06-17-2019 10:53 AM
The new Ansible module ver 2.2 does not support sec rule update. The operation keyword is deprecated and the state key only has absent or present values.
I have also experienced that after creating a sec-rule, objects are not created automatically. I can see the rule is created with the specified source and destination IPs, but objects for the IP addresses are not present in the objects section.
06-18-2019 10:27 AM
In your playbook, you need to use IP addresses when you want a freeform IP address, or names (for example, names of address objects) if you want to use a named object.
Let me use your "Action Test" rule as an example, as it has two IPs. Since I don't know what the name of "1.2.3.4" is in your firewall, I'll just name it "ansible-address-object".
Here's my full playbook:
- name: Network Playbook
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Grab auth creds
      include_vars: 'vars.yml'
      no_log: 'yes'

    - name: create address object
      panos_address_object:
        provider: '{{ aws_provider }}'
        name: 'ansible-address-object'
        value: '1.2.3.4'
        description: 'created by Ansible'
        commit: false

    - name: create security rule using the address object
      panos_security_rule:
        provider: '{{ aws_provider }}'
        rule_name: 'Action Test'
        source_ip: ['ansible-address-object', '2.3.4.5']
        action: 'deny'
        service: ['service-http']
        commit: false
This playbook results in a new address object being created named "ansible-address-object", and then that object is used in the source address field of my "Action Test" rule.
06-17-2019 11:23 AM
Regarding operation being replaced with state, this is intended. Using state, you either assert you want something to exist (and be configured as specified) or not exist (whether it was there previously or not). This is a huge quality of life improvement as you no longer need pre-existing knowledge to use the modules effectively.
Regarding address objects being "created automatically," I am not sure I understand what you're saying. Are you saying that an object would not exist previously and then would exist and be defined after calling panos_security_rule...? Or that you specify address objects in the source and destinations but those are not present in the resulting security rule...?
06-17-2019 11:49 AM
Thank you gfreeman for your reply.
As far as I understand from your explanation, I can update an existing sec-rule by just using its name.
Let me ask the second part another way.
Do I have to create address objects before I add a security rule?
Or if I add a security rule via Ansible, shouldn't objects be created automatically in the firewall?
In my case I see the security rule is created and in the rule row I can see the source IP, but in the objects tab I cannot see the object I have used in the rule.
06-18-2019 11:21 PM
Thank you for your detailed reply @gfreeman. I have used the sample you sent and see the added address object in the firewall.
01-27-2020 08:39 AM
I am having a similar issue with not being able to update an existing rule. Has this functionality been completely removed?
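The following playbook is an added example, not posted by anyone in this thread, illustrating the point gfreeman made about state: with state: present the module asserts the rule's desired configuration, so re-running the same rule_name with changed parameters updates the existing rule rather than failing, and state: absent removes it. It assumes the same inventory host "fw", the same role, the same "aws_provider" connection dict loaded from vars.yml, and the "Action Test" rule and "ansible-address-object" created in the accepted answer; the address object is asserted first because a rule can only reference named objects that already exist. Credentials stay under no_log, and the candidate config is committed once at the end rather than after every task.

```yaml
# Added example (not from any post in this thread). Assumes the inventory host
# "fw", the PaloAltoNetworks.paloaltonetworks role and the "aws_provider" dict
# from vars.yml used in the accepted answer.
- name: Update an existing security rule by asserting its desired state
  hosts: fw
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Grab auth creds
      include_vars: 'vars.yml'
      no_log: true            # keep firewall credentials out of the job log

    # Named objects must exist before a rule references them; "present"
    # creates the object if missing and leaves it alone if already correct.
    - name: Ensure the address object exists
      panos_address_object:
        provider: '{{ aws_provider }}'
        name: 'ansible-address-object'
        value: '1.2.3.4'
        description: 'created by Ansible'
        state: present
        commit: false

    # Same rule_name as the rule created earlier, but a different source_ip.
    # With state "present" the module reconciles the existing rule to this
    # definition (here: the freeform 2.3.4.5 entry is dropped from the rule).
    - name: Update the existing "Action Test" rule
      panos_security_rule:
        provider: '{{ aws_provider }}'
        rule_name: 'Action Test'
        source_ip: ['ansible-address-object']
        action: 'deny'
        service: ['service-http']
        description: 'updated by Ansible'
        state: present
        commit: true          # single commit after all changes in this play

# Run only on request: ansible-playbook update_rule.yml --tags cleanup
- name: Remove the rule by asserting it does not exist
  hosts: fw
  connection: local
  gather_facts: false
  tags: [never, cleanup]

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Grab auth creds
      include_vars: 'vars.yml'
      no_log: true

    # state "absent" succeeds whether or not the rule currently exists.
    - name: Delete the "Action Test" rule
      panos_security_rule:
        provider: '{{ aws_provider }}'
        rule_name: 'Action Test'
        state: absent
        commit: true
```

Running the first play twice is a useful check of the state semantics: the second run should report no changes, because the rule already matches the asserted definition. The cleanup play is tagged never so it only runs when --tags cleanup is passed explicitly.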