def set_zone(con, tun, zone_name, zones):
    changed = False
    desired_zone = None

    # Remove the interface from the zone.
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
        elif tun.name in z.interface:
            z.interface.remove(tun.name)
            z.update('interface')
            changed = True

    if desired_zone is not None:
        if desired_zone.interface is None:
            desired_zone.interface = []
        if tun.name not in desired_zone.interface:
            desired_zone.interface.append(tun.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        z = Zone(zone_name, interface=[tun.name])
        con.add(z)
        z.create()
        changed = True

    return changed
def set_zone(con, eth, zone_name, zones):
    changed = False
    desired_zone = None

    # Remove the interface from the zone.
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
        elif eth.name in z.interface:
            z.interface.remove(eth.name)
            z.update('interface')
            changed = True

    if desired_zone is not None:
        if desired_zone.mode != eth.mode:
            raise ValueError('Mode mismatch: {0} is {1}, zone is {2}'.format(
                eth.name, eth.mode, z.mode))
        if desired_zone.interface is None:
            desired_zone.interface = []
        if eth.name not in desired_zone.interface:
            desired_zone.interface.append(eth.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        z = Zone(zone_name, interface=[
            eth.name,
        ], mode=eth.mode)
        con.add(z)
        z.create()
        changed = True

    return changed
Exemple #3
0
def configure_network(device):
    eth1 = EthernetInterface(name='ethernet1/1',
                             mode='layer3',
                             ip=('192.168.55.20/24', ))
    eth2 = EthernetInterface(name='ethernet1/2',
                             mode='layer3',
                             ip=('192.168.45.20/24', ))
    eth3 = EthernetInterface(name='ethernet1/3',
                             mode='layer3',
                             ip=('192.168.35.20/24', ))

    device.add(eth1)
    device.add(eth2)
    device.add(eth3)

    eth1.create()
    eth2.create()
    eth3.create()

    untrust = Zone(name='untrust', mode='layer3', interface=['ethernet1/1'])
    web = Zone(name='web', mode='layer3', interface=['ethernet1/2'])
    db = Zone(name='db', mode='layer3', interface=['ethernet1/3'])

    device.add(untrust)
    device.add(web)
    device.add(db)

    untrust.create()
    web.create()
    db.create()

    vr_default = VirtualRouter(
        name='default',
        interface=['ethernet1/1', 'ethernet1/2', 'ethernet1/3'])
    device.add(vr_default)
    vr_default.create()

    default_route = StaticRoute(name='default',
                                destination='0.0.0.0/0',
                                nexthop='192.168.55.2')
    vr_default.add(default_route)
    default_route.create()
Exemple #4
0
def main():
    argument_spec = dict(ip_address=dict(required=True),
                         password=dict(no_log=True),
                         username=dict(default='admin'),
                         api_key=dict(no_log=True),
                         zone=dict(required=True),
                         mode=dict(choices=[
                             'tap', 'virtual-wire', 'layer2', 'layer3',
                             'external'
                         ],
                                   default='layer3'),
                         interface=dict(type='list'),
                         zone_profile=dict(),
                         log_setting=dict(),
                         enable_userid=dict(type='bool', default=False),
                         include_acl=dict(type='list'),
                         exclude_acl=dict(type='list'),
                         vsys=dict(default='vsys1'),
                         template=dict(),
                         state=dict(choices=['present', 'absent'],
                                    default='present'))
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=[['api_key', 'password']])
    if not HAS_LIB:
        module.fail_json(msg='Missing required libraries.')

    # Get the firewall / panorama auth.
    auth = (
        module.params['ip_address'],
        module.params['username'],
        module.params['password'],
        module.params['api_key'],
    )

    # Set the Zone object params
    zone_spec = {
        'name': module.params['zone'],
        'mode': module.params['mode'],
        'interface': module.params['interface'],
        'zone_profile': module.params['zone_profile'],
        'log_setting': module.params['log_setting'],
        'enable_user_identification': module.params['enable_userid'],
        'include_acl': module.params['include_acl'],
        'exclude_acl': module.params['exclude_acl']
    }

    # Get other info
    vsys = module.params['vsys']
    template = module.params['template']
    state = module.params['state']

    # Open the connection to the PAN-OS device
    device = None
    try:
        device = PanDevice.create_from_device(*auth)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Set the attachment point for the Zone object
    parent = None
    if isinstance(device, Firewall):
        parent = device
    elif isinstance(device, Panorama):
        if template is not None:
            template_list = Template.refreshall(device)
            parent = get_template(template, template_list)
            if parent is None:
                module.fail_json(
                    msg='Template not found: {0}'.format(template))
        else:
            module.fail_json(
                msg=
                'A template parameter is required when device type is Panorama'
            )
    if vsys is not None:
        v = Vsys(vsys)
        parent.add(v)
        parent = v

    # Retrieve the current list of zones
    try:
        zones = Zone.refreshall(parent)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Build the zone and attach to the parent
    new_zone = Zone(**zone_spec)
    parent.add(new_zone)

    # Which action shall we take on the Zone object?
    changed = False
    if state == 'present':
        match = find_zone(zones, new_zone)
        if match:
            # Change an existing zone
            if not match.equal(new_zone):
                try:
                    if not module.check_mode:
                        new_zone.create()
                except PanDeviceError as e:
                    module.fail_json(
                        msg='Failed "present" create: {0}'.format(e))
                else:
                    changed = True
        else:
            # Add a new zone
            try:
                if not module.check_mode:
                    new_zone.apply()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" apply: {0}'.format(e))
            else:
                changed = True
    elif state == 'absent':
        match = find_zone(zones, new_zone)
        if match:
            # Delete an existing zone
            try:
                if not module.check_mode:
                    new_zone.delete()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "absent" delete: {0}'.format(e))
            else:
                changed = True

    # Done!
    module.exit_json(changed=changed, msg='Done')