We have an existing PanOS firewall (with Panorama) that contains an obsolete IP range object. That object is used as a `source_ip` in several rules. I’d like to use Ansible to update those rules to remove the obsolete source IP, and eventually delete the object entirely.
We have been able to gather a dictionary of all the rules that use this obsolete source IP using state: gathered and gathered_filter. So far, so good.
But we are stuck on updating rules. We started with the simplest possible scenario - update a single rule. The docs for the panos_security_rule module offer two values for state that seem like they are meant to update existing rules - replaced and merged - but there are no examples for either one, and no explanation of the difference between them. There’s also no indication of which fields are required, or what happens to the rule if Ansible passes some fields but not others. Can we just pass the new source_ip value and leave everything else unchanged? Or do we have to pass all existing settings for the rule?
Can anyone point me to examples of tasks that update existing rules in a PanOS firewall? Or if there’s a better way to achieve what we are trying to do, point me in that direction?
In the interim we tried a different approach - we exported the entire contents of our test firewall as an XML document, changed the XML, then re-imported the entire document. This worked - the rules we wanted to change were updated and we were able to delete the obsolete object.
There was one surprise: one of the changed rules got ruletype: universal added to it in the test firewall, even though we did not add that to the XML.
We’ll try state replaced next to see how updating a subsection works, though we also want to have the contents of the firewall under source control, so I suspect we will use the all-rules approach in the long run.