Security rule automation via "panos_security_rule" returned error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security rule automation via "panos_security_rule" returned error

L0 Member

I am new to Ansible and trying to set up automation for PA security rule via Ansible for customer. We have installed the panos module from Ansible galaxy and the required python libraries like pan-os-python. However, we encountered two issues when we tried to use the panos_security_rule module in our playbook.
1. If we include the log_setting parameter, the playbook will return error stating "unsupported parameter: log_setting", but from documentation it should not be the case.
2. if we exclude the log_setting parameter, the playbook will return error stating "hip-profiles unexpected here", but we don't use any hip profile in our case.

 

Error message screenshot attached. My playbook is something like below.

---
- name: PA configs
hosts: "{{ device_name }}"
connection: local
collections:
- paloaltonetworks.panos
gather_facts: no

vars:
date: "{{lookup('pipe','date \"+%Y-%m-%d\"')}}"
ansible_user: "ansible"
ansible_password: "password"
provider:
ip_address: "{{ansible_host}}"
username: "{{ansible_user}}"
password: "{{ansible_password}}"

tasks:

- name: Get REST API Key
uri:
validate_certs: no
url: 'https://{{ ansible_host }}/api/?type=keygen&user={{ ansible_user }}&password={{ ansible_password }}'
return_content: yes
method: GET
register: response_api_key

- name: Read XML response
xml:
content: 'text'
xmlstring: '{{ response_api_key.content }}'
xpath: '/response/result/key'
register: api_key

 - name: Push PA config
panos_security_rule:
ip_address: "{{ansible_host}}"
username: "{{ansible_user}}"
password: "{{ansible_password}}"
rule_name: 'Ansible Test Rule'
source_zone: ['srczone']
source_ip: ['any']
destination_zone: ['dstzone']
destination_ip: ['1.1.1.1']
application: ['any']
log_end: true

log_setting: ['syslog profile']
group_profile: ['Sec_Profile_Grp']
action: 'allow'

- name: Commit
panos_commit:
ip_address: "{{ ansible_host}}"
username: "{{ ansible_host }}"
password: "{{ ansible_password }}"

 

Any help? Thanks.

1 REPLY 1

L2 Linker

hi @kenchung  have a look at the reference documentation:

 

 

"log_setting" is a string but you put it in brackets which converts it to a list:

log_setting: ['syslog profile']. 

 

you want: log_setting: 'syslog profile' 

 

Same for group profile.

 

Unsure about the hip profile. There is a note in the documention saying not to use it. Maybe if you set gather facts to yes then version will correct that?

  • 1762 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!