Ansible module to send parts of XML trees to Palo Alto devices
- name: "[Panorama] Push services"
  pan_xpath:
    hostname: "{{ inventory_hostname }}"
    api_key: "{{ pan_api_key }}"
    xml_file: "build/{{ inventory_hostname }}/tmp/PAN-Office-Firewalls.xml"
    file_xpath: ".//devices/entry/vsys/entry/service"
    configuration: "candidate"
    device_xpath: "/config/devices/entry/device-group/entry[@name='xionox-test']/service"
    diff_file: "{{ logs_dir }}/{{ inventory_hostname }}-services.diff"
  register: push_services
I used this module to send firewall configurations (addresses, services, policies, etc.) generated by Capirca (google/capirca#113) to a Palo Alto Panorama device.
It first tries to run a diff between what is about to be sent and what is already on the device. If there are any differences and the task is not running in check_mode, it pushes the change.
It loads the changes into the candidate configuration, which then needs to be committed on Panorama.
A future improvement could be to commit the change if the configuration argument is set to "active".
changed: True will be returned if there is a difference, not only if a change is actually made.
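The diff-then-push decision described above, sketched as an added example (this is not the module's own code and it does not contact a device). The function names, the `plan` result keys and the sample XML are assumptions made for illustration; only the `file_xpath` value comes from the task above.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample input: a generated file and the device's current subtree.
GENERATED = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="tcp-443"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
</service>
</entry></vsys></entry></devices></config>"""
DEVICE = ('<service><entry name="tcp-443"><protocol><tcp><port>443</port>'
          '</tcp></protocol></entry></service>')
FILE_XPATH = ".//devices/entry/vsys/entry/service"  # same value as the task above


def normalize(elem):
    """Render an element as indented lines, ignoring insignificant whitespace."""
    for node in elem.iter():
        node.text = (node.text or "").strip() or None
        node.tail = None
    ET.indent(elem)  # requires Python 3.9+
    return ET.tostring(elem, encoding="unicode").splitlines()


def subtree_diff(generated_xml, file_xpath, device_xml):
    """Unified diff from the device's subtree to the subtree selected locally."""
    wanted = ET.fromstring(generated_xml).find(file_xpath)
    if wanted is None:
        raise ValueError(f"{file_xpath!r} matched nothing in the generated file")
    # An empty reply means the object does not exist on the device yet.
    current = normalize(ET.fromstring(device_xml)) if device_xml.strip() else []
    return list(difflib.unified_diff(current, normalize(wanted),
                                     "device", "generated", lineterm=""))


def plan(generated_xml, file_xpath, device_xml, check_mode):
    """Mirror the reporting described above: changed tracks the diff, not the push."""
    diff = subtree_diff(generated_xml, file_xpath, device_xml)
    return {"changed": bool(diff), "push": bool(diff) and not check_mode, "diff": diff}


if __name__ == "__main__":
    result = plan(GENERATED, FILE_XPATH, DEVICE, check_mode=True)
    print("\n".join(result["diff"]))
    print("changed:", result["changed"], "push:", result["push"])
```

Because `changed` follows the diff, a check-mode run over the whole inventory shows which devices have drifted from the generated policy before anything is loaded into the candidate configuration.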