IKE Crypto Profile

The IKECryptoProfile class provides functionality to manage IKE (Internet Key Exchange) Crypto Profile objects in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting IKE crypto profiles used for IPsec VPN tunnels.

IKE Crypto Profiles define:

• Hash algorithms for integrity validation
• Encryption algorithms for data confidentiality
• Diffie-Hellman groups for secure key exchange
• Lifetime settings for security key rotation

Class Overview

from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Access the IKE Crypto Profile service directly through the client
ike_profiles = client.ike_crypto_profile

Method	Description	Parameters	Return Type
create()	Creates a new IKE crypto profile	data: Dict[str, Any]	IKECryptoProfileResponseModel
get()	Retrieves a profile by ID	object_id: str	IKECryptoProfileResponseModel
update()	Updates an existing profile	profile: IKECryptoProfileUpdateModel	IKECryptoProfileResponseModel
delete()	Deletes a profile	object_id: str	None
list()	Lists profiles with filtering	folder: str, snippet: str, device: str, **filters	List[IKECryptoProfileResponseModel]
fetch()	Gets profile by name and container	name: str, folder: str, snippet: str, device: str	IKECryptoProfileResponseModel

IKE Crypto Profile Model Attributes

Attribute	Type	Required	Default	Description
name	str	Yes	None	Profile name. Max 31 chars. Pattern: ^[0-9a-zA-Z._-]+$
id	UUID	Yes*	None	Unique identifier (*response/update only)
hash	List[HashAlgorithm]	Yes	None	Hashing algorithms
encryption	List[EncryptionAlgorithm]	Yes	None	Encryption algorithms
dh_group	List[DHGroup]	Yes	None	Phase-1 DH groups
lifetime	LifetimeType	No	None	Lifetime configuration (seconds, minutes, hours, or days)
authentication_multiple	int	No	0	IKEv2 SA reauthentication interval multiplier (0-50)
folder	str	No**	None	Folder containing the profile. Max 64 chars
snippet	str	No**	None	Snippet containing the profile. Max 64 chars
device	str	No**	None	Device containing the profile. Max 64 chars

* Only required for update and response models ** Exactly one container field (folder/snippet/device) must be provided

Exceptions

Exception	HTTP Code	Description
InvalidObjectError	400	Invalid profile data or format
MissingQueryParameterError	400	Missing required parameters
NameNotUniqueError	409	Profile name already exists
ObjectNotPresentError	404	Profile not found
AuthenticationError	401	Authentication failed
ServerError	500	Internal server error

Methods

List IKE Crypto Profiles

# List all profiles in a folder
profiles = client.ike_crypto_profile.list(folder="Texas")

# Process results
for profile in profiles:
    print(f"Profile: {profile.name}")
    print(f"  Hash: {[h.value for h in profile.hash]}")
    print(f"  Encryption: {[e.value for e in profile.encryption]}")
    print(f"  DH Groups: {[g.value for g in profile.dh_group]}")

Filtering Responses

The list() method supports additional filtering parameters:

# List with exact match on container
profiles = client.ike_crypto_profile.list(
    folder="Texas",
    exact_match=True
)

# Exclude specific folders from results
profiles = client.ike_crypto_profile.list(
    folder="All",
    exclude_folders=["Shared", "Default"]
)

# Exclude specific snippets
profiles = client.ike_crypto_profile.list(
    folder="Texas",
    exclude_snippets=["default-snippet"]
)

# Exclude specific devices
profiles = client.ike_crypto_profile.list(
    folder="Texas",
    exclude_devices=["DeviceA", "DeviceB"]
)

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000.

from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Configure max_limit using the property setter
client.ike_crypto_profile.max_limit = 1000

# List all profiles - auto-paginates through results
all_profiles = client.ike_crypto_profile.list(folder="Texas")

Fetch an IKE Crypto Profile

# Fetch by name and folder
profile = client.ike_crypto_profile.fetch(
    name="ike-crypto-sha256-aes256",
    folder="Texas"
)
print(f"Found profile: {profile.name}")

# Get by ID
profile_by_id = client.ike_crypto_profile.get(profile.id)
print(f"Retrieved profile: {profile_by_id.name}")

Create an IKE Crypto Profile

from scm.client import ScmClient

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# Prepare IKE crypto profile configuration
profile_config = {
    "name": "ike-crypto-sha256-aes256",
    "hash": ["sha256", "sha384"],
    "encryption": ["aes-256-cbc", "aes-256-gcm"],
    "dh_group": ["group14", "group19", "group20"],
    "lifetime": {"hours": 8},
    "authentication_multiple": 3,
    "folder": "Texas"
}

# Create the IKE crypto profile
new_profile = client.ike_crypto_profile.create(profile_config)
print(f"Created IKE crypto profile: {new_profile.name} (ID: {new_profile.id})")

Update an IKE Crypto Profile

# Fetch existing profile
existing = client.ike_crypto_profile.fetch(
    name="ike-crypto-sha256-aes256",
    folder="Texas"
)

# Modify attributes using dot notation
existing.hash = ["sha384", "sha512"]
existing.encryption = ["aes-256-gcm"]
existing.lifetime = {"days": 1}

# Perform update
updated_profile = client.ike_crypto_profile.update(existing)
print(f"Updated profile: {updated_profile.name}")

Delete an IKE Crypto Profile

# Get the profile to delete
profile = client.ike_crypto_profile.fetch(
    name="ike-crypto-sha256-aes256",
    folder="Texas"
)

# Delete by ID
client.ike_crypto_profile.delete(str(profile.id))
print(f"Deleted profile: {profile.name}")

Use Cases

Performing Commits

# Prepare commit parameters
commit_params = {
    "folders": ["Texas"],
    "description": "Updated IKE crypto profiles",
    "sync": True,
    "timeout": 300  # 5 minute timeout
}

# Commit the changes
result = client.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific job
job_status = client.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")

# List recent jobs
recent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
    print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.client import ScmClient
from scm.exceptions import (
    InvalidObjectError,
    MissingQueryParameterError,
    NameNotUniqueError,
    ObjectNotPresentError
)

# Initialize client
client = ScmClient(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

try:
    # Create IKE crypto profile
    profile_config = {
        "name": "ike-crypto-test",
        "hash": ["sha256"],
        "encryption": ["aes-256-cbc"],
        "dh_group": ["group14"],
        "folder": "Texas"
    }

    new_profile = client.ike_crypto_profile.create(profile_config)

    # Commit changes
    result = client.commit(
        folders=["Texas"],
        description="Added IKE crypto profile",
        sync=True
    )

    # Check job status
    status = client.get_job_status(result.job_id)

except InvalidObjectError as e:
    print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
    print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
    print(f"Profile not found: {e.message}")
except MissingQueryParameterError as e:
    print(f"Missing parameter: {e.message}")

Related Topics

• IKECryptoProfileBaseModel
• IKECryptoProfileCreateModel
• IKECryptoProfileUpdateModel
• IKECryptoProfileResponseModel
• HashAlgorithm
• EncryptionAlgorithm
• DHGroup
• LifetimeSeconds
• LifetimeMinutes
• LifetimeHours
• LifetimeDays

Refer to the ike_crypto_profile.py example.