Panorama Create FW Rule - Always moves #348
Comments
Evening all,
Your playbook essentially looks like this right now:
The location So, I can see two solutions.
Hi @shinmog, happy to work with you in any way.
What I was suggesting with my "reference the previous rule in the stack" comment is this Python pseudo-code:

```python
for num, item in enumerate(list_of_json_dicts):
    if num == 0:
        position = ""
        existing_rule = ""
    elif num == len(list_of_json_dicts) - 1:
        position = "bottom"
        existing_rule = ""
    else:
        position = "below"
        existing_rule = list_of_json_dicts[num - 1]["name"]
```

So, since the first rule doesn't have a specific position mentioned, it will just be wherever. All rules leading up to the last rule will place themselves below the previous rule, thus maintaining the linked order you want. Finally, the last rule will be at the bottom of the policy. If the last rule in your There is most likely a way to accomplish the above using jinja2 templating functions. While diving into what that looks like is outside the scope of the collection, it could be something RedHat would help with if you get stuck..?
Yes, Red Hat will help. Appreciate your feedback.
👍
I'm leveraging a JSON file to iterate through to make FW rules.
rules.txt
The first rule is the default deny rule from a zone called scientific. Thus any rule above it permits traffic from that zone to whatever is needed. The next two rules use that rule name for the automation to appropriately place those allow rules. Each time you run the playbook, even if nothing changes, Ansible issues a move command, and thus a new commit is needed even though nothing changed.
I'm using 2.12.0 of the Ansible Palo collection. Shouldn't Ansible check that the rules are already ahead of the deny rule and do nothing?
I get what the Palo module is trying to do: it's ensuring that the rule is DIRECTLY before the deny rule (in my case). Thus, as it's looping through the ruleset (see txt file attached), it moves rule 1 above the deny, then iterates through the next rule in the text file and moves rule 2 directly above the deny.
Perhaps a new value of "above" could be added, and then the module would check "Is the rule above the deny rule?" (in my case). As long as it's higher (above) in the ruleset, no move is needed. The same could be said if you wanted to ensure a rule is lower in the ruleset and you don't care where: a value of "below" could be used.
Thoughts?
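To show the maintainer's "reference the previous rule" chaining idea and the reporter's proposed relaxed check side by side, here is an added Python example; it is not code from the paloaltonetworks.panos collection or from either participant. The rulebase, rule names and rules-file entries are constructed. `top`/`bottom`/`before`/`after` model the exact-placement behaviour the reporter observed (the rule must sit directly adjacent to `existing_rule`), while `above`/`below` implement the reporter's proposal and are hypothetical. Replaying the reporter's loop against a rulebase that is already correct shows two move commands with `before` and none with `above`.

```python
"""Rule-placement helpers illustrating the behaviour discussed in #348.

Added example, not code from the paloaltonetworks.panos collection.
Rulebase contents and rule names are constructed; 'above'/'below' are the
reporter's proposed values and do not exist in the collection.
"""

# Constructed state: the rulebase after the first playbook run, listed
# top-to-bottom as Panorama orders it.  It is already in the desired order.
RULEBASE_AFTER_FIRST_RUN = ["allow-dns", "allow-web", "deny-scientific"]

# Constructed stand-in for rules.txt, ordered the way the chaining approach
# expects (the rule that should end up at the bottom comes last).
RULES_FILE = [{"name": "allow-dns"}, {"name": "allow-web"}, {"name": "deny-scientific"}]


def plan_positions(rules):
    """Maintainer's chaining idea: every rule except the first and last is
    placed relative to the rule preceding it in the file, so file order
    becomes policy order.  Uses the pseudo-code's position strings.
    Returns (name, position, existing_rule) triples."""
    last = len(rules) - 1
    plan = []
    for num, item in enumerate(rules):
        if num == 0:
            position, existing_rule = "", ""
        elif num == last:
            position, existing_rule = "bottom", ""
        else:
            position, existing_rule = "below", rules[num - 1]["name"]
        plan.append((item["name"], position, existing_rule))
    return plan


def needs_move(rulebase, rule, location, existing_rule=None):
    """Return True if a move command is required for `rule`.

    before/after: rule must be directly adjacent to existing_rule (the exact
    check the reporter observed).  above/below (hypothetical): rule only has
    to be somewhere higher/lower than existing_rule.
    """
    idx = rulebase.index(rule)  # ValueError if the rule does not exist yet
    if location == "top":
        return idx != 0
    if location == "bottom":
        return idx != len(rulebase) - 1
    ref = rulebase.index(existing_rule)
    if location == "before":
        return idx != ref - 1
    if location == "after":
        return idx != ref + 1
    if location == "above":
        return idx > ref
    if location == "below":
        return idx < ref
    raise ValueError(f"unknown location {location!r}")


def apply_move(rulebase, rule, location, existing_rule=None):
    """Return a new rulebase with `rule` moved.  A relaxed location, when a
    move is needed at all, places the rule directly adjacent to the
    reference, which satisfies both the exact and the relaxed check."""
    rb = [r for r in rulebase if r != rule]
    if location == "top":
        rb.insert(0, rule)
    elif location == "bottom":
        rb.append(rule)
    else:
        ref = rb.index(existing_rule)
        rb.insert(ref if location in ("before", "above") else ref + 1, rule)
    return rb


def simulate_run(rulebase, requests):
    """Replay a playbook loop.  `requests` are (rule, location, existing_rule)
    in file order.  Returns (final_rulebase, number_of_move_commands)."""
    rb = list(rulebase)
    moves = 0
    for rule, location, existing_rule in requests:
        if needs_move(rb, rule, location, existing_rule):
            rb = apply_move(rb, rule, location, existing_rule)
            moves += 1
    return rb, moves


def requests_for(location):
    """Both allow rules anchored on the deny rule, as in the reporter's playbook."""
    return [("allow-dns", location, "deny-scientific"),
            ("allow-web", location, "deny-scientific")]


if __name__ == "__main__":
    for loc in ("before", "above"):
        final, moves = simulate_run(RULEBASE_AFTER_FIRST_RUN, requests_for(loc))
        print(f"location={loc!r}: {moves} move(s), rulebase {final}")
    print(plan_positions(RULES_FILE))
```

With `before`, the loop moves allow-dns to sit directly above the deny rule, which displaces allow-web, whose own task then moves it back; the rulebase ends up unchanged but two move commands (and a commit) were issued. With the relaxed `above` check both rules are already higher than the deny rule, so nothing is moved.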