https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535096#M3335 <P>Researching that error message, I think something else is not quite right with your Ansible environment. Are the paths set correctly? Have you got the correct Python interpreter? And got the dependencies installed in the right place?</P> Mon, 20 Mar 2023 15:35:38 GMT JimmyHolland 2023-03-20T15:35:38Z https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/534909#M3332 <P>I am trying to figure out a way that I can use Ansible playbook to override the interzone-default rule to add 'logging at session end'.</P><P>&nbsp;</P><P>Have tried using panos_type_cmd but so far not having any luck.&nbsp; Just gettin the following error:</P><P>"module_stdout": "",<BR />"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",<BR />"rc": 1</P><P>&nbsp;</P><P>Here is what the task looks like in playbook:</P><P>&nbsp;</P><DIV><DIV><SPAN>tasks</SPAN><SPAN>:</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp;- </SPAN><SPAN>name</SPAN><SPAN>: </SPAN><SPAN>Set logging on interzone-default</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; paloaltonetworks.panos.panos_type_cmd</SPAN><SPAN>:</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; provider</SPAN><SPAN>: </SPAN><SPAN>'{{ device }}'</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xpath</SPAN><SPAN>: </SPAN><SPAN>"/config/predefined/default-security-rules/rules/entry[@name='interzone-default']/"</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; cmd</SPAN><SPAN>: </SPAN><SPAN>edit</SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; element</SPAN><SPAN>: </SPAN></DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;log-end&gt;yes&lt;/log-end&gt;</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Have also tried using 'set' command with no luck.</SPAN></DIV></DIV> Fri, 17 Mar 2023 19:34:35 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/534909#M3332 Jaromme 2023-03-17T19:34:35Z https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535040#M3333 <P>Those predefined inter and intra zone rules are slightly different, here's a task definition that works on my lab VM-Series, which I found using the GUI debug:</P> <LI-CODE lang="markup"> - name: Set logging on interzone-default paloaltonetworks.panos.panos_type_cmd: provider: '{{ device }}' xpath: | /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1'] /rulebase/default-security-rules/rules/entry[@name='interzone-default'] cmd: edit element: &lt;entry name="interzone-default"&gt;&lt;action&gt;deny&lt;/action&gt;&lt;log-end&gt;yes&lt;/log-end&gt;&lt;/entry&gt;</LI-CODE> <P>&nbsp;</P> <P>Hope that helps!</P> Mon, 20 Mar 2023 10:40:36 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535040#M3333 JimmyHolland 2023-03-20T10:40:36Z https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535092#M3334 <P>Thanks Jimmy!&nbsp;</P><P>&nbsp;</P><P>I tried the task you provided but am getting an error:</P><P>&nbsp;</P><P>"changed": true,<BR />"msg": "non-zero return code",<BR />"rc": 127,<BR />"stderr": "/bin/sh: show: command not found\n",<BR />"stderr_lines": [<BR />"/bin/sh: show: command not found"<BR />],<BR />"stdout": "",<BR />"stdout_lines": []</P> Mon, 20 Mar 2023 15:29:49 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535092#M3334 Jaromme 2023-03-20T15:29:49Z https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535096#M3335 <P>Researching that error message, I think something else is not quite right with your Ansible environment. Are the paths set correctly? Have you got the correct Python interpreter? And got the dependencies installed in the right place?</P> Mon, 20 Mar 2023 15:35:38 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535096#M3335 JimmyHolland 2023-03-20T15:35:38Z https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535110#M3336 <P>Nevermind, it was just me being dumb.&nbsp; I had two different playbooks I was testing and was running the wrong one.&nbsp; It works, Thanks!</P> Mon, 20 Mar 2023 16:03:05 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-change-interzone-default-logging/m-p/535110#M3336 Jaromme 2023-03-20T16:03:05Z