Palo Alto Target Connector CLI Configuration

This topic includes CLI commands and parameters for adding Active Directory target applications and target accounts.
Palo Alto Add Target Application CLI Parameters
To add a Palo Alto target application and connector using the CLI, use the addTargetApplication command and the following command parameters:
TargetApplication.type
The target application connector type.
Required: yes
Default Value: N/A
Valid Values: Palo Alto
Attribute.sshPort
Indicates the port that is used to connect to the host using SSH.
Required: no
Default Value: 22
Valid Values: 0-65535
Attribute.sshSessionTimeout
When using an SSH connection, specifies the amount of time in milliseconds that Credential Manager waits for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999
Attribute.scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
Required: no
Default Value: 5000
Valid Values: 5000-59999
Attribute.useUpdateScriptType
Specifies whether the default, revised, or replacement update script should be used. If you require a revised or replacement script, use the default script and contact CA Services.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'
Attribute.revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if you require a revised or replacement script.
Required: no
Default Value: N/A
Valid Values: a file name
Attribute.useVerifyScriptType
Specifies whether the default, revised, or replacement verify script is used. If you require a revised or replacement script, use the default script and contact CA Services.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'
Attribute.revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if you require a revised or replacement script.
Required: no
Default Value: N/A
Valid Values: a file name
Attribute.userNameEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a user name.
Required: no
Default Value: (?si).*?(login|username):.*?
Valid Values: valid regular expression syntax
Attribute.passwordEntryPrompt
A regular expression that matches the prompt produced by the remote host when it requests a password.
Required: no
Default Value: (?si)(.*?password(\sfor|:).*?)
Valid Values: valid regular expression syntax
Attribute.passwordConfirmationPrompt
A regular expression that matches the prompt produced by the remote host when it requests a password be confirmed.
Required: no
Default Value (AIX): (?si).*?new password.*?
Default Value (all other platforms): (?si).*?password:.*?)
Valid Values: valid regular expression syntax
Attribute.passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired.
Required: no
Default Value: (?si).*?change your password.*?
Valid Values: valid regular expression syntax
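The prompt defaults above can be exercised before they are changed. The following is an added example, not part of the product or its documentation: it checks each default against the "valid regular expression syntax" rule and shows which defaults match a few constructed prompts. It assumes Python's re module as a stand-in for the product's regex engine, and it tests the non-AIX confirmation default exactly as printed, trailing parenthesis included.

```python
import re

# Default patterns exactly as printed in the table above.
DEFAULTS = {
    "userNameEntryPrompt": r"(?si).*?(login|username):.*?",
    "passwordEntryPrompt": r"(?si)(.*?password(\sfor|:).*?)",
    "passwordConfirmationPrompt (AIX)": r"(?si).*?new password.*?",
    "passwordConfirmationPrompt (other)": r"(?si).*?password:.*?)",
    "passwordChangePrompt": r"(?si).*?change your password.*?",
}

def invalid_patterns(patterns):
    """Names of patterns that fail the 'valid regular expression syntax' rule."""
    bad = []
    for name, pattern in patterns.items():
        try:
            re.compile(pattern)
        except re.error:
            bad.append(name)
    return bad

def matching(prompt, patterns):
    """Names of the syntactically valid patterns that match the whole prompt."""
    skip = set(invalid_patterns(patterns))
    return [name for name, pattern in patterns.items()
            if name not in skip and re.fullmatch(pattern, prompt)]

# Constructed sample prompts; capture the real ones from the target device.
SAMPLE_PROMPTS = [
    "login: ",
    "Password: ",
    "Enter new password: ",
    "You must change your password now\nEnter old password: ",
]

if __name__ == "__main__":
    print("invalid:", invalid_patterns(DEFAULTS))
    for prompt in SAMPLE_PROMPTS:
        print(repr(prompt), "->", matching(prompt, DEFAULTS))
```

The last two sample prompts each match more than one default, so a custom pattern should be checked against every prompt the device can emit, not only the one it is written for.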
Palo Alto Add Target Account CLI Parameters
To add an Active Directory target account that uses the target connector, use the addTargetAccount command and the following command parameters:
Attribute.useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Required: yes
Default Value: false
Valid Values: true, false
Attribute.otherAccount
Specifies which other account to use when updating the target account.
Required: yes if Attribute.useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a valid target account ID
Attribute.protocol
Specifies the protocol to use for communicating with the remote host.
Required: yes if useOtherAccountToChangePassword is false
Default Value: SSH2_PASSWORD_AUTH
Valid Values: SSH2_PASSWORD_AUTH
Attribute.pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Required: yes
Default Value: user
Valid Values: user, privileged
Attribute.useOtherPrivilegedAccount
Required: yes
Default Value: false
Valid Values: true, false
Attribute.otherPrivilegedAccount
Required: no
Default Value: N/A
Valid Values: a valid target account ID
Attribute.changeAuxLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false
Attribute.changeConsoleLoginPassword
Required: yes
Default Value: N/A
Valid Values: true, false
Attribute.changeVtyLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false
Attribute.numVTYPorts
Required: yes if changeVtyLoginPassword is true
Default Value: N/A
Valid Values: 1-15
Palo Alto CLI Example
cmdName=addTargetApplication TargetServer.hostName=www.ca.com TargetApplication.type=????? TargetApplication.name=PaloAlto Attribute.extensionType=????? Attribute.useDefaultUpdateScript=true Attribute.useDefaultVerifyScript=true

cmdName=addTargetAccount TargetServer.hostName=www.ca.com TargetApplication.name=PaloAlto TargetAccount.userName=account1 TargetAccount.password=password1 Attribute.protocol=SSH2_PASSWORD_AUTH Attribute.useOtherAccountToChangePassword=false Attribute.pwType=user Attribute.useOtherPrivilegedAccount=false Attribute.changeAuxLoginPassword=false Attribute.changeConsoleLoginPassword=false Attribute.changeVtyLoginPassword=true Attribute.numVTYPorts=1
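A pre-flight check for command strings like the ones above, written against the Required, Default Value and Valid Values entries on this page. This is an added example, not part of the product or its CLI; the lint function, the shell-style quoting of values, and the sample command are assumptions made for illustration.

```python
import shlex

A = "Attribute."
# Constraints transcribed from the parameter tables on this page.
RANGES = {A + "sshPort": (0, 65535), A + "sshSessionTimeout": (1000, 99999),
          A + "scriptTimeout": (5000, 59999), A + "numVTYPorts": (1, 15)}
SCRIPT_TYPES = {"DEFAULT", "REVISED", "REPLACEMENT"}
BOOLEAN = {"true", "false"}
ENUMS = {A + "useUpdateScriptType": SCRIPT_TYPES, A + "useVerifyScriptType": SCRIPT_TYPES,
         A + "protocol": {"SSH2_PASSWORD_AUTH"}, A + "pwType": {"user", "privileged"},
         A + "useOtherAccountToChangePassword": BOOLEAN, A + "useOtherPrivilegedAccount": BOOLEAN,
         A + "changeAuxLoginPassword": BOOLEAN, A + "changeConsoleLoginPassword": BOOLEAN,
         A + "changeVtyLoginPassword": BOOLEAN}
REQUIRED = {"addTargetApplication": ["TargetApplication.type"],
            "addTargetAccount": [A + "useOtherAccountToChangePassword", A + "pwType",
                                 A + "useOtherPrivilegedAccount",
                                 A + "changeConsoleLoginPassword"]}
# (trigger attribute, trigger value, attribute that is then required)
CONDITIONAL = [(A + "useOtherAccountToChangePassword", "true", A + "otherAccount"),
               (A + "useOtherAccountToChangePassword", "false", A + "protocol"),
               (A + "changeVtyLoginPassword", "true", A + "numVTYPorts")]

def lint(command):
    """Return the problems found in one key=value command string."""
    # Assumption: values are quoted shell-style; shlex strips the quotes.
    args = dict(tok.split("=", 1) for tok in shlex.split(command) if "=" in tok)
    problems = [f"missing required {key}"
                for key in REQUIRED.get(args.get("cmdName"), []) if key not in args]
    for trigger, value, needed in CONDITIONAL:
        if args.get(trigger) == value and needed not in args:
            problems.append(f"{needed} is required when {trigger}={value}")
    for key, val in args.items():
        if key in RANGES:
            low, high = RANGES[key]
            if not (val.isdecimal() and low <= int(val) <= high):
                problems.append(f"{key}={val} is outside {low}-{high}")
        elif key in ENUMS and val not in ENUMS[key]:
            problems.append(f"{key}={val} is not one of {sorted(ENUMS[key])}")
    return problems

# Constructed sample with three deliberate mistakes.
BAD_ACCOUNT = ("cmdName=addTargetAccount TargetApplication.name=PaloAlto "
               "Attribute.useOtherAccountToChangePassword=true Attribute.pwType=enable "
               "Attribute.useOtherPrivilegedAccount=false "
               "Attribute.changeConsoleLoginPassword=false "
               "Attribute.changeVtyLoginPassword=true Attribute.numVTYPorts=16")

if __name__ == "__main__":
    for problem in lint(BAD_ACCOUNT):
        print(problem)
```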