panos_object IP lookup

[fallenfuzz]

I'm trying to seach for an IP address with panos_object

I'm using Role and ansible 2.4.3 with python 3.6.4, PA 8.0.8.

Tested with ansible 2.5.0rc1 without role - same

• name: PaloAlto Object check
  panos_object:
  ip_address: '{{ ip_address }}'
  username: '{{ username }}'
  password: '{{ password }}'
  address: '192.168.100.89/24'
  operation: 'find'

when I run that I get: "msg": "No object type defined!" with failed.

Looks like something missing in the module, can't find referrence to value of the objectadress which should be IP.

[arkaraung1993]

Hi CJloHuK,
Try with this one
- name: Check and Add an address object to PA
panos_object:
ip_address: '{{ ip_address }}'
username: '{{ username }}'
password: '{{ password }}'
addressobject: 'test'
address: '192.168.100.89/24'
address_type: 'ip-netmask'
operation: 'find'

[fallenfuzz]

Hi,

It won't work since it will check the addressobject and will not proceed to address check - that is also should be fixed imho.

What I want to achieve is to search per object name or per object IP (with or without CIDR notation, since object could be 1.1.1.1 or 1.1.1.1/32)

In your example it should search and make correlation with object name and IP and give error if that doesn't match or ok if that match.

address_type - ip-netmask is the default one + you have fqdn also (not documented, but present in the code)

[arkaraung1993]

Hi fallenfuzz,

In your example it should search and make correlation with object name and IP and give error if that doesn't match or ok if that match.
--------> yes, it search and match with per "object name", I think it is meet with your requirement "search per Object name"

But "Per Object IP(with or withour CIDR notation)", i am also looking for solution.

[fallenfuzz]

arkaraung1993,

Let me clarify.

Lets say you have obj with IP 1.1.1.1 and name TEST

You check it with the bellow play:
- name: search for shared address object
panos_object:
ip_address: '{{ ip_address }}'
username: '{{ username }}'
password: '{{ password }}'
operation: 'find'
addressobject: 'TEST'
address: '2.2.2.2'

What you get on the output:

ok: [localhost] => {
"changed": false,
"invocation": {
"module_args": {
"address": "2.2.2.2",
"address_type": "ip-netmask",
"addressgroup": null,
"addressobject": "TEST",
"api_key": null,
"color": null,
"description": null,
"destination_port": null,
"devicegroup": null,
"dynamic_value": null,
"ip_address": "x.x.x.x",
"operation": "find",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"protocol": null,
"servicegroup": null,
"serviceobject": null,
"services": null,
"source_port": null,
"static_value": null,
"tag_name": null,
"username": "ansible"
}
},
"msg": "Object matched",
"stdout_lines": "{\n "entry": {\n "@name": "TEST",\n "ip-netmask": "1.1.1.1/32"\n }\n}"

As you can see it doesn't correlate IP to Name

[arkaraung1993]

@fallenfuzz

I see, it doesn't correlate between IP and Object Name.

As my testing result, Currently Ansible Module for Palo Alto is only support to search with "Object Name", not IP. In this way, we cannot check duplicate IP Address in Firewall before we add IP Address to Object.

[fallenfuzz]

@ivanbojer Hi, any input on that one ?

[LoganRoss747]

Any movement on doing object lookup by IPs?

[tmorje]

I agree that there should be a way to check for duplicates and track the objects by IP.

[megakoresh]

Need this use-case as well.

[d3nisko]

I hit the same issue when tried search by IP address only. Lets say I don't know what's the address object name and would like to find it by IP address as I would normally do in the web ui through search. IMHO proper search should support both options: IP to address_object name and vice versa.

[d3nisko]

https://live.paloaltonetworks.com/t5/Automation-API-Discussions/panos-object/m-p/202243/highlight/false#M1600
Same issue is described on the paloalto portal.
Yet this is ignored :(