About JimmyHolland

Hi @JideAj, that might be one to ask in the XSOAR forum? ... View more

Hi @scoobyboy, I started with your tasks and tried to replicate the error, and I could not. There are a few things that I had to tweak along the way to get the playbook working, and hopefully the notes below could help you though? the delegate_to :  Global  line isn't needed in the address group creation task the group_profile: ['Global-Block-Url'] and log_setting: ['NA_Log_Forward'] lines need just strings instead of arrays of strings, like this: group_profile : 'Global-Block-Url' and  log_setting : 'NA_Log_Forward' the device_group: "Azure_Perimeter_Prod" line is placing the rule inside the context of a Device Group, implying targeting a Panorama, I didn't use this line as the previous tasks had no Device Group context so I targeted a NGFW. If you still need help, maybe you could clarify the target and whether the objects are intended to be shared or not, in Device Groups or not, etc Here's my working playbook targeting a PA-Series NGFW   - name : Read CSV file read_csv : path : test.csv key : hostname register : srcr1hosts - name : Create address objects panos_address_object : provider : "{{ palo_provider }}" state : present name : '{{ item.value.hostname }}' value : '{{ item.value.ip}}' with_items : "{{ srcr1hosts.dict | dict2items }}" - set_fact : hosts_in_group : "{{ srcr1hosts.dict | dict2items | map(attribute='key') | list }}" - name : Add address objects to address group panos_address_group : provider : "{{ palo_provider }}" name : test_group state : present static_value : "{{ hosts_in_group }}" #delegate_to : Global - name : Add a rule panos_security_rule : provider : "{{ palo_provider }}" #device_group : "Azure_Perimeter_Prod" state : 'present' rule_name : 'Test rule' source_zone : [ 'lab_trust' ] destination_zone : [ 'lab_untrust' ] source_ip : [ 'test_group' ] source_user : [ 'any' ] destination_ip : [ 'any' ] application : [ 'ssl' ] group_profile : 'default' log_setting : 'test' location : before existing_rule : 'test' action : 'allow'     Hope this helps! ... View more

Hi @RyanBess, thanks for the reply. The PAN-OS GUI does a few steps in the background to achieve Global Find functionality, and these steps could be replicated in Ansible if that's your organisation's chosen tool. Whilst I have not tried to create this myself, I could foresee that a combination of rule facts and object facts could be used, with parsing in between, to take a given IP and search for its use in objects and rules. This would require some logic code inside the Ansible playbook, our the logic lives outside of multiple Ansible playbooks if your organisation has other tools/programming in-place which could do the logic via smaller single-purpose playbooks.   Unfortunately I have no experience of the SOAR product. ... View more

This is quite a subjective topic. My personal opinion, is that to automate (using tools like Ansible) one needs a consistent and reliable source of truth for the data required to describe your configuration. With a good data source and data model, tools like Ansible can read the data and make the changes, hopefully only making the changes of the 'diff', and making them idempotently. This means the target is to have your address objects, groups etc defined somewhere in a data source, such that Ansible can convert these into PAN-OS objects. The same with rules. Ansible pushes all the relevant config into Device Groups and Templates, to be consumed by your PAN-OS NGFWs. The steps required to retrofit into a non-greenfield scenario are not trivial though, so tread carefully. That's just summary level detail of course, this is a much bigger topic. Folks like NetworkToCode have some great longer-form content, and there is plenty of other content around the Internet on configuration-as-code, policy-as-code, etc. ... View more

Hi @riahc3, the direct NFGW API command for this would be:    https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/shared/ssl-tls-service-profile&element=<entry name="{{profile-name}}"><protocol-settings><min-version>tls1-2</min-version><max-version>max</max-version></protocol-settings><certificate>{{cert-name}}</certificate></entry>   ... View more

Hi @morahman,  I can confirm I can see the same behaviour. I have raised a ticket with engineering to investigate further. Thanks for bringing this to our attention! ... View more