Security rule automation via "panos_security_rule" returned error

kenchung — Mon, 12 Jun 2023 04:43:33 GMT

I am new to Ansible and trying to set up automation for PA security rule via Ansible for customer. We have installed the panos module from Ansible galaxy and the required python libraries like pan-os-python. However, we encountered two issues when we tried to use the panos_security_rule module in our playbook.
1. If we include the log_setting parameter, the playbook will return error stating "unsupported parameter: log_setting", but from documentation it should not be the case.
2. if we exclude the log_setting parameter, the playbook will return error stating "hip-profiles unexpected here", but we don't use any hip profile in our case.

Error message screenshot attached. My playbook is something like below.

---
- name: PA configs
hosts: "{{ device_name }}"
connection: local
collections:
- paloaltonetworks.panos
gather_facts: no

vars:
date: "{{lookup('pipe','date \"+%Y-%m-%d\"')}}"
ansible_user: "ansible"
ansible_password: "password"
provider:
ip_address: "{{ansible_host}}"
username: "{{ansible_user}}"
password: "{{ansible_password}}"

tasks:

- name: Get REST API Key
uri:
validate_certs: no
url: 'https://{{ ansible_host }}/api/?type=keygen&user={{ ansible_user }}&password={{ ansible_password }}'
return_content: yes
method: GET
register: response_api_key

- name: Read XML response
xml:
content: 'text'
xmlstring: '{{ response_api_key.content }}'
xpath: '/response/result/key'
register: api_key

- name: Push PA config
panos_security_rule:
ip_address: "{{ansible_host}}"
username: "{{ansible_user}}"
password: "{{ansible_password}}"
rule_name: 'Ansible Test Rule'
source_zone: ['srczone']
source_ip: ['any']
destination_zone: ['dstzone']
destination_ip: ['1.1.1.1']
application: ['any']
log_end: true

log_setting: ['syslog profile']
group_profile: ['Sec_Profile_Grp']
action: 'allow'

- name: Commit
panos_commit:
ip_address: "{{ ansible_host}}"
username: "{{ ansible_host }}"
password: "{{ ansible_password }}"

Any help? Thanks.

Re: Security rule automation via "panos_security_rule" returned error

SimonT — Tue, 11 Jul 2023 06:26:52 GMT

hi @kenchung have a look at the reference documentation:

"log_setting" is a string but you put it in brackets which converts it to a list:

log_setting: ['syslog profile'].

you want: log_setting: 'syslog profile'

Same for group profile.

Unsure about the hip profile. There is a note in the documention saying not to use it. Maybe if you set gather facts to yes then version will correct that?

topic Security rule automation via "panos_security_rule" returned error in Automation/API Discussions

Security rule automation via "panos_security_rule" returned error

Re: Security rule automation via "panos_security_rule" returned error