Ansible Module ver 2.2 does not support sec rule update operation deprecated

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Ansible Module ver 2.2 does not support sec rule update operation deprecated

L1 Bithead

Newly Ansible Module ver 2.2 does not support sec rule update. operation keyword is deprecated and state key  only has absent or present values.

 

I have also experienced  after creating sec-rule, objects are not created automatically. I can see the rule is created with the specified source and destination ips but objects of the ip addresses not present in the objects section.

 

1 accepted solution

Accepted Solutions

In your playbook, you need to use IP addresses when you want a freeform IP address, or names (for example, names of address objects) if you want to use a named object.

 

Let me use your "Action Test" rule as an example, as it has two IPs.  Since I don't know what the name of "1.2.3.4" is in your firewall, I'll just name it "ansible-address-object".

 

Here's my full playbook:

 

- name: Network Playbook
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab auth creds
    include_vars: 'vars.yml'
    no_log: 'yes'

  - name: create address object
    panos_address_object:
      provider: '{{ aws_provider }}'
      name: 'ansible-address-object'
      value: '1.2.3.4'
      description: 'created by Ansible'
      commit: false

  - name: create security rule using the address object
    panos_security_rule:
      provider: '{{ aws_provider }}'
      rule_name: 'Action Test'
      source_ip: ['ansible-address-object', '2.3.4.5']
      action: 'deny'
      service: ['service-http']
      commit: false

This playbook results in a new address object being created named "ansible-address-object", and then that object is used in the source address field of my "Action Test" rule.

View solution in original post

6 REPLIES 6

L5 Sessionator

Regarding operation being replaced with state, this is intended.  Using state, you either assert you want something to exist (and be configured as specified) or not exist (whether it was there previously or not).  This is a huge quality of life improvement as you no longer need pre-existing knowledge to use the modules effectively.

 

Regarding address objects being "created automatically," I am not sure I understand what you're saying.  Are you saying that an object would not exist previously and then would exist and be defined after calling panos_security_rule...?  Or that you specify address objects in the source and destinations but those are not present in the resulting security rule..?

Thank You gfreeman for your reply

As far as i understand from your explaining i can update an existing sec-rule by just using its name .

Let me ask the second part other way.

Do i have to create address objects before i add security rule ?.

Or if i add a security rule via ansible, shouldn't be objects created automatically in the firewall ?

In my case i see the security rule is created and in the rule row i can see the source ip but in the objects tab i cannot see the object i have used in the rule.

 

 

 

2019-06-18 07_08_05-SEC-PA-VM100.png2019-06-18 07_12_00-SEC-PA-VM100.png

In your playbook, you need to use IP addresses when you want a freeform IP address, or names (for example, names of address objects) if you want to use a named object.

 

Let me use your "Action Test" rule as an example, as it has two IPs.  Since I don't know what the name of "1.2.3.4" is in your firewall, I'll just name it "ansible-address-object".

 

Here's my full playbook:

 

- name: Network Playbook
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab auth creds
    include_vars: 'vars.yml'
    no_log: 'yes'

  - name: create address object
    panos_address_object:
      provider: '{{ aws_provider }}'
      name: 'ansible-address-object'
      value: '1.2.3.4'
      description: 'created by Ansible'
      commit: false

  - name: create security rule using the address object
    panos_security_rule:
      provider: '{{ aws_provider }}'
      rule_name: 'Action Test'
      source_ip: ['ansible-address-object', '2.3.4.5']
      action: 'deny'
      service: ['service-http']
      commit: false

This playbook results in a new address object being created named "ansible-address-object", and then that object is used in the source address field of my "Action Test" rule.

Thank You for your detailed reply @gfreeman I have used the sample you have sent and see the added address object in the firewall. 

 

L0 Member

I am having a similar issue with not being able to update an existing rule. Has this functionality been completely removed?

  • 1 accepted solution
  • 7043 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!