topic Ansible Panos_security_rule "find" option isn't working? in Automation/API Discussions

Ansible Panos_security_rule "find" option isn't working?

RobertNunez — Mon, 08 Apr 2019 18:23:26 GMT

Hi All,

I am testing all PaloAlto's Ansible modules here and I'm keep getting the following error when using "operation: find"

Here is my playbook:

---
- name: Testing Palo Alto Panorama Panos_Security_rule module
connection: local
hosts: panorama
vars:
pan_username: palo_ansible
pan_password: somepasswd

tasks:
- name: Find a specific security rule
panos_security_rule:
ip_address: '1.2.3.4'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
operation: 'find'
rule_name: 'NTP_permit'
register: result

- debug: msg='{{result.stdout_lines}}'

And here is the error:

Rule 'NTP_permit' not found. Is the name correct?

I already register this new rule and commit all changes. I can delete the same policy without any issues; however, the operation "find" isn't working as recommended here: http://paloaltonetworks.github.io/ansible-pan/modules/panos_security_rule_module.html or https://docs.ansible.com/ansible/2.4/panos_security_rule_module.html

I am running Ansible core v2.7.8 with Python 2.7.5 and Panorama v8.1.3. Any idea if this option works?

Thanks,

Roberto

Re: Ansible Panos_security_rule "find" option isn't working?

ffadhil — Thu, 18 Apr 2019 20:24:21 GMT

Hi Robero,

Mine works fine. can you make yours like this(added #state: 'present'):

---
- name: Testing Palo Alto Panorama Panos_Security_rule module
connection: local
hosts: panorama
vars:
pan_username: palo_ansible
pan_password: somepasswd

tasks:
- name: Find a specific security rule
panos_security_rule:
ip_address: '1.2.3.4'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
operation: 'find'

#state: 'present'
rule_name: 'NTP_permit'
register: result

- debug: msg='{{result.stdout_lines}}'

Re: Ansible Panos_security_rule "find" option isn't working?

RobertNunez — Wed, 24 Apr 2019 18:03:42 GMT

Hi There!,

Thanks for your reply. I understand the "state" variable is not supported by panos_security_rule module; thus adding or removing this option will not make any difference.

Per some unknown reason this playbook still reporting the same error and I don't know how to escalate it.

Best regards,

Roberto

Re: Ansible Panos_security_rule "find" option isn't working?

gfreeman — Thu, 25 Apr 2019 16:48:36 GMT

A few things:

I don't see you pulling in the Ansible role with your playbook. Palo Alto Networks is using Ansible Galaxy roles to distribute the latest versions of the modules, so you should be using that. Here is the link: https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks

The operation parameter is being removed (from all modules) in favor of state, which is more inline with Ansible standards. Having said that, if you are trying to determine, "if I run this kind of traffic, what rule will that match?" then the module you want to use is panos_match_rule.

Hope this helps!

Re: Ansible Panos_security_rule "find" option isn't working?

RobertNunez — Thu, 25 Apr 2019 19:20:52 GMT

Thanks for the information and your help here; however, this isn't working either. When running "panos_match_rule" module I got the following error:

========================

fatal: [mypanorama]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"application": "ntp",
"category": null,
"destination_ip": "any",
"destination_port": 123,
"destination_zone": null,
"ip_address": "1.2.3.4",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"rule_type": "security",
"source_ip": "any",
"source_port": null,
"source_user": null,
"source_zone": null,
"to_interface": null,
"username": "ansiblepan",
"vsys_id": "vsys3456"
}
}
}

MSG:

Panorama is not supported.

========================

However!, what I did find out was that "panos_query_rules" works when using the following playbook:

tasks:
- name: Find a specific security rule
panos_query_rules:
ip_address: '{{ firewall_host }}'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
tag_name: 'NTP_permit'
devicegroup: 'LABGroup'
register: result

I really appreciate you guys helped me here. My concern is that the official PAN and Ansible documentation isn't accurate, as you can see in the last example described at https://docs.ansible.com/ansible/latest/modules/panos_security_rule_module.html.

Thanks!

Re: Ansible Panos_security_rule "find" option isn't working?

gfreeman — Thu, 25 Apr 2019 20:04:01 GMT

So, this is part of the confusion that we are trying to handle.

There are two distinct groups of panos_* Ansible modules. The first is what you get when you install Ansible. The second is what you get when you use the Ansible Galaxy role. Your link is the documentation for what you get when you install Ansible. The documentation for the Ansible Galaxy role is located here: https://paloaltonetworks.github.io/ansible-pan/