06-29-2022 06:15 AM
Hi,
I'm preparing for IPsec in Palo Alto using Ansible. We have a Panorama template stack used for zone configuration for all firewalls.
When we tried to configure a tunnel interface and attach it to a zone (the zone was inherited from the template stack), I'm getting the below error:
"msg": "Failed setref: edit failed, may need to override template object XYZ first "
Ansible task sample:
---
- hosts: PALO_HOST
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  tasks:
    - name: load var
      include_vars: provider.yaml
    - name: Create tunnel interfaces
      paloaltonetworks.panos.panos_tunnel:
        provider: '{{ provider }}'
        if_name: '{{ item.tunnel_id }}'
        ip: '{{ item.ip }}/30'
        management_profile: 'PING-ONLY'
        state: 'present'
        # template: 'NA-LAB_stack'
        zone_name: 'XYZ'
        vr_name: 'default'
        commit: False
        comment: "to-aws-{{ item.id }}"
      with_items:
        - { ip: '4.4.4.4', tunnel_id: 'tunnel.119', id: '1' }
        - { ip: '4.4.4.5', tunnel_id: 'tunnel.120', id: '2' }
07-07-2022 05:36 AM
Hi @MAULIK_NUTA,
Let me check if I get your setup correctly:
- You have Panorama that pushes zone definitions to managed firewalls
- You are using Ansible to create the IPsec tunnel locally on the firewall (not through Panorama)
Correct?
Although the GUI allows you to define the zone under the interface, the actual configuration is the opposite: interfaces are assigned to zones:
zone {
  VPN-Tunnel {
    network {
      layer3 [ tunnel.2 tunnel.1 ];
      log-setting default;
      enable-packet-buffer-protection yes;
    }
  }
}
So when you push the zone definition from Panorama it is not part of the firewall's local config; you cannot see it in the exported running-config.xml, nor in the CLI (in config mode: # show zone). So when you create the tunnel interface locally it cannot be assigned to the required zone, because the zone is not part of the local configuration, so its definition does not exist.
As the error suggests, you need to override the zone definition pushed by the Panorama template. This will create the zone definition in the local firewall config, to which you can add the new local tunnel interface.
07-11-2022 05:49 AM
That's correct, that's what I was looking for. I made an adjustment and created the tunnel config first, then created the zone and attached the interface to it as layer 3, but I'm still getting the same error:
    - name: Create tunnel interfaces
      panos_tunnel:
        provider: '{{ provider }}'
        if_name: '{{ item.tunnel_id }}'
        ip: '{{ item.ip }}/30'
        management_profile: 'PING-ONLY'
        state: 'present'
        # template: 'NA-LAB_stack'
        #zone_name: 'AWS-REMOTE-ZONE'
        vr_name: 'default'
        commit: False
        comment: "to-aws-{{ item.id }}"
      with_items:
        - { ip: '{{ parsed_vpn.vpn_connection.ipsec_tunnel[0].customer_gateway.tunnel_inside_address.ip_address }}', tunnel_id: '{{ tunnel_id_1 }}', id: '1' }
        - { ip: '{{ parsed_vpn.vpn_connection.ipsec_tunnel[1].customer_gateway.tunnel_inside_address.ip_address }}', tunnel_id: '{{ tunnel_id_2 }}', id: '2' }
    - name: create zone and attach to interface
      panos_zone:
        provider: '{{ provider }}'
        state: 'present'
        zone: 'AWS-REMOTE-ZONE'
        mode: 'layer3'
        interface: ['tunnel.109']
error: FAILED! => {"changed": false, "msg": "Failed apply: edit failed, may need to override template object AWS-REMOTE-ZONE first"}
07-11-2022 01:55 PM
Hi @MAULIK_NUTA,
If you search for the error "may need to override template" in the forum search you can see a couple of people who also received such an error, but in most cases the problem was in their syntax, so I am wondering if the error is actually misleading and your real problem is something else.
Have you tried to create the tunnel interfaces without assigning them to a zone and without creating the zone?
Another approach would be to try to override the zone rather than creating it: https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_type_cmd.html?highlight=override
07-18-2022 05:25 AM
@aleksandar.astardzhiev I have created the tunnel interfaces without assigning them to a zone and that did work. Also, as you suggested, I tried to override the zone using the XPath/XML API, and it did work too.
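The working sequence from the thread (tunnel first without a zone, then override the template-pushed zone locally through panos_type_cmd) as one added example playbook; this is not code from the thread or from the pan-os-ansible project. The zone name, interface name, sample address and the vsys1 XPath are assumptions, and the override uses the PAN-OS XML API config action "override" that the module exposes as cmd.

```yaml
---
- hosts: PALO_HOST
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    zone: 'AWS-REMOTE-ZONE'   # zone pushed by the Panorama template stack (assumed name)
    tunnel_if: 'tunnel.109'   # interface to place in that zone (assumed name)
  tasks:
    - name: load var
      include_vars: provider.yaml

    # Step 1: create the tunnel interface with no zone_name. The thread confirms
    # this works even while the zone exists only in the template-pushed config.
    - name: Create tunnel interface without a zone
      panos_tunnel:
        provider: '{{ provider }}'
        if_name: '{{ tunnel_if }}'
        ip: '4.4.4.4/30'        # constructed sample address
        management_profile: 'PING-ONLY'
        vr_name: 'default'
        state: 'present'
        commit: false

    # Step 2: override the Panorama template zone so a local copy of the zone
    # entry exists on the firewall, with the new interface as a layer3 member.
    # XPath is the firewall's local vsys1 config path (assumed single vsys);
    # it must stay on one line because it is sent as-is to the XML API.
    - name: Override the Panorama template zone locally
      panos_type_cmd:
        provider: '{{ provider }}'
        cmd: 'override'
        xpath: "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/zone/entry[@name='{{ zone }}']"
        element: |
          <network>
            <layer3>
              <member>{{ tunnel_if }}</member>
            </layer3>
          </network>
```

Once the override exists in the local candidate config, panos_zone or panos_tunnel with zone_name can manage the zone membership without the "may need to override template object" error; a commit is still required to activate the change.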