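def set_zone(con, tun, zone_name, zones):
    """Move tunnel interface *tun* into the zone called *zone_name*.

    The interface is first detached from every other zone in *zones*
    that lists it, then attached to the zone named *zone_name*.  If no
    such zone exists in *zones* and *zone_name* is not ``None``, a new
    ``Zone`` containing only this interface is added under *con* and
    created on the device.

    Args:
        con: Parent object a newly created ``Zone`` is attached to
            (via ``con.add``).
        tun: Interface object; only its ``name`` attribute is read.
        zone_name: Name of the zone that should own the interface, or
            ``None`` to merely detach the interface from its current zone.
        zones: Existing ``Zone`` objects.  A zone's ``interface`` may be
            ``None`` when it has no interfaces configured.

    Returns:
        True if at least one zone was modified, False otherwise.
    """
    changed = False
    desired_zone = None
    # Detach the interface from every zone other than the target one.
    # ``z.interface`` can be None for an empty zone (the code below already
    # has to handle that for the target), so guard before the membership test.
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
        elif z.interface and tun.name in z.interface:
            z.interface.remove(tun.name)
            z.update('interface')
            changed = True
    if desired_zone is not None:
        if desired_zone.interface is None:
            desired_zone.interface = []
        if tun.name not in desired_zone.interface:
            desired_zone.interface.append(tun.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        # The target zone is not present yet: create it with this interface only.
        new_zone = Zone(zone_name, interface=[tun.name])
        con.add(new_zone)
        new_zone.create()
        changed = True
    return changed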
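def set_zone(con, eth, zone_name, zones):
    """Move ethernet interface *eth* into the zone called *zone_name*.

    The target zone must have the same ``mode`` as the interface; that is
    checked before anything is modified, so a mismatch raises without
    leaving the interface detached from its previous zone.  The interface
    is then removed from every other zone in *zones* that lists it and
    appended to the target.  If no zone named *zone_name* exists and
    *zone_name* is not ``None``, a new ``Zone`` with the interface's mode
    and only this interface is added under *con* and created on the device.

    Args:
        con: Parent object a newly created ``Zone`` is attached to
            (via ``con.add``).
        eth: Interface object; its ``name`` and ``mode`` are read.
        zone_name: Name of the zone that should own the interface, or
            ``None`` to merely detach the interface from its current zone.
        zones: Existing ``Zone`` objects.  A zone's ``interface`` may be
            ``None`` when it has no interfaces configured.

    Returns:
        True if at least one zone was modified, False otherwise.

    Raises:
        ValueError: if the target zone's mode differs from ``eth.mode``.
    """
    changed = False
    desired_zone = None
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
    # Validate before mutating so a rejected call leaves the zones untouched.
    # The message must report the *target* zone's mode, not that of the
    # last zone iterated.
    if desired_zone is not None and desired_zone.mode != eth.mode:
        raise ValueError('Mode mismatch: {0} is {1}, zone is {2}'.format(
            eth.name, eth.mode, desired_zone.mode))
    # Detach the interface from every zone other than the target one.
    # ``z.interface`` can be None for an empty zone, so guard the membership test.
    for z in zones:
        if z.name == zone_name:
            continue
        if z.interface and eth.name in z.interface:
            z.interface.remove(eth.name)
            z.update('interface')
            changed = True
    if desired_zone is not None:
        if desired_zone.interface is None:
            desired_zone.interface = []
        if eth.name not in desired_zone.interface:
            desired_zone.interface.append(eth.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        # The target zone is not present yet: create it with this interface only.
        new_zone = Zone(zone_name, interface=[eth.name], mode=eth.mode)
        con.add(new_zone)
        new_zone.create()
        changed = True
    return changed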
def configure_network(device):
    """Push a fixed three-leg layer3 topology onto *device*.

    Creates ethernet1/1, ethernet1/2 and ethernet1/3 with static
    addresses, binds each to its own zone (untrust, web, db), attaches
    all three to the ``default`` virtual router and adds a 0.0.0.0/0
    static route via 192.168.55.2.  Every object is added to its parent
    and then created on the device, in the same order as before: all
    interfaces, then all zones, then the router, then the route.
    """
    # One row per leg: (interface name, zone name, interface address).
    legs = (
        ('ethernet1/1', 'untrust', '192.168.55.20/24'),
        ('ethernet1/2', 'web', '192.168.45.20/24'),
        ('ethernet1/3', 'db', '192.168.35.20/24'),
    )

    interfaces = [
        EthernetInterface(name=ifname, mode='layer3', ip=(addr, ))
        for ifname, _, addr in legs
    ]
    for iface in interfaces:
        device.add(iface)
    for iface in interfaces:
        iface.create()

    zone_objs = [
        Zone(name=zname, mode='layer3', interface=[ifname])
        for ifname, zname, _ in legs
    ]
    for zone in zone_objs:
        device.add(zone)
    for zone in zone_objs:
        zone.create()

    vr_default = VirtualRouter(
        name='default', interface=[ifname for ifname, _, _ in legs])
    device.add(vr_default)
    vr_default.create()

    default_route = StaticRoute(
        name='default', destination='0.0.0.0/0', nexthop='192.168.55.2')
    vr_default.add(default_route)
    default_route.create()
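def _find_parent(module, device, template, vsys):
    """Return the object under which the Zone is configured.

    A ``Firewall`` is used directly.  A ``Panorama`` requires *template*
    to name one of its templates, which becomes the parent.  When *vsys*
    is given, a ``Vsys`` child is added below that parent and returned
    instead.  Unrecoverable conditions are reported via ``module.fail_json``.
    """
    parent = None
    if isinstance(device, Firewall):
        parent = device
    elif isinstance(device, Panorama):
        if template is not None:
            template_list = Template.refreshall(device)
            parent = get_template(template, template_list)
            if parent is None:
                module.fail_json(
                    msg='Template not found: {0}'.format(template))
        else:
            module.fail_json(
                msg='A template parameter is required when device type is Panorama')
    if vsys is not None:
        v = Vsys(vsys)
        parent.add(v)
        parent = v
    return parent


def _apply_state(module, state, zones, new_zone):
    """Create, update or delete *new_zone* on the device according to *state*.

    Returns True when a change was made (or would be made in check mode),
    False when the device already matches.  Device errors are reported via
    ``module.fail_json`` with the same "Failed ..." messages as before.
    """
    match = find_zone(zones, new_zone)
    if state == 'present':
        if match:
            if match.equal(new_zone):
                return False
            # NOTE(review): an existing-but-different zone is pushed with
            # create() while a brand-new one uses apply(); confirm that this
            # pairing (rather than the reverse) is the intended merge/replace
            # behaviour for updates.
            action, label = new_zone.create, 'create'
        else:
            action, label = new_zone.apply, 'apply'
    elif state == 'absent':
        if not match:
            return False
        action, label = new_zone.delete, 'delete'
    else:
        return False
    try:
        if not module.check_mode:
            action()
    except PanDeviceError as e:
        module.fail_json(msg='Failed "{0}" {1}: {2}'.format(state, label, e))
    return True


def main():
    """Ansible entry point: ensure a PAN-OS zone is present or absent.

    Connects to the firewall or Panorama named by ``ip_address``, resolves
    the configuration parent (device, template and/or vsys), refreshes the
    existing zones and then creates, updates or deletes the requested zone.
    Honours check mode; exits through ``module.exit_json``/``fail_json``.
    """
    argument_spec = dict(
        ip_address=dict(required=True),
        password=dict(no_log=True),
        username=dict(default='admin'),
        api_key=dict(no_log=True),
        zone=dict(required=True),
        mode=dict(choices=['tap', 'virtual-wire', 'layer2', 'layer3', 'external'],
                  default='layer3'),
        interface=dict(type='list'),
        zone_profile=dict(),
        log_setting=dict(),
        enable_userid=dict(type='bool', default=False),
        include_acl=dict(type='list'),
        exclude_acl=dict(type='list'),
        vsys=dict(default='vsys1'),
        template=dict(),
        state=dict(choices=['present', 'absent'], default='present'),
    )
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=[['api_key', 'password']])
    if not HAS_LIB:
        module.fail_json(msg='Missing required libraries.')

    # Credentials for the device; password and api_key are declared no_log
    # above so they are masked in task output.
    auth = (
        module.params['ip_address'],
        module.params['username'],
        module.params['password'],
        module.params['api_key'],
    )

    # Parameters of the Zone object to build.
    zone_spec = {
        'name': module.params['zone'],
        'mode': module.params['mode'],
        'interface': module.params['interface'],
        'zone_profile': module.params['zone_profile'],
        'log_setting': module.params['log_setting'],
        'enable_user_identification': module.params['enable_userid'],
        'include_acl': module.params['include_acl'],
        'exclude_acl': module.params['exclude_acl'],
    }
    vsys = module.params['vsys']
    template = module.params['template']
    state = module.params['state']

    # Open the connection to the PAN-OS device.  ``str(e)`` is used instead
    # of ``e.message`` (absent on Python 3) and matches the ``as e`` style
    # of the other handlers.
    try:
        device = PanDevice.create_from_device(*auth)
    except PanDeviceError as e:
        module.fail_json(msg=str(e))

    parent = _find_parent(module, device, template, vsys)

    # Retrieve the current list of zones under the parent.
    try:
        zones = Zone.refreshall(parent)
    except PanDeviceError as e:
        module.fail_json(msg=str(e))

    # Build the requested zone and attach it to the parent.
    new_zone = Zone(**zone_spec)
    parent.add(new_zone)

    changed = _apply_state(module, state, zones, new_zone)
    module.exit_json(changed=changed, msg='Done')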