topic ansible zone creation failing in Automation/API Discussions

ansible zone creation failing

Pouyesh1 — Wed, 08 Apr 2020 05:25:32 GMT

i'm trying to run the following task in my play to create a bunch of new L3 subinterfaces on ae2 and then add them to the appropriate security zone. if i try to assign the zone as part of the panos_l3_subinterface, or through a different play (as shown in code vs commented out section) i get the same error message.

my understanding is that if i dont have the zone created it should create it .. however it keeps complaining about the mode..

failed: [my-panorama] (item=adding zone: Z-VL-1200 ) => {"ansible_loop_var": "item", "changed": false, "item": {"brm_srv_fw_interface": "ae2", "brm_srv_fw_vlan_ip_address": "10.218.0", "kam_srv_fw_interface": "ae2", "kam_srv_fw_vlan_ip_address": "10.11.0", "srv_fw_zone_name": "Z-VL-1200", "vic_srv_fw_interface": "ae2", "vic_srv_fw_vlan_ip_address": "10.11.128", "vlan_id": "1200", "vlan_name": "Seg-VL-1200"}, "msg": "Failed apply: Z-VL-1200 -> network -> layer3 '[ae2.1200]' is not a valid reference\n Z-VL-1200 -> network -> layer3 is invalid"}

tasks: - name: make Interfaces in Test-Template panos_l3_subinterface: provider: '{{ PANO_Provider }}' enable_dhcp: no name: "ae2.{{ item.vlan_id }}" tag: '{{ item.vlan_id }}' vr_name: vr-inside #zone_name: '{{ item.srv_fw_zone_name }}' ip: ["{{ item.kam_srv_fw_vlan_ip_address }}.1/24"] template: Test-Template loop: '{{ build_vlan }}' loop_control: label: "adding interface: ae2.{{ item.vlan_id }}" - name: make zones on Test-Template panos_zone: provider: '{{ PANO_Provider }}' zone: '{{ item.srv_fw_zone_name }}' mode: "layer3" enable_userid: yes interface: "[ae2.{{ item.vlan_id }}]" template: Test-Template loop: '{{ build_vlan }}' loop_control: label: 'adding zone: {{ item.srv_fw_zone_name }} '

Re: ansible zone creation failing

Pouyesh1 — Wed, 08 Apr 2020 16:32:33 GMT

in case anyone can help here, i ran a simpler play with -vvvv enabled

The full traceback is: File "/tmp/ansible_panos_l3_subinterface_payload_qkpcbcde/ansible_panos_l3_subinterface_payload.zip/ansible/modules/panos_l3_subinterface.py", line 273, in main File "/usr/local/lib/python3.6/site-packages/pandevice/network.py", line 325, in set_zone update, running_config, return_type, False, mode=mode) File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 1522, in _set_reference obj.update(reference_var) File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 633, in update retry_on_peer=self.HA_SYNC) File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 3486, in method raise the_exception fatal: [my-panorama]: FAILED! => { "changed": false, "invocation": { "module_args": { "adjust_tcp_mss": null, "api_key": null, "comment": null, "create_default_route": false, "dhcp_default_route_metric": null, "enable_dhcp": false, "ip": [ "10.11.1.1/24" ], "ip_address": null, "ipv4_mss_adjust": null, "ipv6_enabled": null, "ipv6_mss_adjust": null, "management_profile": null, "mtu": null, "name": "ae2.1200", "netflow_profile": null, "password": null, "port": 443, "provider": { "api_key": null, "ip_address": "vic-panora-lpr1", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "port": 443, "serial_number": null, "username": "ansible-play" }, "state": "present", "tag": 1200, "template": "xxx-KAM-SRV-FW", "username": "admin", "vr_name": "default", "vsys": null, "zone_name": "TEST3" } }, "msg": "Failed setref: TEST3 -> network -> layer3 'ae2.1200' is not a valid reference\n TEST3 -> network -> layer

this was the play:

- name: adds security zones, interfaces and firewall rules hosts: my-panorama connection: local gather_facts: False vars_files: - 'build-vlan.yml' - 'firewall-rules.yml' - 'my-secrets.yml' #- 'ios.yml' #{{ item.patunnel_name }} # -e 'ansible_python_interpreter=/usr/bin/python3' roles: - role: PaloAltoNetworks.paloaltonetworks tasks: - name: make Interfaces in Test-Template panos_l3_subinterface: provider: '{{ PANO_Provider }}' enable_dhcp: no name: "ae2.1200" tag: 1200 zone_name: TEST3 ip: ["10.11.1.1/24"] template: xxx-KAM-SRV-FW

Re: ansible zone creation failing

Pouyesh1 — Thu, 09 Apr 2020 15:49:01 GMT

Fixed the issue - it seems that if the aggregate was created manually and it was NOT PUT INTO a VR then the subinterfaces through scripting get that error.. panorama seems to manually allow this to get bypassed.. however most of my firewalls have their AE created by a partner and they weren't put into a VR... adding them to VR allowed the scripts to run.