pan-os-ansible
panos_commit_push does not push to devices
Describe the bug
panos_commit_push does not push to devices after commit to device group.
Expected behavior
Configuration should be committed to Panorama and pushed to devices with changes.
Current behavior
Commit happens, but no push to devices. Specifying the devices parameter with device serial number throws an error as shown below.
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: panos.errors.PanDeviceXapiError: Could not get vsys info for device XXXXXXXXXXXX in dg Lab Firewalls
failed: [10.206.180.25] (item=Lab Firewalls) => {"ansible_loop_var": "item", "changed": false, "item": "Lab Firewalls", "module_stderr": "Traceback (most recent call last):\n File \"/workspaces/panos_create_object/lib/python3.8/site-packages/panos/base.py\", line 3661, in method\n super_method(self, *args, **kwargs)\n File \"/workspaces/panos_create_object/lib/python3.8/site-packages/pan/xapi.py\", line 902, in commit\n raise PanXapiError(self.status_detail)\npan.xapi.PanXapiError: Could not get vsys info for device XXXXXXXXXXXX in dg Lab Firewalls\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/home/vscode/.ansible/tmp/ansible-tmp-1630439018.6962886-78002-29698821661360/AnsiballZ_panos_commit_push.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/vscode/.ansible/tmp/ansible-tmp-1630439018.6962886-78002-29698821661360/AnsiballZ_panos_commit_push.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/vscode/.ansible/tmp/ansible-tmp-1630439018.6962886-78002-29698821661360/AnsiballZ_panos_commit_push.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.paloaltonetworks.panos.plugins.modules.panos_commit_push', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/local/lib/python3.8/runpy.py\", line 207, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/local/lib/python3.8/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/usr/local/lib/python3.8/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_paloaltonetworks.panos.panos_commit_push_payload__s_vfcs_/ansible_paloaltonetworks.panos.panos_commit_push_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_commit_push.py\", line 206, in <module>\n File 
\"/tmp/ansible_paloaltonetworks.panos.panos_commit_push_payload__s_vfcs_/ansible_paloaltonetworks.panos.panos_commit_push_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_commit_push.py\", line 188, in main\n File \"/workspaces/panos_create_object/lib/python3.8/site-packages/panos/base.py\", line 4535, in commit\n return self._commit(\n File \"/workspaces/panos_create_object/lib/python3.8/site-packages/panos/base.py\", line 4611, in _commit\n commit_response = self.xapi.commit(\n File \"/workspaces/panos_create_object/lib/python3.8/site-packages/panos/base.py\", line 3682, in method\n raise the_exception\npanos.errors.PanDeviceXapiError: Could not get vsys info for device XXXXXXXXXXXX in dg Lab Firewalls\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Possible solution
Push should push changes to devices that changed via modification of the device group, similar to the behavior of "commit and push" in the web GUI.
Steps to reproduce
```yaml
vars:
  object_device_group:
    - "Lab Firewalls"
  commit_description: "Updated via Ansible"
```
Run task after making changes to a device group in Panorama.
```yaml
- name: push panorama
  paloaltonetworks.panos.panos_commit_push:
    provider: "{{ panos_provider }}"
    style: 'device group'
    name: '{{ item }}'
    description: "{{ commit_description }}"
    include_template: false
  loop: "{{ object_device_group }}"
```
Screenshots
Red is commit via panos_commit_push, green is commit/push via web GUI.
Context
Trying to push new address objects via Ansible to Panorama, then commit and push to firewalls.
Your Environment
- Collection: paloaltonetworks.panos - 2.7.0
- Python: 3.8.11
- Ansible:

```
ansible 2.10.13
  config file = /workspaces/panos_create_object/ansible.cfg
  configured module search path = ['/home/vscode/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vscode/.local/lib/python3.8/site-packages/ansible
  executable location = /home/vscode/.local/bin/ansible
  python version = 3.8.11 (default, Aug 17 2021, 15:56:41) [GCC 10.2.1 20210110]
```

- PAN-OS Python Library & version (e.g. pandevice 0.14.0, pan-os-python 1.0.2): pan-os-python - 1.4.0
Hi @bile0026, the flow here would be a commit to Panorama first:
```yaml
- name: Commit candidate configuration
  paloaltonetworks.panos.panos_commit_panorama:
    provider: "{{ device }}"
```
Then a push from Panorama to the managed devices in the Device Group specified (or multiple looped Device Groups in your example):
```yaml
- name: Commit and Push template configuration
  paloaltonetworks.panos.panos_commit_push:
    provider: "{{ device }}"
    style: "device group"
    name: "{{ device_group }}"
    include_template: false
```
Doing these two tasks is the equivalent of "Commit and Push" in the GUI. Under the hood, the GUI does two separate tasks as well; it is just presented in the GUI as a single operation. If there is still anything outstanding related to this issue, please reopen it and let us know.