This repository has been archived by the owner on Jun 14, 2023. It is now read-only.

Added so you can search after IP in address object instead of name #420

Merged
merged 3 commits into from
Jan 16, 2020

Conversation


@cjuhlin cjuhlin commented Jul 25, 2019

Like the title says. To search after IP instead of name in Addresses. Instead of using name/name_regex you use value/value_regex. It will also solve issue number #66.

Example:

  - name: Get address object with IP with value
    panos_object_facts:
      provider:
        ip_address: '{{ ansible_host }}'
        username: '{{ username_fw }}'
        password: '{{ password_fw }}'
      object_type: 'address'
      value: '192.168.0.0/24'
    register: results
  - debug: msg='{{ results }}'

Output:

ok: [fwtest] => {
    "msg": {
        "ansible_module_results": {},
        "changed": false,
        "failed": false,
        "objects": [
            {
                "description": null,
                "name": "localnet",
                "tag": [
                    "local"
                ],
                "type": "ip-netmask",
                "value": "192.168.0.0/24"
            }
        ]
    }
}

Or with value_regex:

  - name: Get address object with IP with value_regex
    panos_object_facts:
      provider:
        ip_address: '{{ ansible_host }}'
        username: '{{ username_fw }}'
        password: '{{ password_fw }}'
      object_type: 'address'
      value_regex: '172.168.229.*'
    register: results
  - debug: msg='{{ results }}'

Output:

ok: [fwtest] => {
    "msg": {
        "ansible_module_results": {},
        "changed": false,
        "failed": false,
        "objects": [
            {
                "description": null,
                "name": "gw",
                "tag": [
                    "gw"
                ],
                "type": "ip-netmask",
                "value": "172.168.229.1/24"
            },
            {
                "description": null,
                "name": "172.168.229.54",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.54/32"
            },
            {
                "description": null,
                "name": "172.168.229.72",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.72"
            },
            {
                "description": "172.168.229.88 ",
                "name": "172.168.229.88",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.88/32"
            },
            {
                "description": "172.168.229.89 ",
                "name": "172.168.229.89",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.89/32"
            },
            {
                "description": null,
                "name": "172.168.229.50",
                "tag": null,
                "type": "ip-netmask",
                "value": "172.168.229.50/32"
            }
        ]
    }
}

@Mattbarr1

Is there a timeline until this gets put into dev?

@GrayBeard80

This is my code and output. Can you help me identify what's wrong?

  - hosts: localhost
    connection: local

    roles:
      - role: paloaltonetworks.paloaltonetworks

    tasks:
      - name: include login variables (free-form)
        include_vars: vars_login.yml

      - name: search for shared address object
        panos_object_facts:
          provider:
            ip_address: '{{ mgmt_ip }}'
            username: '{{ admin_username }}'
            password: '{{ admin_password }}'
          object_type: 'address'
          value: '192.168.0.34'
        register: results

      - debug: msg='{{ results }}'

** The spaces are a little off from pasting it. **

fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"object_type": "address",
"provider": {
"ip_address": "192.168.0.35",
"password": "password",
"username": "dave"
},
"value": "192.168.0.34"
}
},
"msg": "Unsupported parameters for (panos_object_facts) module: value Supported parameters include: api_key, device_group, ip_address, name, name_regex, object_type, password, port, provider, username, vsys"
}

@cjuhlin
Contributor Author

cjuhlin commented Aug 21, 2019

This is my code and output. Can you help me identify what's wrong?

Which branch did you test with? To get it to work you need to use my branch until they have accepted my merge request.

@GrayBeard80

I'm sorry, maybe I'm missing it, but I don't see in your branch the search ip address. I see the search object though. Thanks.

@Mattbarr1

I'm using your branch; I cloned it from the link you provided. I believe I am also running into the issue GrayBeard80 is. I copied your example and modified it for my environment, but it doesn't seem to like the value: '192.168.0.0/24' portion.

So I'm unable to search for an object by IP address.

This is the error I get, and in the error output I don't see 'value' specified there under supported parameters, not sure if that's relevant or not.

fatal: [PA1]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (panos_object_facts) module: value Supported pae_group, ip_address, name, name_regex, object_type, password, port, provider, username, vsys"}

Snippet of my task:

  - name: Find an address object on the firewall
    panos_object_facts:
      provider:
        ip_address: '{{ mgmt_ip }}'
        username: '{{ admin_username }}'
        password: '{{ admin_password }}'
      value: '192.168.1.2'
      object_type: 'address'
    register: result
  - debug: msg='{{ result.stdout_lines }}'

Am I using it wrong?

@cjuhlin
Contributor Author

cjuhlin commented Aug 27, 2019

I tried my branch in its own new virtual-env and had no problem.

  1. Downloaded my branch with:
     git clone https://github.com/nebi/ansible-pan
  2. moved folder into roles folder
  3. used this playbook:

     - name: Find some objects on the firewall
       hosts: all
       connection: local
       gather_facts: False
       vars:
         ansible_python_interpreter: $HOME/venv/ansible-test/bin/python3
       vars_files:
         - vars/vault.yml
       roles:
         - role: ansible-pan

       tasks:
         - name: Get all address object on the firewall
           panos_object_facts:
             provider: '{{ panos_provider }}'
             object_type: 'address'
             value_regex: '.*'
           register: result
         - name: Print out all address object
           debug: msg='{{ result }}'

         - name: Find a prefix in address object on the firewall
           panos_object_facts:
             provider: '{{ panos_provider }}'
             object_type: 'address'
             value: '1.1.1.1/32'
           register: result

         - name: Print out address object with matched prefix
           debug: msg='{{ result }}'

  4. Got this output:
PLAY [Find some objects on the firewall] ****************************************************************************************************************************************************************************************************************************

TASK [ansible-pan : Install pan-python required library] ************************************************************************************************************************************************************************************************************
ok: [testfw]

TASK [ansible-pan : Install pandevice required library] *************************************************************************************************************************************************************************************************************
ok: [testfw]

TASK [ansible-pan : Install xmltodict required library] *************************************************************************************************************************************************************************************************************
ok: [testfw]
 [WARNING]: Found internal 'results' key in module return, renamed to 'ansible_module_results'.


TASK [Get all address object on the firewall] ***********************************************************************************************************************************************************************************************************************
ok: [testfw]

TASK [Print out all address object] *********************************************************************************************************************************************************************************************************************************
ok: [testfw] => 
  msg:
    ansible_module_results: {}
    changed: false
    failed: false
    objects:
    - description: null
      name: CLOUDFLARE_DNS
      tag:
      - TEST
      type: ip-netmask
      value: 1.1.1.1/32
 [WARNING]: Found internal 'results' key in module return, renamed to 'ansible_module_results'.


TASK [Find a prefix in address object on the firewall] **************************************************************************************************************************************************************************************************************
ok: [testfw]

TASK [Print out address object with matched prefix] *****************************************************************************************************************************************************************************************************************
ok: [testfw] => 
  msg:
    ansible_module_results: {}
    changed: false
    failed: false
    objects:
    - description: null
      name: CLOUDFLARE_DNS
      tag:
      - TEST
      type: ip-netmask
      value: 1.1.1.1/32

PLAY RECAP **********************************************************************************************************************************************************************************************************************************************************
testfw                  : ok=7    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

@Mattbarr1

2. moved folder into roles folder

Can you expand on step 2? You moved the ansible-pan folder into the roles folder of your branch?

@GrayBeard80

I have that same question too as well as what your 'panos_provider' variable is.

@GrayBeard80

Sorry, never mind, I figured out 'provider'.

@Mattbarr1

Well, I got it to work. I tried to just use the regex task to see if that would work, and it successfully pulled all the objects. I then changed "value_regex" to just "value" and put in an IP ("value: '192.168.1.2'"), and it returned the object with that IP. I will say, though, there seem to be some issues with the IP scheme: Palo Alto lets you enter either just an IP or an IP and netmask, for instance either "192.168.1.2" or "192.168.1.2/32", and both are valid addressing schemes. What I have found with this build is that if I have an object with the IP of "192.168.1.2/32" and in the playbook I use value: '192.168.1.2', it returns empty results. If I were to use value: '192.168.1.2/32' it works as it should.

Collaborator

@shinmog shinmog left a comment


panos_object_facts reports on facts for more than just address objects, and AddressObject is the name of a class, so naming the variable that is misleading. Also, I don't think storing an object's .about() into a variable so you can do foo["value"] nets you anything since you can just do foo.value and have the same result.

If we're trying to add functionality to this module that would extend beyond just address objects, I think it would be better to add a more flexible set of params to this module:

  • one param that accepts the name of the parameter to search (default: value)
  • one param that accepts the type of search to perform. This could accept, say, exact / regex, then a new search of cidr regex or something could be added later that would implement better CIDR searching that the comments in this PR are eliciting.

What do you think?
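As an added illustration (not code from ansible-pan or from this PR) of the exact-versus-CIDR mismatch Mattbarr1 describes above and of the "field" plus "search mode" parameter set suggested in this review, here is a Python filter over a constructed list of address objects; the field and mode parameters, the "contains" mode, and the sample objects are assumptions, not the module's interface.

```python
import ipaddress
import re

# Constructed sample in the shape panos_object_facts returns for object_type
# 'address' (field names taken from the PR output; the objects are made up).
ADDRESS_OBJECTS = [
    {"name": "gw", "type": "ip-netmask", "value": "172.168.229.1/24"},
    {"name": "host54", "type": "ip-netmask", "value": "172.168.229.54/32"},
    {"name": "host72", "type": "ip-netmask", "value": "172.168.229.72"},
    {"name": "localnet", "type": "ip-netmask", "value": "192.168.0.0/24"},
    {"name": "web-fqdn", "type": "fqdn", "value": "www.example.com"},
]


def as_interface(value):
    """Parse an ip-netmask value; a bare host gets /32 (or /128 for IPv6).
    ip_interface keeps host part and mask, so '1.2.3.4/24' stays distinct
    from '1.2.3.0/24'. Non-CIDR values (fqdn, ip-range) give None."""
    try:
        return ipaddress.ip_interface(value)
    except ValueError:
        return None


def match_field(obj, field, pattern, mode):
    """Hypothetical search with a 'field' and a 'mode' parameter, along the
    lines the reviewer suggests; not the module's real interface."""
    current = obj.get(field)
    if not isinstance(current, str):
        return False
    if mode == "exact":                  # plain string compare, like 'value'
        return current == pattern
    if mode == "regex":                  # regex, assumed anchored at the start
        return re.match(pattern, current) is not None
    if mode == "cidr":                   # same address AND same mask
        have, want = as_interface(current), as_interface(pattern)
        return have is not None and want is not None and have == want
    if mode == "contains":               # which objects cover this host?
        have = as_interface(current)
        try:
            return have is not None and ipaddress.ip_address(pattern) in have.network
        except ValueError:               # pattern is not a single IP
            return False
    raise ValueError("unknown search mode: %s" % mode)


def find_objects(objects, pattern, field="value", mode="exact"):
    """Names of the objects whose field matches, in input order."""
    return [o["name"] for o in objects if match_field(o, field, pattern, mode)]
```

With "exact", a search for 172.168.229.54 misses the object stored as 172.168.229.54/32, which is the empty result reported above; "cidr" normalises both sides first and finds it.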

Collaborator

@shinmog shinmog left a comment


@Nebi

I'll go ahead and make the tweaks that I've suggested in my comments after I merge this PR; thanks for the work on this!

@shinmog shinmog merged commit 554c445 into PaloAltoNetworks:develop Jan 16, 2020