Gather info with panos_security_rule

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Gather info with panos_security_rule

L1 Bithead

Hi
I dont fully understand how to use the panos_security_rule module to find rule panos_security_rule to find rules since https://github.com/PaloAltoNetworks/pan-os-ansible/blob/develop/plugins/modules/panos_security_rule_... seems to be deprecated.
What i do want is to get all the defined rules in the firewall.

My supersimple playbook looks like this:

--
- name: Network Playbook
hosts: all
connection: local
gather_facts: false

vars:
sec_rules:
ip_address: 1.1.1.1
vars_prompt:

- name: password
prompt: password
- name: username
prompt: username
private: no


collections:
- paloaltonetworks.panos

tasks:
- name: Get all rules
panos_security_rule:
ip_address: " {{ ip_address }} "
username: " {{ username }} "
password: " {{ password }} "
rulebase: rulebase
state: 'gathered'
register: sec_rules


- debug:
msg: '{{ sec_rules }}'

I get this output.


ansible-playbook [core 2.12.3]
config file = None
configured module search path = ['/home/labb/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/labb/.local/lib/python3.9/site-packages/ansible
ansible collection location = /home/labb/.ansible/collections:/usr/share/ansible/collections
executable location = /home/labb/.local/bin/ansible-playbook
python version = 3.9.10 (main, Mar 16 2022, 15:24:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
jinja version = 3.0.3
libyaml = True
No config file found; using defaults
host_list declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
script declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
auto declined parsing /ansible/ansible/fwtest as it did not pass its verify_file() method
[WARNING]: While constructing a mapping from /ansible/ansible/fwtest, line 4, column 5, found a duplicate dict key (ansible_connection). Using last defined value only.
Parsed /ansible/ansible/fwtest inventory source with yaml plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: palo.yaml ******************************************************************************************************************************************************
1 plays in palo.yaml
password:
username: alo

PLAY [Network Playbook] **************************************************************************************************************************************************
META: ran handlers

TASK [Get all rules] *****************************************************************************************************************************************************
task path: /ansibles/FW/palo.yaml:23
<1.1.1.1> ESTABLISH LOCAL CONNECTION FOR USER: labb
<1.1.1.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22 `"&& mkdir "` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340 `" && echo ansible-tmp-1664879620.1387732-92355-183172280362340="` echo /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340 `" ) && sleep 0'
Using module file /home/labb/.ansible/collections/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_security_rule.py
<1.1.1.1> PUT /home/labb/.ansible/tmp/ansible-local-9234529bmja22/tmp80mh80tb TO /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py
<1.1.1.1> EXEC /bin/sh -c 'chmod u+x /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/ /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py && sleep 0'
<1.1.1.1> EXEC /bin/sh -c '/usr/local/bin/python3.9 /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/AnsiballZ_panos_security_rule.py && sleep 0'
<1.1.1.1> EXEC /bin/sh -c 'rm -f -r /home/labb/.ansible/tmp/ansible-local-9234529bmja22/ansible-tmp-1664879620.1387732-92355-183172280362340/ > /dev/null 2>&1 && sleep 0'
fatal: [1.1.1.1]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"action": "allow",
"antivirus": null,
"api_key": null,
"application": [
"any"
],
"audit_comment": null,
"category": [
"any"
],
"commit": null,
"data_filtering": null,
"description": null,
"destination_ip": [
"any"
],
"destination_zone": [
"any"
],
"device_group": "shared",
"devicegroup": null,
"disable_server_response_inspection": false,
"disabled": false,
"existing_rule": null,
"file_blocking": null,
"group_profile": null,
"group_tag": null,
"hip_profiles": null,
"icmp_unreachable": null,
"ip_address": " 1.1.1.1 ",
"location": null,
"log_end": true,
"log_setting": null,
"log_start": false,
"negate_destination": false,
"negate_source": false,
"negate_target": null,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"provider": null,
"rule_name": null,
"rule_type": "universal",
"rulebase": "rulebase",
"schedule": null,
"service": [
"application-default"
],
"source_ip": [
"any"
],
"source_user": [
"any"
],
"source_zone": [
"any"
],
"spyware": null,
"state": "gathered",
"tag_name": null,
"target": null,
"url_filtering": null,
"username": " ansible ",
"uuid": null,
"vsys": "vsys1",
"vulnerability": null,
"wildfire_analysis": null
}
},
"msg": "missing required arguments: rule_name"
}

PLAY RECAP ***************************************************************************************************************************************************************
1.1.1.1 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0


Im runing against a single device not panorama, if that matter?

1 accepted solution

Accepted Solutions

L5 Sessionator

The Ansible collection was just updated (v2.11.0) with a new parameter, gathered_filter.  You can use this parameter to finally fully replace the panos_security_rule_facts module.  If you want everything, then it's as simple as doing this:

 

 

 

 

  - name: Get all security rules
    panos_security_rule:
      provider: '{{ provider_dict }}'
      state: 'gathered'
      gathered_filter: '*'
    register: ans

  - debug:
      msg: '{{ ans }}'

 

 

 

View solution in original post

3 REPLIES 3

L5 Sessionator

Hi @zol123, the panos_security_rule_facts module still works, it is not fully deprecated, so at this time I would recommend continuing to utilise it for this use case

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L5 Sessionator

The Ansible collection was just updated (v2.11.0) with a new parameter, gathered_filter.  You can use this parameter to finally fully replace the panos_security_rule_facts module.  If you want everything, then it's as simple as doing this:

 

 

 

 

  - name: Get all security rules
    panos_security_rule:
      provider: '{{ provider_dict }}'
      state: 'gathered'
      gathered_filter: '*'
    register: ans

  - debug:
      msg: '{{ ans }}'

 

 

 

Thanks

  • 1 accepted solution
  • 3752 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!