def create_tunnel_interface(self, tunnel_name):
"""
Create a tunnel interface and associate it with a virtual router and security zone
"""
# Logically create the tunnel interface
tunnel_ref = self.tunnel_interfaces.get(tunnel_name)
tunnel_intf = network.TunnelInterface(tunnel_ref.name,
comment=tunnel_ref.comment)
self.fw_dev_hndl.add(tunnel_intf)
# Retrieve the existing zones
fw_zones = network.Zone(tunnel_ref.security_zone)
self.fw_dev_hndl.add(fw_zones)
fw_zones.refresh()
zone_intfs = fw_zones.interface
# Add interface to the zone
zone_intfs.append(tunnel_ref.name)
fw_zones.interface = zone_intfs
# Retrieve the existing list of virtual routers
fw_vrs = network.VirtualRouter(tunnel_ref.virtual_router)
self.fw_dev_hndl.add(fw_vrs)
fw_vrs.refresh()
vr_intfs = fw_vrs.interface
vr_intfs.append(tunnel_ref.name)
fw_vrs.interface = vr_intfs
# Push all the configs to the device
tunnel_intf.create()
fw_zones.apply()
fw_vrs.apply()
def setup_state_obj(self, fw, state):
state.obj = network.TunnelInterface(
'tunnel.{0}'.format(random.randint(20, 5000)),
testlib.random_ip('/24'),
mtu=random.randint(800, 1000),
comment='Underground interface',
)
fw.add(state.obj)
def create_dependencies(self, fw, state):
state.ti = network.TunnelInterface(
'tunnel.{0}'.format(random.randint(5, 50)),
ip=[testlib.random_ip(), testlib.random_ip()],
)
fw.add(state.ti)
state.lbi = network.LoopbackInterface(
'loopback.{0}'.format(random.randint(5, 20)),
ip=[testlib.random_ip(), testlib.random_ip()],
)
fw.add(state.lbi)
state.ike_gw = network.IkeGateway(
testlib.random_name(),
auth_type='pre-shared-key',
enable_dead_peer_detection=True,
enable_liveness_check=True,
enable_passive_mode=True,
ikev2_crypto_profile='default',
interface=state.lbi.name,
liveness_check_interval=5,
local_id_type='ipaddr',
local_id_value=testlib.random_ip(),
local_ip_address_type='ip',
local_ip_address=state.lbi.ip[0],
peer_ip_type='ip',
peer_ip_value=testlib.random_ip(),
pre_shared_key='secret',
version='ikev2-preferred',
)
fw.add(state.ike_gw)
state.ti.create()
state.lbi.create()
state.ike_gw.create()
def config_builder(instanceList):
global netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list
netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list = [], [], [], [], []
vrDict, zoneDict = {}, {}
for item in instanceList:
item = [i if i != '' else None for i in item[:]]
netObj_tunInt = network.TunnelInterface()
netObj_tunInt.name = item[0]
netObj_tunInt.comment = item[1]
netObj_tunInt.ip = item[2]
netObj_tunInt.management_profile = item[3]
netObj_tunInt_list.append(pan.add(netObj_tunInt))
if item[4] not in vrDict.keys():
vrDict[item[4]] = []
vrDict[item[4]].append(item[0])
if len(item[5]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[5], item[5][:31]))
item[5] = item[5][:31]
if item[5] not in zoneDict.keys():
zoneDict[item[5]] = []
zoneDict[item[5]].append(item[0])
if len(item[6]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[6], item[6][:31]))
item[6] = item[6][:31]
netObj_ike = network.IkeGateway()
netObj_ike.name = item[6]
netObj_ike.interface = item[7]
netObj_ike.local_ip_address_type = 'ip'
netObj_ike.local_ip_address = item[8]
netObj_ike.peer_ip_type = item[9]
if netObj_ike.peer_ip_type != 'dynamic':
netObj_ike.peer_ip_value = item[10]
netObj_ike.pre_shared_key = item[11]
if item[12] is not None:
temp_item = item[12].replace(': ', ':').split(':')
netObj_ike.local_id_type = temp_item[0]
netObj_ike.local_id_value = temp_item[1]
if item[13] is not None:
temp_item = item[13].replace(': ', ':').split(':')
netObj_ike.peer_id_type = temp_item[0]
netObj_ike.peer_id_value = temp_item[1]
if item[14] is not None and item[14].lower() == 'true':
netObj_ike.enable_passive_mode = True
else:
netObj_ike.enable_passive_mode = False
if item[15] is not None and item[15].lower() == 'true':
netObj_ike.enable_nat_traversal = True
else:
netObj_ike.enable_nat_traversal = False
netObj_ike.ikev1_exchange_mode = item[16]
netObj_ike.ikev1_crypto_profile = item[17]
if item[18] is not None and item[18].lower() == 'true':
netObj_ike.enable_fragmentation = True
else:
netObj_ike.enable_fragmentation = False
if item[19] is None or item[19].lower() == 'true':
netObj_ike.enable_dead_peer_detection = True
elif item[19].lower() == 'false':
netObj_ike.enable_dead_peer_detection = False
else:
temp_item = item[19].replace('; ', ';').split(';')
netObj_ike.enable_dead_peer_detection = True
netObj_ike.dead_peer_detection_interval = temp_item[0]
netObj_ike.dead_peer_detection_retry = temp_item[1]
netObj_ike_list.append(pan.add(netObj_ike))
if len(item[20]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[20], item[20][:31]))
item[20] = item[20][:31]
netObj_ipsec = network.IpsecTunnel()
netObj_ipsec.name = item[20]
netObj_ipsec.tunnel_interface = item[21]
if len(item[22]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[22], item[22][:31]))
item[22] = item[22][:31]
netObj_ipsec.ak_ike_gateway = item[22]
if item[23] is None:
item[23] = 'default'
netObj_ipsec.ak_ipsec_crypto_profile = item[23]
netObj_ipsec_list.append(pan.add(netObj_ipsec))
print('Building Config --- Tunnel-Int - {} // IKE-GW - {} // IPSec-Tunnel - {}'.format(netObj_tunInt.name, netObj_ike.name, netObj_ipsec.name))
for key, value in vrDict.items():
netObj_vr = network.VirtualRouter()
netObj_vr.name = key
netObj_vr.interface = value
netObj_vr_list.append(pan.add(netObj_vr))
for key, value in zoneDict.items():
netObj_zone = network.Zone()
netObj_zone.name = key
netObj_zone.interface = value
netObj_zone_list.append(pan.add(netObj_zone))
mgmt_int = network.EthernetInterface("ethernet1/2", \
mode = "layer3", \
ip = '{{ item.mgmt_gw }}')
fw.add(mgmt_int)
mgmt_int.create()
print(mgmt_int)
# creates tunnel interface for VPN to Knowhere
tunnel_int = network.TunnelInterface("tunnel.100", \
ip = '{{ item.remote_p2p_ip }}', \
ipv6_enabled = False)
fw.add(tunnel_int)
tunnel_int.create()
print(tunnel_int)
#Creates trust_fwh_vpn secuirty zone
vpn_zone = network.Zone("trust_fwh_vpn", \
mode = "layer3", \
interface = "tunnel.100")
def main():
argument_spec = dict(
ip_address=dict(required=True),
password=dict(no_log=True),
username=dict(default='admin'),
api_key=dict(no_log=True),
operation=dict(default='add', choices=['add', 'update', 'delete']),
if_name=dict(required=True),
ip=dict(type='list'),
ipv6_enabled=dict(type='list', required=False),
management_profile=dict(),
mtu=dict(),
netflow_profile=dict(),
comment=dict(),
zone_name=dict(required=True),
vr_name=dict(default='default'),
vsys_dg=dict(default='vsys1'),
commit=dict(type='bool', default=True),
)
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False,
required_one_of=[['api_key', 'password']])
if not HAS_LIB:
module.fail_json(msg='Missing required libraries.')
# Get the firewall / panorama auth.
auth = (
module.params['ip_address'],
module.params['username'],
module.params['password'],
module.params['api_key'],
)
# Get the object params.
spec = {
'name': module.params['if_name'],
'ip': module.params['ip'],
'ipv6_enabled': module.params['ipv6_enabled'],
'management_profile': module.params['management_profile'],
'mtu': module.params['mtu'],
'netflow_profile': module.params['netflow_profile'],
'comment': module.params['comment'],
}
# Get other info.
operation = module.params['operation']
zone_name = module.params['zone_name']
vr_name = module.params['vr_name']
vsys_dg = module.params['vsys_dg']
commit = module.params['commit']
# Open the connection to the PANOS device.
con = base.PanDevice.create_from_device(*auth)
# Set vsys if firewall, device group if panorama.
if hasattr(con, 'refresh_devices'):
# Panorama
# Normally we want to set the device group here, but there are no
# interfaces on Panorama. So if we're given a Panorama device, then
# error out.
'''
groups = panorama.DeviceGroup.refreshall(con, add=False)
for parent in groups:
if parent.name == vsys_dg:
con.add(parent)
break
else:
module.fail_json(msg="'{0}' device group is not present".format(vsys_dg))
'''
module.fail_json(msg="Ethernet interfaces don't exist on Panorama")
else:
# Firewall
# Normally we should set the vsys here, but since interfaces are
# vsys importables, we'll use organize_into_vsys() to help find and
# cleanup when the interface is imported into an undesired vsys.
# con.vsys = vsys_dg
pass
# Retrieve the current config.
try:
interfaces = network.TunnelInterface.refreshall(con,
add=False,
name_only=True)
zones = network.Zone.refreshall(con)
routers = network.VirtualRouter.refreshall(con)
vsys_list = device.Vsys.refreshall(con)
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
# Build the object based on the user spec.
tun = network.TunnelInterface(**spec)
con.add(tun)
# Which action should we take on the interface?
if operation == 'delete':
if tun.name not in [x.name for x in interfaces]:
module.fail_json(
msg='Interface {0} does not exist, and thus cannot be deleted'.
format(tun.name))
try:
con.organize_into_vsys()
set_zone(con, tun, None, zones)
set_virtual_router(con, tun, None, routers)
tun.delete()
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
elif operation == 'add':
if tun.name in [x.name for x in interfaces]:
module.fail_json(
msg='Interface {0} is already present; use operation "update"'.
format(tun.name))
con.vsys = vsys_dg
# Create the interface.
try:
tun.create()
set_zone(con, tun, zone_name, zones)
set_virtual_router(con, tun, vr_name, routers)
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
elif operation == 'update':
if tun.name not in [x.name for x in interfaces]:
module.fail_json(
msg=
'Interface {0} is not present; use operation "add" to create it'
.format(tun.name))
# If the interface is in the wrong vsys, remove it from the old vsys.
try:
con.organize_into_vsys()
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
if tun.vsys != vsys_dg:
try:
tun.delete_import()
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
# Move the ethernet object to the correct vsys.
for vsys in vsys_list:
if vsys.name == vsys_dg:
vsys.add(tun)
break
else:
module.fail_json(msg='Vsys {0} does not exist'.format(vsys))
# Update the interface.
try:
tun.apply()
set_zone(con, tun, zone_name, zones)
set_virtual_router(con, tun, vr_name, routers)
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
else:
module.fail_json(msg="Unsupported operation '{0}'".format(operation))
# Commit if we were asked to do so.
#if commit:
# try:
# con.commit(sync=True, exceptions=True)
# except errors.PanDeviceError:
# e = get_exception()
# module.fail_json(msg='Performed {0} but commit failed: {1}'.format(operation, e.message))
# Done!
module.exit_json(changed=True, msg='okey dokey')
def main():
argument_spec = dict(
ip_address=dict(required=True),
password=dict(no_log=True),
username=dict(default='admin'),
api_key=dict(no_log=True),
state=dict(default='present', choices=['present', 'absent']),
if_name=dict(required=True),
ip=dict(type='list'),
ipv6_enabled=dict(type='bool'),
management_profile=dict(),
mtu=dict(type='int'),
netflow_profile=dict(),
comment=dict(),
zone_name=dict(default=None),
vr_name=dict(default=None),
vsys_dg=dict(default='vsys1'),
commit=dict(type='bool', default=True),
)
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False,
required_one_of=[['api_key', 'password']])
if not HAS_LIB:
module.fail_json(msg='Missing required libraries.')
# Get the firewall / panorama auth.
auth = (
module.params['ip_address'],
module.params['username'],
module.params['password'],
module.params['api_key'],
)
# Get the object params.
spec = {
'name': module.params['if_name'],
'ip': module.params['ip'],
'ipv6_enabled': module.params['ipv6_enabled'],
'management_profile': module.params['management_profile'],
'mtu': module.params['mtu'],
'netflow_profile': module.params['netflow_profile'],
'comment': module.params['comment'],
}
# Get other info.
# operation = module.params['operation']
state = module.params['state']
zone_name = module.params['zone_name']
vr_name = module.params['vr_name']
vsys_dg = module.params['vsys_dg']
commit = module.params['commit']
# Open the connection to the PANOS device.
con = base.PanDevice.create_from_device(*auth)
# Set vsys if firewall, device group if panorama.
parent = con
if hasattr(con, 'refresh_devices'):
# Panorama
# Normally we want to set the device group here, but there are no
# interfaces on Panorama. So if we're given a Panorama device, then
# error out.
'''
groups = panorama.DeviceGroup.refreshall(con, add=False)
for parent in groups:
if parent.name == vsys_dg:
con.add(parent)
break
else:
module.fail_json(msg="'{0}' device group is not present".format(vsys_dg))
'''
module.fail_json(msg="tunnel interfaces don't exist on Panorama")
# Retrieve the current config.
try:
interfaces = network.TunnelInterface.refreshall(con,
add=False,
name_only=True)
zones = network.Zone.refreshall(con)
routers = network.VirtualRouter.refreshall(con)
vsys_list = device.Vsys.refreshall(con)
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
# Build the object based on the user spec.
iface = network.TunnelInterface(**spec)
con.add(iface)
if state == 'present':
if iface.name not in [x.name for x in interfaces]:
# Create the interface.
try:
iface.create()
set_zone(con, iface, zone_name, zones)
set_virtual_router(con, iface, vr_name, routers)
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
else:
# Update the interface.
try:
con.organize_into_vsys()
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
if iface.vsys != vsys_dg:
try:
iface.delete_import()
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg=e.message)
# Move the tunnel object to the correct vsys.
for vsys in vsys_list:
if vsys.name == vsys_dg:
vsys.add(iface)
break
else:
module.fail_json(msg='Vsys {0} does not exist'.format(vsys))
# Update the interface.
try:
iface.apply()
set_zone(con, iface, zone_name, zones)
set_virtual_router(con, iface, vr_name, routers)
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
elif state == 'absent':
if iface.name in [x.name for x in interfaces]:
try:
con.organize_into_vsys()
set_zone(con, iface, None, zones)
set_virtual_router(con, iface, None, routers)
iface.delete()
except (errors.PanDeviceError, ValueError):
e = get_exception()
module.fail_json(msg=e.message)
if commit:
try:
con.commit(sync=True)
except errors.PanDeviceError:
e = get_exception()
module.fail_json(msg='Performed {0} but commit failed: {1}'.format(
state, e.message))
# Done!
module.exit_json(changed=True, msg='Done')
