pan-os-ansible
panos_interface fails to configure a L2 interface.
Describe the bug
Here is my output from the play:

```
TASK [configure interfaces] ************************************************************
changed: [Wall] => (item={'name': 'ethernet1/1', 'mode': 'layer3', 'enable_dhcp': True, 'create_default_route': True, 'ipv6_enabled': False, 'zone_name': 'External', 'comment': 'External internet facing interface'})
[WARNING]: The value "False" (type bool) was converted to "'False'" (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
failed: [Wall] (item={'name': 'ethernet1/8', 'mode': 'layer2', 'vlan_name': 'Management', 'lldp_enabled': False, 'zone_name': 'VLANs'}) => {"ansible_loop_var": "item", "changed": false, "item": {"lldp_enabled": false, "mode": "layer2", "name": "ethernet1/8", "vlan_name": "Management", "zone_name": "VLANs"}, "msg": "Failed setref: interface 'ethernet1/8' is not a valid reference"}
```

Note: the L3 configuration was accepted, but the L2 configuration was rejected with the interface not being a valid reference.

Here is the specific play I am using:

```yaml
paloaltonetworks.panos.panos_interface:
  provider: '{{ device }}'
  state: present
  if_name: '{{ item.name }}'
  mode: '{{ item.mode | default(omit) }}'
  ip: '{{ item.ip | default(omit) }}'
  enable_dhcp: '{{ item.enable_dhcp | default(omit) }}'
  create_default_route: '{{ item.create_default_route | default(omit) }}'
  ipv6_enabled: '{{ item.ipv6_enabled | default(omit) }}'
  vlan_name: '{{ item.vlan_name | default(omit) }}'   # the variables below define vlan_name, not vlan
  lldp_enabled: '{{ item.lldp_enabled | default(omit) }}'
  zone_name: '{{ item.zone_name | default(omit) }}'
  management_profile: '{{ item.management_profile | default(omit) }}'
  comment: '{{ item.comment | default(omit) }}'
  commit: false
loop: "{{ interfaces }}"
```

Here are the variables I am using:

```yaml
interfaces:
  - name: ethernet1/1
    mode: layer3
    enable_dhcp: yes
    create_default_route: yes
    ipv6_enabled: no
    zone_name: External
    comment: External internet facing interface
  - name: ethernet1/8
    mode: layer2
    vlan_name: Management
    lldp_enabled: no
    zone_name: VLANs
```
If I comment out the ethernet1/8 entry in the variables, the play is successful and I am then able to manually assign ethernet1/8 to VLAN Management in the VLANs L2 zone, with only the lldp_enabled: no being added if the change is compared before commit. The commit is successful and working if performed manually.
Context
I am attempting to configure a new Palo Alto out of the box over the out-of-band management interface 192.168.1.1 and have so far been successful at using an expect script to set the initial password (which allows Ansible to connect successfully). Ansible is able to gather facts and configure: management, zones, VLANs, management profiles, service routes, security rules, NAT rules and L3 interfaces. I'm just stuck at L2 interfaces.
Your Environment
Proof-of-concept environment for initial configuration, incident response or emergency recovery: a Raspberry Pi running Debian 10.6, attached to and powered by a PA-220.

Output of ansible --version:

```
ansible 2.10.3
  config file = /home/user/Ansible/PA-220/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.7/site-packages/ansible
  executable location = /home/user/.local/bin/ansible
  python version = 3.7.3 (default, Jul 25 2020, 13:03:44) [GCC 8.3.0]
```
It looks like the GUI does the interface setup as two actions: first setting lldp_enabled: no by itself, then setting all the options. If you replicate that, does the play succeed?
Split the configuration into two plays... I can give that a shot, thanks a million, especially if it works :)
That works! Going to have to figure out how to get it to run without having to go through all the interface variables twice. Tried using blocks but will have to get better at them. Thanks a million!
Hit an issue with this one again, change is accepted but commit fails. Will reopen this bug, restore the firewall to factory defaults and see if I can replicate.
Here is the error I'm getting when the commit play runs:
```
fatal: [Wall]: FAILED! => {"changed": false, "msg": "Validation Error: | network -> virtual-router -> default -> interface 'ethernet1/8' is not a valid reference | network -> virtual-router -> default -> interface is invalid"}
```
Excluding the variable for ethernet1/8 results in a successful commit, the "validate full" report is:
```
admin@Wall> show jobs id 11

Enqueued             Dequeued  ID  Type      Status  Result  Completed
2021/01/13 18:57:19  18:57:19  11  Validate  FIN     FAIL    18:57:40
Warnings:
Details: Validation Error: network -> virtual-router -> default -> interface 'ethernet1/8' is not a valid reference
         network -> virtual-router -> default -> interface is invalid
         network -> virtual-router is invalid
         network is invalid
         devices is invalid
```
The issue in the "show config diff" appears to be:
```
-set config devices localhost.localdomain network virtual-router default interface [ vlan.253 ethernet1/1 ]
+set config devices localhost.localdomain network virtual-router default interface [ vlan.253 ethernet1/1 ethernet1/8 ]
```
I will try to remove ethernet1/8 from the default virtual router as part of my interface configs for layer2 interfaces. I think it would be best to modify panos_interface with these exceptions to prevent more complicated plays.
This is what it should look like:

```yaml
- name: configure interfaces
  paloaltonetworks.panos.panos_interface:
    provider: '{{ device }}'
    state: present
    if_name: '{{ item.name }}'
    mode: '{{ item.mode | default(omit) }}'
    ip: '{{ item.ip | default(omit) }}'
    enable_dhcp: '{{ item.enable_dhcp | default(omit) }}'
    create_default_route: '{{ item.create_default_route | default(omit) }}'
    ipv6_enabled: '{{ item.ipv6_enabled | default(omit) }}'
    vlan_name: '{{ item.vlan_name | default(omit) }}'   # the variables define vlan_name, not vlan
    zone_name: '{{ item.zone_name | default(omit) }}'
    management_profile: '{{ item.management_profile | default(omit) }}'
    comment: '{{ item.comment | default(omit) }}'
    commit: false
  loop: "{{ interfaces }}"
```

This is what it looks like now:

```yaml
- name: preconfigure layer2 interfaces
  paloaltonetworks.panos.panos_interface:
    provider: '{{ device }}'
    state: present
    if_name: '{{ item.name }}'
    lldp_enabled: '{{ item.lldp_enabled | default(omit) }}'
    commit: false
  when: item.mode == "layer2"
  loop: "{{ interfaces }}"

- name: configure interfaces
  paloaltonetworks.panos.panos_interface:
    provider: '{{ device }}'
    state: present
    if_name: '{{ item.name }}'
    mode: '{{ item.mode | default(omit) }}'
    ip: '{{ item.ip | default(omit) }}'
    enable_dhcp: '{{ item.enable_dhcp | default(omit) }}'
    create_default_route: '{{ item.create_default_route | default(omit) }}'
    ipv6_enabled: '{{ item.ipv6_enabled | default(omit) }}'
    vlan_name: '{{ item.vlan_name | default(omit) }}'   # the variables define vlan_name, not vlan
    zone_name: '{{ item.zone_name | default(omit) }}'
    management_profile: '{{ item.management_profile | default(omit) }}'
    comment: '{{ item.comment | default(omit) }}'
    commit: false
  loop: "{{ interfaces }}"

- name: remove layer2 interfaces from virtual router
  paloaltonetworks.panos.panos_virtual_router:
    provider: '{{ device }}'
    state: absent
    interface: '{{ item.name }}'
    commit: false
  when: item.mode == "layer2"
  loop: "{{ interfaces }}"
```
I'm not sure how to remove an interface from a virtual router; panos_virtual_router does not make this easy. I would have to manually recreate the list of interfaces to remove the correct interface.
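One way to do the bookkeeping this post is asking for, as an added example that is not code from pan-os-ansible or pan-os-python: parse the virtual-router interface line that "show config diff" prints, flag any member whose configured mode is not layer3, and re-emit the list with those members dropped, so the check can run before the commit rather than failing inside it. The interface definitions and the set line are constructed from the variables and diff quoted above; the line shape matched by the regex is an assumption covering only that one form of output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the interface definitions from the play variables
# above and the candidate-config "set" line from the "show config diff" output.
INTERFACES = [
    {"name": "ethernet1/1", "mode": "layer3", "zone_name": "External"},
    {"name": "ethernet1/8", "mode": "layer2", "vlan_name": "Management", "zone_name": "VLANs"},
]
CANDIDATE_SET_LINES = [
    "set config devices localhost.localdomain network virtual-router default "
    "interface [ vlan.253 ethernet1/1 ethernet1/8 ]",
]

# Matches the "set ... virtual-router <vr> interface [ a b c ]" form seen in the
# diff above (assumption: only that line shape is handled here).
VR_IFACE_RE = re.compile(
    r"^set config devices (?P<device>\S+) network virtual-router (?P<vr>\S+) "
    r"interface \[ (?P<members>[^\]]*)\]$"
)


@dataclass
class VRInterfaces:
    device: str
    vr: str
    members: List[str]

    def set_line(self) -> str:
        """Re-emit the interface list in the same shape it was parsed from."""
        return (f"set config devices {self.device} network virtual-router "
                f"{self.vr} interface [ {' '.join(self.members)} ]")


def parse_vr_interfaces(set_lines: List[str]) -> List[VRInterfaces]:
    """Pull every virtual-router interface list out of a block of set lines."""
    found = []
    for line in set_lines:
        m = VR_IFACE_RE.match(line.strip())
        if m:
            found.append(VRInterfaces(m["device"], m["vr"], m["members"].split()))
    return found


def find_non_l3_members(set_lines: List[str], interfaces: List[dict]) -> Dict[str, List[str]]:
    """Map VR name -> members defined in `interfaces` with a mode other than layer3.

    Names not present in `interfaces` (vlan.N, loopback, tunnel) are left alone:
    vlan.253 was already in the list before the change and committed fine.
    """
    mode_by_name = {i["name"]: i["mode"] for i in interfaces}
    bad: Dict[str, List[str]] = {}
    for vr in parse_vr_interfaces(set_lines):
        offenders = [n for n in vr.members
                     if n in mode_by_name and mode_by_name[n] != "layer3"]
        if offenders:
            bad[vr.vr] = offenders
    return bad


def corrected_set_lines(set_lines: List[str], interfaces: List[dict]) -> List[str]:
    """Rewrite each VR interface line with the non-layer3 members removed.

    The resulting member list is what you would hand to the virtual-router
    task (or type as a set command) so that validation passes.
    """
    bad = find_non_l3_members(set_lines, interfaces)
    out = []
    for vr in parse_vr_interfaces(set_lines):
        keep = [n for n in vr.members if n not in bad.get(vr.vr, [])]
        out.append(VRInterfaces(vr.device, vr.vr, keep).set_line())
    return out


if __name__ == "__main__":
    for vr, names in find_non_l3_members(CANDIDATE_SET_LINES, INTERFACES).items():
        print(f"virtual-router {vr}: non-layer3 members that will fail commit: {names}")
    for line in corrected_set_lines(CANDIDATE_SET_LINES, INTERFACES):
        print(line)
```

The same selection can be done inside the play instead of in Python: a single panos_virtual_router task (assuming its name and interface parameters) with interface set to `{{ interfaces | selectattr('mode', 'equalto', 'layer3') | map(attribute='name') | list }}` replaces the per-item state: absent loop shown above, which would act on the router object rather than one member. Any member that is not in the interfaces variable, such as vlan.253 here, has to be appended to that list by hand or it is dropped from the router.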
Hi Mate, I wish I could say this was resolved. I ended up just manually configuring this portion. Glad it's not just me! Let's hope it gets noticed and we all benefit.
From: kendococaine, Sent: Thursday, 17 June 2021 12:15 PM, Subject: Re: [PaloAltoNetworks/pan-os-ansible] panos_interface fails to configure a L2 interface. (#173)
Any luck on this? I'm stuck on the same exact step. I tried removing the virtual router and re-adding a new virtual router, even assigning the interface to no virtual router but commit still fails, stating the same invalid reference error with no virtual router mentioned.
I'm also seeing this issue. It looks like the module is trying to add the layer2 interface to the virtual router. I'm not sure if this is intended but config via GUI and set commands don't do this.
Submitted a fix in pan-os-python for this issue, awaiting review and release
Everyone tracking this issue, please can you install pan-os-python v1.8.1 (for example, pip install pan-os-python==1.8.1) and re-test? Thanks
The fix in pan-os-python v1.8.1 has worked in a few test scenarios, so I will close this issue. If anyone has any outstanding queries or problems, just reply here or reopen the issue. Thanks :-)