + type: entry + description: Located in a specific Virtual System + devices: + - ngfw + validators: [] + required: false + read_only: false - name: device-group xpath: path: 
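Review bot: The `role-based` object models `superuser`, `superreader`, `deviceadmin`, `devicereader`, `vsysadmin`, `vsysreader` and `custom` as independent `params`, so the generated schema accepts several of them at once; if these are mutually exclusive on the device, as the `v2c`/`v3` choice is modeled with `variants` in specs/device/profiles/snmp-trap-profile.yaml in this same commit, they belong under `variants` so the provider rejects a conflicting role set at plan time rather than at commit. Once that is confirmed the `superuser` description could say so, e.g. `Full system access; mutually exclusive with the other role-based options`. The `name` entry keeps `description: ''`, as in the other new specs of this commit; a short text such as `Administrator login name` would surface in the generated docs.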
@@ -69,6 +101,160 @@ locations: validators: [] required: false read_only: false +- name: template + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + description: A shared resource located within a specific template + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template, device and vsys. 
+ devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false +- name: template-stack + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + description: Located in a specific template stack + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-stack-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template stack, device and vsys. + devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false entries: - name: name description: '' @@ -82,7 +268,7 @@ spec: - data-capture validators: [] spec: {} - description: '' + description: Enable data capture required: false - name: description type: string @@ -113,7 +299,7 @@ spec: values: - value: 'yes' - value: 'no' - description: disable object override in child device groups + description: Disable object override in child device groups required: false - name: rules type: list 
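Review bot: The new `template-vsys` and `template-stack-vsys` locations describe the `vsys` var as `The vsys.` with the error `The vsys cannot be "shared".`, while the `vsys` location added earlier in this same file uses `The Virtual System name` and `The vsys name cannot be "shared". Use the "shared" location instead`. Both strings reach users through generated docs and validation output, so one wording per file is preferable, and the longer form tells the user what to do instead. The `ngfw_device` var likewise alternates between `The NGFW device name` and `The NGFW device`. The same mix repeats in the email-server-profile and snmp-trap-profile specs added by this commit.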
@@ -136,7 +322,7 @@ spec: - data-object validators: [] spec: {} - description: '' + description: Name of the data pattern object required: false - name: direction type: enum @@ -151,11 +337,12 @@ spec: - download - both spec: + default: both values: - value: upload - value: download - value: both - description: '' + description: Direction of data transfer to monitor required: false - name: alert-threshold type: int64 @@ -169,7 +356,7 @@ spec: max: 65535 spec: default: 1 - description: '' + description: Alert threshold count required: false - name: block-threshold type: int64 @@ -183,7 +370,7 @@ spec: max: 65535 spec: default: 1 - description: '' + description: Block threshold count required: false - name: log-severity type: string @@ -193,7 +380,7 @@ spec: validators: [] spec: default: informational - description: '' + description: Log severity for matched traffic required: false - name: application type: list @@ -206,7 +393,7 @@ spec: type: string items: type: string - description: '' + description: Applications to match required: false - name: file-type type: list @@ -219,9 +406,9 @@ spec: type: string items: type: string - description: '' + description: File types to match required: false variants: [] - description: '' + description: Data filtering rules required: false variants: [] diff --git a/specs/device/profiles/email-server-profile.yaml b/specs/device/profiles/email-server-profile.yaml new file mode 100644 index 00000000..900ec7ab --- /dev/null +++ b/specs/device/profiles/email-server-profile.yaml 
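Review bot: Adding `default: both` to `direction` (the hunk starting at `@@ -151,11 +337,12 @@`) changes the generated schema of an existing resource: configurations that leave `direction` unset will now plan and send `both`, and state written before this change without the attribute will show a diff on the next plan. That is only correct if `both` is what the device applies when the element is absent; otherwise an existing rule's direction would be rewritten silently. Worth confirming against the device and calling out in the changelog; a spec comment such as `# device default when <direction> is omitted` would record the basis for the value.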
@@ -0,0 +1,577 @@ +name: email-server-profile +terraform_provider_config: + description: Email Server Profile + skip_resource: false + skip_datasource: false + resource_type: entry + resource_variants: + - singular + suffix: email_server_profile + plural_suffix: '' + plural_name: '' + plural_description: '' + custom_validation: false +go_sdk_config: + skip: false + package: + - device + - profiles + - email +panos_xpath: + path: + - log-settings + - email + vars: [] +locations: +- name: panorama + xpath: + path: + - config + - panorama + vars: [] + description: Located in a panorama. + validators: [] + required: false + read_only: false +- name: vsys + xpath: + path: + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: ngfw_device + description: The NGFW device name + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The Virtual System name + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys name cannot be "shared". 
Use the "shared" location instead + type: entry + description: Located in a specific Virtual System + devices: + - ngfw + validators: [] + required: false + read_only: false +- name: template + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + description: A shared resource located within a specific template + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template, device and vsys. 
+ devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false +- name: template-stack + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + description: Located in a specific template stack + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-stack-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template stack, device and vsys. 
+ devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false +entries: +- name: name + description: '' + validators: [] +spec: + params: + - name: server + type: list + profiles: + - xpath: + - server + - entry + type: entry + validators: [] + spec: + type: object + items: + type: object + spec: + params: + - name: from + type: string + profiles: + - xpath: + - from + validators: + - type: length + spec: + max: 128 + spec: {} + description: From email address + required: false + - name: to + type: string + profiles: + - xpath: + - to + validators: + - type: length + spec: + max: 128 + spec: {} + description: To email address + required: false + - name: and-also-to + type: string + profiles: + - xpath: + - and-also-to + validators: + - type: length + spec: + max: 128 + spec: {} + description: Additional CC email address + required: false + - name: gateway + type: string + profiles: + - xpath: + - gateway + validators: + - type: length + spec: + max: 63 + spec: {} + description: IP address or FQDN of SMTP gateway + required: false + - name: port + type: int64 + profiles: + - xpath: + - port + validators: + - type: length + spec: + min: 1 + max: 65535 + spec: + default: 25 + description: SMTP port number + required: false + - name: tls-version + type: enum + profiles: + - xpath: + - tls-version + validators: + - type: values + spec: + values: + - '1.0' + - '1.1' + - '1.2' + spec: + default: '1.2' + values: + - value: '1.0' + - value: '1.1' + - value: '1.2' + description: Minimum TLS version for SMTP connection + required: false + - name: auth + type: enum + profiles: + - xpath: + - auth + validators: + - type: values + spec: + values: + - Auto + - Login + - Plain + spec: + default: Auto + values: + - value: Auto + - value: Login + - value: Plain + description: Authentication method for SMTP + required: false + - name: certificate-profile + type: string + profiles: + - xpath: + - certificate-profile + validators: + - type: length + spec: + 
max: 255 + spec: {} + description: Certificate profile for TLS verification + required: false + variants: [] + description: List of email servers + required: false + codegen_overrides: + terraform: + name: servers + - name: format + type: object + profiles: + - xpath: + - format + validators: [] + spec: + params: + - name: auth + type: string + profiles: + - xpath: + - auth + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for auth log + required: false + - name: config + type: string + profiles: + - xpath: + - config + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for config log + required: false + - name: correlation + type: string + profiles: + - xpath: + - correlation + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for correlation log + required: false + - name: data + type: string + profiles: + - xpath: + - data + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for data log + required: false + - name: decryption + type: string + profiles: + - xpath: + - decryption + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for decryption log + required: false + - name: globalprotect + type: string + profiles: + - xpath: + - globalprotect + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for globalprotect log + required: false + - name: gtp + type: string + profiles: + - xpath: + - gtp + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for gtp log + required: false + - name: hip-match + type: string + profiles: + - xpath: + - hip-match + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for hip-match log + required: false + - name: iptag + type: string + profiles: + - xpath: + - iptag + validators: + - type: length + spec: + max: 2048 + spec: {} + 
description: Custom format for iptag log + required: false + - name: sctp + type: string + profiles: + - xpath: + - sctp + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for sctp log + required: false + - name: system + type: string + profiles: + - xpath: + - system + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for system log + required: false + - name: threat + type: string + profiles: + - xpath: + - threat + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for threat log + required: false + - name: traffic + type: string + profiles: + - xpath: + - traffic + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for traffic log + required: false + - name: tunnel + type: string + profiles: + - xpath: + - tunnel + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for tunnel log + required: false + - name: url + type: string + profiles: + - xpath: + - url + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for url log + required: false + - name: userid + type: string + profiles: + - xpath: + - userid + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for userid log + required: false + - name: wildfire + type: string + profiles: + - xpath: + - wildfire + validators: + - type: length + spec: + max: 2048 + spec: {} + description: Custom format for wildfire log + required: false + variants: [] + description: Custom log format strings + required: false + variants: [] diff --git a/specs/device/profiles/snmp-trap-profile.yaml b/specs/device/profiles/snmp-trap-profile.yaml new file mode 100644 index 00000000..1ab2fda2 --- /dev/null +++ b/specs/device/profiles/snmp-trap-profile.yaml 
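Review bot: `port` is an `int64` but is bounded with a `type: length` validator (`min: 1`, `max: 65535`); every other `length` validator in this spec is on a string param, so unless the generator also interprets `length` as a numeric range for integer params this check will not constrain the port value — confirm which validator type the codegen expects for numbers and use that one. The `auth` enum offers `Login` and `Plain`, yet the server entry has no username or password params; if the device requires credentials for those modes, a user selecting them cannot complete the configuration through this schema, and any such field would need `codegen_overrides: terraform: sensitive: true` as `authpwd`/`privpwd` get in the SNMP spec of this commit. The `tls-version` values `1.0` and `1.1` remain selectable; the `1.2` default is the right one, and the description could read `Minimum TLS version for SMTP connection (1.2 recommended)`.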
@@ -0,0 +1,427 @@ +name: snmp-trap-profile +terraform_provider_config: + description: SNMP Trap Server Profile + skip_resource: false + skip_datasource: false + resource_type: entry + resource_variants: + - singular + suffix: snmp_trap_profile + plural_suffix: '' + plural_name: '' + plural_description: '' + custom_validation: false +go_sdk_config: + skip: false + package: + - device + - profiles + - snmptrap +panos_xpath: + path: + - log-settings + - snmptrap + vars: [] +locations: +- name: panorama + xpath: + path: + - config + - panorama + vars: [] + description: Located in a panorama. + validators: [] + required: false + read_only: false +- name: vsys + xpath: + path: + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: ngfw_device + description: The NGFW device name + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The Virtual System name + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys name cannot be "shared". 
Use the "shared" location instead + type: entry + description: Located in a specific Virtual System + devices: + - ngfw + validators: [] + required: false + read_only: false +- name: template + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + description: A shared resource located within a specific template + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template + - $template + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template + description: Specific Panorama template + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template, device and vsys. 
+ devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false +- name: template-stack + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - shared + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + description: Located in a specific template stack + devices: + - panorama + validators: [] + required: false + read_only: false +- name: template-stack-vsys + xpath: + path: + - config + - devices + - $panorama_device + - template-stack + - $template_stack + - config + - devices + - $ngfw_device + - vsys + - $vsys + vars: + - name: panorama_device + description: Specific Panorama device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: template_stack + description: The template stack + required: true + validators: [] + type: entry + - name: ngfw_device + description: The NGFW device + required: false + default: localhost.localdomain + validators: [] + type: entry + - name: vsys + description: The vsys. + required: false + default: vsys1 + validators: + - type: not-values + spec: + values: + - value: shared + error: The vsys cannot be "shared". + type: entry + description: Located in a specific template stack, device and vsys. 
+ devices: + - panorama + - ngfw + validators: [] + required: false + read_only: false +entries: +- name: name + description: '' + validators: [] +spec: + params: + - name: version + type: object + profiles: + - xpath: + - version + validators: [] + spec: + params: [] + variants: + - name: v2c + type: object + profiles: + - xpath: + - v2c + validators: [] + spec: + params: + - name: server + type: list + profiles: + - xpath: + - server + - entry + type: entry + validators: [] + spec: + type: object + items: + type: object + spec: + params: + - name: community + type: string + profiles: + - xpath: + - community + validators: + - type: length + spec: + max: 127 + spec: {} + description: SNMP community string + required: false + - name: manager + type: string + profiles: + - xpath: + - manager + validators: + - type: length + spec: + max: 63 + spec: {} + description: IP address or FQDN of SNMP manager + required: false + variants: [] + description: List of SNMPv2c trap receivers + required: false + codegen_overrides: + terraform: + name: servers + variants: [] + description: SNMPv2c configuration + required: false + - name: v3 + type: object + profiles: + - xpath: + - v3 + validators: [] + spec: + params: + - name: server + type: list + profiles: + - xpath: + - server + - entry + type: entry + validators: [] + spec: + type: object + items: + type: object + spec: + params: + - name: engineid + type: string + profiles: + - xpath: + - engineid + validators: + - type: length + spec: + max: 255 + spec: {} + description: SNMP engine ID (hex string, e.g. 0x80...) 
+ required: false + - name: manager + type: string + profiles: + - xpath: + - manager + validators: + - type: length + spec: + max: 63 + spec: {} + description: IP address or FQDN of SNMP manager + required: false + - name: user + type: string + profiles: + - xpath: + - user + validators: + - type: length + spec: + max: 31 + spec: {} + description: SNMPv3 username + required: false + - name: authpwd + type: string + profiles: + - xpath: + - authpwd + validators: + - type: length + spec: + max: 255 + spec: {} + description: SNMPv3 authentication password + required: false + codegen_overrides: + terraform: + sensitive: true + - name: privpwd + type: string + profiles: + - xpath: + - privpwd + validators: + - type: length + spec: + max: 255 + spec: {} + description: SNMPv3 privacy password + required: false + codegen_overrides: + terraform: + sensitive: true + - name: authproto + type: enum + profiles: + - xpath: + - authproto + validators: + - type: values + spec: + values: + - MD5 + - SHA + spec: + default: SHA + values: + - value: MD5 + - value: SHA + description: Authentication protocol + required: false + - name: privproto + type: enum + profiles: + - xpath: + - privproto + validators: + - type: values + spec: + values: + - AES128 + - DES + spec: + default: AES128 + values: + - value: AES128 + - value: DES + description: Privacy protocol + required: false + variants: [] + description: List of SNMPv3 trap receivers + required: false + codegen_overrides: + terraform: + name: servers + variants: [] + description: SNMPv3 configuration + required: false + description: SNMP version and server configuration + required: false + variants: [] diff --git a/specs/objects/profiles/decryption-profile.yaml b/specs/objects/profiles/decryption-profile.yaml new file mode 100644 index 00000000..d5b93f29 --- /dev/null +++ b/specs/objects/profiles/decryption-profile.yaml 
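Review bot: The SNMPv2c `community` param has no `sensitive` override, although for SNMPv2c the community string is the only credential a trap receiver checks; `authpwd` and `privpwd` in the `v3` variant of the same hunk do get `codegen_overrides: terraform: sensitive: true`, and `community` should get the same so it is redacted from plan output and logs. The `authproto`/`privproto` defaults of `SHA` and `AES128` are the stronger choices; since `MD5` and `DES` stay selectable, their descriptions could say so, e.g. `Authentication protocol (MD5 is legacy; SHA recommended)`. The `engineid` description's `e.g. 0x80...` hints at a hex format but does not state the accepted prefix or length; adding that, if known, would save users a failed commit.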
@@ -0,0 +1,496 @@
+name: decryption-profile
+terraform_provider_config:
+ description: Decryption Profile
+ skip_resource: false
+ skip_datasource: false
+ resource_type: entry
+ resource_variants:
+ - singular
+ suffix: decryption_profile
+ plural_suffix: ''
+ plural_name: ''
+ plural_description: ''
+ custom_validation: false
+go_sdk_config:
+ skip: false
+ package:
+ - objects
+ - profiles
+ - decryption
+panos_xpath:
+ path:
+ - profiles
+ - decryption
+ vars: []
+locations:
+- name: shared
+ xpath:
+ path:
+ - config
+ - shared
+ vars: []
+ description: Panorama shared object
+ devices:
+ - panorama
+ - ngfw
+ validators: []
+ required: false
+ read_only: false
+- name: vsys
+ xpath:
+ path:
+ - config
+ - devices
+ - $ngfw_device
+ - vsys
+ - $vsys
+ vars:
+ - name: ngfw_device
+ description: The NGFW device name
+ required: false
+ default: localhost.localdomain
+ validators: []
+ type: entry
+ - name: vsys
+ description: The Virtual System name
+ required: false
+ default: vsys1
+ validators:
+ - type: not-values
+ spec:
+ values:
+ - value: shared
+ error: The vsys name cannot be "shared". Use the "shared" location instead
+ type: entry
+ description: Located in a specific Virtual System
+ devices:
+ - ngfw
+ validators: []
+ required: false
+ read_only: false
+- name: device-group
+ xpath:
+ path:
+ - config
+ - devices
+ - $panorama_device
+ - device-group
+ - $device_group
+ vars:
+ - name: panorama_device
+ description: Panorama device name
+ required: false
+ default: localhost.localdomain
+ validators: []
+ type: entry
+ - name: device_group
+ description: Device Group name
+ required: true
+ validators:
+ - type: not-values
+ spec:
+ values:
+ - value: shared
+ error: The device group name cannot be "shared". 
Use the "shared" location
+ instead
+ type: entry
+ location_filter: true
+ description: Located in a specific Device Group
+ devices:
+ - panorama
+ validators: []
+ required: false
+ read_only: false
+entries:
+- name: name
+ description: ''
+ validators: []
+spec:
+ params:
+ - name: description
+ type: string
+ profiles:
+ - xpath:
+ - description
+ validators:
+ - type: length
+ spec:
+ min: 0
+ max: 255
+ spec: {}
+ description: ''
+ required: false
+ - name: ssl-forward-proxy
+ type: object
+ profiles:
+ - xpath:
+ - ssl-forward-proxy
+ validators: []
+ spec:
+ params:
+ - name: auto-include-altname
+ type: bool
+ profiles:
+ - xpath:
+ - auto-include-altname
+ validators: []
+ spec: {}
+ description: Automatically include the alternative name of the certificate
+ required: false
+ - name: block-client-cert
+ type: bool
+ profiles:
+ - xpath:
+ - block-client-cert
+ validators: []
+ spec: {}
+ description: Block sessions with client certificate
+ required: false
+ - name: block-expired-certificate
+ type: bool
+ profiles:
+ - xpath:
+ - block-expired-certificate
+ validators: []
+ spec: {}
+ description: Block sessions with expired certificates
+ required: false
+ - name: block-timeout-cert
+ type: bool
+ profiles:
+ - xpath:
+ - block-timeout-cert
+ validators: []
+ spec: {}
+ description: Block sessions if certificate status cannot be retrieved within timeout
+ required: false
+ - name: block-unknown-cert
+ type: bool
+ profiles:
+ - xpath:
+ - block-unknown-cert
+ validators: []
+ spec: {}
+ description: Block sessions if certificate status is unknown
+ required: false
+ - name: block-unsupported-cipher
+ type: bool
+ profiles:
+ - xpath:
+ - block-unsupported-cipher
+ validators: []
+ spec: {}
+ description: Block sessions with unsupported cipher suites
+ required: false
+ - name: block-unsupported-version
+ type: bool
+ profiles:
+ - xpath:
+ - block-unsupported-version
+ validators: []
+ spec: {}
+ description: Block sessions with unsupported protocol 
versions
+ required: false
+ - name: block-untrusted-issuer
+ type: bool
+ profiles:
+ - xpath:
+ - block-untrusted-issuer
+ validators: []
+ spec: {}
+ description: Block sessions with untrusted certificate issuers
+ required: false
+ - name: client-cert-auth
+ type: bool
+ profiles:
+ - xpath:
+ - client-cert-auth
+ validators: []
+ spec: {}
+ description: Enable client certificate authentication
+ required: false
+ - name: restrict-cert-exts
+ type: bool
+ profiles:
+ - xpath:
+ - restrict-cert-exts
+ validators: []
+ spec: {}
+ description: Restrict certificate extensions
+ required: false
+ - name: strip-alpn
+ type: bool
+ profiles:
+ - xpath:
+ - strip-alpn
+ validators: []
+ spec: {}
+ description: Strip ALPN extension from ClientHello
+ required: false
+ variants: []
+ description: SSL forward proxy decryption settings
+ required: false
+ - name: ssl-inbound-proxy
+ type: object
+ profiles:
+ - xpath:
+ - ssl-inbound-proxy
+ validators: []
+ spec:
+ params:
+ - name: block-if-no-resource
+ type: bool
+ profiles:
+ - xpath:
+ - block-if-no-resource
+ validators: []
+ spec: {}
+ description: Block sessions when decryption resources are not available
+ required: false
+ - name: block-unsupported-cipher
+ type: bool
+ profiles:
+ - xpath:
+ - block-unsupported-cipher
+ validators: []
+ spec: {}
+ description: Block sessions with unsupported cipher suites
+ required: false
+ - name: block-unsupported-version
+ type: bool
+ profiles:
+ - xpath:
+ - block-unsupported-version
+ validators: []
+ spec: {}
+ description: Block sessions with unsupported protocol versions
+ required: false
+ - name: block-if-hsm-unavailable
+ type: bool
+ profiles:
+ - xpath:
+ - block-if-hsm-unavailable
+ validators: []
+ spec: {}
+ description: Block sessions when HSM is unavailable
+ required: false
+ - name: block-tls13-downgrade-no-resource
+ type: bool
+ profiles:
+ - xpath:
+ - block-tls13-downgrade-no-resource
+ validators: []
+ spec: {}
+ description: Block TLS 1.3 downgrade 
when no resources are available
+ required: false
+ variants: []
+ description: SSL inbound proxy decryption settings
+ required: false
+ - name: ssl-no-proxy
+ type: object
+ profiles:
+ - xpath:
+ - ssl-no-proxy
+ validators: []
+ spec:
+ params:
+ - name: block-expired-certificate
+ type: bool
+ profiles:
+ - xpath:
+ - block-expired-certificate
+ validators: []
+ spec: {}
+ description: Block sessions with expired certificates
+ required: false
+ - name: block-untrusted-issuer
+ type: bool
+ profiles:
+ - xpath:
+ - block-untrusted-issuer
+ validators: []
+ spec: {}
+ description: Block sessions with untrusted certificate issuers
+ required: false
+ variants: []
+ description: SSL no-proxy decryption settings
+ required: false
+ - name: ssl-protocol-settings
+ type: object
+ profiles:
+ - xpath:
+ - ssl-protocol-settings
+ validators: []
+ spec:
+ params:
+ - name: min-version
+ type: enum
+ profiles:
+ - xpath:
+ - min-version
+ validators:
+ - type: values
+ spec:
+ values:
+ - sslv3
+ - tls1-0
+ - tls1-1
+ - tls1-2
+ - tls1-3
+ spec:
+ default: tls1-0
+ values:
+ - value: sslv3
+ - value: tls1-0
+ - value: tls1-1
+ - value: tls1-2
+ - value: tls1-3
+ description: Minimum SSL/TLS protocol version
+ required: false
+ - name: max-version
+ type: enum
+ profiles:
+ - xpath:
+ - max-version
+ validators:
+ - type: values
+ spec:
+ values:
+ - sslv3
+ - tls1-0
+ - tls1-1
+ - tls1-2
+ - tls1-3
+ - max
+ spec:
+ default: max
+ values:
+ - value: sslv3
+ - value: tls1-0
+ - value: tls1-1
+ - value: tls1-2
+ - value: tls1-3
+ - value: max
+ description: Maximum SSL/TLS protocol version
+ required: false
+ - name: auth-algo-md5
+ type: bool
+ profiles:
+ - xpath:
+ - auth-algo-md5
+ validators: []
+ spec: {}
+ description: Allow MD5 authentication algorithm
+ required: false
+ - name: auth-algo-sha1
+ type: bool
+ profiles:
+ - xpath:
+ - auth-algo-sha1
+ validators: []
+ spec: {}
+ description: Allow SHA1 authentication algorithm
+ required: false
+ - name: 
auth-algo-sha256
+ type: bool
+ profiles:
+ - xpath:
+ - auth-algo-sha256
+ validators: []
+ spec: {}
+ description: Allow SHA256 authentication algorithm
+ required: false
+ - name: auth-algo-sha384
+ type: bool
+ profiles:
+ - xpath:
+ - auth-algo-sha384
+ validators: []
+ spec: {}
+ description: Allow SHA384 authentication algorithm
+ required: false
+ - name: enc-algo-3des
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-3des
+ validators: []
+ spec: {}
+ description: Allow 3DES encryption algorithm
+ required: false
+ - name: enc-algo-rc4
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-rc4
+ validators: []
+ spec: {}
+ description: Allow RC4 encryption algorithm
+ required: false
+ - name: enc-algo-aes-128-cbc
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-aes-128-cbc
+ validators: []
+ spec: {}
+ description: Allow AES-128-CBC encryption algorithm
+ required: false
+ - name: enc-algo-aes-256-cbc
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-aes-256-cbc
+ validators: []
+ spec: {}
+ description: Allow AES-256-CBC encryption algorithm
+ required: false
+ - name: enc-algo-aes-128-gcm
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-aes-128-gcm
+ validators: []
+ spec: {}
+ description: Allow AES-128-GCM encryption algorithm
+ required: false
+ - name: enc-algo-aes-256-gcm
+ type: bool
+ profiles:
+ - xpath:
+ - enc-algo-aes-256-gcm
+ validators: []
+ spec: {}
+ description: Allow AES-256-GCM encryption algorithm
+ required: false
+ - name: keyxchg-algo-dhe
+ type: bool
+ profiles:
+ - xpath:
+ - keyxchg-algo-dhe
+ validators: []
+ spec: {}
+ description: Allow DHE key exchange algorithm
+ required: false
+ - name: keyxchg-algo-ecdhe
+ type: bool
+ profiles:
+ - xpath:
+ - keyxchg-algo-ecdhe
+ validators: []
+ spec: {}
+ description: Allow ECDHE key exchange algorithm
+ required: false
+ - name: keyxchg-algo-rsa
+ type: bool
+ profiles:
+ - xpath:
+ - keyxchg-algo-rsa
+ validators: []
+ spec: {}
+ description: Allow RSA key exchange algorithm
+ required: 
false
+ variants: []
+ description: SSL/TLS protocol settings
+ required: false
+ variants: []
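Review bot: The `description` param of the new decryption-profile spec carries an empty `description: ''`, so the generated provider and SDK docs will say nothing about the one free-text field; suggest `description: Free-form description of the decryption profile`. In `ssl-protocol-settings`, the toggles `auth-algo-md5`, `enc-algo-rc4` and `enc-algo-3des` and the `sslv3`/`tls1-0` values of `min-version` are documented only as "Allow … algorithm", with `min-version` defaulting to `tls1-0` and the bools having `spec: {}` with no default, so nothing in the generated docs tells a user that turning these on weakens the profile. A short qualifier on each, e.g. `description: Allow RC4 encryption algorithm (deprecated cipher; enable only for legacy peers)`, would carry that caveat into the generated docs without changing the schema. The defaults presumably mirror PAN-OS defaults and should stay as written.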