def set_zone(con, eth, zone_name, zones):
desired_zone = None
# Remove the interface from the zone.
for z in zones:
if z.name == zone_name:
desired_zone = z
elif eth.name in z.interface:
z.interface.remove(eth.name)
z.update('interface')
if desired_zone is not None:
if desired_zone.mode != eth.mode:
raise ValueError('Mode mismatch: {0} is {1}, zone is {2}'.format(
eth.name, eth.mode, z.mode))
if desired_zone.interface is None:
desired_zone.interface = []
if eth.name not in desired_zone.interface:
desired_zone.interface.append(eth.name)
desired_zone.update('interface')
elif zone_name is not None:
z = network.Zone(zone_name, interface=[
eth.name,
], mode=eth.mode)
con.add(z)
z.create()
def create_tunnel_interface(self, tunnel_name):
"""
Create a tunnel interface and associate it with a virtual router and security zone
"""
# Logically create the tunnel interface
tunnel_ref = self.tunnel_interfaces.get(tunnel_name)
tunnel_intf = network.TunnelInterface(tunnel_ref.name,
comment=tunnel_ref.comment)
self.fw_dev_hndl.add(tunnel_intf)
# Retrieve the existing zones
fw_zones = network.Zone(tunnel_ref.security_zone)
self.fw_dev_hndl.add(fw_zones)
fw_zones.refresh()
zone_intfs = fw_zones.interface
# Add interface to the zone
zone_intfs.append(tunnel_ref.name)
fw_zones.interface = zone_intfs
# Retrieve the existing list of virtual routers
fw_vrs = network.VirtualRouter(tunnel_ref.virtual_router)
self.fw_dev_hndl.add(fw_vrs)
fw_vrs.refresh()
vr_intfs = fw_vrs.interface
vr_intfs.append(tunnel_ref.name)
fw_vrs.interface = vr_intfs
# Push all the configs to the device
tunnel_intf.create()
fw_zones.apply()
fw_vrs.apply()
def setup_state_obj(self, fw, state):
state.obj = network.Zone(
testlib.random_name(),
'layer2',
state.eths[0],
enable_user_identification=False,
include_acl=testlib.random_ip('/24'),
exclude_acl=testlib.random_ip('/24'),
)
fw.add(state.obj)
def test_vsys_xpath_unchanged():
expected = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys3']"
c = firewall.Firewall('127.0.0.1', 'admin', 'admin')
c.vsys = 'vsys3'
assert expected == c.xpath_vsys()
c.vsys = None
vsys = device.Vsys('vsys3')
c.add(vsys)
assert expected == vsys.xpath_vsys()
zone = network.Zone('myzone')
vsys.add(zone)
assert expected == zone.xpath_vsys()
def set_zone(con, loopback, zone_name, zones):
desired_zone = None
# Remove the interface from the zone.
for z in zones:
if z.name == zone_name:
desired_zone = z
elif loopback.name in z.interface:
z.interface.remove(loopback.name)
z.update('interface')
if desired_zone is not None:
if desired_zone.interface is None:
desired_zone.interface = []
if loopback.name not in desired_zone.interface:
desired_zone.interface.append(loopback.name)
desired_zone.update('interface')
elif zone_name is not None:
z = network.Zone(zone_name, interface=[
loopback.name,
])
con.add(z)
z.create()
def setup_state_obj(self, fw, state):
state.obj = network.Zone(
testlib.random_name(),
mode='layer3',
)
fw.add(state.obj)
def config_builder(instanceList):
global netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list
netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list = [], [], [], [], []
vrDict, zoneDict = {}, {}
for item in instanceList:
item = [i if i != '' else None for i in item[:]]
netObj_tunInt = network.TunnelInterface()
netObj_tunInt.name = item[0]
netObj_tunInt.comment = item[1]
netObj_tunInt.ip = item[2]
netObj_tunInt.management_profile = item[3]
netObj_tunInt_list.append(pan.add(netObj_tunInt))
if item[4] not in vrDict.keys():
vrDict[item[4]] = []
vrDict[item[4]].append(item[0])
if len(item[5]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[5], item[5][:31]))
item[5] = item[5][:31]
if item[5] not in zoneDict.keys():
zoneDict[item[5]] = []
zoneDict[item[5]].append(item[0])
if len(item[6]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[6], item[6][:31]))
item[6] = item[6][:31]
netObj_ike = network.IkeGateway()
netObj_ike.name = item[6]
netObj_ike.interface = item[7]
netObj_ike.local_ip_address_type = 'ip'
netObj_ike.local_ip_address = item[8]
netObj_ike.peer_ip_type = item[9]
if netObj_ike.peer_ip_type != 'dynamic':
netObj_ike.peer_ip_value = item[10]
netObj_ike.pre_shared_key = item[11]
if item[12] is not None:
temp_item = item[12].replace(': ', ':').split(':')
netObj_ike.local_id_type = temp_item[0]
netObj_ike.local_id_value = temp_item[1]
if item[13] is not None:
temp_item = item[13].replace(': ', ':').split(':')
netObj_ike.peer_id_type = temp_item[0]
netObj_ike.peer_id_value = temp_item[1]
if item[14] is not None and item[14].lower() == 'true':
netObj_ike.enable_passive_mode = True
else:
netObj_ike.enable_passive_mode = False
if item[15] is not None and item[15].lower() == 'true':
netObj_ike.enable_nat_traversal = True
else:
netObj_ike.enable_nat_traversal = False
netObj_ike.ikev1_exchange_mode = item[16]
netObj_ike.ikev1_crypto_profile = item[17]
if item[18] is not None and item[18].lower() == 'true':
netObj_ike.enable_fragmentation = True
else:
netObj_ike.enable_fragmentation = False
if item[19] is None or item[19].lower() == 'true':
netObj_ike.enable_dead_peer_detection = True
elif item[19].lower() == 'false':
netObj_ike.enable_dead_peer_detection = False
else:
temp_item = item[19].replace('; ', ';').split(';')
netObj_ike.enable_dead_peer_detection = True
netObj_ike.dead_peer_detection_interval = temp_item[0]
netObj_ike.dead_peer_detection_retry = temp_item[1]
netObj_ike_list.append(pan.add(netObj_ike))
if len(item[20]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[20], item[20][:31]))
item[20] = item[20][:31]
netObj_ipsec = network.IpsecTunnel()
netObj_ipsec.name = item[20]
netObj_ipsec.tunnel_interface = item[21]
if len(item[22]) > 31:
print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[22], item[22][:31]))
item[22] = item[22][:31]
netObj_ipsec.ak_ike_gateway = item[22]
if item[23] is None:
item[23] = 'default'
netObj_ipsec.ak_ipsec_crypto_profile = item[23]
netObj_ipsec_list.append(pan.add(netObj_ipsec))
print('Building Config --- Tunnel-Int - {} // IKE-GW - {} // IPSec-Tunnel - {}'.format(netObj_tunInt.name, netObj_ike.name, netObj_ipsec.name))
for key, value in vrDict.items():
netObj_vr = network.VirtualRouter()
netObj_vr.name = key
netObj_vr.interface = value
netObj_vr_list.append(pan.add(netObj_vr))
for key, value in zoneDict.items():
netObj_zone = network.Zone()
netObj_zone.name = key
netObj_zone.interface = value
netObj_zone_list.append(pan.add(netObj_zone))
def main():
argument_spec = dict(ip_address=dict(required=True),
username=dict(default='admin'),
password=dict(no_log=True),
api_key=dict(no_log=True),
name=dict(type='str', required=True),
devicegroup=dict(type='str', required=False),
panorama_template=dict(),
state=dict(default='present',
choices=['present', 'absent']))
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False)
if not HAS_LIB:
module.fail_json(
msg='pan-python and pandevice are required for this module.')
ip_address = module.params['ip_address']
username = module.params['username']
password = module.params['password']
api_key = module.params['api_key']
name = module.params['name']
devicegroup = module.params['devicegroup']
state = module.params['state']
changed = False
try:
device = base.PanDevice.create_from_device(ip_address,
username,
password,
api_key=api_key)
dev_group = None
if devicegroup and isinstance(device, panorama.Panorama):
dev_group = get_devicegroup(device, devicegroup)
if dev_group:
device.add(dev_group)
else:
module.fail_json(
msg=
'\'%s\' device group not found in Panorama. Is the name correct?'
% devicegroup)
active_zones = network.Zone.refreshall(device)
found = False
for current_zone in active_zones:
if current_zone.name == name:
found = True
del_obj = current_zone
break
#exit()
# only change when present, and does not already exist
if state == 'present' and not found:
changed = True
zone = network.Zone(name=name)
device.add(zone)
zone.create()
# only change when absent, and does already exist
elif state == 'absent' and found:
changed = True
device.add(del_obj)
del_obj.delete()
except PanDeviceError as e:
module.fail_json(msg=e.message)
module.exit_json(changed=changed)
tunnel_int = network.TunnelInterface("tunnel.100", \
ip = '{{ item.remote_p2p_ip }}', \
ipv6_enabled = False)
fw.add(tunnel_int)
tunnel_int.create()
print(tunnel_int)
#Creates trust_fwh_vpn secuirty zone
vpn_zone = network.Zone("trust_fwh_vpn", \
mode = "layer3", \
interface = "tunnel.100")
fw.add(vpn_zone)
vpn_zone.create()
print(vpn_zone)
#Creates trust_management secuirty zone
mgmt_zone = network.Zone("trust_management", \
mode = "layer3", \
interface = "ethernet1/2")
def test_xpath_for_vsys_root(vsys, with_pano):
obj = network.Zone('myzone')
_check(obj, vsys, with_pano)
