Decryption Profile Models
Overview
The Decryption Profile models provide a structured way to manage SSL/TLS decryption settings in Palo Alto Networks' Strata Cloud Manager. These models support configuring forward proxy, inbound proxy, and no-proxy SSL settings, as well as protocol-specific settings like allowed algorithms and TLS versions. The models handle validation of inputs and outputs when interacting with the SCM API.
Attributes
Attribute | Type | Required | Default | Description |
---|---|---|---|---|
name | str | Yes | None | Name of profile. Must start with alphanumeric char |
ssl_forward_proxy | SSLForwardProxy | No | None | SSL Forward Proxy settings |
ssl_inbound_proxy | SSLInboundProxy | No | None | SSL Inbound Proxy settings |
ssl_no_proxy | SSLNoProxy | No | None | SSL No Proxy settings |
ssl_protocol_settings | SSLProtocolSettings | No | None | SSL Protocol settings |
folder | str | No* | None | Folder where profile is defined. Max length: 64 chars |
snippet | str | No* | None | Snippet where profile is defined. Max length: 64 chars |
device | str | No* | None | Device where profile is defined. Max length: 64 chars |
id | UUID | Yes** | None | UUID of the profile (response only) |
\* Exactly one container type (folder/snippet/device) must be provided.
\*\* Only required for the response model.
SSL Protocol Settings Attributes
Attribute | Type | Required | Default | Description |
---|---|---|---|---|
min_version | SSLVersion | Yes | tls1_0 | Minimum allowed SSL/TLS version |
max_version | SSLVersion | Yes | tls1_2 | Maximum allowed SSL/TLS version |
auth_algo_md5 | bool | No | True | Allow MD5 authentication |
auth_algo_sha1 | bool | No | True | Allow SHA1 authentication |
auth_algo_sha256 | bool | No | True | Allow SHA256 authentication |
auth_algo_sha384 | bool | No | True | Allow SHA384 authentication |
enc_algo_3des | bool | No | True | Allow 3DES encryption |
enc_algo_aes_128_cbc | bool | No | True | Allow AES-128-CBC encryption |
enc_algo_aes_256_cbc | bool | No | True | Allow AES-256-CBC encryption |
enc_algo_rc4 | bool | No | True | Allow RC4 encryption |
Model Validators
Container Type Validation
For create operations, exactly one container type must be specified:
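# Container validation: a create request must name exactly one of
# 'folder', 'snippet' or 'device'. Both failure modes are shown below.

# Using dictionary
from scm.config.security import DecryptionProfile

# Error: multiple containers specified
try:
    profile_dict = {
        "name": "invalid-profile",
        "folder": "Shared",
        "device": "fw01",  # Can't specify both folder and device
        "ssl_protocol_settings": {
            "min_version": "tls1-2",
            "max_version": "tls1-3",
        },
    }
    # NOTE(review): api_client is not defined on this page; presumably an
    # initialised SCM API client created beforehand -- confirm.
    profile = DecryptionProfile(api_client)
    response = profile.create(profile_dict)
except ValueError as e:
    print(e)  # "Exactly one of 'folder', 'snippet', or 'device' must be provided."

# Using model directly
from scm.models.security import DecryptionProfileCreateModel

# Error: no container specified
try:
    # Bound to its own name so that `profile` keeps referring to the
    # DecryptionProfile client created above.
    profile_model = DecryptionProfileCreateModel(
        name="invalid-profile",
        ssl_protocol_settings={
            "min_version": "tls1-2",
            "max_version": "tls1-3",
        },
    )
except ValueError as e:
    print(e)  # "Exactly one of 'folder', 'snippet', or 'device' must be provided."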
SSL Version Validation
The SSL protocol settings enforce that max_version cannot be less than min_version:
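# Version-range validation: max_version below min_version is rejected,
# so an inverted range cannot be stored by mistake.

# Using dictionary
# `profile` is the DecryptionProfile client from the previous example.
try:
    profile_dict = {
        "name": "invalid-profile",
        "folder": "Shared",
        "ssl_protocol_settings": {
            "min_version": "tls1-2",
            "max_version": "tls1-1",  # Invalid: max < min
        },
    }
    response = profile.create(profile_dict)
except ValueError as e:
    print(e)  # "max_version cannot be less than min_version"

# Using model directly
from scm.models.security import SSLProtocolSettings

try:
    settings = SSLProtocolSettings(
        min_version="tls1-2",
        max_version="tls1-1",  # Invalid: max < min
    )
except ValueError as e:
    print(e)  # "max_version cannot be less than min_version"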
Usage Examples
Creating a Basic Decryption Profile
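# Basic profile with an explicit TLS 1.2 - TLS 1.3 version range.
#
# NOTE(review): the attribute table on this page lists min_version as
# defaulting to tls1_0 and the MD5, SHA1, 3DES and RC4 flags as defaulting
# to True. This example raises the version floor but does not set any of
# those flags to False; decide explicitly whether legacy algorithms should
# stay allowed instead of relying on the defaults.

# Using dictionary
profile_dict = {
    "name": "basic-profile",
    "folder": "Shared",
    "ssl_protocol_settings": {
        "min_version": "tls1-2",
        "max_version": "tls1-3",
        "auth_algo_sha256": True,
        "auth_algo_sha384": True,
    },
}
# NOTE(review): api_client is not defined on this page; presumably an
# initialised SCM API client -- confirm.
profile = DecryptionProfile(api_client)
response = profile.create(profile_dict)

# Using model directly
from scm.models.security import (
    DecryptionProfileCreateModel,
    SSLProtocolSettings,
    SSLVersion,
)

# The model gets its own name: rebinding `profile` here would make the
# later profile.create(...) call hit the model instead of the client.
profile_model = DecryptionProfileCreateModel(
    name="basic-profile",
    folder="Shared",
    ssl_protocol_settings=SSLProtocolSettings(
        min_version=SSLVersion.tls1_2,
        max_version=SSLVersion.tls1_3,
        auth_algo_sha256=True,
        auth_algo_sha384=True,
    ),
)
# exclude_unset=True serialises only the fields set above, so any algorithm
# flag left unset is not part of the payload.
payload = profile_model.model_dump(exclude_unset=True)
response = profile.create(payload)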
Creating a Profile with Forward Proxy Settings
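# Forward-proxy profile with the certificate checks set explicitly.
# `profile` is the DecryptionProfile client created in an earlier example.
#
# NOTE(review): going by their names, block_expired_certificate and
# block_untrusted_issuer control whether sessions with an expired or
# untrusted server certificate are blocked -- confirm the exact semantics
# against the SCM documentation before relying on them.

# Using dictionary
forward_proxy_dict = {
    "name": "forward-proxy-profile",
    "folder": "Shared",
    "ssl_forward_proxy": {
        "auto_include_altname": True,
        "block_expired_certificate": True,
        "block_untrusted_issuer": True,
        "strip_alpn": False,
    },
    "ssl_protocol_settings": {
        "min_version": "tls1-2",
        "max_version": "tls1-3",
    },
}
response = profile.create(forward_proxy_dict)

# Using model directly
from scm.models.security import (
    DecryptionProfileCreateModel,
    SSLForwardProxy,
    SSLProtocolSettings,
    SSLVersion,
)

forward_proxy = DecryptionProfileCreateModel(
    name="forward-proxy-profile",
    folder="Shared",
    ssl_forward_proxy=SSLForwardProxy(
        auto_include_altname=True,
        block_expired_certificate=True,
        block_untrusted_issuer=True,
        strip_alpn=False,
    ),
    ssl_protocol_settings=SSLProtocolSettings(
        min_version=SSLVersion.tls1_2,
        max_version=SSLVersion.tls1_3,
    ),
)
# Only the fields set above are serialised (exclude_unset=True).
payload = forward_proxy.model_dump(exclude_unset=True)
response = profile.create(payload)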
Updating a Decryption Profile
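# Updating an existing profile, identified by its UUID.
# `profile` is the DecryptionProfile client created in an earlier example.
#
# NOTE(review): enc_algo_aes_256_gcm is used below but does not appear in
# the SSL Protocol Settings attribute table on this page -- confirm the
# field exists on the model before copying this example.

# Using dictionary
update_dict = {
    "id": "123e4567-e89b-12d3-a456-426655440000",
    "name": "updated-profile",
    "ssl_protocol_settings": {
        "min_version": "tls1-2",
        "max_version": "tls1-3",
        "auth_algo_sha384": True,
        "enc_algo_aes_256_gcm": True,
    },
}
response = profile.update(update_dict)

# Using model directly
# SSLProtocolSettings and SSLVersion are imported here as well, so the
# example runs without the imports of the earlier examples.
from scm.models.security import (
    DecryptionProfileUpdateModel,
    SSLProtocolSettings,
    SSLVersion,
)

update = DecryptionProfileUpdateModel(
    id="123e4567-e89b-12d3-a456-426655440000",
    name="updated-profile",
    ssl_protocol_settings=SSLProtocolSettings(
        min_version=SSLVersion.tls1_2,
        max_version=SSLVersion.tls1_3,
        auth_algo_sha384=True,
        enc_algo_aes_256_gcm=True,
    ),
)
# Only the fields set above are serialised (exclude_unset=True).
payload = update.model_dump(exclude_unset=True)
response = profile.update(payload)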