Panos_Security_Rule - "msg": "dictionary requested, could not parse JSON or key=value"

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Panos_Security_Rule - "msg": "dictionary requested, could not parse JSON or key=value"

L1 Bithead

Hi, if some one can advise or help, why I am getting this error within Ansible


I am creating a load of hosts from a csv, creating a object group and then creating a security rule that references that newly created object group as a source


Error is "msg": "dictionary requested, could not parse JSON or key=value"


Below is my code


Host creation : 


- name: read-r1-host-csv-file
path: Intenet Access - Azure Data Pub-R1-Hosts.csv
key: hostname
register: srcr1hosts

- name: Create R1 address objects
provider: "{{ palo_provider }}"
state: present
name: '{{ item.value.hostname }}'
value: '{{ item.value.ip}}'
with_items: "{{ srcr1hosts.dict | dict2items }}"

- set_fact:
r1hosts_in_group: "{{ srcr1hosts.dict | dict2items | map(attribute='key') | list }}"

- name: add-r1-source-hosts-network-group
provider: "{{ palo_provider }}"
name: srcr1group
state: present
static_value: "{{ r1hosts_in_group }}"
delegate_to: Global


Rule Creation : 

- name: add a rule Internet Access - Azure Databricks pub - ANY-01
provider: "palo_provider"
device_group: "Azure_Perimeter_Prod"
state: 'present'
rule_name: 'Internet Access - Azure Databricks pub - ANY-01'
source_zone: ['internet']
destination_zone: ['azure']
source_ip: ['srcr1group']
source_user: ['any']
destination_ip: ['H-***********']
application: ['ssl']
group_profile: ['Global-Block-Url']
log_setting: ['NA_Log_Forward']
location: before
existing_rule: before Internet Access - Azure Databricks pub - ANY
action: 'allow'


Cheers, any help appreciated





L5 Sessionator

Hi @scoobyboy, I started with your tasks and tried to replicate the error, and I could not. There are a few things that I had to tweak along the way to get the playbook working, and hopefully the notes below could help you though?

  • the delegate_toGlobal line isn't needed in the address group creation task
  • the group_profile: ['Global-Block-Url'] and log_setting: ['NA_Log_Forward'] lines need just strings instead of arrays of strings, like this: group_profile: 'Global-Block-Url' and log_setting: 'NA_Log_Forward'
  • the device_group: "Azure_Perimeter_Prod" line is placing the rule inside the context of a Device Group, implying targeting a Panorama, I didn't use this line as the previous tasks had no Device Group context so I targeted a NGFW. If you still need help, maybe you could clarify the target and whether the objects are intended to be shared or not, in Device Groups or not, etc

Here's my working playbook targeting a PA-Series NGFW


    - name : Read CSV file
      read_csv :
        path : test.csv
        key : hostname
      register : srcr1hosts

    - name : Create address objects
      panos_address_object :
        provider : "{{ palo_provider }}"
        state : present
        name : '{{ item.value.hostname }}'
        value : '{{ item.value.ip}}'
      with_items : "{{ srcr1hosts.dict | dict2items }}"

    - set_fact :
        hosts_in_group : "{{ srcr1hosts.dict | dict2items | map(attribute='key') | list }}"

    - name : Add address objects to address group
      panos_address_group :
        provider : "{{ palo_provider }}"
        name : test_group
        state : present
        static_value : "{{ hosts_in_group }}"
        #delegate_to : Global

    - name : Add a rule
      panos_security_rule :
        provider : "{{ palo_provider }}"
        #device_group : "Azure_Perimeter_Prod"
        state : 'present'
        rule_name : 'Test rule'
        source_zone : [ 'lab_trust' ]
        destination_zone : [ 'lab_untrust' ]
        source_ip : [ 'test_group' ]
        source_user : [ 'any' ]
        destination_ip : [ 'any' ]
        application : [ 'ssl' ]
        group_profile : 'default'
        log_setting : 'test'
        location : before
        existing_rule : 'test'
        action : 'allow'



Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Hi @JimmyHolland, many thanks for taking a look at this for me, it is appreciated 


In answer to your questions, its targeting a Panorama, and yes it is been created in certain device groups, and yes they are supposed to be shared


I got this working on a NGFW, but when i tried targeting the Pan i started to get this error, the only change I did was add the device_group value to the "add rule" task


But no matter, thanks for assisting 🙂 



  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!