コード例 #1
0
def set_zone(con, tun, zone_name, zones):
    changed = False
    desired_zone = None

    # Remove the interface from the zone.
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
        elif tun.name in z.interface:
            z.interface.remove(tun.name)
            z.update('interface')
            changed = True

    if desired_zone is not None:
        if desired_zone.interface is None:
            desired_zone.interface = []
        if tun.name not in desired_zone.interface:
            desired_zone.interface.append(tun.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        z = Zone(zone_name, interface=[tun.name])
        con.add(z)
        z.create()
        changed = True

    return changed
コード例 #2
0
def set_zone(con, eth, zone_name, zones):
    changed = False
    desired_zone = None

    # Remove the interface from the zone.
    for z in zones:
        if z.name == zone_name:
            desired_zone = z
        elif eth.name in z.interface:
            z.interface.remove(eth.name)
            z.update('interface')
            changed = True

    if desired_zone is not None:
        if desired_zone.mode != eth.mode:
            raise ValueError('Mode mismatch: {0} is {1}, zone is {2}'.format(
                eth.name, eth.mode, z.mode))
        if desired_zone.interface is None:
            desired_zone.interface = []
        if eth.name not in desired_zone.interface:
            desired_zone.interface.append(eth.name)
            desired_zone.update('interface')
            changed = True
    elif zone_name is not None:
        z = Zone(zone_name, interface=[
            eth.name,
        ], mode=eth.mode)
        con.add(z)
        z.create()
        changed = True

    return changed
コード例 #3
0
def main():
    helper = get_connection(
        vsys=True,
        template=True,
        template_stack=True,
        with_state=True,
        with_classic_provider_spec=True,
        argument_spec=dict(
            zone=dict(required=True),
            mode=dict(choices=[
                'tap', 'virtual-wire', 'layer2', 'layer3', 'external'
            ],
                      default='layer3'),
            interface=dict(type='list'),
            zone_profile=dict(),
            log_setting=dict(),
            enable_userid=dict(type='bool', default=False),
            include_acl=dict(type='list'),
            exclude_acl=dict(type='list'),
        ),
    )
    module = AnsibleModule(
        argument_spec=helper.argument_spec,
        supports_check_mode=True,
        required_one_of=helper.required_one_of,
    )

    # Verify imports, build pandevice object tree.
    parent = helper.get_pandevice_parent(module)

    # Set the Zone object params
    zone_spec = {
        'name': module.params['zone'],
        'mode': module.params['mode'],
        'interface': module.params['interface'],
        'zone_profile': module.params['zone_profile'],
        'log_setting': module.params['log_setting'],
        'enable_user_identification': module.params['enable_userid'],
        'include_acl': module.params['include_acl'],
        'exclude_acl': module.params['exclude_acl']
    }

    # Retrieve the current list of zones
    try:
        zones = Zone.refreshall(parent, add=False)
    except PanDeviceError as e:
        module.fail_json(msg='Failed refresh: {0}'.format(e))

    # Build the zone and attach to the parent
    new_zone = Zone(**zone_spec)
    parent.add(new_zone)

    # Perform the requeseted action.
    changed = helper.apply_state(new_zone, zones, module)

    # Done!
    module.exit_json(changed=changed, msg='Done')
コード例 #4
0
    def populate_facts(self):
        # Get session usage XML
        session_root = self.parent.op('show session meter')

        # Loop through all VSYS
        virtual_systems = []
        vsys_list = Vsys.refreshall(self.parent, name_only=True)
        for vsys in vsys_list:
            for var in ('display_name', 'interface', 'virtual_routers'):
                vsys.refresh_variable(var)

            zones = [x.name for x in Zone.refreshall(vsys, name_only=True)]
            vsys_id = vsys.name[4:]
            vsys_sessions = session_root.find(".//entry/[vsys='" + vsys_id + "']")
            vsys_currentsessions = vsys_sessions.find('.//current').text
            vsys_maxsessions = vsys_sessions.find('.//maximum').text

            virtual_systems.append({
                'vsys_id': vsys_id,
                'vsys_name': vsys.name,
                'vsys_description': vsys.display_name,
                'vsys_iflist': vsys.interface,
                'vsys_vrlist': vsys.virtual_routers,
                'vsys_zonelist': zones,
                'vsys_maxsessions': vsys_maxsessions,
                'vsys_currentsessions': vsys_currentsessions,
            })

        self.facts.update({
            'virtual-systems': virtual_systems
        })
コード例 #5
0
def main():
    helper = get_connection(
        vsys=True,
        template=True,
        template_stack=True,
        with_classic_provider_spec=True,
        argument_spec=dict(
            name=dict(),
        ),
    )
    module = AnsibleModule(
        argument_spec=helper.argument_spec,
        supports_check_mode=False,
        required_one_of=helper.required_one_of,
    )

    # Verify imports, build pandevice object tree.
    parent = helper.get_pandevice_parent(module)

    renames = (
        ('name', 'zone'),
        ('enable_user_identification', 'enable_userid'),
    )

    name = module.params['name']
    if name is None:
        try:
            listing = Zone.refreshall(parent)
        except PanDeviceError as e:
            module.fail_json(msg='Failed refreshall: {0}'.format(e))

        zones = helper.to_module_dict(listing, renames)
        module.exit_json(changed=False, zones=zones)

    zone = Zone(name)
    parent.add(zone)
    try:
        zone.refresh()
    except PanDeviceError as e:
        module.fail_json(msg='Failed refresh: {0}'.format(e))

    spec = helper.to_module_dict(zone, renames)
    module.exit_json(changed=False, spec=spec)
コード例 #6
0
def main():
    argument_spec = dict(
        ip_address=dict(required=True),
        password=dict(no_log=True),
        username=dict(default='admin'),
        api_key=dict(no_log=True),
        operation=dict(default='add', choices=['add', 'update', 'delete']),
        state=dict(choices=['present', 'absent']),
        if_name=dict(required=True),
        ip=dict(type='list'),
        ipv6_enabled=dict(),
        management_profile=dict(),
        mtu=dict(),
        netflow_profile=dict(),
        comment=dict(),
        zone_name=dict(required=True),
        vr_name=dict(default='default'),
        vsys_dg=dict(default='vsys1'),
        commit=dict(type='bool', default=True),
    )
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=False,
                           required_one_of=[['api_key', 'password']])
    if not HAS_LIB:
        module.fail_json(msg='Missing required libraries.')

    # Get the firewall / panorama auth.
    auth = [
        module.params[x]
        for x in ('ip_address', 'username', 'password', 'api_key')
    ]

    # Get the object params.
    spec = {
        'name': module.params['if_name'],
        'ip': module.params['ip'],
        'ipv6_enabled': module.params['ipv6_enabled'],
        'management_profile': module.params['management_profile'],
        'mtu': module.params['mtu'],
        'netflow_profile': module.params['netflow_profile'],
        'comment': module.params['comment'],
    }

    # Get other info.
    operation = module.params['operation']
    state = module.params['state']
    zone_name = module.params['zone_name']
    vr_name = module.params['vr_name']
    vsys_dg = module.params['vsys_dg']
    commit = module.params['commit']
    if_name = module.params['if_name']

    # Open the connection to the PANOS device.
    con = PanDevice.create_from_device(*auth)

    # Set vsys if firewall, device group if panorama.
    if hasattr(con, 'refresh_devices'):
        # Panorama
        # Normally we want to set the device group here, but there are no
        # interfaces on Panorama.  So if we're given a Panorama device, then
        # error out.
        '''
        groups = panorama.DeviceGroup.refreshall(con, add=False)
        for parent in groups:
            if parent.name == vsys_dg:
                con.add(parent)
                break
        else:
            module.fail_json(msg="'{0}' device group is not present".format(vsys_dg))
        '''
        module.fail_json(msg="Ethernet interfaces don't exist on Panorama")
    else:
        # Firewall
        # Normally we should set the vsys here, but since interfaces are
        # vsys importables, we'll use organize_into_vsys() to help find and
        # cleanup when the interface is imported into an undesired vsys.
        # con.vsys = vsys_dg
        pass

    # Retrieve the current config.
    try:
        interfaces = TunnelInterface.refreshall(con, add=False, name_only=True)
        zones = Zone.refreshall(con)
        routers = VirtualRouter.refreshall(con)
        vsys_list = Vsys.refreshall(con)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Build the object based on the user spec.
    tun = TunnelInterface(**spec)
    con.add(tun)

    # Which action should we take on the interface?
    changed = False
    if state == 'present':
        if tun.name in [x.name for x in interfaces]:
            i = TunnelInterface(tun.name)
            con.add(i)
            try:
                i.refresh()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" refresh: {0}'.format(e))
            if not i.equal(tun, compare_children=False):
                tun.extend(i.children)
                try:
                    tun.apply()
                    changed = True
                except PanDeviceError as e:
                    module.fail_json(
                        msg='Failed "present" apply: {0}'.format(e))
        else:
            try:
                tun.create()
                changed = True
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" create: {0}'.format(e))
        try:
            changed |= set_zone(con, tun, zone_name, zones)
            changed |= set_virtual_router(con, tun, vr_name, routers)
        except PanDeviceError as e:
            module.fail_json(msg='Failed zone/vr assignment: {0}'.format(e))
    elif state == 'absent':
        try:
            changed |= set_zone(con, tun, None, zones)
            changed |= set_virtual_router(con, tun, None, routers)
        except PanDeviceError as e:
            module.fail_json(
                msg='Failed "absent" zone/vr cleanup: {0}'.format(e))
            changed = True
        if tun.name in [x.name for x in interfaces]:
            try:
                tun.delete()
                changed = True
            except PanDeviceError as e:
                module.fail_json(msg='Failed "absent" delete: {0}'.format(e))
    elif operation == 'delete':
        if tun.name not in [x.name for x in interfaces]:
            module.fail_json(
                msg='Interface {0} does not exist, and thus cannot be deleted'.
                format(tun.name))

        try:
            con.organize_into_vsys()
            set_zone(con, tun, None, zones)
            set_virtual_router(con, tun, None, routers)
            tun.delete()
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    elif operation == 'add':
        if tun.name in [x.name for x in interfaces]:
            module.fail_json(
                msg='Interface {0} is already present; use operation "update"'.
                format(tun.name))

        con.vsys = vsys_dg
        # Create the interface.
        try:
            tun.create()
            set_zone(con, tun, zone_name, zones)
            set_virtual_router(con, tun, vr_name, routers)
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    elif operation == 'update':
        if tun.name not in [x.name for x in interfaces]:
            module.fail_json(
                msg=
                'Interface {0} is not present; use operation "add" to create it'
                .format(tun.name))

        # If the interface is in the wrong vsys, remove it from the old vsys.
        try:
            con.organize_into_vsys()
        except PanDeviceError:
            e = get_exception()
            module.fail_json(msg=e.message)
        if tun.vsys != vsys_dg:
            try:
                tun.delete_import()
            except PanDeviceError:
                e = get_exception()
                module.fail_json(msg=e.message)

        # Move the ethernet object to the correct vsys.
        for vsys in vsys_list:
            if vsys.name == vsys_dg:
                vsys.add(tun)
                break
        else:
            module.fail_json(msg='Vsys {0} does not exist'.format(vsys))

        # Update the interface.
        try:
            tun.apply()
            set_zone(con, tun, zone_name, zones)
            set_virtual_router(con, tun, vr_name, routers)
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    else:
        module.fail_json(msg="Unsupported operation '{0}'".format(operation))

    # Commit if we were asked to do so.
    if changed and commit:
        try:
            con.commit(sync=True)
        except PanDeviceError:
            e = get_exception()
            module.fail_json(msg='Performed {0} but commit failed: {1}'.format(
                operation, e.message))

    # Done!
    module.exit_json(changed=changed, msg='okey dokey')
コード例 #7
0
def main():
    argument_spec = dict(ip_address=dict(required=True),
                         password=dict(no_log=True),
                         username=dict(default='admin'),
                         api_key=dict(no_log=True),
                         zone=dict(required=True),
                         mode=dict(choices=[
                             'tap', 'virtual-wire', 'layer2', 'layer3',
                             'external'
                         ],
                                   default='layer3'),
                         interface=dict(type='list'),
                         zone_profile=dict(),
                         log_setting=dict(),
                         enable_userid=dict(type='bool', default=False),
                         include_acl=dict(type='list'),
                         exclude_acl=dict(type='list'),
                         vsys=dict(default='vsys1'),
                         template=dict(),
                         state=dict(choices=['present', 'absent'],
                                    default='present'))
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=True,
                           required_one_of=[['api_key', 'password']])
    if not HAS_LIB:
        module.fail_json(msg='Missing required libraries.')

    # Get the firewall / panorama auth.
    auth = (
        module.params['ip_address'],
        module.params['username'],
        module.params['password'],
        module.params['api_key'],
    )

    # Set the Zone object params
    zone_spec = {
        'name': module.params['zone'],
        'mode': module.params['mode'],
        'interface': module.params['interface'],
        'zone_profile': module.params['zone_profile'],
        'log_setting': module.params['log_setting'],
        'enable_user_identification': module.params['enable_userid'],
        'include_acl': module.params['include_acl'],
        'exclude_acl': module.params['exclude_acl']
    }

    # Get other info
    vsys = module.params['vsys']
    template = module.params['template']
    state = module.params['state']

    # Open the connection to the PAN-OS device
    device = None
    try:
        device = PanDevice.create_from_device(*auth)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Set the attachment point for the Zone object
    parent = None
    if isinstance(device, Firewall):
        parent = device
    elif isinstance(device, Panorama):
        if template is not None:
            template_list = Template.refreshall(device)
            parent = get_template(template, template_list)
            if parent is None:
                module.fail_json(
                    msg='Template not found: {0}'.format(template))
        else:
            module.fail_json(
                msg=
                'A template parameter is required when device type is Panorama'
            )
    if vsys is not None:
        v = Vsys(vsys)
        parent.add(v)
        parent = v

    # Retrieve the current list of zones
    try:
        zones = Zone.refreshall(parent)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Build the zone and attach to the parent
    new_zone = Zone(**zone_spec)
    parent.add(new_zone)

    # Which action shall we take on the Zone object?
    changed = False
    if state == 'present':
        match = find_zone(zones, new_zone)
        if match:
            # Change an existing zone
            if not match.equal(new_zone):
                try:
                    if not module.check_mode:
                        new_zone.create()
                except PanDeviceError as e:
                    module.fail_json(
                        msg='Failed "present" create: {0}'.format(e))
                else:
                    changed = True
        else:
            # Add a new zone
            try:
                if not module.check_mode:
                    new_zone.apply()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" apply: {0}'.format(e))
            else:
                changed = True
    elif state == 'absent':
        match = find_zone(zones, new_zone)
        if match:
            # Delete an existing zone
            try:
                if not module.check_mode:
                    new_zone.delete()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "absent" delete: {0}'.format(e))
            else:
                changed = True

    # Done!
    module.exit_json(changed=changed, msg='Done')
コード例 #8
0
def configure_network(device):
    eth1 = EthernetInterface(name='ethernet1/1',
                             mode='layer3',
                             ip=('192.168.55.20/24', ))
    eth2 = EthernetInterface(name='ethernet1/2',
                             mode='layer3',
                             ip=('192.168.45.20/24', ))
    eth3 = EthernetInterface(name='ethernet1/3',
                             mode='layer3',
                             ip=('192.168.35.20/24', ))

    device.add(eth1)
    device.add(eth2)
    device.add(eth3)

    eth1.create()
    eth2.create()
    eth3.create()

    untrust = Zone(name='untrust', mode='layer3', interface=['ethernet1/1'])
    web = Zone(name='web', mode='layer3', interface=['ethernet1/2'])
    db = Zone(name='db', mode='layer3', interface=['ethernet1/3'])

    device.add(untrust)
    device.add(web)
    device.add(db)

    untrust.create()
    web.create()
    db.create()

    vr_default = VirtualRouter(
        name='default',
        interface=['ethernet1/1', 'ethernet1/2', 'ethernet1/3'])
    device.add(vr_default)
    vr_default.create()

    default_route = StaticRoute(name='default',
                                destination='0.0.0.0/0',
                                nexthop='192.168.55.2')
    vr_default.add(default_route)
    default_route.create()
コード例 #9
0
def main():
    argument_spec = dict(
        ip_address=dict(required=True),
        password=dict(no_log=True),
        username=dict(default='admin'),
        api_key=dict(no_log=True),
        operation=dict(default='add', choices=['add', 'update', 'delete']),
        state=dict(choices=['present', 'absent']),
        if_name=dict(required=True),
        mode=dict(default='layer3',
                  choices=[
                      'layer3', 'layer2', 'virtual-wire', 'tap', 'ha',
                      'decrypt-mirror', 'aggregate-group'
                  ]),
        ip=dict(type='list'),
        ipv6_enabled=dict(),
        management_profile=dict(),
        mtu=dict(),
        adjust_tcp_mss=dict(),
        netflow_profile=dict(),
        lldp_enabled=dict(),
        lldp_profile=dict(),
        netflow_profile_l2=dict(),
        link_speed=dict(),
        link_duplex=dict(),
        link_state=dict(),
        aggregate_group=dict(),
        comment=dict(),
        ipv4_mss_adjust=dict(),
        ipv6_mss_adjust=dict(),
        enable_dhcp=dict(type='bool', default=True),
        create_default_route=dict(type='bool', default=False),
        create_dhcp_default_route=dict(type='bool', default=False),
        dhcp_default_route_metric=dict(),
        dhcp_default_route=dict(type='str', default="no"),
        zone_name=dict(required=True),
        vr_name=dict(default='default'),
        vsys_dg=dict(default='vsys1'),
        commit=dict(type='bool', default=True),
    )
    module = AnsibleModule(argument_spec=argument_spec,
                           supports_check_mode=False,
                           required_one_of=[['api_key', 'password']])
    if not HAS_LIB:
        module.fail_json(msg='Missing required libraries.')

    # Get the firewall / panorama auth.
    auth = [
        module.params[x]
        for x in ('ip_address', 'username', 'password', 'api_key')
    ]

    # Get the object params.
    spec = {
        'name': module.params['if_name'],
        'mode': module.params['mode'],
        'ip': module.params['ip'],
        'ipv6_enabled': module.params['ipv6_enabled'],
        'management_profile': module.params['management_profile'],
        'mtu': module.params['mtu'],
        'adjust_tcp_mss': module.params['adjust_tcp_mss'],
        'netflow_profile': module.params['netflow_profile'],
        'lldp_enabled': module.params['lldp_enabled'],
        'lldp_profile': module.params['lldp_profile'],
        'netflow_profile_l2': module.params['netflow_profile_l2'],
        'link_speed': module.params['link_speed'],
        'link_duplex': module.params['link_duplex'],
        'link_state': module.params['link_state'],
        'aggregate_group': module.params['aggregate_group'],
        'comment': module.params['comment'],
        'ipv4_mss_adjust': module.params['ipv4_mss_adjust'],
        'ipv6_mss_adjust': module.params['ipv6_mss_adjust'],
        'enable_dhcp': module.params['enable_dhcp'] or None,
        'create_dhcp_default_route': module.params['create_default_route']
        or None,
        'dhcp_default_route_metric':
        module.params['dhcp_default_route_metric'],
    }

    # Get other info.
    enable_dhcp = module.params['enable_dhcp']
    operation = module.params['operation']
    state = module.params['state']
    zone_name = module.params['zone_name']
    vr_name = module.params['vr_name']
    vsys_dg = module.params['vsys_dg']
    commit = module.params['commit']
    dhcp_default_route = module.params['dhcp_default_route']
    management_profile = module.params['management_profile']
    if_name = module.params['if_name']

    dhcpe = (
        '<entry name="%s"><layer3><dhcp-client><enable>yes</enable><create-default-route>%s</create-default-route>'
        '</dhcp-client><interface-management-profile>%s</interface-management-profile></layer3></entry>'
        % (if_name, dhcp_default_route, management_profile))
    dhcpx = (
        "/config/devices/entry[@name='localhost.localdomain']/network/interface/ethernet/entry[@name='%s']"
        % (if_name))

    # Open the connection to the PANOS device.
    con = PanDevice.create_from_device(*auth)

    # Set vsys if firewall, device group if panorama.
    if hasattr(con, 'refresh_devices'):
        # Panorama
        # Normally we want to set the device group here, but there are no
        # interfaces on Panorama.  So if we're given a Panorama device, then
        # error out.
        '''
        groups = panorama.DeviceGroup.refreshall(con, add=False)
        for parent in groups:
            if parent.name == vsys_dg:
                con.add(parent)
                break
        else:
            module.fail_json(msg="'{0}' device group is not present".format(vsys_dg))
        '''
        module.fail_json(msg="Ethernet interfaces don't exist on Panorama")
    else:
        # Firewall
        # Normally we should set the vsys here, but since interfaces are
        # vsys importables, we'll use organize_into_vsys() to help find and
        # cleanup when the interface is imported into an undesired vsys.
        # con.vsys = vsys_dg
        pass

    # Retrieve the current config.
    try:
        interfaces = EthernetInterface.refreshall(con,
                                                  add=False,
                                                  name_only=True)
        zones = Zone.refreshall(con)
        routers = VirtualRouter.refreshall(con)
        vsys_list = Vsys.refreshall(con)
    except PanDeviceError:
        e = get_exception()
        module.fail_json(msg=e.message)

    # Build the object based on the user spec.
    eth = EthernetInterface(**spec)
    con.add(eth)

    # Which action should we take on the interface?
    changed = False
    if state == 'present':
        if eth.name in [x.name for x in interfaces]:
            i = EthernetInterface(eth.name)
            con.add(i)
            try:
                i.refresh()
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" refresh: {0}'.format(e))
            if not i.equal(eth, compare_children=False):
                eth.extend(i.children)
                try:
                    eth.apply()
                    changed = True
                except PanDeviceError as e:
                    module.fail_json(
                        msg='Failed "present" apply: {0}'.format(e))
        else:
            try:
                eth.create()
                changed = True
            except PanDeviceError as e:
                module.fail_json(msg='Failed "present" create: {0}'.format(e))
        try:
            changed |= set_zone(con, eth, zone_name, zones)
            changed |= set_virtual_router(con, eth, vr_name, routers)
            if enable_dhcp is True:
                con.xapi.edit(xpath=dhcpx, element=dhcpe)
        except PanDeviceError as e:
            module.fail_json(msg='Failed zone/vr assignment: {0}'.format(e))
    elif state == 'absent':
        try:
            changed |= set_zone(con, eth, None, zones)
            changed |= set_virtual_router(con, eth, None, routers)
        except PanDeviceError as e:
            module.fail_json(
                msg='Failed "absent" zone/vr cleanup: {0}'.format(e))
            changed = True
        if eth.name in [x.name for x in interfaces]:
            try:
                eth.delete()
                changed = True
            except PanDeviceError as e:
                module.fail_json(msg='Failed "absent" delete: {0}'.format(e))
    elif operation == 'delete':
        if eth.name not in [x.name for x in interfaces]:
            module.fail_json(
                msg='Interface {0} does not exist, and thus cannot be deleted'.
                format(eth.name))

        try:
            con.organize_into_vsys()
            set_zone(con, eth, None, zones)
            set_virtual_router(con, eth, None, routers)
            eth.delete()
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    elif operation == 'add':
        if eth.name in [x.name for x in interfaces]:
            module.fail_json(
                msg='Interface {0} is already present; use operation "update"'.
                format(eth.name))

        con.vsys = vsys_dg
        # Create the interface.
        try:
            eth.create()
            set_zone(con, eth, zone_name, zones)
            set_virtual_router(con, eth, vr_name, routers)
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    elif operation == 'update':
        if eth.name not in [x.name for x in interfaces]:
            module.fail_json(
                msg=
                'Interface {0} is not present; use operation "add" to create it'
                .format(eth.name))

        # If the interface is in the wrong vsys, remove it from the old vsys.
        try:
            con.organize_into_vsys()
        except PanDeviceError:
            e = get_exception()
            module.fail_json(msg=e.message)
        if eth.vsys != vsys_dg:
            try:
                eth.delete_import()
            except PanDeviceError:
                e = get_exception()
                module.fail_json(msg=e.message)

        # Move the ethernet object to the correct vsys.
        for vsys in vsys_list:
            if vsys.name == vsys_dg:
                vsys.add(eth)
                break
        else:
            module.fail_json(msg='Vsys {0} does not exist'.format(vsys))

        # Update the interface.
        try:
            eth.apply()
            set_zone(con, eth, zone_name, zones)
            set_virtual_router(con, eth, vr_name, routers)
            changed = True
        except (PanDeviceError, ValueError):
            e = get_exception()
            module.fail_json(msg=e.message)
    else:
        module.fail_json(msg="Unsupported operation '{0}'".format(operation))

    # Commit if we were asked to do so.
    if changed and commit:
        try:
            con.commit(sync=True, exceptions=True)
        except PanDeviceError:
            e = get_exception()
            module.fail_json(msg='Performed {0} but commit failed: {1}'.format(
                operation, e.message))

    # Done!
    module.exit_json(changed=changed, msg='okey dokey')