Ansible Panos_security_rule "find" option isn't working?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Ansible Panos_security_rule "find" option isn't working?

L1 Bithead

Hi All,

 

I am testing all PaloAlto's Ansible modules here and I'm keep getting the following error when using "operation: find"

Here is my playbook:

 

---
- name: Testing Palo Alto Panorama Panos_Security_rule module
connection: local
hosts: panorama
vars:
pan_username: palo_ansible
pan_password: somepasswd

tasks:
- name: Find a specific security rule
panos_security_rule:
ip_address: '1.2.3.4'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
operation: 'find'
rule_name: 'NTP_permit'
register: result

- debug: msg='{{result.stdout_lines}}'

 

And here is the error:

 

       Rule 'NTP_permit' not found. Is the name correct?

I already register this new rule and commit all changes. I can delete the same policy without any issues; however, the operation "find" isn't working as recommended here: http://paloaltonetworks.github.io/ansible-pan/modules/panos_security_rule_module.html or https://docs.ansible.com/ansible/2.4/panos_security_rule_module.html

 

I am running Ansible core v2.7.8 with Python 2.7.5 and Panorama v8.1.3. Any idea if this option works?

 

Thanks,

Roberto

1 accepted solution

Accepted Solutions

Thanks for the information and your help here; however, this isn't working either. When running "panos_match_rule" module I got the following error:

========================

fatal: [mypanorama]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"application": "ntp",
"category": null,
"destination_ip": "any",
"destination_port": 123,
"destination_zone": null,
"ip_address": "1.2.3.4",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"rule_type": "security",
"source_ip": "any",
"source_port": null,
"source_user": null,
"source_zone": null,
"to_interface": null,
"username": "ansiblepan",
"vsys_id": "vsys3456"
}
}
}

MSG:


Panorama is not supported.

========================

However!, what I did find out was that "panos_query_rules" works when using the following playbook:

 

tasks:
- name: Find a specific security rule
panos_query_rules:
ip_address: '{{ firewall_host }}'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
tag_name: 'NTP_permit'
devicegroup: 'LABGroup'
register: result

 

I really appreciate you guys helped me here. My concern is that the official PAN and Ansible documentation isn't accurate, as you can see in the last example described at https://docs.ansible.com/ansible/latest/modules/panos_security_rule_module.html.

 

Thanks!

View solution in original post

5 REPLIES 5

L0 Member

Hi Robero,

Mine works fine. can you make yours like this(added #state: 'present'):

 

---
- name: Testing Palo Alto Panorama Panos_Security_rule module
connection: local
hosts: panorama
vars:
pan_username: palo_ansible
pan_password: somepasswd

tasks:
- name: Find a specific security rule
panos_security_rule:
ip_address: '1.2.3.4'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
operation: 'find'

#state: 'present'
rule_name: 'NTP_permit'
register: result

- debug: msg='{{result.stdout_lines}}'

Hi There!,

Thanks for your reply. I understand the "state" variable is not supported by panos_security_rule module; thus adding or removing this option will not make any difference.

 

Per some unknown reason this playbook still reporting the same error and I don't know how to escalate it.

Best regards,

Roberto

 

L5 Sessionator

A few things:

 

I don't see you pulling in the Ansible role with your playbook.  Palo Alto Networks is using Ansible Galaxy roles to distribute the latest versions of the modules, so you should be using that.  Here is the link:  https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks

 

The operation parameter is being removed (from all modules) in favor of state, which is more inline with Ansible standards.  Having said that, if you are trying to determine, "if I run this kind of traffic, what rule will that match?" then the module you want to use is panos_match_rule.

 

Hope this helps!

Thanks for the information and your help here; however, this isn't working either. When running "panos_match_rule" module I got the following error:

========================

fatal: [mypanorama]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"application": "ntp",
"category": null,
"destination_ip": "any",
"destination_port": 123,
"destination_zone": null,
"ip_address": "1.2.3.4",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"rule_type": "security",
"source_ip": "any",
"source_port": null,
"source_user": null,
"source_zone": null,
"to_interface": null,
"username": "ansiblepan",
"vsys_id": "vsys3456"
}
}
}

MSG:


Panorama is not supported.

========================

However!, what I did find out was that "panos_query_rules" works when using the following playbook:

 

tasks:
- name: Find a specific security rule
panos_query_rules:
ip_address: '{{ firewall_host }}'
username: '{{ pan_username }}'
password: '{{ pan_password }}'
tag_name: 'NTP_permit'
devicegroup: 'LABGroup'
register: result

 

I really appreciate you guys helped me here. My concern is that the official PAN and Ansible documentation isn't accurate, as you can see in the last example described at https://docs.ansible.com/ansible/latest/modules/panos_security_rule_module.html.

 

Thanks!

So, this is part of the confusion that we are trying to handle.

 

There are two distinct groups of panos_* Ansible modules.  The first is what you get when you install Ansible.  The second is what you get when you use the Ansible Galaxy role.  Your link is the documentation for what you get when you install Ansible.  The documentation for the Ansible Galaxy role is located here:  https://paloaltonetworks.github.io/ansible-pan/

  • 1 accepted solution
  • 5791 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!