pan-os-ansible
`default` vr is created and assigned when configuring interfaces without vr
Describe the bug
Running the `panos_interface` module and its related modules like `panos_aggregate_interface` for the first time creates a `default` vr, which gets associated with the interface. It also causes the task to always be changed on every run.
Expected behavior
Virtual routers should be optional in Ansible when they're not required by the firewall. A virtual router does not need to be specified (the web UI shows `None`) to obtain a valid configuration when creating this configuration outside of Ansible.
Current behavior
See description.
Possible solution
I don't think it's safe to skip the vr assignment when `vr_name` is set to an empty string (equivalent to `None` when passed to the module) without breaking backwards compatibility. I'm not sure if there's a good solution for this other than exposing this through a new parameter to explicitly not assign it to a vr.
Steps to reproduce

```yaml
# Gather the VRs before the interface exists, create the interface with an
# empty vr_name, gather again, then run the same interface task a second time
# to show that it reports "changed" again and that a "default" VR appeared.
- name: Gather VRs
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"

- name: Create interface
  paloaltonetworks.panos.panos_interface:
    provider: "{{ provider }}"
    enable_dhcp: false
    if_name: ethernet1/5
    mode: layer3
    state: present
    vr_name: ""
    commit: false
  diff: true

- name: Gather VRs again
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers again
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"

- name: Create interface
  paloaltonetworks.panos.panos_interface:
    provider: "{{ provider }}"
    enable_dhcp: false
    if_name: ethernet1/5
    mode: layer3
    state: present
    vr_name: ""
    commit: false
  diff: true

- name: Gather VRs again again
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers again again
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"
```
Context
I'm trying to create an interface without vr assignment. This interface will have subinterfaces on VLANs with associated virtual routers, but the parent interface should not have a vr assigned.
I could not find a viable workaround for devices where the limit of virtual routers is already reached, as the entire task will fail due to it being unable to create a new `default` zone.
The only way to deal with this for now seems to be explicitly assigning the interfaces to a vr they don't really belong to.
Your Environment
- Collection: 2.19.1
- Python: 3.11.6
- Ansible: core 2.16.2
- PAN-OS Python Library & version:
  - pan-os-python==1.11.0
  - pan-python==0.17.0
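The workaround mentioned in the issue (pinning the parent interface to a VR it does not really belong to) written out as a playbook fragment. This is an added example, not code from the issue or from the collection's own documentation. It assumes the virtual routers `vr-vlan10` and `vr-vlan20` already exist on the firewall, that `ethernet1/5` only carries tagged traffic, and that the `panos_l3_subinterface` parameter names (`name`, `tag`, `ip`, `vr_name`) match the module docs of the 2.x collection; the interface names, VLAN tags and addresses are made up for illustration.

```yaml
# Added example, not part of the original issue. Assumed: VRs vr-vlan10 and
# vr-vlan20 exist, and panos_l3_subinterface accepts name/tag/ip/vr_name.
- name: Gather virtual routers before touching interfaces
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers_before

# vr_name "must already exist" per the module docs, so fail early rather than
# let the interface task error out (e.g. on a device at its VR limit).
- name: Refuse to run if the VRs the subinterfaces need are missing
  ansible.builtin.assert:
    that:
      - "'vr-vlan10' in (routers_before.gathered | map(attribute='name') | list)"
      - "'vr-vlan20' in (routers_before.gathered | map(attribute='name') | list)"
    fail_msg: "Required virtual routers are missing; the interface modules will not create them"

# Parent interface: no IP, no untagged traffic. It is assigned to one of the
# real VRs only so the module does not create and attach a "default" VR.
- name: Create parent interface (explicit VR as a workaround)
  paloaltonetworks.panos.panos_interface:
    provider: "{{ provider }}"
    if_name: ethernet1/5
    mode: layer3
    enable_dhcp: false
    vr_name: vr-vlan10
    state: present
    commit: false

- name: Create tagged subinterfaces in their own VRs
  paloaltonetworks.panos.panos_l3_subinterface:
    provider: "{{ provider }}"
    name: "{{ item.name }}"
    tag: "{{ item.tag }}"
    ip: "{{ item.ip }}"
    vr_name: "{{ item.vr }}"
    state: present
    commit: false
  loop:
    - { name: ethernet1/5.10, tag: 10, ip: ["10.0.10.1/24"], vr: vr-vlan10 }
    - { name: ethernet1/5.20, tag: 20, ip: ["10.0.20.1/24"], vr: vr-vlan20 }

- name: Gather virtual routers again
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers_after

# Confirm the parent landed where we put it and that no new VR was created
# as a side effect (the count of VRs must be unchanged).
- name: Verify VR assignment and that no VR was created implicitly
  ansible.builtin.assert:
    that:
      - "'ethernet1/5' in (routers_after.gathered | selectattr('name', 'equalto', 'vr-vlan10') | map(attribute='interface') | first)"
      - "(routers_after.gathered | length) == (routers_before.gathered | length)"
    fail_msg: "Unexpected virtual router state after configuring ethernet1/5"
```

Because the parent interface has no IP address, its membership in `vr-vlan10` has no routing effect; it only satisfies the module's non-empty `vr_name` default. Run the fragment twice: with an explicit, pre-existing VR the second run should report no change for the interface tasks, which is the idempotency the issue says is lost when `vr_name` is left empty.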
Hello @Nothing4You!
This isn't really a bug, as the default value of that variable is `default`:

```yaml
vr_name:
  description:
    - Name of the virtual router; it must already exist.
  type: str
  default: "default"
```

If I understand correctly, you are creating the interfaces and then using them within aggregates and then associating that aggregate to the VR?
I'm trying to create an interface that only holds subinterfaces and is not used directly, as I'm not using untagged traffic. The interface therefore has no IP and no traffic is routed there. There is no need for a virtual router on this interface, only on the subinterfaces with VLAN tags.