We have an existing PanOS firewall (with Panorama) that contains an obsolete IP range object. That object is used as a 'source_ip` in several rules. I’d like to use Ansible to update those rules to remove the obsolete source IP, and eventually delete the object entirely.
We have been able to gather a dictionary of all the rules that use this obsolete source IP using state: gathered and gathered_filter. So far, so good.
But we are stuck on updating rules. We started with the simplest possible scenario - update a single rule. The docs for the panos_security_rule module offer two values for state that seem like they are meant to update existing rules - replaced and merged - but there are no examples for either one, and no explanation of the difference between them. There’s also no indication of which fields are required, or what happens to the rule if Ansible passes some fields but not others. Can we just pass the new source_ip value and leave everything else unchanged? Or do we have to pass all existing settings for the rule?
Can anyone point me to examples of tasks that update existing rules in a PanOS firewall? Or if there’s a better way to achieve what we are trying to do, point me in that direction?
Thanks,
Alicia