Automation of partial config load from xml

r000m5 — Thu, 29 Dec 2022 18:07:16 GMT

Hello,

TL;DR : I use PA-VM 10.0.4 and paloaltonetworks.panos 2.12.2 galaxy ansible modules. Do you know a way to automate a partial config load from xml ? Ideally using ansible but maybe using API or python ? I tried several things with ansible, none of them are working.

Ultimately I'd like to automate the use of this command, which is OK with CLI :

load config partial from-xpath /config/devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"] to-xpath /config/devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"] mode replace from capirca.xml

Let's consider this command first, which is also OK with CLI :

load config partial mode replace from capirca.xml

I tried to automate using ansible. The Ansible panos_loadcfg module does not allow partial config load.

So I tried this task using ansible :

- name: load configuration paloaltonetworks.panos.panos_op: provider: "{{ palo_provider }}" cmd: 'load config partial mode replace from capirca.xml' cmd_is_xml: false

I get this Error even though the command is OK using CLI : load config partial mode replace from \"capirca.xml\" : load -> config -> partial -> mode is invalid

The full traceback is: File "/tmp/ansible_paloaltonetworks.panos.panos_op_payload_toh3va6v/ansible_paloaltonetworks.panos.panos_op_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_op.py", line 186, in main File "/home/r0m/.local/lib/python3.9/site-packages/panos/firewall.py", line 242, in op return super(Firewall, self).op( File "/home/r0m/.local/lib/python3.9/site-packages/panos/base.py", line 4047, in op element = self.xapi.op(cmd, vsys, False, extra_qs, retry_on_peer=retry_on_peer) File "/home/r0m/.local/lib/python3.9/site-packages/panos/base.py", line 3899, in method raise the_exception fatal: [fw-test]: FAILED! => { "changed": false, "invocation": { "module_args": { "api_key": null, "cmd": "load config partial mode replace from capirca.xml", "cmd_is_xml": false, "ignore_disconnect": null, "ip_address": null, "password": null, "port": 443, "provider": { "api_key": null, "ip_address": "fw-test.local.r0.me", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "port": 443, "serial_number": null, "username": "admin" }, "username": "admin", "vsys": "vsys1" } }, "msg": "Failed to run command : load config partial mode replace from \"capirca.xml\" : load -> config -> partial -> mode is invalid"

It's worth noting that this command is working. Unfortunately, I really need a partial load.

- name: load configuration paloaltonetworks.panos.panos_op: provider: "{{ palo_provider }}" cmd: 'load config from capirca.xml' cmd_is_xml: false

Will anyone be able to help me with partial config load automation ?

Regards !

Romain

Re: Automation of partial config load from xml

r000m5 — Fri, 30 Dec 2022 14:06:12 GMT

I found the solution :

- name: load configuration paloaltonetworks.panos.panos_op: provider: "{{ palo_provider }}" cmd: '<load><config><partial><from-xpath>/config/devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"]</from-xpath><to-xpath>/config/devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"]</to-xpath><mode>replace</mode><from>capirca.xml</from></partial></config></load>' cmd_is_xml: true

I was able to get the xml version of the command using

debug cli on

topic Automation of partial config load from xml in Next-Generation Firewall Discussions

Automation of partial config load from xml

Re: Automation of partial config load from xml