PaloAltoNetworks · adambaumeister · Jan 30, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
         run: |
           cd ansible_collections/paloaltonetworks/panos_policy_automation
           ls -l
-          ansible-lint . --offline
+          ansible-lint --profile production
 
       - name: Ansible Sanity Tests
         run: |

diff --git a/.github/workflows/release_to_galaxy.yml b/.github/workflows/release_to_galaxy.yml
@@ -43,7 +43,7 @@ jobs:
           git config --global user.name 'Github Actions Release Pipeline'
           git config --global user.email 'githubactions@users.noreply.github.com'
           git commit -am "chore: Update Ansible Galaxy file [skip ci]"
-          git push
+          git push origin HEAD:master
         # This can fail in cases where CI is being re-run but we've already bumped the version, so allow it to fail.
         continue-on-error: true
 

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 ![GitHub Release](https://img.shields.io/github/v/release/adambaumeister/ansible_panos_policy_orchestration)
 ![Github Pages](https://img.shields.io/badge/github-pages-black?logo=githubpages&link=https%3A%2F%2Fadambaumeister.github.io%2Fansible_panos_policy_orchestration%2F)
 
-Docs: https://paloaltonetworks.github.io/ansible_panos_policy_orchestration/
+[Documentation](https://paloaltonetworks.github.io/ansible_panos_policy_orchestration/)
 
 This repository provides a framework and a philosophy for creating PAN-OS security policies
 via Automation.
@@ -125,36 +125,10 @@ policy_creation_policy_files:
   - example_outbound_policy_file.yml  # <---- Note we included your "policy file" here!
 ```
 
-### Create your playbook and include the role
-
-```yaml
----
-- hosts: lab # <---- Replace this with your group 
-  connection: local
-  gather_facts: false
-  name: Test the Lookup Policy playbook
-
-  vars:
-    provider:
-      ip_address: "{{ ansible_host }}"
-      username: "{{ lookup('env', 'PAN_USERNAME') }}"
-      password: "{{ lookup('env', 'PAN_PASSWORD') }}"
-
-  roles:
-    - paloaltonetworks.panos_policy_automation.policy_creation # Note the included role
-
-  tasks:
-    - name: Print the results
-      ansible.builtin.debug:
-        msg: "{{ policy_creation_security_policy_match_result }}"
-```
-
-### Execute the playbook
-
 Note, replace the playbook and vars file names with your versions.
 
 ```shell
-ansible-playbook your_playbook.yml -i inventory.yml --extra-vars=@vars_file.yml
+ansible-playbook -i inventory.yml --extra-vars=@./policy_file.yml paloaltonetworks.panos_policy_automation.examples.create_policy
 ```
 
 ## Use Cases

diff --git a/docs/index.md b/docs/index.md
@@ -123,7 +123,7 @@ policy_creation_policy_files:
   tasks:
     - name: Print the results
       ansible.builtin.debug:
-        msg: "{{ policy_creation_security_policy_match_result }}"
+        msg: "{{ lookup_policy_security_policy_match_result }}"
 ```
 
 ### Execute the playbook

diff --git a/docs/reference/add_application_to_preset_group.md b/docs/reference/add_application_to_preset_group.md
@@ -22,7 +22,7 @@ flowchart TD
 
 | Variable | Description |
 |----------|-------------|
-| `policy_creation_application` | The application to add to the group |
+| `lookup_policy_application` | The application to add to the group |
 | `application_group` | The name of the application group to update |
 | `policy_creation_device_group` | The device group where the application group exists |
 | `provider` | PAN-OS connection details (ip_address, username, password) |
@@ -48,7 +48,7 @@ This returns the existing `value` list of member applications.
 ### Adding New Member
 The application is **prepended** to the existing list:
 ```yaml
-value: "{{ [policy_creation_application] + existing_applications }}"
+value: "{{ [lookup_policy_application] + existing_applications }}"
 ```
 
 This places the new application at the beginning of the group's member list.
@@ -75,7 +75,7 @@ This file is included from `main.yml` when preset policies match:
     file: preset/add_application_to_preset_group.yml
   when:
     - application_group is defined
-    - policy_creation_application is defined
+    - lookup_policy_application is defined
 ```
 
 ## Preset Policy Integration
@@ -92,7 +92,7 @@ Example preset policy task:
     policy_creation_policy_match: true
     application_group: "api-applications"
   when:
-    - policy_creation_application is match(".*-api")
+    - lookup_policy_application is match(".*-api")
 ```
 
 ## Output Display
@@ -157,7 +157,7 @@ The task is **partially idempotent**:
 - ⚠️ Consider adding duplicate detection:
 
 ```yaml
-when: policy_creation_application not in policy_creation_existing_group.gathered.value
+when: lookup_policy_application not in policy_creation_existing_group.gathered.value
 ```
 
 ## Prerequisites

diff --git a/docs/reference/create_policy.md b/docs/reference/create_policy.md
@@ -32,15 +32,15 @@ flowchart TD
 |----------|-------------|
 | `policy_creation_source_ip` | Source IP address or CIDR block |
 | `policy_creation_destination_ip` | Destination IP address or CIDR block |
-| `policy_creation_application` | Application name for the rule |
+| `lookup_policy_application` | Application name for the rule |
 | `provider` | PAN-OS connection details (ip_address, username, password) |
 
 ## Optional Variables
 
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `policy_creation_source_zones` | Source zones | `['any']` |
-| `policy_creation_destination_zones` | Destination zones | `['any']` |
+| `policy_creation__security_matches_existing_policy` | Destination zones | `['any']` |
 | `policy_creation_tag` | Policy tag | `default_new_policy_tag` |
 | `policy_creation_device_group` | Target device group | `default_new_policy_device_group` |
 | `default_rule_location` | Rule placement (before/after) | N/A |
@@ -153,7 +153,7 @@ This file is included from `main.yml`:
       ansible.builtin.set_fact:
         policy_creation_config_changed: true
   when:
-    - not policy_creation_security_matches_existing_policy
+    - not lookup_policy_security_matches_existing_policy
 ```
 
 Only runs when:

diff --git a/docs/reference/get_zone_by_ip.md b/docs/reference/get_zone_by_ip.md
@@ -37,14 +37,14 @@ flowchart TD
 
 | Variable | Description |
 |----------|-------------|
-| `policy_creation__show_route` | List to accumulate routing table results (persists across loop iterations) |
-| `policy_creation__show_route_result` | Raw result from the routing table command |
-| `policy_creation__show_route_result_dict` | Parsed JSON dictionary of routing table |
-| `policy_creation__virtual_routers` | List of all virtual routers found in the routing table |
-| `policy_creation__test_routing_result` | Results from FIB lookup tests on each virtual router |
-| `policy_creation_interface_list` | List of outbound interfaces for the target IP |
-| `policy_creation__show_interfaces_result` | Raw result from show interface all command |
-| `policy_creation_destination_zones` | List of zones associated with the target IP (accumulated across devices) |
+| `lookup_policy__show_route` | List to accumulate routing table results (persists across loop iterations) |
+| `lookup_policy__show_route_result` | Raw result from the routing table command |
+| `lookup_policy__show_route_result_dict` | Parsed JSON dictionary of routing table |
+| `lookup_policy__virtual_routers` | List of all virtual routers found in the routing table |
+| `lookup_policy__test_routing_result` | Results from FIB lookup tests on each virtual router |
+| `lookup_policy_interface_list` | List of outbound interfaces for the target IP |
+| `lookup_policy__show_interfaces_result` | Raw result from show interface all command |
+| `lookup_policy__destination_zones` | List of zones associated with the target IP (accumulated across devices) |
 
 ## Dependencies
 
@@ -94,7 +94,7 @@ This determines which interface would be used to route traffic to the target IP.
 1. **Routing Analysis** - Determines outbound interface(s) via FIB lookup
 2. **Interface Query** - Gets all interface configurations with `show interface all`
 3. **Zone Mapping** - Matches interface names to their assigned zones
-4. **Accumulation** - Adds zones to `policy_creation_destination_zones` list
+4. **Accumulation** - Adds zones to `lookup_policy__destination_zones` list
 
 ## Important Behavior
 
@@ -105,12 +105,12 @@ This determines which interface would be used to route traffic to the target IP.
 ### Multiple Devices
 - When called in a loop across multiple devices, zones are accumulated
 - A single IP may resolve to different zones on different firewalls
-- The `policy_creation_destination_zones` variable grows with each device iteration
+- The `lookup_policy__destination_zones` variable grows with each device iteration
 
 ### Zone List Accumulation
 The zones are accumulated using this pattern:
 ```yaml
-policy_creation_destination_zones | default([]) + [new_zones] | default([])
+lookup_policy__destination_zones | default([]) + [new_zones] | default([])
 ```
 This ensures zones from multiple devices are combined into a single list.
 
@@ -124,16 +124,16 @@ This file is included from `lookup_policy.yml`:
     file: get_zone_by_ip.yml
   vars:
     _target_ip: "{{ policy_creation_destination_ip }}"
-  with_items: "{{ policy_creation___device_list }}"
+  with_items: "{{ lookup_policy__device_list }}"
   when:
-    - not policy_creation_security_matches_existing_policy
+    - not lookup_policy_security_matches_existing_policy
 ```
 
 Key points:
 - Only runs when no existing policy matches
 - Runs once per device in the device list
 - The `_target_ip` variable is set to the destination IP
-- Results accumulate in `policy_creation_destination_zones`
+- Results accumulate in `lookup_policy__destination_zones`
 
 ## Example Scenario
 
@@ -144,7 +144,7 @@ Given:
 - Firewall 2: Routes via interface `ethernet1/2` in zone `internet`
 
 Result:
-- `policy_creation_destination_zones` = `['untrust', 'internet']`
+- `lookup_policy__destination_zones` = `['untrust', 'internet']`
 
 ## Performance Notes
 

diff --git a/docs/reference/lookup_policy.md b/docs/reference/lookup_policy.md
@@ -34,9 +34,9 @@ flowchart TD
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `policy_creation_destination_port` | Destination port for testing | `443` |
-| `policy_creation_protocol` | IP protocol number (6=TCP, 17=UDP) | `6` |
-| `policy_creation_application` | Application for testing | `ssl` |
+| `lookup_policy_destination_port` | Destination port for testing | `443` |
+| `lookup_policy_protocol` | IP protocol number (6=TCP, 17=UDP) | `6` |
+| `lookup_policy_application` | Application for testing | `ssl` |
 | `policy_creation_device_group` | Target device group | N/A |
 | `default_new_policy_device_group` | Fallback device group | N/A |
 | `default_test_policy_serial_number` | Specific firewall serial for testing | N/A |
@@ -45,12 +45,12 @@ flowchart TD
 
 | Variable | Description |
 |----------|-------------|
-| `_policy_creation_device_group` | Internal variable for the operating device group |
-| `policy_creation__show_devices_output` | Raw output from `show devices connected` command |
-| `policy_creation__show_devices_output_dict` | Parsed JSON dictionary of connected devices |
-| `policy_creation___device_list` | List of devices to test against |
-| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic is already permitted |
-| `policy_creation_destination_zones` | List of calculated destination zones |
+| `lookup_policy__device_group` | Internal variable for the operating device group |
+| `lookup_policy__show_devices_output` | Raw output from `show devices connected` command |
+| `lookup_policy__show_devices_output_dict` | Parsed JSON dictionary of connected devices |
+| `lookup_policy__device_list` | List of devices to test against |
+| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic is already permitted |
+| `lookup_policy__destination_zones` | List of calculated destination zones |
 
 ## Dependencies
 
@@ -73,7 +73,7 @@ flowchart TD
   - Improves performance in large environments
 
 ### Zone Calculation
-- Only runs if `policy_creation_security_matches_existing_policy` is false
+- Only runs if `lookup_policy_security_matches_existing_policy` is false
 - Determines destination zones by:
   - Getting routing table from each device
   - Running FIB lookup for the destination IP

diff --git a/docs/reference/policy_creation_role.md b/docs/reference/policy_creation_role.md
@@ -37,8 +37,8 @@ See [argument_specs.yml](../../roles/policy_creation/meta/argument_specs.yml) fo
 | `source_user` | str | N/A | Source user for the new policy |
 | `policy_creation_source_ip` | str | N/A | Source IP address or CIDR block |
 | `policy_creation_destination_ip` | str | N/A | Destination IP address or CIDR block |
-| `policy_creation_application` | str | `ssl` | PAN-OS compatible application name |
-| `policy_creation_destination_port` | str | `443` | TCP or UDP port used by the traffic |
+| `lookup_policy_application` | str | `ssl` | PAN-OS compatible application name |
+| `lookup_policy_destination_port` | str | `443` | TCP or UDP port used by the traffic |
 
 ### Common Additional Variables
 
@@ -60,7 +60,7 @@ These variables are commonly used but not defined in argument_specs (referenced
 |----------|-------------|
 | `policy_creation_config_changed` | Boolean indicating if any configuration changes were made |
 | `policy_creation_policy_match` | Boolean indicating if a preset policy matched |
-| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic is already permitted |
+| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic is already permitted |
 
 ## Task File Reference
 
@@ -106,8 +106,8 @@ The role is organized into several task files, each handling specific functional
           - preset_policies/webserver_outbound.yml
         policy_creation_source_ip: "10.1.1.5/32"
         policy_creation_destination_ip: "8.8.8.8/32"
-        policy_creation_application: "dns"
-        policy_creation_destination_port: "53"
+        lookup_policy_application: "dns"
+        lookup_policy_destination_port: "53"
         provider:
           ip_address: "{{ panorama_ip }}"
           username: "{{ panorama_username }}"

diff --git a/docs/reference/security_policy_match.md b/docs/reference/security_policy_match.md
@@ -35,15 +35,15 @@ flowchart TD
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `policy_creation_application` | Application to test | `ssl` |
+| `lookup_policy_application` | Application to test | `ssl` |
 
 ## Generated Variables
 
 | Variable | Description |
 |----------|-------------|
-| `policy_creation_test_xml` | XML command for the security-policy-match test |
-| `policy_creation_security_policy_match_result` | Raw result from the panos_op command |
-| `policy_creation_security_matches_existing_policy` | Boolean indicating if traffic matches an existing policy |
+| `lookup_policy_test_xml` | XML command for the security-policy-match test |
+| `lookup_policy_security_policy_match_result` | Raw result from the panos_op command |
+| `lookup_policy_security_matches_existing_policy` | Boolean indicating if traffic matches an existing policy |
 
 ## Test XML Format
 
@@ -97,7 +97,7 @@ This file is included from `lookup_policy.yml` in a loop:
 - name: Test the security policy - determines if a new policy is needed
   ansible.builtin.include_tasks:
     file: security_policy_match.yml
-  with_items: "{{ policy_creation___device_list }}"
+  with_items: "{{ lookup_policy__device_list }}"
 ```
 
 Each iteration tests against a different firewall serial number from the device list.
@@ -108,7 +108,7 @@ Each iteration tests against a different firewall serial number from the device
 - Line 9 contains a typo: `policy_creation_sourcce_ip` (should be `policy_creation_source_ip`)
   - This may cause the source IP to be undefined in the test
 - Protocol and port are hardcoded rather than using role variables
-  - Does not respect `policy_creation_protocol` or `policy_creation_destination_port`
+  - Does not respect `lookup_policy_protocol` or `lookup_policy_destination_port`
 
 ### Behavior
 - Tests are executed against individual firewalls using their serial numbers

diff --git a/docs/user_guide/playbook_variables.md b/docs/user_guide/playbook_variables.md
@@ -21,11 +21,11 @@
 - Default: `ssl`
 - Example: `ssh`, `dns`, `web-browsing`
 
-**`policy_creation_destination_port`** - Destination port number
+**`lookup_policy_destination_port`** - Destination port number
 - Default: `443`
 - Example: `22`, `53`, `80`
 
-**`policy_creation_protocol`** - IP protocol number
+**`lookup_policy_protocol`** - IP protocol number
 - Default: `6` (TCP)
 - Example: `17` (UDP), `1` (ICMP)
 

diff --git a/docs/user_guide/preset_policy.md b/docs/user_guide/preset_policy.md
@@ -100,7 +100,7 @@ at runtime.
     policy_match: true # Set the fact that we did match a policy
     policy_creation_source_address_group: PRESET_JUMPHOST_INBOUND_SOURCE # In this case, the policy preset is an address_group type
     policy_creation_destination_address_group: PRESET_JUMPHOST_INBOUND_DESTINATION # In this case, the policy preset is an address_group type
-    policy_creation_application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy.
+    lookup_policy_application_group: PRESET_JUMPHOST_APPS # If an application is passed, we should also include it in the policy.
     policy_creation_device_group: Lab # Finally, we set the device group!
   when:
     - policy_creation_source_ip is defined
@@ -133,7 +133,7 @@ in the one file - it's up to you!
       password: "{{ lookup('env', 'PAN_PASSWORD') }}"
     policy_creation_source_ip: 8.8.8.8
     policy_creation_destination_ip: 10.10.11.5
-    policy_creation_application: ssh
+    lookup_policy_application: ssh
     policy_creation_policy_files:
       - ssh_jumpserver_inbound_access.yml # <---- Replace with the path to your policy file, or files
 
@@ -143,7 +143,7 @@ in the one file - it's up to you!
   tasks:
     - name: Print the results
       ansible.builtin.debug:
-        msg: "{{ policy_creation_security_policy_match_result }}"
+        msg: "{{ lookup_policy_security_policy_match_result }}"
 ```
 
 ```shell

diff --git a/example_outbound_policy_file.yml b/example_outbound_policy_file.yml
@@ -5,7 +5,7 @@
   ansible.builtin.set_fact:
     policy_creation_policy_match: true # Set the fact that we did match a policy
     policy_creation_source_address_group: PRESET_LAB_TRUSTED_OUTBOUND # In this case, the policy preset is an address_group type
-    policy_creation_application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy.
+    application_group: PRESET_LAB_TRUSTED_OUTBOUND # If an application is passed, we should also include it in the policy.
     policy_creation_device_group: Lab # Finally, we set the device group!
   when:
     - policy_creation_source_ip is defined

diff --git a/example_playbook.yml b/example_playbook.yml
@@ -16,4 +16,4 @@
   tasks:
     - name: Print the results
       ansible.builtin.debug:
-        msg: "{{ policy_creation_security_policy_match_result }}"
+        msg: "{{ lookup_policy_security_policy_match_result }}"
diff --git a/example_vars_file_add_new.yml b/example_vars_file_add_new.yml
@@ -1,7 +1,7 @@
 ---
 policy_creation_source_ip: 110.33.122.75
 policy_creation_destination_ip: 10.10.10.5
-policy_creation_application: ssh
+lookup_policy_application: ssh
 policy_creation_policy_files:
   - example_outbound_policy_file.yml
   - example_web_to_database_policy_file.yml