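@GFRDA thanks a lot. I cribbed this to edit a rule (removing an object from destination field) and its works a charm! For anyone else here is my playbook:
---
# Removes one address object (rmadr) from the destination of a single
# Panorama security rule (myrule): read the rule, write it back without the
# object, then read it again so the difference is visible in the output.
- name: Network Playbook
  hosts: panorama
  connection: local
  gather_facts: false
  vars:
    rmadr: 'simon-test-address2'
    myrule: 'REQ0001-RITM00009'
  roles:
    # NOTE(review): every task below calls the paloaltonetworks.panos
    # collection by its full name, so this role may no longer be needed -
    # confirm before removing it.
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Get auth creds
      include_vars: 'vars.yml'
      # With -v the result of include_vars is printed as ansible_facts, which
      # would put the loaded credentials on the terminal and in any captured
      # log. Keep vars.yml out of version control or encrypt it with
      # ansible-vault.
      no_log: true

    # The run output on this page shows this module is deprecated in favour of
    # panos_security_rule with state=gathered (and names instead of
    # rule_name). It is kept here because the loop below depends on the
    # rule_details structure this module returns.
    - name: "Get the definition for rule '{{ myrule }}'"
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: '{{ lab_provider }}'
        device_group: 'LAB-VM-virtual-FW-DG'
        # No quote filter: that filter is for shell arguments and would add
        # literal quotes to a rule name containing spaces or specials.
        rule_name: '{{ myrule }}'
      register: result

    - debug:
        msg: '{{ result }}'

    # The rule is rewritten from the fields listed here only. Anything not
    # listed (source_user, security profiles, log_setting, negate_*, target,
    # ...) is not carried over; in the sample run those are null/any, but for
    # other rules compare the module's before/after output to make sure
    # nothing was reset - presumably they fall back to module defaults.
    - name: "edit destination for rule '{{ myrule }}'"
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ lab_provider }}'
        device_group: 'LAB-VM-virtual-FW-DG'
        rule_name: '{{ item.rule_name }}'
        action: '{{ item.action }}'
        source_zone: '{{ item.source_zone | default(omit, true) }}'
        # "destintaion_zone" is the (misspelled) key the facts module returns.
        destination_zone: '{{ item.destintaion_zone | default(omit, true) }}'
        # Hard-coded, so these override whatever the rule had before.
        log_start: false
        log_end: true
        application: '{{ item.application | default(omit, true) }}'
        category: '{{ item.category | default(omit, true) }}'
        description: '{{ item.description | default(omit, true) }}'
        destination_ip: '{{ item.destination_ip | difference([rmadr]) }}'
        disabled: '{{ item.disabled }}'
        source_ip: '{{ item.source_ip | default(omit, true) }}'
        service: '{{ item.service | default(omit, true) }}'
        # The facts output names this key tag_name; item.tag is never defined,
        # so the original expression always omitted the rule's tags.
        tag_name: '{{ item.tag_name | default(omit, true) }}'
        # Candidate configuration only: nothing reaches the firewalls until a
        # separate commit and push.
        commit: false
      loop: '{{ result.rule_details }}'
      loop_control:
        label: '{{ item.rule_name }}'
      # Skip the edit when rmadr is the only destination. An empty list could
      # be rejected or could widen the rule to the module default - confirm
      # how the module treats it before relaxing this guard.
      when: item.destination_ip | difference([rmadr]) | length > 0

    - name: "Get the new definition for rule '{{ myrule }}'"
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: '{{ lab_provider }}'
        device_group: 'LAB-VM-virtual-FW-DG'
        rule_name: '{{ myrule }}'
      register: new_result

    - debug:
        msg: '{{ new_result }}'

Note that "destintaion_zone" is a typo in the tool. And the output when run - I get the rule twice so you can see the difference:
(python3_9) [admin@host]$ ansible-playbook -i inventory -v remove_address_object_from_source.yml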
No config file found; using defaults
PLAY [Network Playbook] *************************************************************************************************************************************************************
TASK [Get auth creds] ***************************************************************************************************************************************************************
ok: [panorama] => {"ansible_facts": {}
TASK [Get the definition for rule 'REQ0001-RITM00009'] ******************************************************************************************************************************
[DEPRECATION WARNING]: Deprecated; use panos_security_rule with state=gathered instead. This feature will be removed from paloaltonetworks.panos in version 3.0.0. Deprecation
warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Please use the names parameter instead of rule_name. This feature will be removed from paloaltonetworks.panos in version 3.0.0. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [panorama] => {"changed": false, "rule_details": [{"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}]}
TASK [debug] ************************************************************************************************************************************************************************
ok: [panorama] => {
"msg": {
"changed": false,
"deprecations": [
{
"collection_name": "paloaltonetworks.panos",
"msg": "Deprecated; use panos_security_rule with state=gathered instead",
"version": "3.0.0"
},
{
"collection_name": "paloaltonetworks.panos",
"msg": "Please use the names parameter instead of rule_name.",
"version": "3.0.0"
}
],
"failed": false,
"rule_details": [
{
"action": "allow",
"antivirus": null,
"application": [
"any"
],
"category": [
"any"
],
"data_filtering": null,
"description": "REQ0001",
"destination_devices": [
"any"
],
"destination_ip": [
"H-192.168.52.1-32",
"simon-test-address2"
],
"destintaion_zone": [
"pubinternet"
],
"disable_server_response_inspection": false,
"disabled": true,
"file_blocking": null,
"group_profile": null,
"group_tag": null,
"hip_profiles": null,
"icmp_unreachable": null,
"log_end": true,
"log_setting": null,
"log_start": false,
"negate_destination": false,
"negate_source": false,
"negate_target": null,
"rule_name": "REQ0001-RITM00009",
"rule_type": "universal",
"schedule": null,
"service": [
"tcp_443"
],
"source_devices": [
"any"
],
"source_ip": [
"H-8.8.8.8-32"
],
"source_user": [
"any"
],
"source_zone": [
"UNDEFINED"
],
"spyware": null,
"tag_name": null,
"target": null,
"url_filtering": null,
"uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77",
"vulnerability": null,
"wildfire_analysis": null
}
]
}
}
TASK [edit destination for rule 'REQ0001-RITM00009'] ********************************************************************************************************************************
changed: [panorama] => (item=REQ0001-RITM00009) => {"after": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32"], "destination_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}, "ansible_loop_var": "item", "before": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destination_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": 
null}, "changed": true, "item": {"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32", "simon-test-address2"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}}
TASK [Get the new definition for rule 'REQ0001-RITM00009'] **************************************************************************************************************************
ok: [panorama] => {"changed": false, "rule_details": [{"action": "allow", "antivirus": null, "application": ["any"], "category": ["any"], "data_filtering": null, "description": "REQ0001", "destination_devices": ["any"], "destination_ip": ["H-192.168.52.1-32"], "destintaion_zone": ["pubinternet"], "disable_server_response_inspection": false, "disabled": true, "file_blocking": null, "group_profile": null, "group_tag": null, "hip_profiles": null, "icmp_unreachable": null, "log_end": true, "log_setting": null, "log_start": false, "negate_destination": false, "negate_source": false, "negate_target": null, "rule_name": "REQ0001-RITM00009", "rule_type": "universal", "schedule": null, "service": ["tcp_443"], "source_devices": ["any"], "source_ip": ["H-8.8.8.8-32"], "source_user": ["any"], "source_zone": ["UNDEFINED"], "spyware": null, "tag_name": null, "target": null, "url_filtering": null, "uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77", "vulnerability": null, "wildfire_analysis": null}]}
TASK [debug] ************************************************************************************************************************************************************************
ok: [panorama] => {
"msg": {
"changed": false,
"deprecations": [
{
"collection_name": "paloaltonetworks.panos",
"msg": "Deprecated; use panos_security_rule with state=gathered instead",
"version": "3.0.0"
},
{
"collection_name": "paloaltonetworks.panos",
"msg": "Please use the names parameter instead of rule_name.",
"version": "3.0.0"
}
],
"failed": false,
"rule_details": [
{
"action": "allow",
"antivirus": null,
"application": [
"any"
],
"category": [
"any"
],
"data_filtering": null,
"description": "REQ0001",
"destination_devices": [
"any"
],
"destination_ip": [
"H-192.168.52.1-32"
],
"destintaion_zone": [
"pubinternet"
],
"disable_server_response_inspection": false,
"disabled": true,
"file_blocking": null,
"group_profile": null,
"group_tag": null,
"hip_profiles": null,
"icmp_unreachable": null,
"log_end": true,
"log_setting": null,
"log_start": false,
"negate_destination": false,
"negate_source": false,
"negate_target": null,
"rule_name": "REQ0001-RITM00009",
"rule_type": "universal",
"schedule": null,
"service": [
"tcp_443"
],
"source_devices": [
"any"
],
"source_ip": [
"H-8.8.8.8-32"
],
"source_user": [
"any"
],
"source_zone": [
"UNDEFINED"
],
"spyware": null,
"tag_name": null,
"target": null,
"url_filtering": null,
"uuid": "0a966a5b-66ff-451e-8f74-e1f6f9547c77",
"vulnerability": null,
"wildfire_analysis": null
}
]
}
}
PLAY RECAP **************************************************************************************************************************************************************************
panorama : ok=6 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
(python3_9) [admin@host]$