topic Re: Ansible error while fetching zone from Panorama template stack in Automation/API Discussions

Ansible error while fetching zone from Panorama template stack

MAULIK_NUTA — Wed, 29 Jun 2022 13:15:40 GMT

Hi ,

i'm preparing for IPSEC in palo alto using Ansible. we have panorama template stack used for zone configuration to all firewall.

when we tried to configure tunnel interface and attached to zone( zone was inherited from template stack) , i'm getting below error..

"msg": "Failed setref: edit failed, may need to override template object XYZ first "

Ansible task sample:

---
- hosts: PALO_HOST
connection: local
gather_facts: false

collections:
- paloaltonetworks.panos

tasks:
- name: load var
include_vars: provider.yaml

- name: Create tunnel interfaces
paloaltonetworks.panos.panos_tunnel:
provider: '{{ provider }}'
if_name: '{{ item.tunnel_id }}'
ip: '{{ item.ip }}/30'
management_profile: 'PING-ONLY'
state: 'present'
# template: 'NA-LAB_stack'
zone_name: 'XYZ'
vr_name: 'default'
commit: False
comment: "to-aws-{{ item.id }}"
with_items:
- { ip : '4.4.4.4' , tunnel_id : 'tunnel.119', id : '1' }
- { ip : '4.4.4.5' , tunnel_id : 'tunnel.120' , id : '2'}

Re: Ansible error while fetching zone from Panorama template stack

aleksandar.astardzhiev — Thu, 07 Jul 2022 12:36:23 GMT

Hi @MAULIK_NUTA ,

Let me check if I get your setup correctly:

- You have Panorama that push Zones definition to managed firewalls

- You are using Anisible to create IPsec tunnel locally on the firewall (not through the Panorama)

Correct?

Although the GUI allow you to define the zone under the interface, the actual configuration is the opposite - interfaces are assigned to zones

zone { VPN-Tunnel { network { layer3 [ tunnel.2 tunnel.1]; log-setting default; enable-packet-buffer-protection yes; } } }

So when you push Zone definition from Panorama it is not part of the firewall local config - you cannot see it in the extract running-config.xml, nor under CLI (in config mode # show zone). So when you create the tunnel interface locally it cannot be assigned to the required zone, because it is not part of the local configuration so it definition does not exist.

As the error suggest you need to override the zone definition pushed by Panorama template. This will create zone definition in the local fw config, to which you can add the new local tunnel interface.

Re: Ansible error while fetching zone from Panorama template stack

MAULIK_NUTA — Mon, 11 Jul 2022 12:49:46 GMT

hi @aleksandar.astardzhiev ,

that's correct.. that's what i was looking for...i made adjustment and created tunnel config first then created zone , attached interface as a layer 3 to it,...still getting same error...

- name: Create tunnel interfaces
panos_tunnel:
provider: '{{ provider }}'
if_name: '{{ item.tunnel_id }}'
ip: '{{ item.ip }}/30'
management_profile: 'PING-ONLY'
state: 'present'
# template: 'NA-LAB_stack'
#zone_name: 'AWS-REMOTE-ZONE'
vr_name: 'default'
commit: False
comment: "to-aws-{{ item.id }}"
with_items:
- { ip: '{{parsed_vpn.vpn_connection.ipsec_tunnel[0].customer_gateway.tunnel_inside_address.ip_address}}' ,tunnel_id : '{{ tunnel_id_1 }}', id : '1'} ##
- { ip: '{{parsed_vpn.vpn_connection.ipsec_tunnel[1].customer_gateway.tunnel_inside_address.ip_address}}' ,tunnel_id : '{{ tunnel_id_2 }}', id : '2'}

- name: create zone and attached to interface
panos_zone:
provider: '{{ provider }}'
state: 'present'
zone: 'AWS-REMOTE-ZONE'
mode: 'layer3'
interface: ['tunnel.109']

error: FAILED! => {"changed": false, "msg": "Failed apply: edit failed, may need to override template object AWS-REMOTE-ZONE first"}

Re: Ansible error while fetching zone from Panorama template stack

aleksandar.astardzhiev — Mon, 11 Jul 2022 20:55:11 GMT

Hi @MAULIK_NUTA

If you search for the error "may need to override template" in the forum search you can see couple of people also received such error, but in most case the problem was in their syntax, so I am wondering if the error is actually misleading and your real problem is something else.

Have you tried to create the tunnel interfaces without assigning them to zone and without creating the zone.

Another approach would be to try to override the zone, not creating it. https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_type_cmd.html?highlight=override

Re: Ansible error while fetching zone from Panorama template stack

MAULIK_NUTA — Mon, 18 Jul 2022 12:25:05 GMT

@aleksandar.astardzhiev i have create the tunnel interfaces without assigning them to zone and that did work...also as you suggested i tried to overrid zone using xpath/xml api , it did work too.