Ansible modules for Palo Alto Networks NGFWs
License: Other
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
As the ansible raw module is not working fine on PANOS. It would be nice to create a module that is able to
run arbitrary commands on a panos device like the junos_command module or eos_command
Requirements.txt is currently out of date; installing the versions of ansible (and other libraries) in it causes ansible-pan to not work properly.
Need module that can support userid for Ignite.
Hi,
Would be nice to see enhancement with creating admin not with just local password, but with auth_profile (maybe also module for creating/checking auth_profile and its relations)
would like to have this module enhanced a bit to add a “wait_for” option, so the module doesn’t exit until the condition is satisfied in the wait_for.
Eg. Cmd: run request system software download version 8.0.5, run show jobs id xxx, wait_for: result[1] contains FIN
Hi folks,
would it be possible to add a feature to negate source / destination?
Many thanks in advance!
P.s. thanks for the great job you've done!
I'm getting a timeout on the panos_import command.
I see a reference to xapi.keygen() in the traceback... Showing my playbook and the traceback below.
Thanks for any tips,
Chris.
---
- name: Initialize the Palo Alto Networks firewall
hosts: localhost
connection: local
gather_facts: False
roles:
- role: PaloAltoNetworks.paloaltonetworks
vars:
config_file: "/opt/ansible/files/pan/PA-test-Preliminary.xml"
ip_address: 10.255.5.45
username: "admin"
password: "wackydoo"
tasks:
- name: set admin password
panos_admpwd:
ip_address: "{{ ip_address }}"
key_filename: "/home/me/.ssh/my.pem"
username: "{{ username }}"
newpassword: "{{ password }}"
- name: import configuration xml file into PAN-OS
panos_import:
ip_address: "{{ ip_address }}"
username: "{{ username }}"
password: "{{ password }}"
file: "{{ config_file }}"
category: "configuration"
register: result
- name: load configuration
panos_loadcfg:
ip_address: "{{ ip_address }}"
password: "{{ password }}"
file: "{{result.filename}}"
The error with -vvv on the command line:
The full traceback is:
File "/tmp/ansible_aAF16c/ansible_module_panos_import.py", line 179, in main
changed, filename = import_file(xapi, module, ip_address, file_, category)
File "/tmp/ansible_aAF16c/ansible_module_panos_import.py", line 98, in import_file
xapi.keygen()
File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 637, in keygen
raise PanXapiError(self.status_detail)
fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"category": "configuration",
"file": "/opt/ansible/files/pan/PA-test-Preliminary.xml",
"ip_address": "10.255.5.45",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"url": null,
"username": "admin"
}
},
"msg": "URLError: reason: [Errno 110] Connection timed out"
}
I'm trying to seach for an IP address with panos_object
I'm using Role and ansible 2.4.3 with python 3.6.4, PA 8.0.8.
Tested with ansible 2.5.0rc1 without role - same
when I run that I get: "msg": "No object type defined!" with failed.
Looks like something missing in the module, can't find referrence to value of the objectadress which should be IP.
failed: [192.168.77.250 -> localhost] (item={u'primary': u'3.3.3.3', u'secondary': u'4.4.4.4'}) => {
"changed": false,
"failed": true,
"invocation": {
"module_args": {
"commit": "False",
"ip_address": "192.168.77.250",
"ntp_server_primary": "3.3.3.3",
"ntp_server_secondary": "4.4.4.4",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
}
},
"item": {
"primary": "3.3.3.3",
"secondary": "4.4.4.4"
},
"msg": "Unsupported parameters for (panos_mgtconfig) module: ntp_server_primary,ntp_server_secondary Supported parameters include: commit,dns_server_primary,dns_server_secondary,ip_address,panorama_primary,panorama_secondary,password,username"
}
Hi there
i'm trying the ansible playbook aws/provision_fw_w_srule.yml
at first i missed that i should set "aws configure" and fill in my account. now that that is done, from within python i can list my s3 buckets, so the account is working.
now when i run the playbook i get the following output error:
The full traceback is:
Traceback (most recent call last):
File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 604, in
main()
File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 540, in main
stack_info = get_stack_facts(cfn, stack_params['StackName'])
File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 443, in get_stack_facts
stack_response = cfn.describe_stacks(StackName=stack_name)
File "/tmp/ansible_lAMqTZ/ansible_modlib.zip/ansible/module_utils/cloud.py", line 153, in retry_func
botocore.exceptions.NoCredentialsError: Unable to locate credentials
fatal: [localhost]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 604, in \n main()\n File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 540, in main\n stack_info = get_stack_facts(cfn, stack_params['StackName'])\n File "/tmp/ansible_lAMqTZ/ansible_module_cloudformation.py", line 443, in get_stack_facts\n stack_response = cfn.describe_stacks(StackName=stack_name)\n File "/tmp/ansible_lAMqTZ/ansible_modlib.zip/ansible/module_utils/cloud.py", line 153, in retry_func\nbotocore.exceptions.NoCredentialsError: Unable to locate credentials\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 0
}
it seems not able to find my credentials, but how to solve this? (Unable to locate credentials)
when running aws configure list, my account just shows up
any idea?
Hello,
I believe that all of the tasks are not idempotent, which relies each task to be supplied with an 'operation' task.
If you need to delete, the defacto approach is 'absent: True/False' vs 'operation: delete'.
If you need to update, remove 'absent' and let it adjust as expected.
If you're being super cautious with what the user changes on PANOS, perhaps add new task for commit.
Cheers
I need to create a security rule in a specific vsys but that feature doesn't seem to exist in the panos_security_rule module. It will only create the rule in the default vsys 1.
In panos_match_rule you can specify the vsys but you can't specify it in any modules that create anything.
Have tried a few variations including an example from the ansiblie-playbooks repo. Keep getting the following error:
fatal: [fw-a]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/rulebase/nat/rules\n"}
when using any task with panos_nat_rule.
Example:
- name: NAT rule for Web SSH
panos_nat_rule:
ip_address: "{{ inventory_hostname }}"
username: "{{ un }}"
password: "{{pwd}}"
operation: 'add'
rule_name: "WebSSH"
source_zone: ["external"]
destination_zone: "external"
source_ip: ["any"]
destination_ip: ["10.0.0.100"]
service: "service-tcp-221"
snat_type: "dynamic-ip-and-port"
snat_interface: "ethernet1/2"
dnat_address: "10.0.1.101"
dnat_port: "22"
commit: "False"
tags: nat3
Running 7.0.1 PAN-VM and Ansible stable-2.4.
Any help would be appreciated.
This is an enhancement request for a module to support an SSL certificate workflow. The requirements would be:
While the existing self-signed cert module can do most of #1, it is missing many certificate options and requires ssh keys. It would be ideal for this module to utilize HTTPS API calls instead of ssh.
thanks!
To create generic NAT rule
To use lists instead of single elements as parameters
Documentation in panos_nat_rule.py states Supported values are I(translated-address)/I(translated-address)
I believe that the values should be translated-address / interface-address
I received the error below when attempting to add an address object with a tag. Running ansible version 2.4.2.0
Using module file /Library/Python/2.7/site-packages/ansible/modules/network/panos/panos_object.py
failed: [pa3020-001] (item=1.1.1.1) => {
"changed": false,
"invocation": {
"module_args": {
"address": "1.1.1.1/32",
"addressobject": "test-1.1.1.1",
"ip_address": "pa3020-001,
"operation": "add",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"tag_name": "test"
}
},
"item": "1.1.1.1",
"msg": "parameters are mutually exclusive: ['addressobject', 'addressgroup', 'serviceobject', 'servicegroup', 'tag_name']"
}
Can we use ansible to manage address groups?
When I try to use the panos_dag_tags task to create ip -> tag mapping, I get an unexpected error. Here's my yaml snip:
- name: update tag panos_dag_tags: ip_address: "{{ inventory_hostname }}" username: "{{ pan_user }}" password: "{{ pan_pass }}" tag_names: "{{ new_address_tag }}" ip_to_register: "{{ new_address_cidr }}" operation: "add" tags: "{{ new_address_tag }}"
And here's the python error from -vvv:
`TASK [update tag] ************************************************************************************************************************************************************************************
task path: /home/scott/Scripts/Playbooks/paloalto/tag_address.yml:47
The full traceback is:
Traceback (most recent call last):
File "/home/scott/.local/lib/python3.5/site-packages/ansible/executor/task_executor.py", line 125, in run
res = self._execute()
File "/home/scott/.local/lib/python3.5/site-packages/ansible/executor/task_executor.py", line 522, in _execute
result = self._handler.run(task_vars=variables)
File "/home/scott/.local/lib/python3.5/site-packages/ansible/plugins/action/normal.py", line 45, in run
results = merge_hash(results, self._execute_module(tmp=tmp, task_vars=task_vars, wrap_async=wrap_async))
File "/home/scott/.local/lib/python3.5/site-packages/ansible/plugins/action/init.py", line 632, in _execute_module
(module_style, shebang, module_data, module_path) = self._configure_module(module_name=module_name, module_args=module_args, task_vars=task_vars)
File "/home/scott/.local/lib/python3.5/site-packages/ansible/plugins/action/init.py", line 157, in _configure_module
task_vars=task_vars, module_compression=self._play_context.module_compression)
File "/home/scott/.local/lib/python3.5/site-packages/ansible/executor/module_common.py", line 796, in modify_module
(b_module_data, module_style, shebang) = _find_module_utils(module_name, b_module_data, module_path, module_args, task_vars, module_compression)
File "/home/scott/.local/lib/python3.5/site-packages/ansible/executor/module_common.py", line 678, in _find_module_utils
recursive_finder(module_name, b_module_data, py_module_names, py_module_cache, zf)
File "/home/scott/.local/lib/python3.5/site-packages/ansible/executor/module_common.py", line 462, in recursive_finder
tree = ast.parse(data)
File "/usr/lib/python3.5/ast.py", line 35, in parse
return compile(source, filename, mode, PyCF_ONLY_AST)
File "", line 89
except Exception, e:
^
SyntaxError: invalid syntax
fatal: [10.7.2.7]: FAILED! => {
"failed": true,
"msg": "Unexpected failure during module execution.",
"stdout": ""
}
to retry, use: --limit @/home/scott/Scripts/Playbooks/paloalto/tag_address.retry
PLAY RECAP *******************************************************************************************************************************************************************************************10.7.2.7 : ok=5 changed=0 unreachable=0 failed=1
`
Right now in Panorama, we are unable to create a security policy in the post rule only in pre rule
I wanted to try some modules to check the config on palo alto firewalls, before trying the action modules like panos_lic. There are only two such modules that I see on http://panwansible.readthedocs.io/en/latest/modules.html
panos_check
panos_query_rules
I don't see panos_query_rules on,
https://github.com/ansible/ansible/tree/devel/lib/ansible/modules/network/panos
Could you please tell me where can I avail that?
Thanks.
ansible --version
ansible 2.5.1
config file = /path/to/config/ansible.cfg
configured module search path = [u'/path/to/lib/library']
ansible python module location = /path/to/virtualenv/python2.7/site-packages/ansible
executable location = /path/to/virtualenv/bin/ansible
python version = 2.7.14 (default, Oct 2 2017, 12:37:40) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
Running Ansible on Mac OS X 10.13.3
Using the panos_op module to query for info on an interface with a / in its name results in an "UnboundLocalError"
Command I am trying to execute:
show interface ethernet1/12
output from ansible-playbook command:
ansible-playbook -i inventory/inventory.ini -l pan_host playbooks/pan/show_pan_interfaces.yml --ask-vault-pass -e "interface=ethernet1/12"
PLAY [show pan interfaces] *************************************************************************************************************************************************************************************************************************************************************************************************************************************************
TASK [show_pan_interfaces : debug] *****************************************************************************************************************************************************************************************************************************************************************************************************************************************
ok: [my_firewall_host_name] => {
"interface": "ethernet1/12"
}
TASK [show_pan_interfaces : get interface info] ****************************************************************************************************************************************************************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnboundLocalError: local variable 'xml_output' referenced before assignment
fatal: [pd-net-panfw-01.explorys.net]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/var/folders/zl/7hnwrqyj649cgqxw528fl_mh0000gn/T/ansible_c_TN29/ansible_module_panos_op.py\", line 160, in <module>\n main()\n File \"/var/folders/zl/7hnwrqyj649cgqxw528fl_mh0000gn/T/ansible_c_TN29/ansible_module_panos_op.py\", line 153, in main\n obj_dict = xmltodict.parse(xml_output)\nUnboundLocalError: local variable 'xml_output' referenced before assignment\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
From that error, it's pretty obvious that the issue is that the variable xml_output is not being assigned a value. So I debugged the module code manually and found where the problem is:
lines 133 to 140 of panos_op.py:
try:
xml_output = device.op(cmd, xml=True)
changed = True
except PanXapiError:
exc = get_exception()
if 'non NULL value' in exc.message:
# rewrap and call again
if the first device.op call fails, it checks the exception message for the string 'non NULL value'. If the response then does not contain that string, xml_output is never assigned a value, resulting in an "UnboundLocalError" failure.
When executing this module with the cmd show interface ethernet1/12, the response returned by xml_output = device.op(cmd, xml=True) is a 400 reason: bad request, and as such, it never assigns a value to xml_output. If I allow the module to continue past that exception by modifying the conditional to read:
if 'non NULL value' or '400 reason: bad request' in exc.message:,
it executes successfully. And if I manually execute the code in cmd_array/cmd2 creation, it executes successfully as well.
Here is the debugging I've done so far, running through panos_op.py:
>>> import pan.xapi
>>> from pan.xapi import PanXapiError
>>> import pandevice
>>> from pandevice import base
>>> from pandevice import firewall
>>> from pandevice import panorama
>>> import xmltodict
>>> import json
>>> ip_address = "[redacted]"
>>> username = "[redacted]"
>>> password = "[redacted]"
>>> cmd = "show interface ethernet1/12"
>>> device = base.PanDevice.create_from_device(ip_address, username, password)
>>> xml_output = device.op(cmd, xml=True)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/path/to/virtualenv/lib/python2.7/site-packages/pandevice/firewall.py", line 180, in op
return super(Firewall, self).op(cmd, vsys, xml, cmd_xml, extra_qs, retry_on_peer)
File "/path/to/virtualenv/lib/python2.7/site-packages/pandevice/base.py", line 3296, in op
element = self.xapi.op(cmd, vsys, cmd_xml, extra_qs, retry_on_peer=retry_on_peer)
File "/path/to/virtualenv/lib/python2.7/site-packages/pandevice/base.py", line 3173, in method
raise the_exception
pandevice.errors.PanURLError: URLError: code: 400 reason: Bad Request
>>> cmd_array = cmd.split()
>>> cmd_array_len = len(cmd_array)
>>> cmd_array[cmd_array_len - 1] = '\"' + cmd_array[cmd_array_len - 1] + '\"'
>>> cmd2 = ' '.join(cmd_array)
>>> xml_output = device.op(cmd2, xml=True)
>>> obj_dict = xmltodict.parse(xml_output)
>>> json_output = json.dumps(obj_dict)
>>> print(json_output)
{"response": {"@status": "success", "result": ...
This is where I start to get lost. Presumably, the format of cmd being passed to return super(Firewall, self).op(cmd, vsys, xml, cmd_xml, extra_qs, retry_on_peer) in firewall.py is being parsed in such a way that the remote device is interpreting it as a bad request, but I'm not entirely sure how to continue debugging this issue. And I do not think it prudent to allow the module to continue execution if the response from the remote device is a "400 reason: bad request".
Any help would be appreciated.
Hi,
Would like to see if we could automate PAN-OS upgrades and downgrades. Thanks!
- name: Add an address object to PA
panos_object:
ip_address: '{{ ansible_ssh_host }}'
username: '{{ ansible_ssh_user }}'
password: '{{ ansible_ssh_pass }}'
addressobject: "test1"
address: "192.168.1.0/24"
address_type: 'ip-netmask'
operation: 'add'
- name: Add an Another address object to PA
panos_object:
ip_address: '{{ ansible_ssh_host }}'
username: '{{ ansible_ssh_user }}'
password: '{{ ansible_ssh_pass }}'
addressobject: "**test2**"
address: "192.168.2.0/24"
address_type: 'ip-netmask'
operation: 'add'
- name: Add an Object to Object group to the PA
panos_object:
ip_address: '{{ ansible_ssh_host }}'
username: '{{ ansible_ssh_user }}'
password: '{{ ansible_ssh_pass }}'
addressgroup: "GROUP-Test123"
static_value: [ test1, test2 ]
operation: 'add'
- name: Remove an address object to PA
panos_object:
ip_address: '{{ ansible_ssh_host }}'
username: '{{ ansible_ssh_user }}'
password: '{{ ansible_ssh_pass }}'
addressobject: "**test1**"
address: "192.168.1.0/24"
address_type: 'ip-netmask'
operation: 'delete'
Error Appear
TASK [Remove an address object to PA] **********************************************************************************************************************************
failed: [pafw] =>----
"msg": "test1 cannot be deleted because of references from:\nstatic address-group -> GROUP-Test123 -> static"
Hi,
I was trying to attach an already existing antivirus profile to a security policy by using "panos_security_rule" module's "antivirus" parameter as given at PaloAlto Ansible Doc
The profile-name of antivirus i.e. (default) is getting passed when ansible-playbook is executed (as seen in ansible verbose mode ), but its not getting set to the Palo Alto Dashboard.
Below is the output in verbose mode, after execution of playbook :-
"changed": true,
"invocation": {
"module_args": {
"action": "allow",
"antivirus": "default",
"api_key": null,
"application": [
"any"
],
"category": [
"any"
],
"commit": true,
"data_filtering": null,
"description": "Description",
"destination_ip": [
"4.2.2.1/32"
],
"destination_zone": [
"External"
],
"devicegroup": null,
"file_blocking": null,
"group_profile": null,
"hip_profiles": [
"any"
],
"ip_address": "10.100.100.100",
"log_end": true,
"log_start": false,
"operation": "add",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"rule_name": "Access-List-1",
"rule_type": "universal",
"service": [
"service-https"
],
"source_ip": [
"10.10.10.1/32"
],
"source_user": [
"any"
],
"source_zone": [
"Internal"
],
"spyware": null,
"tag_name": null,
"url_filtering": null,
"username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"vulnerability": null,
"wildfire_analysis": null
}
},
"msg": "Rule 'Access-List-1' successfully added"
}
But its not coming at Dashboard as shown below:
Below is the existing default antivirus profile:
Can you please check the issue....
Thanks,
Tushar
This would be great for automating provisioning of vm series firewalls which have dynamic serial numbers.
Thanks for the great work!
I keep getting "SSL: CERTIFICATE_VERIFY_FAILED" when running panos_interface. Is there a way to disable certificate validation?
Thanks,
Steven.
TASK [configure ethernet1/1 for DHCP] ************************************************************************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: pan.xapi.PanXapiError: URLError: reason: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
fatal: [smc_pan_demo1_rtr]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File "/tmp/ansible_HsidFQ/ansible_module_panos_interface.py", line 184, in \n main()\n File "/tmp/ansible_HsidFQ/ansible_module_panos_interface.py", line 167, in main\n ifexists = if_exists(xapi, if_name)\n File "/tmp/ansible_HsidFQ/ansible_module_panos_interface.py", line 133, in if_exists\n xapi.get(xpath=xpath)\n File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 727, in get\n self.__type_config('get', query, extra_qs)\n File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 789, in __type_config\n self.__set_api_key()\n File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 583, in __set_api_key\n self.keygen()\n File "/usr/lib/python2.7/site-packages/pan/xapi.py", line 637, in keygen\n raise PanXapiError(self.status_detail)\npan.xapi.PanXapiError: URLError: reason: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}
I have successfully created a security policy on my PAN instance, however the rule is populated at the bottom of the security policies which in some instances is undesirable. A alternate approach would be to identify either specific rule number, or name of rule above/below new rule.
I'm digging into the pandevice code a bit, so I'm not 100% sure if it is a constraint of pandevice, or there is the opportunity to add additional parameters to panos_security_policy.
Would be nice to have native panorama support. i.e. adding a rule to a particular device group or performing the different panorama commit types. I will probably implement these two features soon.
failed: [10.x.x.x -> localhost] (item={u'name': u'test4', u'device_group': u'Shared'}) => {
"changed": false,
"failed": true,
"invocation": {
"module_args": {
"address": null,
"address_type": "ip-netmask",
"addressgroup": null,
"addressobject": null,
"api_key": null,
"color": null,
"description": null,
"destination_port": null,
"devicegroup": "Shared",
"dynamic_value": null,
"ip_address": "10.x.x.x",
"operation": "add",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"servicegroup": null,
"serviceobject": null,
"services": null,
"source_port": null,
"static_value": null,
"tag_name": "test4",
"username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
}
},
"item": {
"device_group": "Shared",
"name": "test4"
},
"msg": "'Shared' device group not found in Panorama. Is the name correct?"
}
the module works as expected when running "show" commands, but when running "set" commands it throws an error like below:
The full traceback is:
Traceback (most recent call last):
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3085, in method
super_method(self, *args, **kwargs)
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pan/xapi.py", line 951, in op
self.__type_op(cmd, vsys, extra_qs)
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pan/xapi.py", line 974, in __type_op
raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: set -> deviceconfig is unexpected
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2_/ansible_module_panos_op.py", line 128, in main
xml_output = device.op(cmd, xml=True)
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/firewall.py", line 179, in op
return super(Firewall, self).op(cmd, vsys, xml, cmd_xml, extra_qs, retry_on_peer)
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3223, in op
element = self.xapi.op(cmd, vsys, cmd_xml, extra_qs, retry_on_peer=retry_on_peer)
File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3102, in method
raise the_exception
pandevice.errors.PanDeviceXapiError: set -> deviceconfig is unexpected
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2_/ansible_module_panos_op.py", line 153, in
main()
File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2_/ansible_module_panos_op.py", line 133, in main
if 'non NULL value' in exc.message:
AttributeError: 'PanDeviceXapiError' object has no attribute 'message'
failed: [DJPSAIKAWP52E1] (item=set deviceconfig system hostname test) => {
"changed": false,
"failed": true,
"item": "set deviceconfig system hostname test",
"module_stderr": "Traceback (most recent call last):\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3085, in method\n super_method(self, *args, **kwargs)\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pan/xapi.py", line 951, in op\n self._type_op(cmd, vsys, extra_qs)\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pan/xapi.py", line 974, in type_op\n raise PanXapiError(self.status_detail)\npan.xapi.PanXapiError: set -> deviceconfig is unexpected\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2/ansible_module_panos_op.py", line 128, in main\n xml_output = device.op(cmd, xml=True)\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/firewall.py", line 179, in op\n return super(Firewall, self).op(cmd, vsys, xml, cmd_xml, extra_qs, retry_on_peer)\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3223, in op\n element = self.xapi.op(cmd, vsys, cmd_xml, extra_qs, retry_on_peer=retry_on_peer)\n File "/usr/local/Cellar/python3/3.6.4_2/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/pandevice/base.py", line 3102, in method\n raise the_exception\npandevice.errors.PanDeviceXapiError: set -> deviceconfig is unexpected\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2/ansible_module_panos_op.py", line 153, in \n main()\n File "/var/folders/zj/j2h7f63x3kv7wh3fnn_zmc680000gp/T/ansible_l3jx_z2/ansible_module_panos_op.py", line 133, in main\n if 'non NULL value' in exc.message:\nAttributeError: 'PanDeviceXapiError' object has no attribute 'message'\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 0
}
Current panos_security_rule module does not support rule id or placement in a particular area please add this feature
Hello
The panos_object task can't create new tags as well as assign the tag to an address object.
I think tags or addresses need to be their own task instead. This can then be
{"changed": false, "failed": true, "msg": "parameters are mutually exclusive: ['addressobject', 'addressgroup', 'serviceobject', 'servicegroup', 'tag_name']"}
Cheers,
Pan OS version 8
Platform: vm-100
Tried with both panos_security_policy and panos_security_rule
- name: Create security rule panos_security_policy: ip_address: '{{ vfw_fqdn }}' username: '{{ vpan_admin }}' password: '{{ vpan_password }}' rule_name: 'Trust to Trust' description: 'Allow intra Trust zone' from_zone: ['Trust'] to_zone: ['Trust'] application: ['any'] service: ['any'] action: 'allow' commit: False
Results in:
TASK [Create security rule] ****************************************************************************************************************************************************************************************************** fatal: [hostname]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/rulebase/security/rules\n"} to retry, use: --limit @/path/to/basic_network_config.retry
I also manually created a rule to try to force creation of that part of the schema. It did get created, however it seems to be under:
`/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules'
The full traceback is:
File "/tmp/ansible_Nw_VUh/ansible_module_panos_object.py", line 426, in main
changed = add_object(device, dev_group, new_object)
File "/tmp/ansible_Nw_VUh/ansible_module_panos_object.py", line 281, in add_object
new_object.create()
File "/usr/local/lib/python2.7/dist-packages/pandevice/base.py", line 542, in create
device.active().xapi.set(self.xpath_short(), element, retry_on_peer=self.HA_SYNC)
File "/usr/local/lib/python2.7/dist-packages/pandevice/base.py", line 3098, in method
raise the_exception
failed: [192.168.77.250 -> localhost] (item={u'colour': u'orange', u'name': u'test3'}) => {
"changed": false,
"failed": true,
"invocation": {
"module_args": {
"address": null,
"address_type": "ip-netmask",
"addressgroup": null,
"addressobject": null,
"api_key": null,
"color": "orange",
"description": null,
"destination_port": null,
"devicegroup": null,
"dynamic_value": null,
"ip_address": "192.168.77.250",
"operation": "add",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"servicegroup": null,
"serviceobject": null,
"services": null,
"source_port": null,
"static_value": null,
"tag_name": "test3",
"username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
}
},
"item": {
"colour": "orange",
"name": "test3"
},
"msg": " test3 -> color 'orange' is not an allowed keyword\n test3 -> color is invalid"
}
Panos version: 8
ansible-pan==1.0.4
pan-python==0.12.0
pandevice==0.5.1
- name: Generic management settings
panos_mgtconfig:
ip_address: '{{ ip }}'
username: '{{ user }}'
password: '{{ password }}'
timezone: 'UTC'
login_banner: |
+-------------------------------------------------------------+
| !!! Authorized access only !!! |
| You are authorized to use this System for approved |
| business purposes only. Use for any other purpose |
| is prohibited. |
| |
| All transactional records generated by using this |
| System are the property of ABC and may be |
| used by ABC for any purpose. Authorized |
| and unauthorized activities will be monitored. |
+-------------------------------------------------------------+
+-------------------------------------------------------------+
| Disconnect IMMEDIATELY if you are not authorized |
| For access to this system contact: |
| |
| [email protected] |
+-------------------------------------------------------------+
commit: true
Expected results:
deviceconfig section of config should contain timezone UTC and the above login-banner section
Ansible task should come back as changed
Actual results:
No changes made, ansible command returns OK
TASK [pan-azure-security : Generic management settings] **************************************************************************************************************************************************************************
ok: [hostname.example.com]
Same as #44 but for panos_security_rule.
There isn't too much commentary in the docstring, so a few questions:
file param need to point to a FULL config file? Can we send a partial config?I am trying to configure some address objects using this module for ansible. When I run the playbook everything except adding the address object is fine.
This is my task:
tasks:
- name: Add an address object to Panorama
panos_object:
ip_address: '{{ ip_address }}'
username: '{{ username }}'
password: '{{ password }}'
addressobject: 'Test_Address_Object'
address: '{{ item[1] }}'
address_type: 'ip-netmask'
description: '{{ item[2] }}'
devicegroup: 'Test_Device_Group'
operation: 'add'
with_items:
- "{{ tmpdata }}"
This is the output that I get:
"msg": "Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address\n"
I am using Python 2.7 and a Panorama M500 appliance with PAN-OS 8.0.4
How can i do a regex search for address groups in panos_objects in the 'find' operation?
Being able to set an interface statically from the panos_interface command rather than having to run the verbatim cli command in a config file, load and import would be much appreciated.
would be nice to have partial config load module - very useful.
Thanks
Write a module for easy VPN site-to-site configuration.
The full traceback is:
Traceback (most recent call last):
File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 3085, in method
super_method(self, *args, **kwargs)
File "/home/matt/.local/lib/python3.5/site-packages/pan/xapi.py", line 749, in edit
self.__type_config('edit', query, extra_qs)
File "/home/matt/.local/lib/python3.5/site-packages/pan/xapi.py", line 805, in __type_config
raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: system -> ntp-servers -> primary-ntp-server -> ntp-server-address is a duplicate node
system -> ntp-servers -> primary-ntp-server is invalid
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 241, in main
ss.apply()
File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 522, in apply
device.xapi.edit(self.xpath(), self.element_str(), retry_on_peer=self.HA_SYNC)
File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 3102, in method
raise the_exception
pandevice.errors.PanDeviceXapiError: system -> ntp-servers -> primary-ntp-server -> ntp-server-address is a duplicate node
system -> ntp-servers -> primary-ntp-server is invalid
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 251, in
main()
File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 246, in main
module.fail_json(msg=exc.message)
AttributeError: 'PanDeviceXapiError' object has no attribute 'message'
failed: [192.168.77.250 -> localhost] (item={'primary': '1.1.1.1', 'secondary': '2.2.2.2'}) => {
"changed": false,
"failed": true,
"item": {
"primary": "1.1.1.1",
"secondary": "2.2.2.2"
},
"module_stderr": "Traceback (most recent call last):\n File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 3085, in method\n super_method(self, *args, **kwargs)\n File "/home/matt/.local/lib/python3.5/site-packages/pan/xapi.py", line 749, in edit\n self.__type_config('edit', query, extra_qs)\n File "/home/matt/.local/lib/python3.5/site-packages/pan/xapi.py", line 805, in __type_config\n raise PanXapiError(self.status_detail)\npan.xapi.PanXapiError: system -> ntp-servers -> primary-ntp-server -> ntp-server-address is a duplicate node\n system -> ntp-servers -> primary-ntp-server is invalid\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 241, in main\n ss.apply()\n File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 522, in apply\n device.xapi.edit(self.xpath(), self.element_str(), retry_on_peer=self.HA_SYNC)\n File "/home/matt/.local/lib/python3.5/site-packages/pandevice/base.py", line 3102, in method\n raise the_exception\npandevice.errors.PanDeviceXapiError: system -> ntp-servers -> primary-ntp-server -> ntp-server-address is a duplicate node\n system -> ntp-servers -> primary-ntp-server is invalid\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 251, in \n main()\n File "/tmp/ansible_58x5rx_j/ansible_module_panos_mgtconfig.py", line 246, in main\n module.fail_json(msg=exc.message)\nAttributeError: 'PanDeviceXapiError' object has no attribute 'message'\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 1
}
Using an api_key with panos_commit to a firewall returns the following error:
fatal: [lab-firewall]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible__ffhBr/ansible_module_panos_commit.py\", line 148, in <module>\n main()\n File \"/tmp/ansible__ffhBr/ansible_module_panos_commit.py\", line 128, in main\n device = base.PanDevice.create_from_device(ip_address, username, password)\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 2970, in create_from_device\n system_info = device.refresh_system_info()\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3379, in refresh_system_info\n system_info = self.show_system_info()\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3336, in show_system_info\n root = self.xapi.op(cmd=\"show system info\", cmd_xml=True)\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3201, in xapi\n self._xapi_private = self.generate_xapi()\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3243, in generate_xapi\n kwargs = {'api_key': self.api_key,\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3195, in api_key\n self._api_key = self._retrieve_api_key()\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3327, in _retrieve_api_key\n timeout=self.timeout\n File \"/usr/local/lib/python2.7/dist-packages/pandevice/base.py\", line 3002, in __init__\n pan.xapi.PanXapi.__init__(self, *args, **kwargs)\n File \"/usr/local/lib/python2.7/dist-packages/pan/xapi.py\", line 182, in __init__\n 'api_password arguments required')\npan.xapi.PanXapiError: api_key or api_username and api_password arguments required\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}
to retry, use: --limit @/home/jpetrini/git/networking/ansible/commit.retry
Here's the playbook:
hosts: all
connection: local
gather_facts: False
vars:
api_key: "LUFRPT0xTUxncTBqeXByZmM3aVJWMU55L0RySzF6R2s9YnI5VkkvNnliK1k0eGMzbDdpOUFaUHA5YzdDNklKS2QyWkNTcTdyUmxkbz0="
roles:
- role: PaloAltoNetworks.paloaltonetworks
tasks:
- name: commit changes
panos_commit:
ip_address: "{{ panos_ip }}"
api_key: "{{ api_key }}"
It's not clear in the documentation whether this should work or not as api_key is not listed in the available options.
However the option is shown in one of the examples. The provided example is using panorama though not a firewall directly so it's possible that this option is not expected to work with a firewall.
If this is not a bug then it's a feature request. API keys are supported for just about every other module and it's a shame to write a playbook based around an API key but then be forced to use password auth in order to commit the changes.
Code references but does import AnsibleModule
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.