**Description**

**Documentation link**

API Document: https://pan.dev/access/api/prisma-access-config/post-sse-config-v-1-decryption-rules/

API Endpoint: https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules

**Describe the problem**
I am unable to create a decryption policy for SSL Inbound Inspection using the Prisma Access Configuration API. What payload should I use to create a decryption policy with “SSL Inbound Inspection” as the decryption type?
When trying to create a decryption policy by specifying SSL Inbound Inspection as the decryption type according to the API documentation, I am unable to create the policy correctly.
In the API documentation, the description for “type” is as follows, so I tried to create the policy by copying the content of an existing decryption policy that was created via the WebUI.
> **type** object
>
> oneOf
>
> * `ssl_forward_proxy`
> * `ssl_inbound_inspection`
First, I created a decryption policy using the SCM WebUI. I specified the following parameters, and used default values for the others:
- name: test-ssl-inbound-inspection-GUI
- position: pre
- action: Decrypt
- type: SSL Inbound Inspection
- certificates: Authentication Cookie CA
I retrieved this policy using the following command:
```bash
curl -s -X GET \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules?position=pre&folder=Shared&name=test-ssl-inbound-inspection-GUI" | jq
```
The output was as follows:
```json
{
  "id": "abb61004-fd1d-45f5-b767-39ac2a646091",
  "name": "test-ssl-inbound-inspection-GUI",
  "folder": "Shared",
  "source_hip": [
    "any"
  ],
  "destination_hip": [
    "any"
  ],
  "action": "decrypt",
  "profile": "best-practice",
  "from": [
    "any"
  ],
  "to": [
    "any"
  ],
  "source": [
    "any"
  ],
  "destination": [
    "any"
  ],
  "source_user": [
    "any"
  ],
  "category": [
    "any"
  ],
  "service": [
    "any"
  ],
  "type": {
    "ssl_inbound_inspection": {
      "certificates": [
        "Authentication Cookie CA"
      ]
    }
  },
  "log_setting": "Cortex Data Lake"
}
```
To create a policy with the same content, I made the following API request:
```bash
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -d '{
    "name": "test-ssl-inbound-inspection-API",
    "folder": "Shared",
    "source_hip": [
      "any"
    ],
    "destination_hip": [
      "any"
    ],
    "action": "decrypt",
    "profile": "best-practice",
    "from": [
      "any"
    ],
    "to": [
      "any"
    ],
    "source": [
      "any"
    ],
    "destination": [
      "any"
    ],
    "source_user": [
      "any"
    ],
    "category": [
      "any"
    ],
    "service": [
      "any"
    ],
    "type": {
      "ssl_inbound_inspection": {
        "certificates": [
          "Authentication Cookie CA"
        ]
      }
    },
    "log_setting": "Cortex Data Lake"
  }' \
  "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules?position=pre&folder=Shared" | jq
```
The output was:
```json
{
  "_errors": [
    {
      "code": "API_I00035",
      "message": "Invalid Request Payload [object Object]",
      "details": [
        "\"type.ssl_inbound_inspection\" must be a string"
      ]
    }
  ],
  "_request_id": "3f2c408b-4c38-4dc9-b6be-067835d3957b"
}
```
Following the error message, I specified the certificate as a string:
```bash
curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -d '{
    "name": "test-ssl-inbound-inspection-API",
    "folder": "Shared",
    "source_hip": [
      "any"
    ],
    "destination_hip": [
      "any"
    ],
    "action": "decrypt",
    "profile": "best-practice",
    "from": [
      "any"
    ],
    "to": [
      "any"
    ],
    "source": [
      "any"
    ],
    "destination": [
      "any"
    ],
    "source_user": [
      "any"
    ],
    "category": [
      "any"
    ],
    "service": [
      "any"
    ],
    "type": {
      "ssl_inbound_inspection": "Authentication Cookie CA"
    },
    "log_setting": "Cortex Data Lake"
  }' \
  "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules?position=pre&folder=Shared" | jq
```
The output was as follows:
```json
{
  "_errors": [
    {
      "code": "API_I00013",
      "message": "Your configuration is not valid. Please review the error message for more details.",
      "details": {
        "errorType": "Invalid Object",
        "message": [
          " test-ssl-inbound-inspection -> type -> ssl-inbound-inspection unexpected here",
          " test-ssl-inbound-inspection -> type -> ssl-inbound-inspection is unexpected ",
          " test-ssl-inbound-inspection -> type is invalid"
        ],
        "errors": [
          {
            "type": "UNEXPECTED_NODE_ERROR",
            "message": "node unexpected here",
            "params": [
              "text"
            ]
          },
          {
            "type": "UNEXPECTED_NODE_ERROR",
            "message": "node unexpected here"
          }
        ]
      }
    }
  ],
  "_request_id": "1aec9c9d-0480-4c52-8696-b41a059d473f"
}
```
I also tried changing the type as follows, but I got the same “type.ssl_inbound_inspection must be a string” error as in the first case.
```json
"type": {
  "ssl_inbound_inspection": {"certificates": "Authentication Cookie CA"}
},
```
In all cases, I was unable to create a policy with “SSL Inbound Inspection” as the decryption type.
On the other hand, if I use SSL Forward Proxy, I can create the policy by specifying the type as follows:
```json
"type": {
  "ssl_forward_proxy": {}
}
```
What payload should I use to create a decryption policy with “SSL Inbound Inspection” as the decryption type?
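The manual loop in this report (fetch the WebUI-created rule, clone it with a different `type` encoding, read the validation error) can be replayed as a script, which also makes it easy to attach the exact server response for each attempt. The following is an added example, not code from the issue or from Palo Alto Networks. It assumes only what the report shows: the endpoint and its `position`/`folder`/`name` query parameters, that the `id` returned by GET is server-assigned and must be left out of the POST body, and the two `_errors[*].details` shapes seen above (a list of strings for `API_I00035`, an object with a `message` list for `API_I00013`). The `data`-wrapped list form of a filtered GET response is an assumption as well; the report shows a bare object. `ACCESS_TOKEN` is read from the environment.

```python
"""Replay the decryption-rule create attempts from the report and flatten
whatever validation details the API returns (added example, not from the issue)."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Optional

BASE = "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules"
READ_ONLY_FIELDS = {"id"}  # assumption: server-assigned, so never sent on create

# The three `type` encodings the report tries, in the order it tries them.
CANDIDATE_TYPES: list = [
    {"ssl_inbound_inspection": {"certificates": ["Authentication Cookie CA"]}},
    {"ssl_inbound_inspection": "Authentication Cookie CA"},
    {"ssl_inbound_inspection": {"certificates": "Authentication Cookie CA"}},
]


def build_create_payload(existing: dict, new_name: str, rule_type: dict) -> dict:
    """Clone a rule fetched with GET into a POST body with a new name and type.
    The source dict is not modified."""
    payload = {k: v for k, v in existing.items() if k not in READ_ONLY_FIELDS}
    payload["name"] = new_name
    payload["type"] = rule_type
    return payload


def extract_api_errors(body: dict) -> list:
    """Flatten `_errors` into "<code>: <detail>" lines.

    API_I00035 carries `details` as a list of strings; API_I00013 carries an
    object whose `message` key is a list of strings. Anything else falls back
    to the error's top-level `message`.
    """
    lines = []
    for err in body.get("_errors", []):
        code = err.get("code", "?")
        details = err.get("details")
        if isinstance(details, list):
            messages = details
        elif isinstance(details, dict) and isinstance(details.get("message"), list):
            messages = details["message"]
        else:
            messages = [err.get("message", "")]
        lines.extend(f"{code}: {str(m).strip()}" for m in messages)
    return lines


def _call(method: str, url: str, token: str, body: Optional[dict] = None):
    """Minimal JSON client on urllib; returns (status, parsed body) even on 4xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as exc:
        return exc.code, json.loads(exc.read().decode() or "{}")


def try_candidates(token: str, source_name: str, folder: str = "Shared",
                   position: str = "pre") -> None:
    """GET the WebUI-created rule, then POST each candidate until one is accepted."""
    query = urllib.parse.urlencode({"position": position, "folder": folder, "name": source_name})
    status, got = _call("GET", f"{BASE}?{query}", token)
    if status != 200:
        sys.exit("\n".join(extract_api_errors(got)) or f"GET failed with HTTP {status}")
    # Assumption: a filtered GET may wrap results in "data"; the report shows a bare object.
    existing = got["data"][0] if isinstance(got.get("data"), list) else got
    for i, rule_type in enumerate(CANDIDATE_TYPES, 1):
        payload = build_create_payload(existing, f"{source_name}-api-{i}", rule_type)
        query = urllib.parse.urlencode({"position": position, "folder": folder})
        status, resp = _call("POST", f"{BASE}?{query}", token, payload)
        print(f"candidate {i}: {json.dumps(rule_type)} -> HTTP {status}")
        if 200 <= status < 300:
            print(f"  created rule id {resp.get('id')}")
            return
        for line in extract_api_errors(resp):
            print(f"  {line}")


if __name__ == "__main__":
    try_candidates(os.environ["ACCESS_TOKEN"], "test-ssl-inbound-inspection-GUI")
```

Each accepted candidate creates a real rule in the folder, so run it against a test folder and delete the rule afterwards; the per-attempt output (`code` plus every `details` line) is what is worth pasting into the issue when reporting back.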