PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0
202 stars 97 forks

panos_commit_panorama does not commit to running in PAN-OS 11 #569

Closed antoinekh closed 2 months ago

antoinekh commented 2 months ago

Describe the bug

The commit is successful, but the configuration remains on the candidate and so cannot be pushed to the device.

Bug since upgrading Panorama to 11.x. Issue seen at least on Panorama versions 11.0.4-h2, 11.1.2-h4, 11.1.2-h3 and 11.1.3-h1.

No issue on 10.2.8, was working fine for months.

Expected behavior

Commit the configuration to the running config of the Panorama.

Current behavior

The rule is correctly created on the Panorama, but the commit does not fully commit the rule. The Panorama thinks that everything is committed because the commit was successful, but the configuration remained in the candidate.

Possible solution

Steps to reproduce

  1. Create an item in a DG, for example a rule with paloaltonetworks.panos.panos_security_rule
  2. Commit with paloaltonetworks.panos.panos_commit_panorama
  3. Check if there is a commit waiting in Panorama (normally no)
  4. Preview changes on commit to Panorama (the changes will be in candidate)
  5. Push to device -> The rule will not be there.

The rule pushed

{'state': 'present', 'rule_name': 'TEST14 - testing_rule_14', 'service': 'tcp_66', 'source_ip': ['H_6_6_8_8'], 'destination_ip': ['H_7_7_8_9'], 'tag_name': ['TEST14'], 'group_tag': 'TEST14', 'source_zone': 'any', 'destination_zone': 'any', 'location': 'top'}

The commit task

- name: '[Commit] Commit candidate configs on panorama'
  # Commit module for Panorama; the parameters below (device_groups, admins, force)
  # belong to panos_commit_panorama, which the title and step 2 name as the module used.
  paloaltonetworks.panos.panos_commit_panorama:
    provider: '{{ provider }}'
    device_groups: '{{ device_group }}'
    admins: '{{ username }}'
    force: true
  when: commit is true
  register: commit_result

I have tried with and without force: true, but there is no difference.

Screenshots


Context

Your Environment

awl-palo-py3.10 ~/palo/pa_manage_fw_rules   fix/push$ ±  ansible-galaxy collection list | grep palo 
paloaltonetworks.panos 2.20.0 
awl-palo-py3.10 ~/palo/pa_manage_fw_rules   fix/push$ ±  ansible --version                         
/usr/lib/python3/dist-packages/paramiko/transport.py:220: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
ansible [core 2.13.8]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/w132231/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/w132231/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/w132231/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/w132231/.local/bin/ansible
  python version = 3.10.13 (main, Aug 25 2023, 13:20:03) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
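As an added example (not part of the report above and not code from the pan-os-ansible collection), the following script shows the control a pipeline can apply against exactly this failure mode: do not trust the commit job's "OK" alone, but also ask Panorama whether anything is still pending before pushing to devices. The XML documents are constructed samples shaped like the PAN-OS XML API responses to the `show jobs id <n>` and `check pending-changes` operational commands; they are not captured from the reporter's system, and the function names are this example's own.

```python
"""Post-commit verification guard for Panorama (added example).

Symptom being guarded against: panos_commit_panorama reports a successful
commit while the change is still sitting in the candidate configuration,
so a following push carries nothing to the firewalls.
"""
import xml.etree.ElementTree as ET

# Constructed sample: response to `show jobs id 42` for a commit job that
# finished with result OK (shape assumed from the PAN-OS XML API).
SAMPLE_JOB_OK = """<response status="success"><result>
  <job><id>42</id><type>Commit</type><status>FIN</status>
  <result>OK</result><progress>100</progress></job>
</result></response>"""

# Constructed sample: the same job shape, but the commit failed.
SAMPLE_JOB_FAIL = """<response status="success"><result>
  <job><id>43</id><type>Commit</type><status>FIN</status>
  <result>FAIL</result><progress>100</progress></job>
</result></response>"""

# Constructed samples: `check pending-changes` answers "yes" or "no".
SAMPLE_PENDING_YES = '<response status="success"><result>yes</result></response>'
SAMPLE_PENDING_NO = '<response status="success"><result>no</result></response>'


def commit_job_ok(job_xml: str) -> bool:
    """True only when the API call succeeded and the job finished (FIN) with result OK."""
    root = ET.fromstring(job_xml)
    if root.get("status") != "success":
        return False
    job = root.find("./result/job")
    if job is None:
        return False
    return job.findtext("status") == "FIN" and job.findtext("result") == "OK"


def pending_changes(check_xml: str) -> bool:
    """Parse `check pending-changes`; True means the candidate still differs from running."""
    root = ET.fromstring(check_xml)
    if root.get("status") != "success":
        raise ValueError("check pending-changes API call did not succeed")
    answer = (root.findtext("result") or "").strip().lower()
    if answer not in ("yes", "no"):
        raise ValueError(f"unexpected pending-changes answer: {answer!r}")
    return answer == "yes"


def verify_commit(job_xml: str, check_xml: str) -> dict:
    """Combine both signals into a push decision.

    A commit that reports OK but leaves pending changes is the anomaly from
    issue #569; it must block the push rather than be treated as success.
    """
    job_ok = commit_job_ok(job_xml)
    pending = pending_changes(check_xml)
    if job_ok and not pending:
        return {"safe_to_push": True, "reason": "commit finished OK and candidate is clean"}
    if job_ok and pending:
        return {"safe_to_push": False,
                "reason": "commit reported OK but changes are still pending in candidate"}
    return {"safe_to_push": False, "reason": "commit job did not finish with result OK"}


if __name__ == "__main__":
    for label, check in (("healthy Panorama", SAMPLE_PENDING_NO),
                         ("affected Panorama", SAMPLE_PENDING_YES)):
        print(label, "->", verify_commit(SAMPLE_JOB_OK, check))
```

In a playbook the same guard can be expressed without leaving Ansible: run paloaltonetworks.panos.panos_op with `cmd: check pending-changes` right after the commit task and fail the play when the returned result is "yes", so a silently incomplete commit never reaches the device push step.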

antoinekh commented 2 months ago

Version issue, fixed in 11.0.5.

PAN-244746 | Fixed an issue where changes committed on Panorama were not reflected on the firewall after a successful push.