PaloAltoNetworks / ansible-pan

Ansible modules for Palo Alto Networks NGFWs

panos_security_rule_facts do not contain device_group information #482

Closed domel138 closed 4 years ago

domel138 commented 4 years ago

Is your feature request related to a problem?

Currently, the panos_security_rule_facts module, when used with the all_details parameter against Panorama, does not return any device_group membership in the rule information. It's problematic when you are looping through multiple device-groups, registering the response, and then want to work with the rule-set, as the information about device_group has been lost. Below is an example of what information a rule contains with all_details enabled:

```
"policy": [
    {
        "action": "allow",
        "antivirus": null,
        "application": [
            "ssl"
        ],
        "category": [
            "any"
        ],
        "data_filtering": null,
        "description": "ommited",
        "destination_ip": [
            "ommited"
        ],
        "destination_zone": [
            "outside"
        ],
        "disable_server_response_inspection": null,
        "disabled": null,
        "file_blocking": null,
        "group_profile": [
            "ommited"
        ],
        "hip_profiles": null,
        "icmp_unreachable": null,
        "log_end": null,
        "log_setting": "Global",
        "log_start": null,
        "negate_destination": null,
        "negate_source": null,
        "negate_target": false,
        "rule_name": "ommited",
        "rule_type": null,
        "schedule": null,
        "service": [
            "ommited"
        ],
        "source_ip": [
            "ommited",
            "ommited",
            "ommited"
        ],
        "source_user": [
            "any"
        ],
        "source_zone": [
            "inside"
        ],
        "spyware": null,
        "tag_name": null,
        "target": null,
        "url_filtering": null,
        "uuid": null,
        "vulnerability": null,
        "wildfire_analysis": null
    },
    ... (ommited as next policies will be displayed)
```

Describe the solution you'd like

Can you ensure that panos_security_rule_facts with the all_details parameter enabled will return a device_group field for each policy? The output should look like:

```
"policy": [
    {
        "action": "allow",
        "antivirus": null,
        "application": [
            "ssl"
        ],
        "category": [
            "any"
        ],
        "data_filtering": null,
        "description": "ommited",
        "destination_ip": [
            "ommited"
        ],
        "destination_zone": [
            "outside"
        ],
        "device_group": "device_group_name",
        "disable_server_response_inspection": null,
        "disabled": null,
        "file_blocking": null,
        "group_profile": [
            "ommited"
        ],
        "hip_profiles": null,
        "icmp_unreachable": null,
        "log_end": null,
        "log_setting": "Global",
        "log_start": null,
        "negate_destination": null,
        "negate_source": null,
        "negate_target": false,
        "rule_name": "ommited",
        "rule_type": null,
        "schedule": null,
        "service": [
            "ommited"
        ],
        "source_ip": [
            "ommited",
            "ommited",
            "ommited"
        ],
        "source_user": [
            "any"
        ],
        "source_zone": [
            "inside"
        ],
        "spyware": null,
        "tag_name": null,
        "target": null,
        "url_filtering": null,
        "uuid": null,
        "vulnerability": null,
        "wildfire_analysis": null
    },
    ... (ommited as next policies will be displayed)
```

Describe alternatives you've considered

Currently I have to use two loops to map device-group to rule (which is very slow) with the with_subelement option - it would be very beneficial and much faster to have device_group information within the rule definition.

Additional context

mrichardson03 commented 4 years ago

Dup of https://github.com/PaloAltoNetworks/pan-os-ansible/issues/91
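
One way to do the device-group mapping from this issue in a single pass, as an added example that is not part of the original issue or of the ansible-pan project: a small Ansible filter plugin that walks the registered loop result and copies each rule with a `device_group` field. It assumes the task loops over device-group names (or dicts holding the name under a hypothetical `name` key) and that each iteration returns its rules under `policy`, as in the output quoted above; the function name and sample data are constructed.

```python
"""Ansible filter plugin (added example): tag each rule with its device group."""


def rules_with_device_group(registered, item_key="name"):
    """Flatten a looped panos_security_rule_facts result into one rule list.

    `registered` is the variable registered on a task that loops over device
    groups; Ansible stores one entry per iteration under "results", each
    carrying the loop value under "item" next to the module's return data.
    """
    tagged = []
    for result in registered.get("results", []):
        # Failed or skipped iterations carry no usable rule data.
        if result.get("failed") or result.get("skipped"):
            continue
        item = result.get("item")
        # Assumption: the loop value is the device-group name, or a dict
        # holding it under `item_key`.
        group = item.get(item_key) if isinstance(item, dict) else item
        # Assumption: rules are returned under "policy", as in the issue text.
        for rule in result.get("policy") or []:
            # Copy the rule so the registered variable is left unmodified.
            tagged.append(dict(rule, device_group=group))
    return tagged


class FilterModule(object):
    """Exposes the function to playbooks as `rules_with_device_group`."""

    def filters(self):
        return {"rules_with_device_group": rules_with_device_group}


# Constructed sample of a registered loop result (not real firewall output).
SAMPLE = {
    "results": [
        {"item": "dg-branch", "policy": [
            {"rule_name": "allow-ssl", "action": "allow"},
            {"rule_name": "deny-all", "action": "deny"}]},
        {"item": {"name": "dg-dc"}, "policy": [
            {"rule_name": "allow-dns", "action": "allow"}]},
        {"item": "dg-empty", "policy": None},
        {"item": "dg-broken", "failed": True, "msg": "constructed failure"},
    ]
}

if __name__ == "__main__":
    for rule in rules_with_device_group(SAMPLE):
        print(rule["device_group"], rule["rule_name"], rule["action"])
```

Saved in a `filter_plugins/` directory next to the playbook, it can be applied to the registered variable as `{{ rule_facts | rules_with_device_group }}`, where `rule_facts` is a hypothetical variable name.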