03-03-2020 12:09 AM - edited 03-03-2020 12:52 AM
So I am very new to using Ansible with Panorama/Palo Alto firewalls. I am doing a test on my test lab Panorama to see if I can push a test rule over to Panorama. Here is my yml file:
---
- name: Create test new rule playbook
  hosts: all
  connection: local
  roles:
    - role: paloaltonetworks.paloaltonetworks
  tasks:
    - name: Add test pre-rule to panorama
      panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Ansible test 1'
        description: 'An Ansible test pre-rule'
        source_zone: ['Corp']
        destination_zone: ['cs-user']
        source_ip: ['1.2.3.4']
        source_user: ['any']
        destination_ip: ['any']
        category: ['any']
        application: ['any']
        service: ['any']
        hip_profiles: ['any']
        action: 'allow'
        device_group: 'test-group'
        commit: False
When I try to run the playbook, this is what I see:
PLAY [Create test new rule playbook] ***********************************************************************************

TASK [Gathering Facts] *************************************************************************************************
[DEPRECATION WARNING]: Distribution Ubuntu 18.04 on host 10.2.3.10 should use /usr/bin/python3, but is using
/usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using
the discovered platform python for this host. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature
will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
ok: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install pan-python required library] *****************************************
changed: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install pandevice required library] ******************************************
changed: [10.2.3.10]

TASK [paloaltonetworks.paloaltonetworks : Install xmltodict required library] ******************************************
changed: [10.2.3.10]

TASK [Add test pre-rule to panorama] ***********************************************************************************
fatal: [10.2.3.10]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'provider' is undefined\n\nThe error appears to be in '/etc/ansible/testbook2.yml': line 10, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Add test pre-rule to panorama\n ^ here\n"}

PLAY RECAP *************************************************************************************************************
10.2.3.10 : ok=4 changed=3 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
So what could be wrong here? I still don't get the provider setting yet; did I put it in wrongly? Also, may I ask what " provider: '{{ provider }}'" means in the playbook? Is provider some sort of value I need to add in? I don't get what provider means and what value I should put, as I just got this from an example here.
Also, is there some library that I am missing from these?
Install pan-python required library
Install pandevice required library
Install xmltodict required library
I see in some examples it should be "PIP" wording instead of the 3 above, right?
Any help would be greatly appreciated.
03-03-2020 09:27 AM - edited 03-03-2020 09:30 AM
provider is a param that you're passing in to panos_security_rule, while the '{{ provider }}' part says, "use the variable 'provider' that is somehow being brought into this playbook."
You can specify credentials a few different ways:
provider:
  ip_address: '10.1.1.1'
  username: 'admin'
  password: 'secret'
Just as a side note, the Palo Alto Networks Ansible role is now deprecated in favor of the collection, which is on Ansible Galaxy as paloaltonetworks.panos. The repo for the new collection is here, and also keep in mind that collections require that you are using Ansible 2.9+.
03-03-2020 10:18 PM
Hi,
So does this mean that I need to create a "provider.yml" file in the same folder as my main playbook? I still need to define the IP address and put in the username and password?
Now I am getting this error after changing it to "collections:" from "roles:":
TASK [Add test pre-rule to panorama] ***********************************************************************************
fatal: [10.2.3.10]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'provider' is undefined\n\nThe error appears to be in '/etc/ansible/testbook2.yml': line 10, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: Add test pre-rule to panorama\n ^ here\n"}
PLAY RECAP *************************************************************************************************************
10.2.3.10 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
03-04-2020 08:13 AM
I had the same problem. You can call your provider details in from a script as you described, but at the moment I have set my Ansible playbook up like this, so I call the '{{ provider }}' from a variable called provider:
---
03-04-2020 09:40 AM
If you created a file "provider.yml" that has the auth credentials in it, then you just tell Ansible to load that file at the beginning of your "tasks":
tasks:
  - name: Grab auth creds
    include_vars: 'provider.yml'
    no_log: 'yes'
03-04-2020 11:25 PM
Okay, the VARS works for me now. Thanks for that, and now it all makes sense.
On another note, what if I have multiple device groups on the same pano that I want to add a new rule to? Take this for example: I have "DG1" and "DG2" I want to create in; somehow the line below didn't work for me:
device_group: 'DG1' 'DG2'
Can't I put both device group names in the same task together? Or must this be done in a separate task that specifies only a single device group?
03-05-2020 09:42 AM
You can use standard Ansible looping to do this. You have both Ansible filters and Jinja2 templating functions available to use in playbooks. This blog post shows a little bit of looping and walks through using facts modules to do updates to existing config:
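Putting the two answers above together (loading the credentials from provider.yml with include_vars, and looping over device groups instead of listing them on one line), here is a complete playbook written as an added example for this thread; it is not code posted by anyone in the thread and not the collection's own documentation. It assumes the paloaltonetworks.panos collection is installed, that a provider.yml with the ip_address/username/password keys sits next to the playbook, and that the device groups "DG1" and "DG2" exist on the Panorama; the module options are the ones already used in the original post.

```yaml
---
# Added example (not from the thread): push one pre-rule to several Panorama
# device groups with a loop, with credentials loaded from an external vars file.
- name: Push a test pre-rule to several device groups
  hosts: all
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos

  vars:
    # Constructed list of device groups; the thread mentions "DG1" and "DG2".
    target_device_groups:
      - 'DG1'
      - 'DG2'

  tasks:
    - name: Grab auth creds
      # provider.yml (assumed to sit next to this playbook) holds:
      #   provider:
      #     ip_address: '10.1.1.1'
      #     username: 'admin'
      #     password: 'secret'
      # Keep that file out of version control, or encrypt it with
      # "ansible-vault encrypt provider.yml" so the password is not stored in clear.
      include_vars: 'provider.yml'
      # no_log keeps the loaded credentials out of the playbook output.
      no_log: true

    - name: Add test pre-rule to each device group
      panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Ansible test 1'
        description: 'An Ansible test pre-rule for {{ item }}'
        source_zone: ['Corp']
        destination_zone: ['cs-user']
        source_ip: ['1.2.3.4']
        source_user: ['any']
        destination_ip: ['any']
        category: ['any']
        application: ['any']
        service: ['any']
        hip_profiles: ['any']
        action: 'allow'
        # One task run per device group: 'item' is the current list entry.
        device_group: '{{ item }}'
        # Same as the original post: stage the change without committing it.
        commit: false
      loop: '{{ target_device_groups }}'
      loop_control:
        # Print only the device group name per iteration rather than the
        # whole parameter set.
        label: '{{ item }}'
```

Each iteration of the loop calls panos_security_rule once with device_group set to the current list entry, which is what the single quoted line `device_group: 'DG1' 'DG2'` could not express. Because the task sets commit: false, nothing reaches the managed firewalls until a commit is run, so the staged rules can be reviewed in the Panorama GUI before a push.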