Gather info with panos_security_rule

zol123 — Tue, 04 Oct 2022 11:15:41 GMT

Hi
I dont fully understand how to use the panos_security_rule module to find rule panos_security_rule to find rules since https://github.com/PaloAltoNetworks/pan-os-ansible/blob/develop/plugins/modules/panos_security_rule_facts.py seems to be deprecated.
What i do want is to get all the defined rules in the firewall.

My supersimple playbook looks like this:

--
- name: Network Playbook
hosts: all
connection: local
gather_facts: false

vars:
sec_rules:
ip_address: 1.1.1.1
vars_prompt:

- name: password
prompt: password
- name: username
prompt: username
private: no

collections:
- paloaltonetworks.panos

tasks:
- name: Get all rules
panos_security_rule:
ip_address: " {{ ip_address }} "
username: " {{ username }} "
password: " {{ password }} "
rulebase: rulebase
state: 'gathered'
register: sec_rules

- debug:
msg: '{{ sec_rules }}'

I get this output.

ansible-playbook [core 2.12.3]
config file = None
configured module search path = ['/home/labb/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/labb/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/labb/.ansible/collections:/usr/share/ansible/collections
executable location = /home/labb/.local/bin/ansible-playbook
python version = 3.9.10 (main, Mar 16 2022, 15:24:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
jinja version = 3.0.3
libyaml = True
No config file found; using defaults
host_list declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
script declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
auto declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
[WARNING]: While constructing a mapping from /ansible/ansible/fwtest, line 4, column 5, found a duplicate dict key (ansible_connection). Using last defined value only.
Parsed /ansible/ansible/fwtest inventory source with yaml plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: palo.yaml ******************************************************************************************************************************************************
1 plays in palo.yaml
password:
username: alo

PLAY [Network Playbook] **************************************************************************************************************************************************
META: ran handlers

TASK [Get all rules] *****************************************************************************************************************************************************
task path: /ansibles/FW/palo.yaml:23
<1.1.1.1> ESTABLISH LOCAL CONNECTION FOR USER: labb
<1.1.1.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22 `"&& mkdir "` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340 `" && echo ansible-tmp-1664879620.1387732-92355-183172280362340="` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340 `" ) && sleep 0'
Using module file /home/labb/.ansible/collections/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_security_rule.py
<1.1.1.1> PUT /home/labb/.ansible/tmp/ansible-local-9234529bmja22/tmp80mh80tb TO /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py
<1.1.1.1> EXEC /bin/sh -c 'chmod u+x /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/ /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py && sleep 0'
<1.1.1.1> EXEC /bin/sh -c '/usr/local/bin/python3.9 /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py && sleep 0'
<1.1.1.1> EXEC /bin/sh -c 'rm -f -r /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/ > /dev/null 2>&1 && sleep 0'
fatal: [1.1.1.1]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"action": "allow",
"antivirus": null,
"api_key": null,
"application": [
"any"
],
"audit_comment": null,
"category": [
"any"
],
"commit": null,
"data_filtering": null,
"description": null,
"destination_ip": [
"any"
],
"destination_zone": [
"any"
],
"device_group": "shared",
"devicegroup": null,
"disable_server_response_inspection": false,
"disabled": false,
"existing_rule": null,
"file_blocking": null,
"group_profile": null,
"group_tag": null,
"hip_profiles": null,
"icmp_unreachable": null,
"ip_address": " 1.1.1.1 ",
"location": null,
"log_end": true,
"log_setting": null,
"log_start": false,
"negate_destination": false,
"negate_source": false,
"negate_target": null,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"provider": null,
"rule_name": null,
"rule_type": "universal",
"rulebase": "rulebase",
"schedule": null,
"service": [
"application-default"
],
"source_ip": [
"any"
],
"source_user": [
"any"
],
"source_zone": [
"any"
],
"spyware": null,
"state": "gathered",
"tag_name": null,
"target": null,
"url_filtering": null,
"username": " ansible ",
"uuid": null,
"vsys": "vsys1",
"vulnerability": null,
"wildfire_analysis": null
}
},
"msg": "missing required arguments: rule_name"
}

PLAY RECAP ***************************************************************************************************************************************************************
1.1.1.1 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Im runing against a single device not panorama, if that matter?

Re: Gather info with panos_security_rule

JimmyHolland — Mon, 10 Oct 2022 16:29:51 GMT

Hi @zol123, the panos_security_rule_facts module still works, it is not fully deprecated, so at this time I would recommend continuing to utilise it for this use case

Re: Gather info with panos_security_rule

gfreeman — Wed, 19 Oct 2022 20:03:00 GMT

The Ansible collection was just updated (v2.11.0) with a new parameter, gathered_filter. You can use this parameter to finally fully replace the panos_security_rule_facts module. If you want everything, then it's as simple as doing this:

- name: Get all security rules panos_security_rule: provider: '{{ provider_dict }}' state: 'gathered' gathered_filter: '*' register: ans - debug: msg: '{{ ans }}'

Re: Gather info with panos_security_rule

zol123 — Mon, 24 Oct 2022 10:19:52 GMT

Thanks

topic Re: Gather info with panos_security_rule in Automation/API Discussions

Gather info with panos_security_rule

Re: Gather info with panos_security_rule

Re: Gather info with panos_security_rule

Re: Gather info with panos_security_rule