gabstopper / ansible-stonesoft

Ansible libraries for automating Stonesoft FW Management

How to manage Switch physical interface with Ansible #30

Closed sebbbastien closed 5 years ago

sebbbastien commented 5 years ago

Hi David,

I need to manage switch_physical_interface and port_group_interface with Ansible (NGFW-110)

The engine_facts playbook gives the configuration of the firewall:

TASK [debug] **********************************************************************************************************************************************************************************************************************************
Saturday 23 March 2019  20:00:31 +0100 (0:00:03.700)       0:00:03.748 ******** 
ok: [localhost] => {
    "msg": {
        "ansible_facts": {
            "engines": [
                {

                    [.....]

                    "physicalInterfaces": [
                        {
                            "physical_interface": {
                                "aggregate_mode": "none",
                                "arp_entry": [],
                                "comment": "Internet",
                                "cvi_mode": "none",
                                "dhcp_server_on_interface": {
                                    "default_lease_time": 7200,
                                    "dhcp_range_per_node": []
                                },
                                "duplicate_address_detection": true,
                                "include_prefix_info_option_flag": true,
                                "interface_id": "0",
                                "interfaces": [
                                    {
                                        "single_node_interface": {
                                            "auth_request": false,
                                            "auth_request_source": false,
                                            "automatic_default_route": true,
                                            "backup_for_web_access": false,
                                            "backup_heartbeat": false,
                                            "backup_mgt": false,
                                            "domain_specific_dns_queries_source": false,
                                            "dynamic": true,
                                            "dynamic_index": 1,
                                            "igmp_mode": "none",
                                            "key": 136,
                                            "nicid": "0",
                                            "nodeid": 1,
                                            "outgoing": false,
                                            "pppoa": false,
                                            "pppoe": false,
                                            "primary_for_web_access": false,
                                            "primary_heartbeat": false,
                                            "primary_mgt": true,
                                            "relayed_by_dhcp": false,
                                            "reverse_connection": true,
                                            "vrrp": false,
                                            "vrrp_id": -1,
                                            "vrrp_priority": -1
                                        }
                                    }
                                ],
                                "key": 142,
                                "link": [
                                    {
                                        "href": "http://smc-65:8082/6.5/elements/single_fw/1017/physical_interface/142",
                                        "rel": "self",
                                        "type": "physical_interface"
                                    }
                                ],
                                "log_moderation": [],
                                "managed_address_flag": false,
                                "mtu": -1,
                                "name": "Interface 0",
                                "other_configuration_flag": false,
                                "qos_limit": 0,
                                "qos_mode": "no_qos",
                                "route_replies_back_mode": false,
                                "router_advertisement": false,
                                "set_autonomous_address_flag": true,
                                "syn_mode": "default",
                                "sync_parameter": {
                                    "full_sync_interval": 5000,
                                    "heartbeat_group_ip": "224.0.0.221",
                                    "incr_sync_interval": 50,
                                    "statesync_group_ip": "224.0.0.222",
                                    "sync_mode": "sync_all",
                                    "sync_security": "sign"
                                },
                                "virtual_engine_vlan_ok": false,
                                "vlanInterfaces": []
                            }
                        },
                        {
                            "switch_physical_interface": {
                                "aggregate_mode": "none",
                                "arp_entry": [],
                                "dhcp_server_on_interface": {
                                    "default_lease_time": 7200,
                                    "dhcp_range_per_node": []
                                },
                                "duplicate_address_detection": true,
                                "include_prefix_info_option_flag": false,
                                "interface_id": "SWP_0",
                                "interfaces": [],
                                "key": 168,
                                "link": [
                                    {
                                        "href": "http://smc-65:8082/6.5/elements/single_fw/1017/switch_physical_interface/168",
                                        "rel": "self",
                                        "type": "switch_physical_interface"
                                    }
                                ],
                                "log_moderation": [],
                                "managed_address_flag": false,
                                "mtu": -1,
                                "name": "Switch 0",
                                "other_configuration_flag": false,
                                "port_group_interface": [
                                    {
                                        "aggregate_mode": "none",
                                        "arp_entry": [],
                                        "dhcp_server_on_interface": {
                                            "default_lease_time": 7200,
                                            "dhcp_range_per_node": []
                                        },
                                        "duplicate_address_detection": true,
                                        "include_prefix_info_option_flag": false,
                                        "interface_id": "SWP_0.1",
                                        "interfaces": [
                                            {
                                                "single_node_interface": {
                                                    "address": "10.0.1.1",
                                                    "auth_request": true,
                                                    "auth_request_source": true,
                                                    "automatic_default_route": false,
                                                    "backup_for_web_access": false,
                                                    "backup_heartbeat": false,
                                                    "backup_mgt": false,
                                                    "domain_specific_dns_queries_source": false,
                                                    "dynamic": false,
                                                    "igmp_mode": "none",
                                                    "key": 132,
                                                    "network_value": "10.0.1.0/24",
                                                    "nicid": "SWP_0.1",
                                                    "nodeid": 1,
                                                    "outgoing": true,
                                                    "pppoa": false,
                                                    "pppoe": false,
                                                    "primary_for_web_access": false,
                                                    "primary_heartbeat": false,
                                                    "primary_mgt": false,
                                                    "relayed_by_dhcp": false,
                                                    "reverse_connection": false,
                                                    "vrrp": false,
                                                    "vrrp_id": -1,
                                                    "vrrp_priority": -1
                                                }
                                            }
                                        ],
                                        "key": 169,
                                        "log_moderation": [],
                                        "managed_address_flag": false,
                                        "mtu": -1,
                                        "name": "Port Group 0.1 (ports 0-1)",
                                        "other_configuration_flag": false,
                                        "qos_limit": -1,
                                        "qos_mode": "no_qos",
                                        "router_advertisement": false,
                                        "set_autonomous_address_flag": false,
                                        "switch_physical_interface_port": [
                                            {
                                                "switch_physical_interface_port_comment": "",
                                                "switch_physical_interface_port_number": 0
                                            },
                                            {
                                                "switch_physical_interface_port_comment": "",
                                                "switch_physical_interface_port_number": 1
                                            }
                                        ],
                                        "syn_mode": "default"
                                    }
                                ],
                                "qos_limit": -1,
                                "qos_mode": "no_qos",
                                "router_advertisement": false,
                                "set_autonomous_address_flag": false,
                                "switch_physical_interface_switch_module_ref": "http://smc-65:8082/6.5/elements/appliance_switch_module/1",
                                "syn_mode": "default"
                            }
                        }
                    ],
                    }

                    [...]

                }
            ]
        },
        "changed": false,
        "deprecations": [
            {
                "msg": "Setting check_invalid_arguments is deprecated and will be removed. Update the code for this module  In the future, AnsibleModule will always check for invalid arguments.",
                "version": "2.9"
            }
        ],
        "failed": false
    }
}

But with as_yaml: true, the switch_physical_interface disappears:

TASK [debug] **********************************************************************************************************************************************************************************************************************************
Saturday 23 March 2019  20:19:05 +0100 (0:00:11.432)       0:00:11.479 ******** 
ok: [localhost] => {
    "msg": {
        "ansible_facts": {
            "engines": [
                {
                    "antivirus": false,
                    "bgp": {
                        "enabled": false,
                        "router_id": null
                    },
                    "default_nat": false,
                    "enable_vpn": [
                        "First DHCP Interface ip"
                    ],
                    "file_reputation": false,
                    "interfaces": [
                        {
                            "comment": "Internet",
                            "interface_id": "0",
                            "interfaces": [
                                {
                                    "nodes": [
                                        {
                                            "dynamic": true,
                                            "dynamic_index": 1
                                        }
                                    ]
                                }
                            ]
                        }
                    ],
                    "location": "Internet",
                    "name": "TestFW",
                    "ospf": {
                        "enabled": false,
                        "router_id": null
                    },
                    "policy_vpn": [
                        {
                            "central_gateway": false,
                            "name": "TestVPN",
                            "satellite_gateway": true
                        }
                    ],
                    "snmp": {
                        "snmp_agent": "TestSNMP"
                    },
                    "type": "single_fw"
                }
            ]
        },
        "changed": false,
        "deprecations": [
            {
                "msg": "Setting check_invalid_arguments is deprecated and will be removed. Update the code for this module  In the future, AnsibleModule will always check for invalid arguments.",
                "version": "2.9"
            }
        ],
        "failed": false
    }
}

I can more or less feed the YAML version back to the engine task and obtain the same firewall.

Do you know if it is possible to use the json format in any way to create switch_physical_interface and port_group_interface?

Is the support of switch_physical_interface possible on your side?

gabstopper commented 5 years ago

So technically, switch physical interface is not currently implemented in smc-python. It hasn't really come up, but I can schedule it; what is the priority for accomplishing this? Also, I am starting to provide some higher-level abstractions for creating elements within Ansible that leverage the underlying data structure where possible. For example, you'll now see a new "generic" playbook/library called element. Here is an example of its usage:

https://github.com/gabstopper/ansible-stonesoft/blob/develop/playbooks/element.yml

The idea is that I can make more generic some of the data structures such as engine allowing for easier implementation when new features arrive in SMC API.

gabstopper commented 5 years ago

Hi Sebastien, the latest dev branch of ansible-stonesoft now supports creating these elements. The update_or_create functionality on these interfaces will be completed and uploaded in the next couple of days. This does require the latest smc-python dev package, 0.7.0b7.

gabstopper commented 5 years ago

I have updated both dev branches on ansible and smc-python (0.7.0b8) this evening to support switch physical interfaces (and update_or_create functionality). Please give it a try.

Here is an example playbook:

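---
# Maintainer's example: a single_fw engine ("azure") on an NGFW-110 whose
# management interface and one node interface live on switch port groups
# (SWP_0.x) of the appliance switch module.
# The reporter later hit "Management interface is not defined. Management was
# specified on interface: SWP_0.1" with this playbook on smc-python 0.7.0b8;
# see the follow-up comments in the issue.
- name: Firewall Template
  hosts: localhost
  gather_facts: false  # canonical boolean; `no` is a YAML 1.1 truthy spelling
  tasks:
    - name: Layer 3 FW template
      engine:
        smc_logging:
          # 10 is Python DEBUG. A client-side API debug log may contain
          # session details, so keep the file out of tickets and VCS.
          level: 10
          path: ansible-smc.log
        antivirus: false
        backup_mgt: SWP_0.3
        bgp:
          enabled: false
          router_id: null
        default_nat: false
        domain_server_address:
          - name: 8.8.8.8
            type: ipaddress
        file_reputation: false
        interfaces:
          - appliance_switch_module: 110
            interface_id: SWP_0
            type: switch_physical_interface
            port_group_interface:
              - interface_id: SWP_0.1
                interfaces:
                  - nodes:
                      - address: 12.12.12.12
                        network_value: 12.12.12.0/24
                        nodeid: 1
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: 'foobar'
                    switch_physical_interface_port_number: 0
                zone_ref: Internal
              - interface_id: SWP_0.2
                interfaces:
                  - nodes:
                      - dynamic: true
                        dynamic_index: 3
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: ''
                    switch_physical_interface_port_number: 1
                zone_ref: External
              - interface_id: SWP_0.3
                interfaces:
                  - nodes:
                      - dynamic: true
                        dynamic_index: 4
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: ''
                    switch_physical_interface_port_number: 3
                zone_ref: External
              # Port group with no addressing; ports 2, 4, 5 and 6 are members.
              - interface_id: SWP_0.4
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: 'port 2'
                    switch_physical_interface_port_number: 2
                  - switch_physical_interface_port_comment: ''
                    switch_physical_interface_port_number: 4
                  - switch_physical_interface_port_comment: ''
                    switch_physical_interface_port_number: 5
                  - switch_physical_interface_port_comment: ''
                    switch_physical_interface_port_number: 6
          # Quoted so the id stays a string, matching how engine_facts reports it.
          - interface_id: '0'
            interfaces:
              - nodes:
                  - address: 1.1.1.1
                    network_value: 1.1.1.0/24
                    nodeid: 1
        name: azure
        ospf:
          enabled: false
          router_id: null
        primary_mgt: SWP_0.1
        type: single_fw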
sebbbastien commented 5 years ago

Hi David,

Thanks for your work. I didn't manage to get the playbook working.

With the playbook you provided I get this error (the azure FW was not present on the SMC):

    "msg": "Management interface is not defined. Management was specified on interface: SWP_0.1"

If I replace primary_mgt: SWP_0.1 with primary_mgt: 0, creation is OK. If I then switch back to primary_mgt: SWP_0.1, the error disappears, but the primary management interface is not updated.

Versions I use:

» pip list | grep smc
smc-python   0.7.0b8 

» grep stone ansible.cfg
library = ansible-stonesoft/library
module_utils = ansible-stonesoft/module_utils

» git --git-dir=ansible-stonesoft/.git reflog
7963882 (HEAD -> develop, origin/develop) HEAD@{0}: checkout: moving from master to develop
d83da5b (origin/master, origin/HEAD, origin/develop, master) HEAD@{1}: clone: from https://github.com/gabstopper/ansible-stonesoft.git
gabstopper commented 5 years ago

Ok, will look at today.

gabstopper commented 5 years ago

Hi Sebastien, please try the latest ansible dev and smc-python dev release. I have a few minor things to fix on the ansible side with respect to changing management interfaces and using the delete_undefined_interfaces switch on these interface types. Otherwise you can make changes to existing switch ports, add/remove switch ports, etc. Let me know how that goes.

gabstopper commented 5 years ago

BTW, the latest smc-python on the dev branch is 0.6.0b9.

sebbbastien commented 5 years ago

Hi David,

Latest develop versions (gabstopper/ansible-stonesoft@660bceeac34ab43ecd94983ca2be7b25de9b2721 and gabstopper/smc-python@a079deac42fc1e044da2f3e7a76796ad17f961b4) are working fine.

For "documentation":

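---
# Reporter's working version (ansible-stonesoft develop @ 660bceea,
# smc-python develop @ a079deac): primary management on physical interface 0,
# backup management and auth_request on switch port groups, two VLANs on
# interface 1.
- name: Firewall Template
  hosts: localhost
  gather_facts: false  # canonical boolean instead of the YAML 1.1 `no`
  tasks:
    - name: Layer 3 FW template
      engine:
        name: azure
        # Interface ids are quoted so they stay strings: engine_facts reports
        # interface_id as "0", and an unquoted 0 is parsed as an integer.
        # primary_mgt is quoted the same way so it compares against the same type.
        primary_mgt: '0'
        backup_mgt: SWP_0.3
        auth_request: SWP_0.1
        type: single_fw
        domain_server_address:
          - name: 8.8.8.8
            type: ipaddress
        file_reputation: false
        interfaces:
          - interface_id: '0'
            interfaces:
              - nodes:
                  - dynamic: true
                    dynamic_index: 1
          - interface_id: '1'
            interfaces:
              - nodes:
                  - address: 1.1.1.1
                    network_value: 1.1.1.0/24
                    nodeid: 1
                vlan_id: 10
              - nodes:
                  - address: 1.1.2.1
                    network_value: 1.1.2.0/24
                    nodeid: 1
                vlan_id: 20
          - appliance_switch_module: 110
            interface_id: SWP_0
            type: switch_physical_interface
            port_group_interface:
              - interface_id: SWP_0.1
                interfaces:
                  - nodes:
                      - dynamic: true
                        dynamic_index: 3
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: ""
                    switch_physical_interface_port_number: 1
                zone_ref: External
              - interface_id: SWP_0.3
                interfaces:
                  - nodes:
                      - dynamic: true
                        dynamic_index: 4
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: ""
                    switch_physical_interface_port_number: 3
                zone_ref: External
              - interface_id: SWP_0.8
                interfaces:
                  - nodes:
                      - address: 12.12.12.12
                        network_value: 12.12.12.0/24
                        nodeid: 1
                        auth_request: true  # lowercase boolean (was `True`)
                switch_physical_interface_port:
                  - switch_physical_interface_port_comment: "LAN"
                    switch_physical_interface_port_number: 7
                zone_ref: Internal
        smc_logging:
          # 10 is Python DEBUG. A client-side API debug log may contain
          # session details, so treat the file as sensitive.
          level: 10
          path: ansible-smc.log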

Produces: image

Many thanks for your quick response!

Best regards