PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0

panos_security_rule.py has wrong var type for group_profile. It is str but should be list #376

Open sinontaylor opened 1 year ago

sinontaylor commented 1 year ago

Describe the bug

editing rule throws an error when group profile is used

Expected behavior

faithfully edit rule

Current behavior

invalid for group_profile

Possible solution

I simply edited a local copy of panos_security_rule.py: group_profile=dict(type="list", elements="str", default=["any"]),

Working now for me.

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

jamesholland-uk commented 1 year ago

Hi @sinontaylor, I can't reproduce this one. I tried:

In PAN-OS, you can only have one security profile group attached to a rule, so a string does seem correct as opposed to a list.

What was the error, and are you able to share the code being used maybe?

sinontaylor commented 1 year ago

hi, so the error was this:

"msg": "Failed apply: INC1480768-1 -> profile-setting -> group '['security-profile-group']' is not a valid reference\n INC1480768-1 -> profile-setting is invalid"

In the playbook I am editing existing rules (just the source/destination fields using the difference filter). For group_profile (which is present on the rules) I'm not changing it:

group_profile: '{{ rule.group_profile | default(omit, true) }}'

I see there was a similar issue in the old module. https://github.com/PaloAltoNetworks/ansible-pan/issues/483

jamesholland-uk commented 1 year ago

Hi @sinontaylor, it looks like the gathering is bringing back a list of strings, that's the root cause. Your workaround to patch the code to accept a list works for you and would only work for a list of a single string. The other workaround would be to use group_profile: "{{ rule.group_profile[0] | default(omit, true) }}". The input to group_profile should be a string not a list though, PAN-OS only accepts one Security Profile Group per rule, so the fix is in the gathering part of the module, not the configuration setting part of the module.

sinontaylor commented 1 year ago

@jamesholland-uk, thanks for looking at this (and for all the other work btw (pan-ansible is great!)). As you point out, it's in the collection. I did a quick test and we can see panos_security_rule_facts returns a list for group_profile:

- name: Get the definition of device group '{{item.mmc_device_group }}' security rule '{{ item.mmc_rule }}'
  paloaltonetworks.panos.panos_security_rule_facts:
    provider: '{{ lab_provider }}'
    device_group: "{{ item.mmc_device_group | quote }}"
    rule_name: '{{ item.mmc_rule }}'
  register: result

- name: print
  debug:
    msg: "{{ result }}"

yields:

"rule_details": [
            {
                "action": "allow",
                "antivirus": null,
                "application": [
                    "any"
                ],
                "category": [
                    "any"
                ],
                "data_filtering": null,
                "description": "PASSES",
                "destination_devices": [
                    "any"
                ],
                "destination_ip": [
                    "H-8.8.8.8-32"
                ],
                "destintaion_zone": [
                    "any"
                ],
                "disable_server_response_inspection": false,
                "disabled": true,
                "file_blocking": null,
                "group_profile": [
                    "security-profile-group"
                ],

I'll use your suggestion above.
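A playbook that applies the workaround from this thread end to end, added here as an example and not taken from the issue or the collection: it gathers a rule, edits its destination list, and feeds group_profile back as the single string the module expects. The provider variables, device group, rule name and the source_ip key are assumed placeholders.

```yaml
---
# Added example (not code from the issue or from pan-os-ansible). It re-applies a
# gathered rule while unwrapping the one-element group_profile list returned by
# panos_security_rule_facts into the string panos_security_rule accepts.
- name: Update rule source/destination without losing its security profile group
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    lab_provider:                      # assumed inventory variables
      ip_address: "{{ panorama_host }}"
      username: "{{ panorama_user }}"
      password: "{{ panorama_password }}"
    device_group: "lab-dg"             # constructed placeholder
    rule_name: "allow-dns"             # constructed placeholder
  tasks:
    - name: Gather the existing rule
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: "{{ lab_provider }}"
        device_group: "{{ device_group }}"
        rule_name: "{{ rule_name }}"
      register: result

    - name: Keep a short name for the gathered rule
      ansible.builtin.set_fact:
        rule: "{{ result.rule_details[0] }}"

    - name: Push the edited rule back
      paloaltonetworks.panos.panos_security_rule:
        provider: "{{ lab_provider }}"
        device_group: "{{ device_group }}"
        rule_name: "{{ rule_name }}"
        # Example edit: remove one host object from the destination list and
        # fall back to 'any' if that would leave the list empty.
        destination_ip: "{{ rule.destination_ip | difference(['H-8.8.8.8-32']) | default(['any'], true) }}"
        source_ip: "{{ rule.source_ip }}"   # assumed facts key, mirrors destination_ip
        # group_profile arrives as a list. default([], true) covers a null value,
        # 'first' unwraps the single element and yields an undefined value on an
        # empty list, and default(omit, true) then omits the argument instead of
        # failing on a '[0]' index error.
        group_profile: "{{ rule.group_profile | default([], true) | first | default(omit, true) }}"
        state: present
```

If a rule has no security profile group, the last task leaves group_profile unset rather than sending an empty value to PAN-OS.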