panos_security_rule group_profile does not work properly
domel138 opened this issue · 3 comments
Describe the bug
When I'm trying to update a rule with the panos_security_rule module:

```yaml
- name: Removing object from security policies
  paloaltonetworks.panos.panos_security_rule:
    provider: "{{ network_provider }}"
    action: "{{ item.1.action }}"
    antivirus: "{{ item.1.antivirus | default(omit, true) }}"
    application: "{{ item.1.application | default(omit, true) }}"
    category: "{{ item.1.category | default(omit, true) }}"
    data_filtering: "{{ item.1.data_filtering | default(omit, true) }}"
    description: "{{ item.1.description | default(omit, true) }}"
    destination_ip: "{{ item.1.destination_ip | difference(full_object_search_names_list) }}"
    device_group: "{{ item.1.device_group | default('shared') }}"
    disable_server_response_inspection: "{{ item.1.disable_server_response_inspection | default(omit, true) }}"
    disabled: "{{ item.1.disabled | default(omit, true) }}"
    file_blocking: "{{ item.1.file_blocking | default(omit, true) }}"
    group_profile: "{{ item.1.group_profile | default(omit, true) }}"
    hip_profiles: "{{ item.1.hip_profiles | default(omit, true) }}"
    icmp_unreachable: "{{ item.1.icmp_unreachable | default(omit, true) }}"
    log_end: "{{ item.1.log_end | default(omit, true) }}"
    log_setting: "{{ item.1.log_setting | default(omit, true) }}"
    log_start: "{{ item.1.log_start | default(omit, true) }}"
    negate_destination: "{{ item.1.negate_destination | default(omit, true) }}"
    negate_source: "{{ item.1.negate_source | default(omit, true) }}"
    # the task as posted read item.1.negate_source here, which copied the wrong field into negate_target
    negate_target: "{{ item.1.negate_target | default(omit, true) }}"
    rule_name: "{{ item.1.rule_name | mandatory }}"
    rule_type: "{{ item.1.rule_type | default(omit, true) }}"
    schedule: "{{ item.1.schedule | default(omit, true) }}"
    service: "{{ item.1.service | default(omit, true) }}"
    source_ip: "{{ item.1.source_ip | difference(full_object_search_names_list) }}"
    source_user: "{{ item.1.source_user | default(omit, true) }}"
    source_zone: "{{ item.1.source_zone | default(omit, true) }}"
    spyware: "{{ item.1.spyware | default(omit, true) }}"
    tag_name: "{{ item.1.tag_name | default(omit, true) }}"
    target: "{{ item.1.target | default(omit, true) }}"
    url_filtering: "{{ item.1.url_filtering | default(omit, true) }}"
    vsys: "{{ item.1.vsys | default(omit, true) }}"
    vulnerability: "{{ item.1.vulnerability | default(omit, true) }}"
    wildfire_analysis: "{{ item.1.wildfire_analysis | default(omit, true) }}"
    commit: false
  with_nested:
    - "{{ full_object_search_names_list }}"
    - "{{ all_security_policies }}"
  loop_control:
    label: "rule_name={{ item.1.rule_name | default('skipping') }}"
  when:
    - item.1.source_ip is defined and item.1.destination_ip is defined and item.1.rule_name is defined
    - item.0 in item.1.source_ip or item.0 in item.1.destination_ip
```
Expected behavior
The group_profile parameter should work once a list is provided, as expected; otherwise updating or creating the policy fails.
Current behavior
I'm getting the error below:

```
WARNING: The below traceback may *not* be related to the actual failure.
  File "/tmp/ansible_paloaltonetworks.panos.panos_security_rule_payload_5VDuK3/ansible_paloaltonetworks.panos.panos_security_rule_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 346, in apply_state
    obj.apply()
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 559, in apply
    device.active().xapi.edit(self.xpath(), self.element_str(), retry_on_peer=self.HA_SYNC)
  File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 3486, in method
    raise the_exception
[WARNING]: The value ['Global-Block'] (type list) in a string field was converted to u"['Global-Block']" (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
```

```
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "action": "allow",
            "antivirus": null,
            "api_key": null,
            "application": [
                "smtp"
            ],
            "category": [
                "any"
            ],
            "commit": false,
            "data_filtering": null,
            "description": "omitted",
            "destination_ip": [
                "omitted",
                "omitted"
            ],
            "destination_zone": [
                "any"
            ],
            "devicegroup": null,
            "disable_server_response_inspection": false,
            "disabled": false,
            "existing_rule": null,
            "file_blocking": null,
            "group_profile": "['Global-Block']",   <-- here you see that the list has been converted to a string and is not accepted
            "hip_profiles": [
                "any"
            ],
            "icmp_unreachable": null,
            "ip_address": null,
            "location": null,
            "log_end": true,
            "log_setting": "Global",
            "log_start": false,
            "negate_destination": false,
            "negate_source": false,
            "negate_target": null,
            "operation": null,
            "password": null,
            "port": 443,
            "provider": {
                "api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "ip_address": "omitted",
                "password": null,
                "port": 443,
                "serial_number": null,
                "username": "omitted"
            },
            "rule_name": "omitted",
            "rule_type": "universal",
            "rulebase": null,
            "schedule": null,
            "service": [
                "TCP_25"
            ],
            "source_ip": [
                "omitted"
            ],
            "source_user": [
                "any"
            ],
            "source_zone": [
                "any"
            ],
            "spyware": null,
            "state": "present",
            "tag_name": null,
            "target": null,
            "url_filtering": null,
            "username": "admin",
            "vsys": "vsys1",
            "vulnerability": null,
            "wildfire_analysis": null
        }
    },
    "msg": "Failed apply: SCOM SMTP Relay -> profile-setting -> group '['Global-Block']' is not a valid reference\n SCOM SMTP Relay -> profile-setting is invalid"
```

group_profile is expecting a list (which I'm passing to it); however, something is converting that list to a string type along the way, which causes the module to fail to update the security rule.
If I disable the group_profile parameter it works, but it would be nice to have that functionality working; every other parameter is working fine.
Steps to reproduce
- Try to use the panos_security_rule module with the group_profile parameter provided
Your Environment
- Version used: collection 1.1.0, PAN-OS 9.0.8 (Panorama)
- Environment: python 2.7.5, ansible 2.9.7
- Operating System and version: RHEL7
I think I found the issue. It seems that:
`ansible_collections/paloaltonetworks/panos/plugins/modules/panos_security_rule.py` has the wrong group_profile definition.
It is set to `dict()` instead of `dict(type=list)`; after the change it started to work.
I've noticed that the other profile actions have that issue as well; maybe it changed to a list after the PAN-OS 9 release?
Changing the below in `panos_security_rule.py`:

```python
group_profile=dict(),
antivirus=dict(),
spyware=dict(),
vulnerability=dict(),
url_filtering=dict(),
file_blocking=dict(),
wildfire_analysis=dict(),
data_filtering=dict(),
```

to:

```python
group_profile=dict(type='list', default=None),
antivirus=dict(type='list', default=None),
spyware=dict(type='list', default=None),
vulnerability=dict(type='list', default=None),
url_filtering=dict(type='list', default=None),
file_blocking=dict(type='list', default=None),
wildfire_analysis=dict(type='list', default=None),
data_filtering=dict(type='list', default=None),
```

seems to solve the issue for Panorama PAN-OS 9.0.8.
All of those elements should be strings, as you can't assign multiple profiles of the same type to a rule.
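The two things this thread turns on are the coercion that produced `"['Global-Block']"` (an argument spec written as `dict()` is type `str`, and Ansible stringifies a non-string value with the warning quoted in the report) and the maintainer's point that each profile parameter is a single name. The block below is an added example, not code from the panos collection or from the issue: `ansible_str_coercion` reproduces the string conversion so you can see why the reference was invalid, and `normalize_rule_args` is a hypothetical pre-flight check for rule data loaded from an inventory that unwraps a one-element list into the scalar the module wants, rejects multiple profiles of one type, and refuses a rule that sets `group_profile` together with individual profiles (an assumption based on PAN-OS's profile-setting being either a group or individual profiles). `SAMPLE_MODULE_ARGS` is a constructed subset of the report's `module_args`.

```python
"""Reproduce the list-to-string coercion from the issue and normalize the
profile parameters of a panos_security_rule call before the module sees them.

Added example, not part of the panos collection or of the issue.
"""
from typing import Any, Dict, Optional, Tuple

# The eight profile-setting parameters named in the thread. A rule takes one
# profile of each type (or one profile group), so each value must be a scalar.
PROFILE_PARAMS = (
    "group_profile", "antivirus", "spyware", "vulnerability",
    "url_filtering", "file_blocking", "wildfire_analysis", "data_filtering",
)
INDIVIDUAL_PROFILES = PROFILE_PARAMS[1:]


def ansible_str_coercion(value: Any) -> Tuple[str, bool]:
    """Emulate Ansible's 'str' argument type with conversion allowed.

    Returns (converted_value, warning_emitted). A list such as ['Global-Block']
    becomes the literal text "['Global-Block']", exactly the value that shows up
    in module_args and in the PAN-OS 'is not a valid reference' error.
    """
    if isinstance(value, str):
        return value, False
    return str(value), True


def normalize_profile(name: str, value: Any) -> Optional[str]:
    """Return a single profile name, or None when the parameter is unset/empty.

    A one-element list is unwrapped (inventory data loaded from YAML or CSV
    often arrives that way); more than one element is rejected because a rule
    cannot carry multiple profiles of the same type.
    """
    if value is None:
        return None
    if isinstance(value, str):
        return value.strip() or None
    if isinstance(value, (list, tuple)):
        items = [str(v).strip() for v in value if str(v).strip()]
        if not items:
            return None
        if len(items) > 1:
            raise ValueError(f"{name}: a rule takes exactly one profile, got {items}")
        return items[0]
    raise TypeError(f"{name}: expected a string or one-element list, got {type(value).__name__}")


def normalize_rule_args(args: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the module arguments with every profile parameter scalar.

    Assumption: a rule's profile-setting is either a group or a set of
    individual profiles, so combining group_profile with any of them is refused.
    """
    fixed = dict(args)
    for name in PROFILE_PARAMS:
        if name in fixed:
            fixed[name] = normalize_profile(name, fixed[name])
    if fixed.get("group_profile") and any(fixed.get(p) for p in INDIVIDUAL_PROFILES):
        raise ValueError("group_profile cannot be combined with individual security profiles")
    return fixed


def is_rejected(args: Dict[str, Any]) -> bool:
    """True when normalize_rule_args refuses the arguments."""
    try:
        normalize_rule_args(args)
    except (ValueError, TypeError):
        return True
    return False


# Constructed sample: a subset of the report's module_args, with the list value
# that triggered the failure.
SAMPLE_MODULE_ARGS: Dict[str, Any] = {
    "rule_name": "SCOM SMTP Relay",
    "action": "allow",
    "application": ["smtp"],
    "service": ["TCP_25"],
    "group_profile": ["Global-Block"],  # a list here is what Ansible stringified
    "antivirus": None,
    "spyware": None,
}

if __name__ == "__main__":
    print(ansible_str_coercion(SAMPLE_MODULE_ARGS["group_profile"]))  # ("['Global-Block']", True)
    print(normalize_rule_args(SAMPLE_MODULE_ARGS)["group_profile"])  # Global-Block
```

On the playbook side the equivalent is simply to make sure the variable feeding `group_profile` (and the other profile parameters) is a scalar string rather than a one-element list; the Ansible warning about a list in a string field is the signal that it is not.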