Adding an address object to Palo Alto with Ansible
1. Ansible supports PAN-OS
Ansible 2.3 introduced several modules that support the PAN-OS operating system.
https://docs.ansible.com/ansible/list_of_network_modules.html#panos
Examples:
- panos_security_policy: creates a security policy
- panos_mgtconfig: configures management settings
This time we will use panos_address to create an address object.
2. Installation
2.1. Ansible
pip install ansible
2.2. pan-python, pandevice
To use the PAN-OS modules you need the two Python packages pan-python and pandevice.
pip install pan-python pandevice
Version check
[root@localhost ~]# ansible --version
ansible 2.3.0.0
config file =
configured module search path = Default w/o overrides
python version = 2.7.8 (default, Oct 22 2016, 09:02:55) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]
No ansible.cfg was created for this; the defaults are used.
3. Create the inventory file
[palo]
192.168.0.15 # only one device this time
[palo:vars]
ansible_user=admin
ansible_password=passwordpassword
4. Create the Playbook
Create the following file as palo_addr.yml.
---
- hosts: palo
  gather_facts: no
  connection: local
  tasks:
    - name: create address object
      panos_address:
        ip_address: "{{ inventory_hostname }}" # the firewall's address, not the address object's value
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
        address_name: "client_pc01"
        address: "192.168.0.101/32"
        commit: False # no commit this time
The module's official documentation is a good reference for the parameters.
5. Operation check
5.1. Adding an address
5.1.1. Prior check
We start from a state with no address objects.
admin@PA-2050# show address
address;
[edit]
admin@PA-2050#
5.1.2. Run the Playbook
[root@localhost ~]# ansible-playbook palo_addr.yml
PLAY [palo] **************************************************************************************************
TASK [create address Object] *********************************************************************************
ok: [192.168.1.15]
PLAY RECAP ***************************************************************************************************
192.168.1.15 : ok=1 changed=1 unreachable=0 failed=0
5.1.3. Configuration check
The address object has been added.
admin@PA-2050# show address
address {
client_pc01 {
ip-netmask 192.168.0.101/32;
}
}
5.2. Changing the address
Next I decided to change the address of the existing address object.
5.2.1. Change the Playbook
Change the address to "192.168.0.102/32".
---
- hosts: palo
  gather_facts: no
  connection: local
  tasks:
    - name: create address Object
      panos_address:
        ip_address: "{{ inventory_hostname }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
        address_name: "client_pc01"
        address: "192.168.0.102/32" # changed here
        commit: False
5.2.2. Run the Playbook again
With only the Playbook changed, run it again.
[root@localhost ~]# ansible-playbook palo_addr.yml
PLAY [palo] **************************************************************************************************
TASK [create address Object] *********************************************************************************
ok: [192.168.1.15]
PLAY RECAP ***************************************************************************************************
192.168.1.15 : ok=1 changed=0 unreachable=0 failed=0
Hmm? For some reason no change was made: changed=0.
It appears that changing only the IP address of an existing object is not treated as a change.
5.3. Changing the address name
This time I decided to change the address name as well as the address.
5.3.1. Change the Playbook
Change address_name to "client_pc02".
---
- hosts: palo
  gather_facts: no
  connection: local
  tasks:
    - name: create address Object
      panos_address:
        ip_address: "{{ inventory_hostname }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_password }}"
        address_name: "client_pc02" # changed here
        address: "192.168.0.101/32"
        commit: False
5.3.2. Run the Playbook again
[root@localhost ~]# ansible-playbook palo_addr.yml
PLAY [palo] **************************************************************************************************
TASK [create address Object] *********************************************************************************
changed: [192.168.1.15]
PLAY RECAP ***************************************************************************************************
192.168.1.15 : ok=1 changed=1 unreachable=0 failed=0
This time the result is changed=1.
5.3.3. Check the configuration
The existing object was not changed; instead, a second address object with the new name was added.
admin@PA-2050# show address
address {
client_pc01 {
ip-netmask 192.168.0.101/32;
}
client_pc02 {
ip-netmask 192.168.0.101/32;
}
}
So the module only checks whether an object with that name exists and adds it if not; it does not update an existing object whose address differs.
6. About the Python 2.6 error (supplement)
When ansible-playbook was run under Python 2.6, pandevice failed with the following error and the module could not run (the dict comprehension on the reported line is Python 2.7+ syntax). We therefore ran it under Python 2.7.
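The following is an added example, not code from the original post or from the Ansible or pandevice projects. It mirrors the behaviour observed in sections 5.1 to 5.3: it parses the firewall's `show address` output (the text below is copied from the post's own output) and classifies what a panos_address task for a given name and address would do, so the "name exists but address differs" case that silently produced changed=0, and the "different name, same address" case that produced two objects for one host, are surfaced before the playbook runs. The function names and the desired-object inputs are assumptions made for this example.

```python
"""Pre-flight check for panos_address runs (added example, not the post's code).

Mirrors the module behaviour seen in the post: an object is added when its
name is absent; when the name already exists the task reports ok/changed=0
even if the address differs.
"""
import re

# Constructed sample: the firewall state after section 5.3 of the post
# (two objects, both pointing at 192.168.0.101/32).
SHOW_ADDRESS_OUTPUT = """\
address {
  client_pc01 {
    ip-netmask 192.168.0.101/32;
  }
  client_pc02 {
    ip-netmask 192.168.0.101/32;
  }
}
"""

_ENTRY_RE = re.compile(r"^\s*(\S+)\s*\{\s*$")
_VALUE_RE = re.compile(r"^\s*(ip-netmask|ip-range|fqdn)\s+(\S+?);\s*$")


def parse_show_address(text):
    """Parse PAN-OS `show address` brace-format output into {name: (type, value)}.

    The empty state from section 5.1.1 (`address;`) yields an empty dict.
    Prompt lines and `[edit]` markers are ignored because they match neither regex.
    """
    objects = {}
    current = None
    depth = 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "address;":
            continue
        m = _ENTRY_RE.match(line)
        if m:
            depth += 1
            if depth == 2:  # depth 1 is the `address {` container itself
                current = m.group(1)
            continue
        if stripped == "}":
            depth -= 1
            if depth < 2:
                current = None
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            objects[current] = (m.group(1), m.group(2))
    return objects


def plan_address_object(existing, name, value, obj_type="ip-netmask"):
    """Classify what a panos_address task for (name, value) would do.

    'create'    : name absent, the module adds it (changed=1, section 5.1)
    'unchanged' : name present with the same value (ok, changed=0)
    'conflict'  : name present with a different value; the module reports
                  changed=0 and leaves the old value in place (section 5.2)
    The second element lists other objects that already carry the same value,
    which is how section 5.3 ended up with two objects for one host.
    """
    same_value = sorted(n for n, (t, v) in existing.items()
                        if n != name and (t, v) == (obj_type, value))
    if name not in existing:
        action = "create"
    elif existing[name] == (obj_type, value):
        action = "unchanged"
    else:
        action = "conflict"
    return action, same_value


if __name__ == "__main__":
    state = parse_show_address(SHOW_ADDRESS_OUTPUT)
    # The three playbook variants from the post, evaluated against that state.
    for obj_name, obj_value in [("client_pc01", "192.168.0.101/32"),
                                ("client_pc01", "192.168.0.102/32"),
                                ("client_pc02", "192.168.0.101/32")]:
        action, dupes = plan_address_object(state, obj_name, obj_value)
        print("{} {} -> {}{}".format(obj_name, obj_value, action,
                                     " (same value as: {})".format(", ".join(dupes)) if dupes else ""))
```

Running the check with the output of `show address` captured from the firewall before each playbook run tells you whether the task will actually update anything; a "conflict" result means the intended address change will be reported as ok but not applied, and a non-empty duplicate list means the run would leave two objects for the same address.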
Using module file /root/ansible/ansible/lib/ansible/modules/network/panos/panos_security_policy.py
<192.168.1.15> ESTABLISH LOCAL CONNECTION FOR USER: root
<192.168.1.15> EXEC /bin/sh -c 'echo ~ && sleep 0'
<192.168.1.15> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412 `" && echo ansible-tmp-1491081586.53-46889509406412="` echo /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412 `" ) && sleep 0'
<192.168.1.15> PUT /tmp/tmpKdGZ_T TO /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412/panos_security_policy.py
<192.168.1.15> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412/ /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412/panos_security_policy.py && sleep 0'
<192.168.1.15> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412/panos_security_policy.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1491081586.53-46889509406412/" > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/tmp/ansible_JzsakO/ansible_module_panos_security_policy.py", line 264, in <module>
import pandevice.firewall
File "/usr/lib/python2.6/site-packages/pandevice/firewall.py", line 27, in <module>
from pandevice import device
File "/usr/lib/python2.6/site-packages/pandevice/device.py", line 19, in <module>
from base import PanObject, Root, MEMBER, ENTRY
File "/usr/lib/python2.6/site-packages/pandevice/base.py", line 1224
option_paths = {opt: re.sub(r"\([\w\d|-]*\)", opt, path) for opt in options}
^
SyntaxError: invalid syntax
fatal: [192.168.1.15]: FAILED! => {
"changed": false,
"failed": true,
"module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_JzsakO/ansible_module_panos_security_policy.py\", line 264, in <module>\n import pandevice.firewall\n File \"/usr/lib/python2.6/site-packages/pandevice/firewall.py\", line 27, in <module>\n from pandevice import device\n File \"/usr/lib/python2.6/site-packages/pandevice/device.py\", line 19, in <module>\n from base import PanObject, Root, MEMBER, ENTRY\n File \"/usr/lib/python2.6/site-packages/pandevice/base.py\", line 1224\n option_paths = {opt: re.sub(r\"\\([\\w\\d|-]*\\)\", opt, path) for opt in options}\n ^\nSyntaxError: invalid syntax\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 0
}
7. Finally
Since the module seems to have some quirks, it is best to verify its behaviour in a test environment before relying on it.