def create_tunnel_interface(self, tunnel_name): """ Create a tunnel interface and associate it with a virtual router and security zone """ # Logically create the tunnel interface tunnel_ref = self.tunnel_interfaces.get(tunnel_name) tunnel_intf = network.TunnelInterface(tunnel_ref.name, comment=tunnel_ref.comment) self.fw_dev_hndl.add(tunnel_intf) # Retrieve the existing zones fw_zones = network.Zone(tunnel_ref.security_zone) self.fw_dev_hndl.add(fw_zones) fw_zones.refresh() zone_intfs = fw_zones.interface # Add interface to the zone zone_intfs.append(tunnel_ref.name) fw_zones.interface = zone_intfs # Retrieve the existing list of virtual routers fw_vrs = network.VirtualRouter(tunnel_ref.virtual_router) self.fw_dev_hndl.add(fw_vrs) fw_vrs.refresh() vr_intfs = fw_vrs.interface vr_intfs.append(tunnel_ref.name) fw_vrs.interface = vr_intfs # Push all the configs to the device tunnel_intf.create() fw_zones.apply() fw_vrs.apply()
def setup_state_obj(self, fw, state): state.obj = network.TunnelInterface( 'tunnel.{0}'.format(random.randint(20, 5000)), testlib.random_ip('/24'), mtu=random.randint(800, 1000), comment='Underground interface', ) fw.add(state.obj)
def create_dependencies(self, fw, state): state.ti = network.TunnelInterface( 'tunnel.{0}'.format(random.randint(5, 50)), ip=[testlib.random_ip(), testlib.random_ip()], ) fw.add(state.ti) state.lbi = network.LoopbackInterface( 'loopback.{0}'.format(random.randint(5, 20)), ip=[testlib.random_ip(), testlib.random_ip()], ) fw.add(state.lbi) state.ike_gw = network.IkeGateway( testlib.random_name(), auth_type='pre-shared-key', enable_dead_peer_detection=True, enable_liveness_check=True, enable_passive_mode=True, ikev2_crypto_profile='default', interface=state.lbi.name, liveness_check_interval=5, local_id_type='ipaddr', local_id_value=testlib.random_ip(), local_ip_address_type='ip', local_ip_address=state.lbi.ip[0], peer_ip_type='ip', peer_ip_value=testlib.random_ip(), pre_shared_key='secret', version='ikev2-preferred', ) fw.add(state.ike_gw) state.ti.create() state.lbi.create() state.ike_gw.create()
def config_builder(instanceList): global netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list netObj_ike_list, netObj_ipsec_list, netObj_tunInt_list, netObj_vr_list, netObj_zone_list = [], [], [], [], [] vrDict, zoneDict = {}, {} for item in instanceList: item = [i if i != '' else None for i in item[:]] netObj_tunInt = network.TunnelInterface() netObj_tunInt.name = item[0] netObj_tunInt.comment = item[1] netObj_tunInt.ip = item[2] netObj_tunInt.management_profile = item[3] netObj_tunInt_list.append(pan.add(netObj_tunInt)) if item[4] not in vrDict.keys(): vrDict[item[4]] = [] vrDict[item[4]].append(item[0]) if len(item[5]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[5], item[5][:31])) item[5] = item[5][:31] if item[5] not in zoneDict.keys(): zoneDict[item[5]] = [] zoneDict[item[5]].append(item[0]) if len(item[6]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[6], item[6][:31])) item[6] = item[6][:31] netObj_ike = network.IkeGateway() netObj_ike.name = item[6] netObj_ike.interface = item[7] netObj_ike.local_ip_address_type = 'ip' netObj_ike.local_ip_address = item[8] netObj_ike.peer_ip_type = item[9] if netObj_ike.peer_ip_type != 'dynamic': netObj_ike.peer_ip_value = item[10] netObj_ike.pre_shared_key = item[11] if item[12] is not None: temp_item = item[12].replace(': ', ':').split(':') netObj_ike.local_id_type = temp_item[0] netObj_ike.local_id_value = temp_item[1] if item[13] is not None: temp_item = item[13].replace(': ', ':').split(':') netObj_ike.peer_id_type = temp_item[0] netObj_ike.peer_id_value = temp_item[1] if item[14] is not None and item[14].lower() == 'true': netObj_ike.enable_passive_mode = True else: netObj_ike.enable_passive_mode = False if item[15] is not None and item[15].lower() == 'true': netObj_ike.enable_nat_traversal = True else: netObj_ike.enable_nat_traversal = False netObj_ike.ikev1_exchange_mode = item[16] netObj_ike.ikev1_crypto_profile = item[17] if item[18] is not None and item[18].lower() == 'true': netObj_ike.enable_fragmentation = True else: netObj_ike.enable_fragmentation = False if item[19] is None or item[19].lower() == 'true': netObj_ike.enable_dead_peer_detection = True elif item[19].lower() == 'false': netObj_ike.enable_dead_peer_detection = False else: temp_item = item[19].replace('; ', ';').split(';') netObj_ike.enable_dead_peer_detection = True netObj_ike.dead_peer_detection_interval = temp_item[0] netObj_ike.dead_peer_detection_retry = temp_item[1] netObj_ike_list.append(pan.add(netObj_ike)) if len(item[20]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[20], item[20][:31])) item[20] = item[20][:31] netObj_ipsec = network.IpsecTunnel() netObj_ipsec.name = item[20] netObj_ipsec.tunnel_interface = item[21] if len(item[22]) > 31: print('*' * 6 + ' Warning -- IKE-GW - {} name truncated to {} due to length restriction'.format(item[22], item[22][:31])) item[22] = item[22][:31] netObj_ipsec.ak_ike_gateway = item[22] if item[23] is None: item[23] = 'default' netObj_ipsec.ak_ipsec_crypto_profile = item[23] netObj_ipsec_list.append(pan.add(netObj_ipsec)) print('Building Config --- Tunnel-Int - {} // IKE-GW - {} // IPSec-Tunnel - {}'.format(netObj_tunInt.name, netObj_ike.name, netObj_ipsec.name)) for key, value in vrDict.items(): netObj_vr = network.VirtualRouter() netObj_vr.name = key netObj_vr.interface = value netObj_vr_list.append(pan.add(netObj_vr)) for key, value in zoneDict.items(): netObj_zone = network.Zone() netObj_zone.name = key netObj_zone.interface = value netObj_zone_list.append(pan.add(netObj_zone))
mgmt_int = network.EthernetInterface("ethernet1/2", \ mode = "layer3", \ ip = '{{ item.mgmt_gw }}') fw.add(mgmt_int) mgmt_int.create() print(mgmt_int) # creates tunnel interface for VPN to Knowhere tunnel_int = network.TunnelInterface("tunnel.100", \ ip = '{{ item.remote_p2p_ip }}', \ ipv6_enabled = False) fw.add(tunnel_int) tunnel_int.create() print(tunnel_int) #Creates trust_fwh_vpn secuirty zone vpn_zone = network.Zone("trust_fwh_vpn", \ mode = "layer3", \ interface = "tunnel.100")
def main(): argument_spec = dict( ip_address=dict(required=True), password=dict(no_log=True), username=dict(default='admin'), api_key=dict(no_log=True), operation=dict(default='add', choices=['add', 'update', 'delete']), if_name=dict(required=True), ip=dict(type='list'), ipv6_enabled=dict(type='list', required=False), management_profile=dict(), mtu=dict(), netflow_profile=dict(), comment=dict(), zone_name=dict(required=True), vr_name=dict(default='default'), vsys_dg=dict(default='vsys1'), commit=dict(type='bool', default=True), ) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, required_one_of=[['api_key', 'password']]) if not HAS_LIB: module.fail_json(msg='Missing required libraries.') # Get the firewall / panorama auth. auth = ( module.params['ip_address'], module.params['username'], module.params['password'], module.params['api_key'], ) # Get the object params. spec = { 'name': module.params['if_name'], 'ip': module.params['ip'], 'ipv6_enabled': module.params['ipv6_enabled'], 'management_profile': module.params['management_profile'], 'mtu': module.params['mtu'], 'netflow_profile': module.params['netflow_profile'], 'comment': module.params['comment'], } # Get other info. operation = module.params['operation'] zone_name = module.params['zone_name'] vr_name = module.params['vr_name'] vsys_dg = module.params['vsys_dg'] commit = module.params['commit'] # Open the connection to the PANOS device. con = base.PanDevice.create_from_device(*auth) # Set vsys if firewall, device group if panorama. if hasattr(con, 'refresh_devices'): # Panorama # Normally we want to set the device group here, but there are no # interfaces on Panorama. So if we're given a Panorama device, then # error out. ''' groups = panorama.DeviceGroup.refreshall(con, add=False) for parent in groups: if parent.name == vsys_dg: con.add(parent) break else: module.fail_json(msg="'{0}' device group is not present".format(vsys_dg)) ''' module.fail_json(msg="Ethernet interfaces don't exist on Panorama") else: # Firewall # Normally we should set the vsys here, but since interfaces are # vsys importables, we'll use organize_into_vsys() to help find and # cleanup when the interface is imported into an undesired vsys. # con.vsys = vsys_dg pass # Retrieve the current config. try: interfaces = network.TunnelInterface.refreshall(con, add=False, name_only=True) zones = network.Zone.refreshall(con) routers = network.VirtualRouter.refreshall(con) vsys_list = device.Vsys.refreshall(con) except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) # Build the object based on the user spec. tun = network.TunnelInterface(**spec) con.add(tun) # Which action should we take on the interface? if operation == 'delete': if tun.name not in [x.name for x in interfaces]: module.fail_json( msg='Interface {0} does not exist, and thus cannot be deleted'. format(tun.name)) try: con.organize_into_vsys() set_zone(con, tun, None, zones) set_virtual_router(con, tun, None, routers) tun.delete() except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) elif operation == 'add': if tun.name in [x.name for x in interfaces]: module.fail_json( msg='Interface {0} is already present; use operation "update"'. format(tun.name)) con.vsys = vsys_dg # Create the interface. try: tun.create() set_zone(con, tun, zone_name, zones) set_virtual_router(con, tun, vr_name, routers) except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) elif operation == 'update': if tun.name not in [x.name for x in interfaces]: module.fail_json( msg= 'Interface {0} is not present; use operation "add" to create it' .format(tun.name)) # If the interface is in the wrong vsys, remove it from the old vsys. try: con.organize_into_vsys() except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) if tun.vsys != vsys_dg: try: tun.delete_import() except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) # Move the ethernet object to the correct vsys. for vsys in vsys_list: if vsys.name == vsys_dg: vsys.add(tun) break else: module.fail_json(msg='Vsys {0} does not exist'.format(vsys)) # Update the interface. try: tun.apply() set_zone(con, tun, zone_name, zones) set_virtual_router(con, tun, vr_name, routers) except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) else: module.fail_json(msg="Unsupported operation '{0}'".format(operation)) # Commit if we were asked to do so. #if commit: # try: # con.commit(sync=True, exceptions=True) # except errors.PanDeviceError: # e = get_exception() # module.fail_json(msg='Performed {0} but commit failed: {1}'.format(operation, e.message)) # Done! module.exit_json(changed=True, msg='okey dokey')
def main(): argument_spec = dict( ip_address=dict(required=True), password=dict(no_log=True), username=dict(default='admin'), api_key=dict(no_log=True), state=dict(default='present', choices=['present', 'absent']), if_name=dict(required=True), ip=dict(type='list'), ipv6_enabled=dict(type='bool'), management_profile=dict(), mtu=dict(type='int'), netflow_profile=dict(), comment=dict(), zone_name=dict(default=None), vr_name=dict(default=None), vsys_dg=dict(default='vsys1'), commit=dict(type='bool', default=True), ) module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False, required_one_of=[['api_key', 'password']]) if not HAS_LIB: module.fail_json(msg='Missing required libraries.') # Get the firewall / panorama auth. auth = ( module.params['ip_address'], module.params['username'], module.params['password'], module.params['api_key'], ) # Get the object params. spec = { 'name': module.params['if_name'], 'ip': module.params['ip'], 'ipv6_enabled': module.params['ipv6_enabled'], 'management_profile': module.params['management_profile'], 'mtu': module.params['mtu'], 'netflow_profile': module.params['netflow_profile'], 'comment': module.params['comment'], } # Get other info. # operation = module.params['operation'] state = module.params['state'] zone_name = module.params['zone_name'] vr_name = module.params['vr_name'] vsys_dg = module.params['vsys_dg'] commit = module.params['commit'] # Open the connection to the PANOS device. con = base.PanDevice.create_from_device(*auth) # Set vsys if firewall, device group if panorama. parent = con if hasattr(con, 'refresh_devices'): # Panorama # Normally we want to set the device group here, but there are no # interfaces on Panorama. So if we're given a Panorama device, then # error out. ''' groups = panorama.DeviceGroup.refreshall(con, add=False) for parent in groups: if parent.name == vsys_dg: con.add(parent) break else: module.fail_json(msg="'{0}' device group is not present".format(vsys_dg)) ''' module.fail_json(msg="tunnel interfaces don't exist on Panorama") # Retrieve the current config. try: interfaces = network.TunnelInterface.refreshall(con, add=False, name_only=True) zones = network.Zone.refreshall(con) routers = network.VirtualRouter.refreshall(con) vsys_list = device.Vsys.refreshall(con) except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) # Build the object based on the user spec. iface = network.TunnelInterface(**spec) con.add(iface) if state == 'present': if iface.name not in [x.name for x in interfaces]: # Create the interface. try: iface.create() set_zone(con, iface, zone_name, zones) set_virtual_router(con, iface, vr_name, routers) except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) else: # Update the interface. try: con.organize_into_vsys() except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) if iface.vsys != vsys_dg: try: iface.delete_import() except errors.PanDeviceError: e = get_exception() module.fail_json(msg=e.message) # Move the tunnel object to the correct vsys. for vsys in vsys_list: if vsys.name == vsys_dg: vsys.add(iface) break else: module.fail_json(msg='Vsys {0} does not exist'.format(vsys)) # Update the interface. try: iface.apply() set_zone(con, iface, zone_name, zones) set_virtual_router(con, iface, vr_name, routers) except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) elif state == 'absent': if iface.name in [x.name for x in interfaces]: try: con.organize_into_vsys() set_zone(con, iface, None, zones) set_virtual_router(con, iface, None, routers) iface.delete() except (errors.PanDeviceError, ValueError): e = get_exception() module.fail_json(msg=e.message) if commit: try: con.commit(sync=True) except errors.PanDeviceError: e = get_exception() module.fail_json(msg='Performed {0} but commit failed: {1}'.format( state, e.message)) # Done! module.exit_json(changed=True, msg='Done')