PaloAltoNetworks / ansible-pan

Ansible modules for Palo Alto Networks NGFWs

panos_security_rule group_profile do not work properly #483

Closed domel138 closed 4 years ago

domel138 commented 4 years ago

Describe the bug

When I'm trying to update a rule with the panos_security_rule module:

Expected behavior

The group_profile parameter should work once a list is provided, as is expected; otherwise updating or creating the policy fails.

Current behavior

I'm getting the below error:

WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_paloaltonetworks.panos.panos_security_rule_payload_5VDuK3/ansible_paloaltonetworks.panos.panos_security_rule_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 346, in apply_state
    obj.apply()
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 559, in apply
    device.active().xapi.edit(self.xpath(), self.element_str(), retry_on_peer=self.HA_SYNC)
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 3486, in method
    raise the_exception
[WARNING]: The value ['Global-Block'] (type list) in a string field was converted to u"['Global-Block']" (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.

       "ansible_loop_var": "item", 
    "changed": false, 
    "invocation": {
        "module_args": {
            "action": "allow", 
            "antivirus": null, 
            "api_key": null, 
            "application": [
                "smtp"
            ], 
            "category": [
                "any"
            ], 
            "commit": false, 
            "data_filtering": null, 
            "description": "ommited", 
            "destination_ip": [
                "ommited", 
                "ommited"
            ], 
            "destination_zone": [
                "any"
            ], 
            "devicegroup": null, 
            "disable_server_response_inspection": false, 
            "disabled": false, 
            "existing_rule": null, 
            "file_blocking": null, 
            **"group_profile": "['Global-Block']",**  -> here you see that the list has been converted to a string and is not accepted
            "hip_profiles": [
                "any"
            ], 
            "icmp_unreachable": null, 
            "ip_address": null, 
            "location": null, 
            "log_end": true, 
            "log_setting": "Global", 
            "log_start": false, 
            "negate_destination": false, 
            "negate_source": false, 
            "negate_target": null, 
            "operation": null, 
            "password": null, 
            "port": 443, 
            "provider": {
                "api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
                "ip_address": "ommited", 
                "password": null, 
                "port": 443, 
                "serial_number": null, 
                "username": "ommited"
            }, 
            "rule_name": "ommited", 
            "rule_type": "universal", 
            "rulebase": null, 
            "schedule": null, 
            "service": [
                "TCP_25"
            ], 
            "source_ip": [
                "ommited"
            ], 
            "source_user": [
                "any"
            ], 
            "source_zone": [
                "any"
            ], 
            "spyware": null, 
            "state": "present", 
            "tag_name": null, 
            "target": null, 
            "url_filtering": null, 
            "username": "admin", 
            "vsys": "vsys1", 
            "vulnerability": null, 
            "wildfire_analysis": null
        }
    }, 
    "msg": "Failed apply:  SCOM SMTP Relay -> profile-setting -> group '['Global-Block']' is not a valid reference\n SCOM SMTP Relay -> profile-setting is invalid"

group_profile is expecting a list (which I'm passing to it); however, something is converting that list to a string type along the way, which causes the module to fail to update the security rule.

If I disable the group_profile parameter it works, but it would be nice to have that functionality working; every other parameter is working fine.

Steps to reproduce

  1. Try to use panos_security_rule module with group_profile parameter provided

domel138 commented 4 years ago

I think I found the issue. It seems that ansible_collections/paloaltonetworks/panos/plugins/modules/panos_security_rule.py has a wrong group_profile definition: it is set to dict() instead of dict(type=list). After the change it started to work.

domel138 commented 4 years ago

I've also noticed that other profile actions have that issue; maybe it changed to a list after the PANOS9 release?

Changing the below in panos_security_rule.py:

    group_profile=dict(),
    antivirus=dict(),
    spyware=dict(),
    vulnerability=dict(),
    url_filtering=dict(),
    file_blocking=dict(),
    wildfire_analysis=dict(),
    data_filtering=dict(),

to:

    group_profile=dict(type='list', default=None),
    antivirus=dict(type='list', default=None),
    spyware=dict(type='list', default=None),
    vulnerability=dict(type='list', default=None),
    url_filtering=dict(type='list', default=None),
    file_blocking=dict(type='list', default=None),
    wildfire_analysis=dict(type='list', default=None),
    data_filtering=dict(type='list', default=None),

seems to solve the issue for Panorama panos9.0.8.

mrichardson03 commented 4 years ago

All of those elements should be strings, as you can't assign multiple profiles of the same type to a rule.
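The following is an added example, not code from the ansible-pan / paloaltonetworks.panos project and not Ansible's own code. It re-implements in plain Python the documented coercion that Ansible's argument_spec applies (an option declared as a bare dict() defaults to type 'str', and a non-string value is converted with str() plus a warning; type='list' passes a list through and splits a comma-separated string), so it runs offline without Ansible installed. It reproduces the "['Global-Block']" reference from the report above, shows why the maintainer's answer (pass a single string, not a list) fixes it without changing the module, and adds a small guard a playbook author can use to catch a stringified list before it is sent to PAN-OS. The names coerce_params, looks_like_stringified_list and the sample task dicts are assumptions of this example; the XML that pandevice actually builds is not reproduced.

```python
"""Reproduction of the argument_spec type coercion behind issue #483.

Added example: a plain-Python re-implementation of the str/list checker
semantics Ansible documents, not Ansible's or the panos collection's code.
"""
from typing import Any, Dict, List


def check_type_str(value: Any) -> str:
    # Default type for an option declared as a bare dict() is 'str'.
    # A non-string value is rendered with str(); Ansible also emits the
    # "[WARNING]: The value ['Global-Block'] (type list) in a string field
    # was converted to ..." line seen in the report.
    if isinstance(value, str):
        return value
    return str(value)


def check_type_list(value: Any) -> List[Any]:
    # type='list': a list passes through, a string is split on commas,
    # a bare number is wrapped in a one-element list.
    if isinstance(value, list):
        return value
    if isinstance(value, str):
        return value.split(",")
    if isinstance(value, (int, float)):
        return [str(value)]
    raise TypeError(f"{value!r} cannot be converted to a list")


CHECKERS = {"str": check_type_str, "list": check_type_list}


def coerce_params(argument_spec: Dict[str, dict],
                  params: Dict[str, Any]) -> Dict[str, Any]:
    """Apply each option's declared type (default 'str') to the task params."""
    out: Dict[str, Any] = {}
    for name, spec in argument_spec.items():
        value = params.get(name, spec.get("default"))
        if value is None:
            out[name] = None
            continue
        out[name] = CHECKERS[spec.get("type", "str")](value)
    return out


# The profile options as declared in panos_security_rule.py at the time of
# the report: bare dict(), i.e. type 'str'.
PROFILE_OPTIONS = [
    "group_profile", "antivirus", "spyware", "vulnerability",
    "url_filtering", "file_blocking", "wildfire_analysis", "data_filtering",
]
ORIGINAL_SPEC = {name: dict() for name in PROFILE_OPTIONS}

# The reporter's local patch: every profile option as type='list'.
PATCHED_SPEC = {name: dict(type="list", default=None) for name in PROFILE_OPTIONS}

# Constructed task parameters (assumption of this example).
# BUGGY_TASK mirrors the report: the profile group given as a YAML list.
BUGGY_TASK = {"group_profile": ["Global-Block"]}
# FIXED_TASK follows the maintainer's reply: one profile (group) of each
# type per rule, so the value is a single string.
FIXED_TASK = {"group_profile": "Global-Block"}


def looks_like_stringified_list(value: Any) -> bool:
    """Playbook-side guard: a profile reference that arrives as a Python list
    rendered to text ("['Global-Block']") is what PAN-OS rejects with
    "is not a valid reference". Reject it before any API call is made."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def coerced_group_profile(spec: Dict[str, dict], task: Dict[str, Any]) -> Any:
    """Return what the module would hand to pandevice as the group reference."""
    return coerce_params(spec, task)["group_profile"]


if __name__ == "__main__":
    for label, spec, task in [
        ("original spec, list value", ORIGINAL_SPEC, BUGGY_TASK),
        ("original spec, string value", ORIGINAL_SPEC, FIXED_TASK),
        ("patched spec, list value", PATCHED_SPEC, BUGGY_TASK),
    ]:
        value = coerced_group_profile(spec, task)
        flag = " <- would fail on the firewall" if looks_like_stringified_list(value) else ""
        print(f"{label}: {value!r}{flag}")
```

With the unmodified spec, the list value becomes the text "['Global-Block']" and the guard flags it; the same spec with a plain string yields "Global-Block", which is the fix the maintainer describes and needs no change to the module. The reporter's patch makes the list survive coercion, but it then also accepts multiple members, which the rule model does not allow, so the string-valued task is the right correction.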