topic Ansible Module ver 2.2 does not support sec rule update operation deprecated in Automation/API Discussions

Ansible Module ver 2.2 does not support sec rule update operation deprecated

mesgun — Mon, 17 Jun 2019 17:53:45 GMT

Newly Ansible Module ver 2.2 does not support sec rule update. operation keyword is deprecated and state key only has absent or present values.

I have also experienced after creating sec-rule, objects are not created automatically. I can see the rule is created with the specified source and destination ips but objects of the ip addresses not present in the objects section.

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

gfreeman — Mon, 17 Jun 2019 18:23:36 GMT

Regarding operation being replaced with state, this is intended. Using state, you either assert you want something to exist (and be configured as specified) or not exist (whether it was there previously or not). This is a huge quality of life improvement as you no longer need pre-existing knowledge to use the modules effectively.

Regarding address objects being "created automatically," I am not sure I understand what you're saying. Are you saying that an object would not exist previously and then would exist and be defined after calling panos_security_rule...? Or that you specify address objects in the source and destinations but those are not present in the resulting security rule..?

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

mesgun — Mon, 17 Jun 2019 18:49:08 GMT

Thank You gfreeman for your reply

As far as i understand from your explaining i can update an existing sec-rule by just using its name .

Let me ask the second part other way.

Do i have to create address objects before i add security rule ?.

Or if i add a security rule via ansible, shouldn't be objects created automatically in the firewall ?

In my case i see the security rule is created and in the rule row i can see the source ip but in the objects tab i cannot see the object i have used in the rule.

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

mesgun — Tue, 18 Jun 2019 04:13:19 GMT

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

gfreeman — Tue, 18 Jun 2019 17:27:08 GMT

In your playbook, you need to use IP addresses when you want a freeform IP address, or names (for example, names of address objects) if you want to use a named object.

Let me use your "Action Test" rule as an example, as it has two IPs. Since I don't know what the name of "1.2.3.4" is in your firewall, I'll just name it "ansible-address-object".

Here's my full playbook:

- name: Network Playbook
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab auth creds
    include_vars: 'vars.yml'
    no_log: 'yes'

  - name: create address object
    panos_address_object:
      provider: '{{ aws_provider }}'
      name: 'ansible-address-object'
      value: '1.2.3.4'
      description: 'created by Ansible'
      commit: false

  - name: create security rule using the address object
    panos_security_rule:
      provider: '{{ aws_provider }}'
      rule_name: 'Action Test'
      source_ip: ['ansible-address-object', '2.3.4.5']
      action: 'deny'
      service: ['service-http']
      commit: false

This playbook results in a new address object being created named "ansible-address-object", and then that object is used in the source address field of my "Action Test" rule.

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

mesgun — Wed, 19 Jun 2019 06:21:04 GMT

Thank You for your detailed reply @gfreeman I have used the sample you have sent and see the added address object in the firewall.

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

JeremyViteka — Mon, 27 Jan 2020 16:39:06 GMT

I am having a similar issue with not being able to update an existing rule. Has this functionality been completely removed?