How to add new objects to a Panos_address_group

L1 Bithead


Hi Folks,

 

I see that "Panos_address_group" can help you to create groups with a list of "static_values"; however, how do you "add/modify" new IP addresses in an existing group, or how do you delete values from the static list?

 

I did try using the "panos_address_object" module, but this works in the same way as "panos_object" when adding a new address to a group.

 

What is your recommendation to solve this issue?

 

Thanks,

Roberto

 

 

L1 Bithead

Re: How to add new objects to a Panos_address_group

I forgot to mention that the "Panos_address_group" module deleted all existing host records when using an existing group name.


Is this the way it should work? This becomes a big issue when you have more than 1K hosts associated with a group and all of a sudden they all get removed.

 

Thanks,

Robert

L3 Networker

Re: How to add new objects to a Panos_address_group

Hi Robert,

 

That is actually working as designed.  As a task automation tool, Ansible is idempotent in nature.  This means that any task will be performed exactly as prescribed.  That same task can be performed repeatedly and nothing will change as long as none of the parameters have changed.  However, if any parameter changes from what is currently defined, the new parameter will be applied in whole.

 

If a parameter such as an address group list contains 1,000 members and you simply need to add one more, you will need to specify all 1,001 members.  Otherwise the 1,000 will be overwritten by the 1.

 

This concept is much broader than Ansible and is actually a fundamental concept of Infrastructure as Code (IaC) in automation.  All of the Ansible modules for PAN-OS support this notion of idempotent operations.

 

Hopefully this clears up any confusion.

 

Regards,

-Bob-

L1 Bithead

Re: How to add new objects to a Panos_address_group

Thanks Bob.


I understand the issue; however, reading all the members of a given address group and adding all the IPs again just to add one or more IP addresses, or to eliminate one, will not be an easy task and could cause many other issues.


Especially when you have to delete an IP address across three or four address groups, and need to recreate all groups again if/when the IP address is found in all groups.


Would you confirm if Panos_address_group (update or delete options) will not be available at all either via this module or any new Panos module?


Thanks,

Roberto

L4 Transporter

Re: How to add new objects to a Panos_address_group

I think that the way to do this is to use a "facts" module to get the current setting, then do a Jinja2 modification on the current config to do the update.  So in this case you would use panos_object_facts to get the current config, register the result to some variable, then use panos_address_group with a modified setting.
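
The read-modify-write step described above, as an added example that is not part of the original thread or of the PAN-OS Ansible collection: a custom Ansible filter plugin (Python) that takes the member list read back by the facts module and returns the full list to hand to panos_address_group. The filter name `merge_members`, its parameters and the `max_removed` guard are assumptions made for illustration.

```python
# Added example: Ansible filter plugin, e.g. saved as filter_plugins/group_members.py.
# merge_members, its parameters and MemberChangeError are hypothetical names for
# illustration; they are not part of the PAN-OS Ansible collection.


class MemberChangeError(ValueError):
    """Raised when a requested change looks like an accidental overwrite."""


def merge_members(current, add=None, remove=None, max_removed=10):
    """Return the complete static member list to submit for an address group.

    current     -- members read back from the firewall via the facts module
    add/remove  -- object names to add to or delete from the group
    max_removed -- refuse to drop more than this many members in one run
    """
    if current is None:
        raise MemberChangeError("current member list missing; refusing to overwrite")
    add, remove = list(add or []), set(remove or [])
    conflict = remove.intersection(add)
    if conflict:
        raise MemberChangeError("in both add and remove: %s" % sorted(conflict))
    dropped = remove.intersection(current)
    if len(dropped) > max_removed:
        raise MemberChangeError("would remove %d members (limit %d)"
                                % (len(dropped), max_removed))
    result, seen = [], set()
    for name in list(current) + add:  # keep existing order, append new names
        if name in remove or name in seen:
            continue
        seen.add(name)
        result.append(name)
    if not result:
        raise MemberChangeError("change would leave the group with no members")
    return result


class FilterModule(object):
    """Ansible discovers filters through this class."""

    def filters(self):
        return {"merge_members": merge_members}


if __name__ == "__main__":
    # Constructed sample data; the object names follow the pattern used in the thread.
    existing = ["SMTP-10.10.20.30", "SMTP-10.10.20.31"]
    print(merge_members(existing, add=["SMTP-10.10.20.32"]))
    print(merge_members(existing, remove=["SMTP-10.10.20.30"]))
```

In a playbook the filter would be applied to a variable set from the registered facts result, for example `{{ current_members | merge_members(add=['SMTP-10.10.20.32']) }}`, where `current_members` is a hypothetical variable name.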

L1 Bithead

Re: How to add new objects to a Panos_address_group

I would rather prefer a module that can help execute the following:

"cmd": "set device-group MYCLOUD address-group MYCLOUD-GRP-1 static SMTP-10.10.20.30",

or

"cmd": "delete device-group MYCLOUD address-group MYCLOUD-GRP-1 static SMTP-<IP Address>"


This would look easier to understand and cleaner than a playbook that gets it all (our production config has twenty+ groups with an average of 2K IP addresses each), removes it and re-adds it.

 

Do you have a way or module to execute this?

Thanks,

Roberto

L4 Transporter

Re: How to add new objects to a Panos_address_group

Decided to make answering this a blog article so it helps more people:

 

https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-facts-modules-to-do-updates/b...
