Ansible Module ver 2.2 does not support sec rule update operation deprecated

L1 Bithead

The new Ansible Module ver 2.2 does not support sec rule update. The operation keyword is deprecated and the state key only has absent or present values.

I have also experienced that after creating a sec-rule, objects are not created automatically. I can see the rule is created with the specified source and destination IPs, but objects for the IP addresses are not present in the Objects section.


L4 Transporter

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

Regarding operation being replaced with state, this is intended. Using state, you either assert you want something to exist (and be configured as specified) or not exist (whether it was there previously or not). This is a huge quality-of-life improvement, as you no longer need pre-existing knowledge to use the modules effectively.

Regarding address objects being "created automatically," I am not sure I understand what you're saying. Are you saying that an object would not exist previously and then would exist and be defined after calling panos_security_rule? Or that you specify address objects in the source and destinations but those are not present in the resulting security rule?

L1 Bithead

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

Thank you, gfreeman, for your reply.

As far as I understand from your explanation, I can update an existing sec-rule by just using its name.

Let me ask the second part another way.

Do I have to create address objects before I add a security rule?

Or, if I add a security rule via Ansible, shouldn't the objects be created automatically in the firewall?

In my case I see the security rule is created, and in the rule row I can see the source IP, but in the Objects tab I cannot see the object I have used in the rule.


L1 Bithead

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

[Two screenshots attached: 2019-06-18 07_08_05-SEC-PA-VM100.png and 2019-06-18 07_12_00-SEC-PA-VM100.png]

L4 Transporter

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

In your playbook, you need to use IP addresses when you want a freeform IP address, or names (for example, names of address objects) if you want to use a named object.

Let me use your "Action Test" rule as an example, as it has two IPs. Since I don't know what the name of "1.2.3.4" is in your firewall, I'll just name it "ansible-address-object".

 

Here's my full playbook:

- name: Network Playbook
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab auth creds
    include_vars: 'vars.yml'
    no_log: 'yes'

  # The address object has to exist before a rule can reference it by name.
  - name: create address object
    panos_address_object:
      provider: '{{ aws_provider }}'
      name: 'ansible-address-object'
      value: '1.2.3.4'
      description: 'created by Ansible'
      commit: false

  # Named entries in source_ip resolve to address objects; dotted-quad
  # entries are taken as freeform IP addresses.
  - name: create security rule using the address object
    panos_security_rule:
      provider: '{{ aws_provider }}'
      rule_name: 'Action Test'
      source_ip: ['ansible-address-object', '2.3.4.5']
      action: 'deny'
      service: ['service-http']
      commit: false

This playbook results in a new address object being created named "ansible-address-object", and then that object is used in the source address field of my "Action Test" rule.
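The following playbook is an added example, not gfreeman's code from this thread or part of the Palo Alto Networks Ansible role. It carries the same object-then-rule flow one step further to show the state-based semantics discussed earlier in the thread: every task asserts a desired end state (state: present or state: absent) rather than naming an operation, and the same present task both creates the rule and, on a later run with changed fields, updates it in place. It assumes the same inventory group fw, the same vars.yml defining aws_provider, and the hypothetical extra variable remove_rule used to switch the teardown tasks on.

```yaml
# Added example (not from the thread): the create/update flow with explicit
# state keys, plus an optional teardown. Assumes 'fw', 'vars.yml' and
# 'aws_provider' as in the playbook above; 'remove_rule' is an assumed extra var.
- name: Assert desired state of an address object and a security rule
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Grab auth creds
      include_vars: 'vars.yml'
      no_log: 'yes'

    # state: present creates the object if it is missing and otherwise
    # reconciles its fields; no prior knowledge of the firewall is needed.
    - name: Address object must exist with this value
      panos_address_object:
        provider: '{{ aws_provider }}'
        name: 'ansible-address-object'
        value: '1.2.3.4'
        address_type: 'ip-netmask'
        description: 'created by Ansible'
        state: present
        commit: false
      when: not (remove_rule | default(false) | bool)

    # Re-running this task after editing a field (for example action or
    # source_ip) updates the existing 'Action Test' rule in place; this is
    # what replaces the old 'update' operation.
    - name: Security rule must exist with exactly this configuration
      panos_security_rule:
        provider: '{{ aws_provider }}'
        rule_name: 'Action Test'
        source_ip: ['ansible-address-object', '2.3.4.5']
        action: 'deny'
        service: ['service-http']
        state: present
        commit: false
      when: not (remove_rule | default(false) | bool)

    # Teardown runs in the reverse order: the rule first, because PAN-OS will
    # not delete an address object that is still referenced by a rule.
    - name: Security rule must not exist (no-op if already gone)
      panos_security_rule:
        provider: '{{ aws_provider }}'
        rule_name: 'Action Test'
        state: absent
        commit: false
      when: remove_rule | default(false) | bool

    - name: Address object must not exist once nothing references it
      panos_address_object:
        provider: '{{ aws_provider }}'
        name: 'ansible-address-object'
        state: absent
        commit: false
      when: remove_rule | default(false) | bool
```

Run it normally to create or update the object and rule, and with `ansible-playbook ... -e remove_rule=true` to remove both. Because each task describes the end state, running either mode twice in a row reports no further changes, which is the idempotency the state key is meant to give you.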

L1 Bithead

Re: Ansible Module ver 2.2 does not support sec rule update operation deprecated

Thank you for your detailed reply, @gfreeman. I have used the sample you sent and can see the added address object in the firewall.