04-19-2018 09:06 AM - edited 04-19-2018 10:25 AM
Hi there.
I have a licensed VM100 running.
I'm trying to use the module "panos_match_rule.py", but for some reason it is not working.
Of the 20 modules that are available with the default Ansible installation, this is the only one not working.
I tried to use the dev version of the modules from the github repo (ansible-pan/library/panos_match_rule.py) also, but it did not make any difference.
I tried to debug it on my own, but I could not find what is wrong.
I've been trying to fix it for four days (yeah, I'm not a Python dev... yet :P)
Could someone suggest something?
Thanks in advance
show system info:
admin@fwpasbx01> show system info
hostname: fwpasbx01
ip-address: XXX.XXX.46.179
public-ip-address: unknown
netmask: 255.255.254.0
default-gateway: XXX.XXX.46.1
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::XXXX:XXXX:XXXX:XXXX/64
ipv6-default-gateway:
mac-address: XX:XX:XX:XX:c0:bb
time: Thu Apr 19 10:36:31 2018
uptime: 9 days, 1:17:20
family: vm
model: PA-VM
serial: XXXXXXXXXXXXXXX
vm-mac-base: XX:XX:XX:XX:A0:00
vm-mac-count: 256
vm-uuid: XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
vm-cpuid: ESX:XXXXXXXXXXXXXXXX
vm-license: VM-100
vm-mode: VMWare ESXi
cloud-mode: non-cloud
sw-version: 8.1.0
global-protect-client-package-version: 0.0.0
app-version: 769-4439
app-release-date:
av-version: 0
av-release-date:
threat-version: 0
threat-release-date:
wf-private-version: 0
wf-private-release-date: unknown
url-db: paloaltonetworks
wildfire-version: 0
wildfire-release-date:
url-filtering-version: 0000.00.00.000
global-protect-datafile-version: unknown
global-protect-datafile-release-date: unknown
global-protect-clientless-vpn-version: 0
global-protect-clientless-vpn-release-date:
logdb-version: 8.1.8
platform-family: vm
vpn-disable-mode: off
multi-vsys: off
operational-mode: normal
Testing matching policy from SSH:
admin@fwpasbx01> test security-policy-match protocol 6 source 1.2.3.4 destination 8.8.4.4 destination-port 8889

"DenyAll; index: 3" {
        from any;
        source any;
        source-region none;
        to any;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service 0:any/any/any/any;
        action drop;
        icmp-unreachable: no
        terminal no;
}
My playbook:
---
# how to call this
# ansible-playbook panos_pbk_12_match_rule.yml --extra-vars "hosts_to_use='fwpa01'" -vvvv

- name: check match rule test
  hosts: "{{ hosts_to_use }}"
  gather_facts: false
  connection: local

  vars_files:
    - /home/XXXXXXXXX/ansible/vault.yml
    # - ../vault.yml

  tasks:
    - debug: msg={{"Working on host"}}{{ ":" }}{{ " " }}{{ inventory_hostname}}{{" IP"}}{{ ":" }}{{ " " }}{{ansible_host}}{{" username"}}{{ ":" }}{{ " " }}{{vault_fwpa01_username}}{{" password"}}{{ ":" }}{{ " " }}{{vault_fwpa01_password}}

    - name: check security rules for Google DNS
      panos_match_rule:
        ip_address: "{{ansible_host}}"
        username: "{{vault_fwpa01_username}}"
        password: '{{vault_fwpa01_password}}'
        rule_type: 'security'
        source_ip: '1.2.3.4'
        destination_ip: '8.8.4.4'
        destination_port: '8889'
        protocol: '6'
      register: result

    - debug: msg='{{result.stdout_lines}}'
The full error message I'm receiving:
[HIDDENUSERNAME@rh_vm_ansible-sbx_ip_dot6 plays_BUG]$ ansible-playbook panos_pbk_12_match_rule.yml --extra-vars "hosts_to_use='fwpa01'" -vvvv
ansible-playbook 2.5.0
  config file = /home/HIDDENUSERNAME/.ansible.cfg
  configured module search path = [u'/home/HIDDENUSERNAME/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
Using /home/HIDDENUSERNAME/.ansible.cfg as config file
setting up inventory plugins
Parsed /home/HIDDENUSERNAME/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: panos_pbk_12_match_rule.yml ************************************************
1 plays in panos_pbk_12_match_rule.yml
Trying secret FileVaultSecret(filename='/home/HIDDENUSERNAME/ansible/.vault_pass_file.txt') for vault_id=default
Read vars_file '/home/HIDDENUSERNAME/ansible/vault.yml'
Read vars_file '/home/HIDDENUSERNAME/ansible/vault.yml'

PLAY [check match rule test] *********************************************************
META: ran handlers
Read vars_file '/home/HIDDENUSERNAME/ansible/vault.yml'

TASK [debug] *************************************************************************
task path: /home/HIDDENUSERNAME/ansible/git_ansible-pan_modules_and_playbooks/playbooks/plays_BUG/panos_pbk_12_match_rule.yml:18
ok: [fwpa01] => {
    "msg": "Working on host: fwpa01 IP: XXX.XXX.46.179 username: testadmin password: HIDDENPASSWORD"
}
Read vars_file '/home/HIDDENUSERNAME/ansible/vault.yml'

TASK [check security rules for Google DNS] *******************************************
task path: /home/HIDDENUSERNAME/ansible/git_ansible-pan_modules_and_playbooks/playbooks/plays_BUG/panos_pbk_12_match_rule.yml:20
Using module file /usr/lib/python2.7/site-packages/ansible/modules/network/panos/panos_match_rule.py
<XXX.XXX.46.179> ESTABLISH LOCAL CONNECTION FOR USER: HIDDENUSERNAME
<XXX.XXX.46.179> EXEC /bin/sh -c 'echo ~ && sleep 0'
<XXX.XXX.46.179> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559 `" && echo ansible-tmp-1524153472.65-57023960501559="` echo /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559 `" ) && sleep 0'
<XXX.XXX.46.179> PUT /home/HIDDENUSERNAME/.ansible/tmp/ansible-local-1288640VldIv/tmpoAkT7S TO /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559/panos_match_rule.py
<XXX.XXX.46.179> EXEC /bin/sh -c 'chmod u+x /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559/ /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559/panos_match_rule.py && sleep 0'
<XXX.XXX.46.179> EXEC /bin/sh -c '/usr/bin/python /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559/panos_match_rule.py && sleep 0'
<XXX.XXX.46.179> EXEC /bin/sh -c 'rm -f -r /home/HIDDENUSERNAME/.ansible/tmp/ansible-tmp-1524153472.65-57023960501559/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_s7iVn5/ansible_module_panos_match_rule.py", line 379, in <module>
    main()
  File "/tmp/ansible_s7iVn5/ansible_module_panos_match_rule.py", line 373, in main
    stdout_lines=json.dumps(xmltodict.parse(rule_match.element_str()), indent=2),
AttributeError: 'NoneType' object has no attribute 'element_str'

fatal: [fwpa01]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_s7iVn5/ansible_module_panos_match_rule.py\", line 379, in <module>\n    main()\n  File \"/tmp/ansible_s7iVn5/ansible_module_panos_match_rule.py\", line 373, in main\n    stdout_lines=json.dumps(xmltodict.parse(rule_match.element_str()), indent=2),\nAttributeError: 'NoneType' object has no attribute 'element_str'\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 1
}

PLAY RECAP ***************************************************************************
fwpa01                     : ok=1    changed=0    unreachable=0    failed=1
I really appreciate any kind of help you could give me.
Best regards.
04-19-2018 12:51 PM
Something I would like to add:
I did a bit more of debug.
The XML string that is generated with xapi.py is correct:
<test><security-policy-match><source>1.2.3.4</source><destination>8.8.4.4</destination><destination-port>8889</destination-port><protocol>6</protocol></security-policy-match></test>
Using that string manually on the API (the browser version of it) returned this address:
https://XXX.XXX.XXX.179/api/?REST_API_TOKEN=XXXXXXXXXX&type=op&cmd=<test><security-policy-match><source>1.2.3.4<%2Fsource><destination>8.8.4.4<%2Fdestination><destination-port>8889<%2Fdestination-port><protocol>6<%2Fprotocol><%2Fsecurity-policy-match><%2Ftest>+
And finally, with that address, I did get the rule displayed in the browser:
<response cmd="status" status="success">
  <result>
    <rules>
      <entry name="DenyAll">
        <index>3</index>
        <from>any</from>
        <source>any</source>
        <source-region>none</source-region>
        <to>any</to>
        <destination>any</destination>
        <destination-region>none</destination-region>
        <user>any</user>
        <category>any</category>
        <application_service>0:any/any/any/any</application_service>
        <action>drop</action>
        <icmp-unreachable>no</icmp-unreachable>
        <terminal>no</terminal>
      </entry>
    </rules>
  </result>
</response>
So, in other words:
Everything is working in the XML string generation of panos_match_rule.py.
I'll keep debugging... Wish me luck 🙂
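The traceback above fails because the module calls .element_str() on a rule_match that is None without checking it first, while the firewall clearly returned a matched rule. As an added example (not code from panos_match_rule.py or pandevice), the following parses the op-command response shown above directly and turns "no match" and "API error" into distinct, checkable results instead of an AttributeError; the error response text is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Response captured in this thread from the browser call to the API
# (whitespace added); used here as sample input.
SAMPLE_MATCH = """<response cmd="status" status="success">
  <result><rules><entry name="DenyAll">
    <index>3</index><from>any</from><source>any</source><to>any</to>
    <destination>any</destination><user>any</user><category>any</category>
    <application_service>0:any/any/any/any</application_service>
    <action>drop</action><icmp-unreachable>no</icmp-unreachable>
    <terminal>no</terminal>
  </entry></rules></result>
</response>"""

# Constructed: the shape of a successful call that matched no rule.
SAMPLE_NO_MATCH = '<response cmd="status" status="success"><result><rules/></result></response>'

# Constructed: the shape of an API-level failure (bad key, bad command).
SAMPLE_ERROR = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'


def parse_policy_match(xml_text):
    """Return the first matched rule as a dict, or None when the firewall
    reports a successful call with no matching rule.

    An API error raises instead of returning None, so that an auth or
    command failure is never silently read as "traffic is not matched".
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError("PAN-OS API error (code %s): %s" % (root.get("code"), msg))
    entry = root.find("./result/rules/entry")
    if entry is None:
        return None
    rule = {"name": entry.get("name")}
    for child in entry:
        rule[child.tag] = (child.text or "").strip()
    return rule


def match_result(xml_text):
    """What a module should hand back to the playbook: a (matched, rule)
    pair the caller can branch on, rather than crashing on None."""
    rule = parse_policy_match(xml_text)
    return (rule is not None, rule)
```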
05-03-2018 02:43 PM
Sad to see your effort elicits no response... Seems a lame forum group. Hardly worth the time to register.
Yours is the most technical I've seen on this group and I have one regarding ansible panos_import error but I doubt it would get any love in this desert...
Good luck, alejandro
Chris.
05-04-2018 06:55 AM
Yeah, I wasn't able to fix it, so I moved on to other stuff.
I didn't want to spend more time on this.
I will return to fixing this some day, but right now I need to start doing the real automation.