HIP Profile Configuration Object
Table of Contents
- Overview
- Core Methods
- HIP Profile Model Attributes
- Exceptions
- Basic Configuration
- Usage Examples
- Managing Configuration Changes
- Error Handling
- Best Practices
- Full Script Examples
- Related Models
Overview
The HIPProfile class provides functionality to manage Host Information Profile (HIP) profiles in Palo Alto Networks' Strata
Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and deleting
HIP profiles. HIP profiles define security posture matching criteria that can be used in security policies to enforce endpoint compliance.
Core Methods
| Method | Description | Parameters | Return Type |
|---|---|---|---|
create() |
Creates a new HIP profile | data: Dict[str, Any] |
HIPProfileResponseModel |
get() |
Retrieves a HIP profile by ID | object_id: str |
HIPProfileResponseModel |
update() |
Updates an existing HIP profile | hip_profile: HIPProfileUpdateModel |
HIPProfileResponseModel |
delete() |
Deletes a HIP profile | object_id: str |
None |
list() |
Lists HIP profiles with filtering | folder: str, **filters |
List[HIPProfileResponseModel] |
fetch() |
Gets HIP profile by name | name: str, folder: str |
HIPProfileResponseModel |
HIP Profile Model Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
name |
str | Yes | Name of HIP profile (max 31 chars) |
id |
UUID | Yes* | Unique identifier (*response only) |
description |
str | No | Profile description (max 255 chars) |
match |
str | Yes | Match expression for the profile |
folder |
str | Yes** | Folder location (**one container required) |
snippet |
str | Yes** | Snippet location (**one container required) |
device |
str | Yes** | Device location (**one container required) |
Exceptions
| Exception | HTTP Code | Description |
|---|---|---|
InvalidObjectError |
400 | Invalid HIP profile data or format |
MissingQueryParameterError |
400 | Missing required parameters |
NameNotUniqueError |
409 | HIP profile name already exists |
ObjectNotPresentError |
404 | HIP profile not found |
ReferenceNotZeroError |
409 | HIP profile still referenced |
AuthenticationError |
401 | Authentication failed |
ServerError |
500 | Internal server error |
Basic Configuration
from scm.client import ScmClient
# Initialize client using the unified client approachclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
hip_profile_max_limit=5000 # Optional: set custom max_limit
)
# Access the hip_profile module directly through the client# client.hip_profile is automatically initialized for you
# Initialize client using the unified client approachclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
hip_profile_max_limit=5000 # Optional: set custom max_limit
)
# Access the hip_profile module directly through the client# client.hip_profile is automatically initialized for you
You can also use the traditional approach if preferred:
from scm.client import Scm
from scm.config.objects import HIPProfile
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize HIPProfile with custom max_limithip_profiles = HIPProfile(client, max_limit=5000)
from scm.config.objects import HIPProfile
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize HIPProfile with custom max_limithip_profiles = HIPProfile(client, max_limit=5000)
Usage Examples
Creating HIP Profiles
# Basic HIP profile with simple match expressionbasic_profile_config = {
"name": "windows-workstations",
"folder": "Shared",
"description": "Windows workstations with basic security requirements",
"match": '"is-win"' # Single HIP object reference
}
# Create basic HIP profilebasic_profile = client.hip_profile.create(basic_profile_config)
# HIP profile with complex match expression using AND/OR logiccomplex_profile_config = {
"name": "secure-workstations",
"folder": "Shared",
"description": "Secured workstations with enhanced security posture",
"match": '"is-win" and "is-firewall-enabled"' # Combined match expression
}
# Create complex HIP profilecomplex_profile = client.hip_profile.create(complex_profile_config)
# HIP profile with negative match expressionnegative_profile_config = {
"name": "non-windows-devices",
"folder": "Shared",
"description": "All devices except Windows workstations",
"match": 'not ("is-win")' # NOT operator in match expression
}
# Create negative match HIP profilenegative_profile = client.hip_profile.create(negative_profile_config)
"name": "windows-workstations",
"folder": "Shared",
"description": "Windows workstations with basic security requirements",
"match": '"is-win"' # Single HIP object reference
}
# Create basic HIP profilebasic_profile = client.hip_profile.create(basic_profile_config)
# HIP profile with complex match expression using AND/OR logiccomplex_profile_config = {
"name": "secure-workstations",
"folder": "Shared",
"description": "Secured workstations with enhanced security posture",
"match": '"is-win" and "is-firewall-enabled"' # Combined match expression
}
# Create complex HIP profilecomplex_profile = client.hip_profile.create(complex_profile_config)
# HIP profile with negative match expressionnegative_profile_config = {
"name": "non-windows-devices",
"folder": "Shared",
"description": "All devices except Windows workstations",
"match": 'not ("is-win")' # NOT operator in match expression
}
# Create negative match HIP profilenegative_profile = client.hip_profile.create(negative_profile_config)
Retrieving HIP Profiles
# Fetch by name and folderhip_profile = client.hip_profile.fetch(name="windows-workstations", folder="Shared")
print(f"Found HIP profile: {hip_profile.name}")
# Get by IDhip_by_id = client.hip_profile.get(hip_profile.id)
print(f"Retrieved HIP profile: {hip_by_id.name}")
print(f"Match expression: {hip_by_id.match}")
print(f"Found HIP profile: {hip_profile.name}")
# Get by IDhip_by_id = client.hip_profile.get(hip_profile.id)
print(f"Retrieved HIP profile: {hip_by_id.name}")
print(f"Match expression: {hip_by_id.match}")
Updating HIP Profiles
# Fetch existing HIP profileexisting_profile = client.hip_profile.fetch(name="secure-workstations", folder="Shared")
# Create update model with modified match expressionfrom scm.models.objects import HIPProfileUpdateModel
update_model = HIPProfileUpdateModel(
id=existing_profile.id,
name=existing_profile.name,
description="Enhanced security requirements for workstations",
match='"is-win" and "is-firewall-enabled" and "is-disk-encrypted"'
)
# Perform updateupdated_profile = client.hip_profile.update(update_model)
print(f"Updated match expression: {updated_profile.match}")
# Create update model with modified match expressionfrom scm.models.objects import HIPProfileUpdateModel
update_model = HIPProfileUpdateModel(
id=existing_profile.id,
name=existing_profile.name,
description="Enhanced security requirements for workstations",
match='"is-win" and "is-firewall-enabled" and "is-disk-encrypted"'
)
# Perform updateupdated_profile = client.hip_profile.update(update_model)
print(f"Updated match expression: {updated_profile.match}")
Listing HIP Profiles
# List with direct filter parametersfiltered_profiles = client.hip_profile.list(
folder='Shared',
exact_match=True
)
# Process resultsfor profile in filtered_profiles:
print(f"Name: {profile.name}")
print(f"Match: {profile.match}")
# Define filter parameters as dictionarylist_params = {
"folder": "Shared",
"exclude_folders": ["Test", "Development"]
}
# List with filters as kwargsfiltered_profiles = client.hip_profile.list(**list_params)
folder='Shared',
exact_match=True
)
# Process resultsfor profile in filtered_profiles:
print(f"Name: {profile.name}")
print(f"Match: {profile.match}")
# Define filter parameters as dictionarylist_params = {
"folder": "Shared",
"exclude_folders": ["Test", "Development"]
}
# List with filters as kwargsfiltered_profiles = client.hip_profile.list(**list_params)
Deleting HIP Profiles
# Delete by IDprofile_id = "123e4567-e89b-12d3-a456-426655440000"
client.hip_profile.delete(profile_id)
client.hip_profile.delete(profile_id)
Managing Configuration Changes
Performing Commits
# Prepare commit parameterscommit_params = {
"folders": ["Shared"],
"description": "Updated HIP profiles",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = client.commit(**commit_params)
print(f"Commit job ID: {result.job_id}")
"folders": ["Shared"],
"description": "Updated HIP profiles",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = client.commit(**commit_params)
print(f"Commit job ID: {result.job_id}")
Monitoring Jobs
# Get status of specific jobjob_status = client.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")
Error Handling
from scm.client import ScmClient
from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
try:
# Create HIP profile configuration
hip_config = {
"name": "test-hip-profile",
"folder": "Shared",
"description": "Test HIP profile",
"match": '"is-win" or "is-mac"'
}
# Create the HIP profile using the unified client
new_profile = client.hip_profile.create(hip_config)
# Commit changes directly on the client
result = client.commit(
folders=["Shared"],
description="Added test HIP profile",
sync=True
)
# Check job status on the client
status = client.get_job_status(result.job_id)
except InvalidObjectError as e:
print(f"Invalid HIP profile data: {e.message}")
except NameNotUniqueError as e:
print(f"HIP profile name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"HIP profile not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"HIP profile still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")
from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
try:
# Create HIP profile configuration
hip_config = {
"name": "test-hip-profile",
"folder": "Shared",
"description": "Test HIP profile",
"match": '"is-win" or "is-mac"'
}
# Create the HIP profile using the unified client
new_profile = client.hip_profile.create(hip_config)
# Commit changes directly on the client
result = client.commit(
folders=["Shared"],
description="Added test HIP profile",
sync=True
)
# Check job status on the client
status = client.get_job_status(result.job_id)
except InvalidObjectError as e:
print(f"Invalid HIP profile data: {e.message}")
except NameNotUniqueError as e:
print(f"HIP profile name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"HIP profile not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"HIP profile still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")
Best Practices
-
Client Usage
- Use the unified
ScmClientapproach for simpler code - Access HIP profile operations via
client.hip_profileproperty - Perform commit operations directly on the client
- Monitor jobs directly on the client
- Set appropriate max_limit parameters for large datasets using
hip_profile_max_limit
- Use the unified
-
Match Expression Syntax
- Use quoted object names in match expressions (e.g.,
"is-win") - Combine expressions with boolean operators (
and,or,not) - Group complex expressions with parentheses
- Verify HIP objects exist before referencing them
- Keep expressions simple and maintainable
- Use quoted object names in match expressions (e.g.,
-
Container Management
- Always specify exactly one container (folder, snippet, or device)
- Use consistent container names
- Validate container existence
- Group related HIP profiles
- Consider inheritance patterns
-
Performance
- Set appropriate max_limit values
- Use pagination for large lists
- Cache frequently accessed profiles
- Implement proper retry logic
- Monitor API response times
-
Security
- Follow least privilege principle
- Validate input data
- Use secure connection settings
- Implement proper authentication
- Monitor security posture changes
-
Error Handling
- Implement comprehensive error handling
- Check job status after commits
- Log error details
- Handle specific exceptions
- Validate match expressions before creation
Full Script Examples
Refer to the hip_profile.py example.