06-11-2023 09:41 PM - edited 06-11-2023 09:43 PM
I am new to Ansible and trying to set up automation for PA security rules via Ansible for a customer. We have installed the panos module from Ansible Galaxy and the required Python libraries like pan-os-python. However, we encountered two issues when we tried to use the panos_security_rule module in our playbook.
1. If we include the log_setting parameter, the playbook returns an error stating "unsupported parameter: log_setting", but from the documentation that should not be the case.
2. If we exclude the log_setting parameter, the playbook returns an error stating "hip-profiles unexpected here", but we don't use any HIP profile in our case.
Error message screenshot attached. My playbook is something like below.
---
- name: PA configs
  hosts: "{{ device_name }}"
  connection: local
  collections:
    - paloaltonetworks.panos
  gather_facts: no
  vars:
    date: "{{ lookup('pipe', 'date \"+%Y-%m-%d\"') }}"
    ansible_user: "ansible"
    ansible_password: "password"
    provider:
      ip_address: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
  tasks:
    - name: Get REST API Key
      uri:
        validate_certs: no
        url: 'https://{{ ansible_host }}/api/?type=keygen&user={{ ansible_user }}&password={{ ansible_password }}'
        return_content: yes
        method: GET
      register: response_api_key

    - name: Read XML response
      xml:
        content: 'text'
        xmlstring: '{{ response_api_key.content }}'
        xpath: '/response/result/key'
      register: api_key

    - name: Push PA config
      panos_security_rule:
        ip_address: "{{ ansible_host }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
        rule_name: 'Ansible Test Rule'
        source_zone: ['srczone']
        source_ip: ['any']
        destination_zone: ['dstzone']
        destination_ip: ['1.1.1.1']
        application: ['any']
        log_end: true
        log_setting: ['syslog profile']
        group_profile: ['Sec_Profile_Grp']
        action: 'allow'

    - name: Commit
      panos_commit:
        ip_address: "{{ ansible_host }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
Any help? Thanks.
07-10-2023 11:26 PM
Hi @kenchung, have a look at the reference documentation:
"log_setting" is a string, but you put it in brackets, which converts it to a list:
log_setting: ['syslog profile'].
You want: log_setting: 'syslog profile'
Same for group profile.
Unsure about the HIP profile. There is a note in the documentation saying not to use it. Maybe if you set gather facts to yes then version will correct that?
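The change suggested in the reply above, written out as an added example (not code from either poster or from the panos collection's documentation): the two single-valued options are passed as plain strings, and an assert task stops the play early if either is given as a list. The variable names rule_log_setting and rule_group_profile are hypothetical, and ansible_user / ansible_password are assumed to come from inventory or a vault rather than from the playbook.

```yaml
---
- name: PA configs (string-valued log_setting and group_profile)
  hosts: "{{ device_name }}"
  connection: local
  gather_facts: no
  collections:
    - paloaltonetworks.panos
  vars:
    # Connection details are passed once through the provider dictionary.
    # ansible_user and ansible_password are assumed to be supplied by
    # inventory or a vault, not written into the playbook.
    provider:
      ip_address: "{{ ansible_host }}"
      username: "{{ ansible_user }}"
      password: "{{ ansible_password }}"
    # Hypothetical variable names for the two single-valued options.
    rule_log_setting: 'syslog profile'
    rule_group_profile: 'Sec_Profile_Grp'
  tasks:
    - name: Fail early if a single-valued option was given as a list
      ansible.builtin.assert:
        that:
          - rule_log_setting is string
          - rule_group_profile is string
        fail_msg: "log_setting and group_profile must be plain strings, not lists"

    - name: Push PA config
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: 'Ansible Test Rule'
        # Zone, address and application options stay lists.
        source_zone: ['srczone']
        source_ip: ['any']
        destination_zone: ['dstzone']
        destination_ip: ['1.1.1.1']
        application: ['any']
        log_end: true
        # Strings, not one-element lists.
        log_setting: "{{ rule_log_setting }}"
        group_profile: "{{ rule_group_profile }}"
        action: 'allow'
```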