Vulnerability Protection Profile Information Object

Overview

The vulnerability_protection_profile_info Ansible module provides functionality to gather information about Vulnerability Protection Profile objects in Palo Alto Networks' Strata Cloud Manager (SCM). This is an info module that allows fetching details about specific profiles or listing profiles with various filtering options.

Core Methods

| Method | Description | Parameters | Return Type |
|--------|-------------|------------|-------------|
| fetch() | Gets a specific profile by name | name: str, container: str | VulnerabilityProtectionProfileResponseModel |
| list() | Lists profiles with filtering | folder: str, **filters | List[VulnerabilityProtectionProfileResponseModel] |

Vulnerability Protection Profile Info Parameters

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| name | str | No | Name of a specific vulnerability protection profile to retrieve |
| gather_subset | list | No | Determines which information to gather (default: config) |
| folder | str | One container* | Filter profiles by folder container |
| snippet | str | One container* | Filter profiles by snippet container |
| device | str | One container* | Filter profiles by device container |
| exact_match | bool | No | When True, only return objects defined exactly in the specified container |
| exclude_folders | list | No | List of folder names to exclude from results |
| exclude_snippets | list | No | List of snippet values to exclude from results |
| exclude_devices | list | No | List of device values to exclude from results |
| severity | list | No | Filter by severity levels in rules |
| category | list | No | Filter by vulnerability category in rules |
| host | list | No | Filter by host type in rules |
| cve | list | No | Filter by CVE IDs in rules |

*One container parameter is required when name is not specified.

Exceptions

| Exception | Description |
|-----------|-------------|
| InvalidObjectError | Invalid request data or format |
| MissingQueryParameterError | Missing required parameters |
| ObjectNotPresentError | Profile not found |
| AuthenticationError | Authentication failed |
| ServerError | Internal server error |

Basic Configuration

The Vulnerability Protection Profile Info module requires proper authentication credentials to access the Strata Cloud Manager API.

- name: Basic Vulnerability Protection Profile Info Configuration
  hosts: localhost
  gather_facts: false
  vars:
    provider:
      client_id: "your_client_id"
      client_secret: "your_client_secret"
      tsg_id: "your_tsg_id"
      log_level: "INFO"
  tasks:
    - name: Get information about vulnerability protection profiles
      cdot65.scm.vulnerability_protection_profile_info:
        provider: "{{ provider }}"
        folder: "Shared"
      register: profiles_result

    - name: Display retrieved vulnerability protection profiles
      debug:
        var: profiles_result

Usage Examples

Getting Information about a Specific Vulnerability Protection Profile

Retrieve details about a specific vulnerability protection profile by name and container.

- name: Get information about a specific vulnerability protection profile
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    name: "Critical-Vulnerabilities"
    folder: "Texas"
  register: profile_info

- name: Display vulnerability protection profile information
  debug:
    var: profile_info.vulnerability_protection_profile

- name: Check if profile has Critical RCE rules
  debug:
    msg: "Profile contains rules for Remote Code Execution"
  when: >
    profile_info.vulnerability_protection_profile.rules is defined and
    profile_info.vulnerability_protection_profile.rules | selectattr('category', 'equalto', 'remote-code-execution') | list | length > 0

Listing All Vulnerability Protection Profiles in a Folder

List all vulnerability protection profiles in a specific folder.

- name: List all vulnerability protection profiles in a folder
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    folder: "Texas"
  register: all_profiles

- name: Display all vulnerability protection profiles
  debug:
    var: all_profiles.vulnerability_protection_profiles

- name: Display count of vulnerability protection profiles
  debug:
    msg: "Found {{ all_profiles.vulnerability_protection_profiles | length }} vulnerability protection profiles"

- name: List names of all vulnerability protection profiles
  debug:
    msg: "{{ all_profiles.vulnerability_protection_profiles | map(attribute='name') | list }}"

Using Advanced Filtering Options

Use advanced filtering options to refine your query results.

- name: List profiles for critical severity vulnerabilities
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    folder: "Texas"
    severity: [ "critical" ]
  register: critical_profiles

- name: Process critical profiles
  debug:
    msg: "Critical profile: {{ item.name }}"
  loop: "{{ critical_profiles.vulnerability_protection_profiles }}"

- name: List profiles with filtering by specific CVE
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    folder: "Texas"
    cve: [ "CVE-2021-44228" ]
  register: cve_profiles

- name: Filter vulnerability protection profiles by category
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    folder: "Texas"
    category: [ "sql-injection" ]
  register: category_result

- name: List profiles with exact match and exclusions
  cdot65.scm.vulnerability_protection_profile_info:
    provider: "{{ provider }}"
    folder: "Texas"
    exact_match: true
    exclude_folders: [ "All" ]
    exclude_snippets: [ "default" ]
  register: filtered_profiles
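
The filters above can be combined into a coverage audit. The tasks below are an added example, not part of the collection's own documentation: they list every profile defined directly in a folder, list the subset returned by the severity filter, and fail the play if any profile falls outside that subset. They assume the `provider` variable from Basic Configuration and that the severity filter returns only profiles with at least one matching rule; `audit_folder` and `uncovered_profiles` are names introduced for this example.

```yaml
- name: Audit critical-severity coverage of vulnerability protection profiles
  vars:
    audit_folder: "Texas"   # assumption: the folder under audit
  block:
    - name: List every profile defined directly in the folder
      cdot65.scm.vulnerability_protection_profile_info:
        provider: "{{ provider }}"
        folder: "{{ audit_folder }}"
        exact_match: true
      register: all_profiles

    - name: List profiles in the same folder matched by the critical severity filter
      cdot65.scm.vulnerability_protection_profile_info:
        provider: "{{ provider }}"
        folder: "{{ audit_folder }}"
        exact_match: true
        severity: ["critical"]
      register: critical_profiles

    # Set difference on profile names: everything listed minus everything
    # the severity filter returned.
    - name: Compute profiles with no critical-severity rules
      ansible.builtin.set_fact:
        uncovered_profiles: >-
          {{ all_profiles.vulnerability_protection_profiles
             | map(attribute='name') | list
             | difference(critical_profiles.vulnerability_protection_profiles
                          | map(attribute='name') | list) }}

    # An empty folder is treated as a failure so that a wrong folder name
    # or a scoping mistake cannot pass the audit silently.
    - name: Fail the audit when the folder is empty or a profile lacks coverage
      ansible.builtin.assert:
        that:
          - all_profiles.vulnerability_protection_profiles | length > 0
          - uncovered_profiles | length == 0
        fail_msg: >-
          Profiles in {{ audit_folder }} without critical-severity rules:
          {{ uncovered_profiles | join(', ') | default('none listed', true) }}
        success_msg: "All profiles in {{ audit_folder }} matched the critical severity filter"
```

If a profile's rules rely on a catch-all severity value rather than listing critical explicitly, confirm how the filter treats them before relying on this audit as a gate.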

Managing Configuration Changes

As an info module, vulnerability_protection_profile_info does not make any configuration changes. However, you can use the information it retrieves to make decisions about other configuration operations.

- name: Use vulnerability profile information for security rule configuration
  block:
    - name: Get vulnerability protection profiles for critical severity
      cdot65.scm.vulnerability_protection_profile_info:
        provider: "{{ provider }}"
        folder: "Texas"
        severity: [ "critical" ]
      register: critical_profiles

    - name: Create security profile group with critical vulnerability profiles
      cdot65.scm.security_profiles_group:
        provider: "{{ provider }}"
        name: "Critical-Security-Group"
        folder: "Texas"
        vulnerability_protection_profile: "{{ critical_profiles.vulnerability_protection_profiles[0].name }}"
        description: "Security profile group with critical vulnerability protection"
        state: "present"
      when: critical_profiles.vulnerability_protection_profiles | length > 0

Error Handling

It's important to handle potential errors when retrieving information about vulnerability protection profiles.

- name: Get information about vulnerability protection profiles with error handling
  block:
    - name: Try to retrieve information about a vulnerability protection profile
      cdot65.scm.vulnerability_protection_profile_info:
        provider: "{{ provider }}"
        name: "Critical-Vulnerabilities"
        folder: "Texas"
      register: info_result

    - name: Display vulnerability protection profile information
      debug:
        var: info_result.vulnerability_protection_profile

  rescue:
    - name: Handle errors
      debug:
        msg: "Failed to retrieve vulnerability protection profile information: {{ ansible_failed_result.msg }}"

    - name: Check if it's a 'not found' error
      debug:
        msg: "The specified vulnerability protection profile does not exist, creating it..."
      when: "'not found' in ansible_failed_result.msg"

Best Practices

Efficient Querying

  • Use specific filters to reduce API load and improve performance
  • When looking for a specific profile, use the name parameter instead of filtering results
  • Use container parameters consistently across queries
  • Structure queries to minimize the number of API calls
  • Document common query patterns for reuse

Result Processing

  • Always register the module output to a variable for later use
  • Check if the expected data is present before processing it
  • Use appropriate Ansible filters and tests when processing complex nested structures
  • Create reusable tasks for common processing patterns
  • Consider using set_fact for intermediate data transformation

Filter Usage

  • Use exact_match when you only want profiles defined directly in the specified container
  • Use exclusion filters to refine results without overcomplicating queries
  • Combine multiple filters for more precise results
  • Test filter combinations to ensure they return the expected results
  • Document filter combinations for complex scenarios

Error Handling

  • Use block/rescue sections to handle potential errors
  • Verify that the profiles exist before attempting operations on them
  • Provide meaningful error messages for troubleshooting
  • Create recovery paths for common error scenarios
  • Log errors with sufficient context for later analysis

Integration with Other Modules

  • Use the info module to check for existing profiles before creating new ones
  • Combine with the vulnerability_protection_profile module for complete profile management
  • Use the retrieved information to make decisions in your playbooks
  • Build helper roles for common vulnerability management tasks
  • Create workflows that combine multiple modules for end-to-end processes

Performance Considerations

  • Cache results when making multiple queries for the same information
  • Limit the data retrieved to only what's needed for your task
  • Consider batching operations when processing multiple profiles
  • Structure playbooks to minimize redundant queries
  • Use gather_subset parameter to limit data retrieval to necessary fields