04-07-2020 10:25 PM
i'm trying to run the following task in my play to create a bunch of new L3 subinterfaces on ae2 and then add them to the appropriate security zone. if i try to assign the zone as part of the panos_l3_subinterface, or through a different play (as shown in code vs commented out section) i get the same error message.
my understanding is that if i dont have the zone created it should create it .. however it keeps complaining about the mode..
failed: [my-panorama] (item=adding zone: Z-VL-1200 ) => {"ansible_loop_var": "item", "changed": false, "item": {"brm_srv_fw_interface": "ae2", "brm_srv_fw_vlan_ip_address": "10.218.0", "kam_srv_fw_interface": "ae2", "kam_srv_fw_vlan_ip_address": "10.11.0", "srv_fw_zone_name": "Z-VL-1200", "vic_srv_fw_interface": "ae2", "vic_srv_fw_vlan_ip_address": "10.11.128", "vlan_id": "1200", "vlan_name": "Seg-VL-1200"}, "msg": "Failed apply: Z-VL-1200 -> network -> layer3 '[ae2.1200]' is not a valid reference\n Z-VL-1200 -> network -> layer3 is invalid"}
tasks:
- name: make Interfaces in Test-Template
panos_l3_subinterface:
provider: '{{ PANO_Provider }}'
enable_dhcp: no
name: "ae2.{{ item.vlan_id }}"
tag: '{{ item.vlan_id }}'
vr_name: vr-inside
#zone_name: '{{ item.srv_fw_zone_name }}'
ip: ["{{ item.kam_srv_fw_vlan_ip_address }}.1/24"]
template: Test-Template
loop: '{{ build_vlan }}'
loop_control:
label: "adding interface: ae2.{{ item.vlan_id }}"
- name: make zones on Test-Template
panos_zone:
provider: '{{ PANO_Provider }}'
zone: '{{ item.srv_fw_zone_name }}'
mode: "layer3"
enable_userid: yes
interface: "[ae2.{{ item.vlan_id }}]"
template: Test-Template
loop: '{{ build_vlan }}'
loop_control:
label: 'adding zone: {{ item.srv_fw_zone_name }} '
04-09-2020 08:49 AM
Fixed the issue - it seems that if the aggregate was created manually and it was NOT PUT INTO a VR then the subinterfaces through scripting get that error.. panorama seems to manually allow this to get bypassed.. however most of my firewalls have their AE created by a partner and they weren't put into a VR... adding them to VR allowed the scripts to run.
04-08-2020 09:32 AM
in case anyone can help here, i ran a simpler play with -vvvv enabled
The full traceback is:
File "/tmp/ansible_panos_l3_subinterface_payload_qkpcbcde/ansible_panos_l3_subinterface_payload.zip/ansible/modules/panos_l3_subinterface.py", line 273, in main
File "/usr/local/lib/python3.6/site-packages/pandevice/network.py", line 325, in set_zone
update, running_config, return_type, False, mode=mode)
File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 1522, in _set_reference
obj.update(reference_var)
File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 633, in update
retry_on_peer=self.HA_SYNC)
File "/usr/local/lib/python3.6/site-packages/pandevice/base.py", line 3486, in method
raise the_exception
fatal: [my-panorama]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"adjust_tcp_mss": null,
"api_key": null,
"comment": null,
"create_default_route": false,
"dhcp_default_route_metric": null,
"enable_dhcp": false,
"ip": [
"10.11.1.1/24"
],
"ip_address": null,
"ipv4_mss_adjust": null,
"ipv6_enabled": null,
"ipv6_mss_adjust": null,
"management_profile": null,
"mtu": null,
"name": "ae2.1200",
"netflow_profile": null,
"password": null,
"port": 443,
"provider": {
"api_key": null,
"ip_address": "vic-panora-lpr1",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"serial_number": null,
"username": "ansible-play"
},
"state": "present",
"tag": 1200,
"template": "xxx-KAM-SRV-FW",
"username": "admin",
"vr_name": "default",
"vsys": null,
"zone_name": "TEST3"
}
},
"msg": "Failed setref: TEST3 -> network -> layer3 'ae2.1200' is not a valid reference\n TEST3 -> network -> layer
this was the play:
- name: adds security zones, interfaces and firewall rules
hosts: my-panorama
connection: local
gather_facts: False
vars_files:
- 'build-vlan.yml'
- 'firewall-rules.yml'
- 'my-secrets.yml'
#- 'ios.yml'
#{{ item.patunnel_name }}
# -e 'ansible_python_interpreter=/usr/bin/python3'
roles:
- role: PaloAltoNetworks.paloaltonetworks
tasks:
- name: make Interfaces in Test-Template
panos_l3_subinterface:
provider: '{{ PANO_Provider }}'
enable_dhcp: no
name: "ae2.1200"
tag: 1200
zone_name: TEST3
ip: ["10.11.1.1/24"]
template: xxx-KAM-SRV-FW04-09-2020 08:49 AM
Fixed the issue - it seems that if the aggregate was created manually and it was NOT PUT INTO a VR then the subinterfaces through scripting get that error.. panorama seems to manually allow this to get bypassed.. however most of my firewalls have their AE created by a partner and they weren't put into a VR... adding them to VR allowed the scripts to run.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
