PaloAltoNetworks/pan-os-ansible

panos_security_rule - not a valid reference

stefano-di-chio opened this issue · 5 comments

Describe the bug

Using the module panos_security_rule, failed to apply config to attribute antivirus.

Expected behavior

Update existing security rule in Panorama using data saved in a variable list.

MSG:

Failed apply: Poly Lens VC devices -> profile-setting -> profiles -> virus '['Global Antivirus Profile']' is not a valid reference
Poly Lens VC devices -> profile-setting -> profiles -> virus is invalid

Current behavior

TASK [3.2.3 - edit rules source list] **********************************************************************************************************************************************************
Friday 15 September 2023 14:54:01 +0100 (0:00:00.035) 0:08:44.305 ******
fatal: [brlfwm03]: FAILED! => {
"changed": false
}

MSG:

Possible solution

no idea

Steps to reproduce

Context

Trying to modify existing rule.

Using this task:

  - name: 3.2.3 - edit rules source list
    paloaltonetworks.panos.panos_security_rule:
      provider: '{{ device }}'
      device_group: '{{ devgroups_outer_item }}'
      rulebase: 'post-rulebase'
      commit: false
      action: '{{ sec_outer_item.action }}'
      antivirus: '{{ sec_outer_item.antivirus | default(omit, true) }}'
      application: '{{ sec_outer_item.application | default(omit, true) }}'
      category: '{{ sec_outer_item.category | default(omit, true) }}'
      data_filtering: '{{ sec_outer_item.data_filtering | default(omit, true) }}'
      description: '{{ sec_outer_item.description | default(omit, true) }}'
      destination_ip: '{{ sec_outer_item.destination_ip | default(omit, true) }}'
      destination_zone: '{{ sec_outer_item.destination_zone | default(omit, true) }}'
      disable_server_response_inspection: '{{ sec_outer_item.disable_server_response_inspection | default(omit, true) }}'
      disabled: '{{ sec_outer_item.disabled | default(omit, true) }}'
      file_blocking: '{{ sec_outer_item.file_blocking | default(omit, true) }}'
      group_profile: '{{ sec_outer_item.group_profile | default(omit, true) }}'
      group_tag: '{{ sec_outer_item.group_tag | default(omit, true) }}'
      hip_profiles: '{{ sec_outer_item.hip_profiles | default(omit, true) }}'
      icmp_unreachable: '{{ sec_outer_item.icmp_unreachable | default(omit, true) }}'
      log_end: '{{ sec_outer_item.log_end | default(omit, true) }}'
      log_setting: '{{ sec_outer_item.log_setting | default(omit, true) }}'
      log_start: '{{ sec_outer_item.log_start | default(omit, true) }}'
      negate_destination: '{{ sec_outer_item.negate_destination | default(omit, true) }}'
      negate_source: '{{ sec_outer_item.negate_source | default(omit, true) }}'
      negate_target: '{{ sec_outer_item.negate_target | default(omit, true) }}'
      rule_name: '{{ sec_outer_item.rule_name | default(omit, true) }}'
      rule_type: '{{ sec_outer_item.rule_type | default(omit, true) }}'
      schedule: '{{ sec_outer_item.schedule | default(omit, true) }}'
      service: '{{ sec_outer_item.service | default(omit, true) }}'
      source_ip: '{{ sec_outer_item.source_ip | difference([rmname,rmname|upper,rmname|lower]) }}'
      source_user: '{{ sec_outer_item.source_user | default(omit, true) }}'
      source_zone: '{{ sec_outer_item.source_zone | default(omit, true) }}'
      spyware: '{{ sec_outer_item.spyware | default(omit, true) }}'
      tag_name: '{{ sec_outer_item.tag_name | default(omit, true) }}'
      target: '{{ sec_outer_item.target | default(omit, true) }}'
      uuid: '{{ sec_outer_item.uuid | default(omit, true) }}'
      vulnerability: '{{ sec_outer_item.vulnerability | default(omit, true) }}'
      wildfire_analysis: '{{ sec_outer_item.wildfire_analysis | default(omit, true) }}'
    when:
      - sec_outer_item.source_ip|length > 1
      - rmname in sec_outer_item.source_ip or
        rmname|upper in sec_outer_item.source_ip or
        rmname|lower in sec_outer_item.source_ip

Your Environment

  • Python: 3.8.13
  • Ansible: core 2.12.1
  • PAN-OS Python Library & version : panos 10.1.6


This is a duplicate of #376. Until there is a permanent fix, there is a workaround (mentioned here) to use the first item of the returned list, which would look something like: group_profile: '{{ sec_outer_item.group_profile[0] | default(omit, true) }}'

Hi @stefano-di-chio, apologies, I was not accurate on the workaround. Try antivirus: '{{ sec_outer_item.antivirus[0] | default(omit, true) }}' instead of antivirus: '{{ sec_outer_item.antivirus | default(omit, true) }}'

Please reopen this issue if problems persist
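The `[0]` workaround above, generalized as an added example (not code from this thread or from the pan-os-ansible collection): a local Ansible filter plugin that collapses a one-item list to the plain string for each profile option and fails loudly when a list holds more than one name, so a security profile is never picked or dropped silently. The filter names `single_profile` and `normalize_rule`, the plugin file name, and the assumption that every profile option in the task comes back as a list like `antivirus` and `group_profile` are hypothetical.

```python
# Added example: save as filter_plugins/panos_profiles.py (hypothetical name).
# Usage in the task (assumed form):
#   antivirus: "{{ sec_outer_item.antivirus | default([]) | single_profile | default(omit, true) }}"

# Profile options taken from the task in this issue; assumed to share the list behaviour.
PROFILE_FIELDS = ("antivirus", "spyware", "vulnerability", "file_blocking",
                  "data_filtering", "wildfire_analysis", "group_profile")


def single_profile(value):
    """Return the single profile name as a string, or None when nothing is set.

    None lets `default(omit, true)` drop the option; ambiguous input raises
    instead of silently choosing one profile.
    """
    if value is None or value == "":
        return None
    if isinstance(value, str):
        return value
    if isinstance(value, (list, tuple)):
        names = [v for v in value if v not in (None, "")]
        if not names:
            return None
        if len(names) > 1:
            raise ValueError("expected one profile name, got %r" % (names,))
        if not isinstance(names[0], str):
            raise ValueError("profile name must be a string, got %r" % (names[0],))
        return names[0]
    raise ValueError("unsupported profile value: %r" % (value,))


def normalize_rule(rule):
    """Return a copy of a rule dict with every profile field collapsed."""
    out = dict(rule)
    for field in PROFILE_FIELDS:
        if field in out:
            out[field] = single_profile(out[field])
    return out


class FilterModule(object):
    """Registers the filters with Ansible."""

    def filters(self):
        return {"single_profile": single_profile, "normalize_rule": normalize_rule}


# Constructed sample mirroring the value shown in the error message above.
SAMPLE_RULE = {"rule_name": "Poly Lens VC devices",
               "antivirus": ["Global Antivirus Profile"], "spyware": []}
```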