PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0

PanOS 10.2 has some syntax changes that break creating security rules #305

Closed natebeck72 closed 2 years ago

natebeck72 commented 2 years ago

Describe the bug

I am using code that I have utilized for a year to help configure FWs created for a use case. I normally create a security rule to allow traffic through to the device behind this. It has functioned up until the 10.2 version of the NGFWs.

CODE :

- name: create inbound panorama security rule
  panos_security_rule:
    provider: '{{ firewall }}'
    rule_name: 'Inbound_Panorama_NAT'
    source_zone: ['PA_Untrust']
    destination_zone: ['PA_Trust']
    source_ip: ['any']
    destination_ip: ['{{ untrust_sub | ansible.netcommon.nthhost(4) }}']
    application: ['any']
    service: ['panorama-access']
    action: 'allow'

Expected behavior

This should create a security rule successfully.

Current behavior

I get the following message currently when using this code in AWX against a 10.2 FW

"msg": "Failed create: security -> rules -> Inbound_Panorama_NAT -> hip-profiles unexpected here\n security -> rules is invalid",

When I dissect the module I see that the variable that is there is "hip-profiles", but when I look at the XML of the 10.2 FW I see "source-hip" and "destination-hip" as the objects in the tree.

Possible solution

Steps to reproduce

Screenshots


2ps commented 2 years ago

We have this issue as well, support ticket 02154262

baldy2811 commented 2 years ago

Hey guys,

we fixed it with a workaround by deleting the hip_profiles in the panos library. On OracleOS you will find it here:

/usr/local/lib/python3.6/site-packages/panos/policies.py

In that file search for: ("hip_profiles", "hip-profiles"), and change it to:

#("hip_profiles", "hip-profiles"),

In the Collection file you also need to remove the hip-profile settings:

cat .ansible/collections/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_security_rule.py | grep hip

"hip_profiles": module.params["hip_profiles"],

and replace with:

#"hip_profiles": module.params["hip_profiles"],

patrikkaren commented 2 years ago

We have the same problem starting with Panorama 10.0.9 as well. Can be worked around using the fix mentioned by baldy2811.

2ps commented 2 years ago

This has been resolved with the latest merge to pan-os-python (ISSUE-441). You can

pip install git+https://github.com/paloaltonetworks/pan-os-python

to give it a spin.

shinmog commented 2 years ago

A bunch of handling for hip_profiles is going in to the next release. As long as your play doesn't specify hip_profiles explicitly, it will be ignored for all PAN-OS >= 10.0.0.
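The version-gated behaviour the maintainer describes (emit `hip-profiles` only on pre-10.0 PAN-OS, and `source-hip`/`destination-hip` on 10.0 and later) can be shown in a few lines. The block below is an added illustration, not code from pan-os-ansible or pan-os-python: the element names `hip-profiles`, `source-hip` and `destination-hip` come from the thread, while the `render_rule`/`parse_version` functions, the `source_hip`/`destination_hip` parameter names, the choice to reject an explicit `hip_profiles` on 10.0+ rather than drop it, and the sample address are assumptions made here.

```python
"""Version-gated rendering of a PAN-OS security-rule <entry>.

Added example, not part of pan-os-ansible or pan-os-python. It mirrors the
behaviour discussed in the thread: PAN-OS 10.0+ no longer accepts a
`hip-profiles` member list in security rules (the firewall answers
"hip-profiles unexpected here"), and exposes `source-hip` / `destination-hip`
instead. Everything except those three element names is an assumption.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Boundary stated by the maintainer in the thread: hip_profiles is ignored
# for PAN-OS >= 10.0.0.
HIP_PROFILES_REMOVED: Version = (10, 0, 0)


def parse_version(text: str) -> Version:
    """Turn a dotted PAN-OS version such as '10.2.0' into a comparable tuple."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def _members(parent: ET.Element, tag: str, values: Optional[List[str]]) -> None:
    """Append <tag><member>v</member>...</tag> under parent, if values given."""
    if not values:
        return
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value


def render_rule(params: Dict[str, object], version: Version) -> ET.Element:
    """Build the <entry> element for one security rule.

    `params` uses the Ansible-style keys from the play in the thread
    (rule_name, source_zone, destination_zone, source_ip, destination_ip,
    application, service, action) plus the HIP keys handled below.
    """
    entry = ET.Element("entry", name=str(params["rule_name"]))
    _members(entry, "from", params.get("source_zone"))
    _members(entry, "to", params.get("destination_zone"))
    _members(entry, "source", params.get("source_ip"))
    _members(entry, "destination", params.get("destination_ip"))
    _members(entry, "application", params.get("application"))
    _members(entry, "service", params.get("service"))
    ET.SubElement(entry, "action").text = str(params.get("action", "allow"))

    hip_profiles = params.get("hip_profiles")
    if version >= HIP_PROFILES_REMOVED:
        # Design choice made here (assumption): an explicit hip_profiles on
        # 10.0+ is a caller error, surfaced before anything reaches the
        # firewall rather than discovered as a failed commit.
        if hip_profiles:
            raise ValueError(
                "hip_profiles is not accepted by PAN-OS >= 10.0.0; "
                "use source_hip / destination_hip instead"
            )
        _members(entry, "source-hip", params.get("source_hip"))
        _members(entry, "destination-hip", params.get("destination_hip"))
    else:
        _members(entry, "hip-profiles", hip_profiles)
    return entry


def render_rule_xml(params: Dict[str, object], version_text: str) -> str:
    """Convenience wrapper: version string in, serialised <entry> out."""
    return ET.tostring(render_rule(params, parse_version(version_text)), encoding="unicode")


# Constructed sample mirroring the rule from the bug report; the destination
# address is a made-up TEST-NET value standing in for the Jinja expression.
SAMPLE_RULE: Dict[str, object] = {
    "rule_name": "Inbound_Panorama_NAT",
    "source_zone": ["PA_Untrust"],
    "destination_zone": ["PA_Trust"],
    "source_ip": ["any"],
    "destination_ip": ["192.0.2.4"],
    "application": ["any"],
    "service": ["panorama-access"],
    "action": "allow",
}

if __name__ == "__main__":
    print(render_rule_xml(SAMPLE_RULE, "10.2.0"))
    print(render_rule_xml({**SAMPLE_RULE, "hip_profiles": ["any"]}, "9.1.0"))
```

Run stand-alone it prints the 10.2 rendering without any HIP element and the 9.1 rendering with `<hip-profiles>`; the same function fed an explicit `hip_profiles` against a 10.x version raises before any API call is made.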