PaloAltoNetworks / ansible-pan

Ansible modules for Palo Alto Networks NGFWs

Added so you can search after IP in address object instead of name #420

Closed cjuhlin closed 4 years ago

cjuhlin commented 5 years ago

Like the title says. To search by IP instead of name in Addresses. Instead of using name/name_regex you use value/value_regex. It will also solve issue #66.

Example:

  - name: Get address object with IP with value
    panos_object_facts:
      provider:
        ip_address: '{{ ansible_host }}'
        username: '{{ username_fw }}'
        password: '{{ password_fw }}'
      object_type: 'address'
      value: '192.168.0.0/24'
    register: results
  - debug: msg='{{ results }}'

Output:

ok: [fwtest] => {
    "msg": {
        "ansible_module_results": {},
        "changed": false,
        "failed": false,
        "objects": [
            {
                "description": null,
                "name": "localnet",
                "tag": [
                    "local"
                ],
                "type": "ip-netmask",
                "value": "192.168.0.0/24"
            }
        ]
    }
}

Or with value_regex:

  - name: Get address object with IP with value_regex
    panos_object_facts:
      provider:
        ip_address: '{{ ansible_host }}'
        username: '{{ username_fw }}'
        password: '{{ password_fw }}'
      object_type: 'address'
      value_regex: '172.168.229.*'
    register: results
  - debug: msg='{{ results }}'

Output:

ok: [fwtest] => {
    "msg": {
        "ansible_module_results": {},
        "changed": false,
        "failed": false,
        "objects": [
            {
                "description": null,
                "name": "gw",
                "tag": [
                    "gw"
                ],
                "type": "ip-netmask",
                "value": "172.168.229.1/24"
            },
            {
                "description": null,
                "name": "172.168.229.54",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.54/32"
            },
            {
                "description": null,
                "name": "172.168.229.72",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.72"
            },
            {
                "description": "172.168.229.88 ",
                "name": "172.168.229.88",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.88/32"
            },
            {
                "description": "172.168.229.89 ",
                "name": "172.168.229.89",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.89/32"
            },
            {
                "description": null,
                "name": "172.168.229.50",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.50/32"
            }
        ]
    }
}

Mattbarr1 commented 5 years ago

Is there a timeline until this gets put into dev?

GrayBeard80 commented 5 years ago

This is my code and output. Can you help me identify what's wrong?

The spaces are a little off from pasting it.

fatal: [localhost]: FAILED! => { "changed": false, "invocation": { "module_args": { "object_type": "address", "provider": { "ip_address": "192.168.0.35", "password": "password", "username": "dave" }, "value": "192.168.0.34" } }, "msg": "Unsupported parameters for (panos_object_facts) module: value Supported parameters include: api_key, device_group, ip_address, name, name_regex, object_type, password, port, provider, username, vsys" }

cjuhlin commented 5 years ago

This is my code and output. Can you help me identify what's wrong?

Which branch did you test with? To get it to work you need to use my branch until they have accepted my merge request.

GrayBeard80 commented 5 years ago

I'm sorry, maybe I'm missing it, but I don't see the IP address search in your branch. I see the object search though. Thanks.

Mattbarr1 commented 5 years ago

I'm using your branch, I cloned it from the link you provided. I believe I am also running into the issue GrayBeard80 is. I copied your example and modified it for my environment but it doesn't seem to like the value: '192.168.0.0/24' portion.

So I'm unable to search for an object by IP address.

This is the error I get, and in the error output I don't see 'value' specified there under supported parameters, not sure if that's relevant or not.

fatal: [PA1]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (panos_object_facts) module: value Supported pae_group, ip_address, name, name_regex, object_type, password, port, provider, username, vsys"}

snippet of my task:

Am I using it wrong?

cjuhlin commented 5 years ago

I tried my branch in its own new virtual-env and had no problem.

  1. Downloaded my branch with: git clone https://github.com/nebi/ansible-pan
  2. moved folder into roles folder
  3. used this playbook:
- name: Find some objects on the firewall
  hosts: all
  connection: local
  gather_facts: False
  vars:
    ansible_python_interpreter: $HOME/venv/ansible-test/bin/python3
  vars_files:
    - vars/vault.yml
  roles:
    - role: ansible-pan

  tasks:
    - name: Get all address object on the firewall
      panos_object_facts:
        provider: '{{ panos_provider }}'
        object_type: 'address'
        value_regex: '.*'
      register: result
    - name: Print out all address object
      debug: msg='{{ result }}'

    - name: Find a prefix in address object on the firewall
      panos_object_facts:
        provider: '{{ panos_provider }}'
        object_type: 'address'
        value: '1.1.1.1/32'
      register: result

    - name: Print out address object with matched prefix
      debug: msg='{{ result }}'
  4. Got this output:

PLAY [Find some objects on the firewall] ****************************************************************************************************************************************************************************************************************************

TASK [ansible-pan : Install pan-python required library] **** ok: [testfw]

TASK [ansible-pan : Install pandevice required library] ***** ok: [testfw]

TASK [ansible-pan : Install xmltodict required library] ***** ok: [testfw] [WARNING]: Found internal 'results' key in module return, renamed to 'ansible_module_results'.

TASK [Get all address object on the firewall] *** ok: [testfw]

TASK [Print out all address object] ***** ok: [testfw] => msg: ansible_module_results: {} changed: false failed: false objects:

TASK [Find a prefix in address object on the firewall] ** ok: [testfw]

TASK [Print out address object with matched prefix] ***** ok: [testfw] => msg: ansible_module_results: {} changed: false failed: false objects:

PLAY RECAP ** testfw : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Mattbarr1 commented 5 years ago

2. moved folder into roles folder

Can you expand on step 2? You moved the ansible-pan folder into the roles folder of your branch?

GrayBeard80 commented 5 years ago

I have that same question too as well as what your 'panos_provider' variable is.

GrayBeard80 commented 5 years ago

Sorry, never mind, I figured out 'provider'.

Mattbarr1 commented 5 years ago

Well I got it to work. I tried to just use the regex task to see if that would work, and it successfully pulled all the objects. I then changed "value_regex" to just value and put in an IP ("value: '192.168.1.2'") and it returned the object with that IP. I will say though there seem to be some issues with the IP scheme: Palo Alto lets you enter either just an IP or an IP and netmask, for instance either "192.168.1.2" or "192.168.1.2/32", and both are valid addressing schemes. What I have found with this build is that if I have an object with the IP of "192.168.1.2/32" and in the playbook I use value: '192.168.1.2', it returns empty results. If I were to use value: '192.168.1.2/32' it works as it should.
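The value / value_regex filter described in the PR and the "192.168.1.2" vs "192.168.1.2/32" mismatch reported in the last comment, as an added Python example that is not the PR's or the project's code. The object list is constructed to mirror the shape of the panos_object_facts output shown above, and the choice of re.match on the raw value for value_regex is an assumption, not the module's documented behaviour.

```python
import ipaddress
import re

# Constructed sample in the shape of the "objects" list returned by
# panos_object_facts in the thread above (not data from a real firewall).
SAMPLE_OBJECTS = [
    {"name": "localnet", "type": "ip-netmask", "value": "192.168.0.0/24", "tag": ["local"]},
    {"name": "gw", "type": "ip-netmask", "value": "172.168.229.1/24", "tag": ["gw"]},
    {"name": "host-a", "type": "ip-netmask", "value": "192.168.1.2/32", "tag": None},
    {"name": "host-b", "type": "ip-netmask", "value": "192.168.1.3", "tag": None},
    {"name": "dns", "type": "fqdn", "value": "dns.example.test", "tag": None},
]


def normalize_ip_netmask(value):
    """Canonicalise an ip-netmask value to 'addr/prefix'.

    PAN-OS accepts both '192.168.1.2' and '192.168.1.2/32' for a host object;
    ip_interface keeps the host bits (so '172.168.229.1/24' is not collapsed
    to the network address) and adds /32 or /128 when no mask was given.
    Non-IP values (fqdn, ip-range) are returned unchanged.
    """
    try:
        return ipaddress.ip_interface(value).with_prefixlen
    except ValueError:
        return value


def filter_by_value(objects, value=None, value_regex=None):
    """Filter address objects the way the PR's value / value_regex options do.

    'value' is an exact match after normalisation, so a playbook value of
    '192.168.1.2' finds an object stored as '192.168.1.2/32' (the case the last
    comment reports as returning empty results). 'value_regex' is matched with
    re.match against the raw value, which is what the PR's '172.168.229.*'
    example relies on (assumed semantics).
    """
    if value is not None:
        wanted = normalize_ip_netmask(value)
        return [o for o in objects if normalize_ip_netmask(o["value"]) == wanted]
    if value_regex is not None:
        pattern = re.compile(value_regex)
        return [o for o in objects if pattern.match(o["value"])]
    return list(objects)


if __name__ == "__main__":
    for obj in filter_by_value(SAMPLE_OBJECTS, value="192.168.1.2"):
        print(obj["name"], obj["value"])
```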