fix: Handle rule location

Author: adambaumeister

docs/user_guide/new_policy_creation.md

@@ -0,0 +1,37 @@
+# Automatic New Policy Creation
+
+When requests for access fall through and miss the preset policies, it is useful to be able to automate the policy 
+creation anyway to prevent duplication. 
+
+This repository includes handling for creating new policies by following this basic process:
+
+1. Resolve source/destination IP to zones
+2. Check the policy is actually required using `test security-policy match`
+3. Add the required objects 
+4. Add the security rule, using your specified location logic
+
+!!! warning
+    This automation does no computation of "rule location". You should either group your rules by specifying a rule
+    to add all automated rules below using the `default_location_rule_name` and `default_rule_location` variables.
+
+Without any changes, `add_policy.yml` will automatically add new policy and run through the zone resolution and test
+process.
+
+```shell
+ansible-playbook playbooks/orchestrator/lab_policy.yml
+```
+
+![img.png](run_lab_create_new_policy.png)
+
+## Zone resolution behavior
+
+When a new policy is necessary, Panorama is queried for all of the connected devices, then we run a FIB lookup on each,
+then take the outgoing interface and match it to a zone based on `show interface`.
+
+Because of this, we may resolve the one IP address to several zones.
+
+## Test behavior
+
+Before adding a new rule, we test the traffic based on the provided source/destination and application on each
+firewall connected to panorama. If the traffic is not already allowed, the creation will continue.
+

docs/user_guide/preset_policy.md

@@ -137,3 +137,16 @@ Run the `lab_policy.yml` playbook to deploy the policy.
 ```shell
 ansible-playbook playbooks/orchestrator/lab_policy.yml
 ```
+
+In this example, `lab_policy` will prompt for the SIP/DIP values and the application. In your environment, you may
+trigger this playbook (or another playbook for a different set of hosts) using EDA or any other system that can 
+populate these values.
+
+You will see the policy is matched and the relevant address groups updated.
+
+![img.png](run_lab_policy.png)
+
+## What next?
+
+So, what happens for policies that don't match any preset policies? Proceed to the [New Policy Creation](new_policy_creation.md)
+guide.

docs/user_guide/run_lab_create_new_policy.png

@@ -43,6 +43,7 @@ nav:
   - User Guide:
       - Introduction: user_guide/introduction.md
       - Preset Policy: user_guide/preset_policy.md
+      - New Policy Creation: user_guide/new_policy_creation.md
   - Changelog: CHANGELOG.md
 
 extra:

docs/user_guide/run_lab_policy.png

@@ -41,7 +41,7 @@
     description: "Auto-created address object"
     state: present
 
-- name: Create the SECURITY RULE
+- name: Create the SECURITY RULE positional
   paloaltonetworks.panos.panos_security_rule:
     provider: "{{ provider }}"
     device_group: "{{ device_group }}"
@@ -54,6 +54,25 @@
     destination_ip: ["{{ destination_ip }}"]
     application: ["{{ application }}"]
     action: "allow"
+    location: "{{ default_rule_location }}"
+    existing_rule: "{{ default_location_rule_name | default('') }}"
+  when: default_location_rule_name is defined
+
+- name: Create the SECURITY RULE default
+  paloaltonetworks.panos.panos_security_rule:
+    provider: "{{ provider }}"
+    device_group: "{{ device_group }}"
+    rule_name: "{{ rule_name }}"
+    description: "Created by automation at  {{ ansible_date_time.epoch }}"
+    tag_name: ["{{ tag }}"]
+    source_zone: "{{ source_zones }}"
+    source_ip: ["{{ source_ip }}"]
+    destination_zone: "{{ destination_zones }}"
+    destination_ip: ["{{ destination_ip }}"]
+    application: ["{{ application }}"]
+    action: "allow"
+    location: "{{ default_rule_location }}"
+  when: default_location_rule_name is not defined
 
 - name: Update facts
   set_fact: