https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1253478#M3082 <P>Just came across this thread.&nbsp; We struggled with this quite a bit.&nbsp; We did end up pushing out an admin account for access to all firewalls managed by panorama with limited access (think limited GUI, XML, REST, etc.).&nbsp; Then we would run Ansible OP against Panorama to collected the connected devices, then subsequently issue commands to the firewalls we needed to. One of our requirements was to not use the native Ansible URI module because we wanted to obfuscate the API key and keep it so it wasn't cleartext in bash history or something similar.&nbsp; It's a bit of a mix between PANOS modules and Ansible stuff but it works great.&nbsp; Plus if you collect the devices from Panorama first, you can filter on serial numbers, platform type, etc.&nbsp; So it comes in handy if you want to target only firewalls on certain versions, certain types of platforms (PA-14XX) or something like that.&nbsp; Hope this helps!</P> Wed, 06 May 2026 00:23:18 GMT Josh_Warren 2026-05-06T00:23:18Z https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1251091#M3066 <P>I can do this by calling the API manually, but I can't seem to use the operation command module.&nbsp;<BR /><BR /></P> <DIV class="r1PmQe" data-processed="true" data-hveid="CBEQAA" data-sfc-cb="" data-wiz-uids="TFmBxe_4k,TFmBxe_4l,TFmBxe_4m" data-sfc-root="c"> <DIV data-processed="true"> <DIV class="pHpOfb" data-processed="true" data-animation-atomic=""> <DIV class="pCTyYe" dir="ltr" data-processed="true"> <PRE data-processed="true"><CODE data-processed="true"><SPAN class="undefined" data-processed="true">curl --location --globoff </SPAN><SPAN class="CS0cqb" data-processed="true">'https://&lt;Panorama-IP&gt;/api/?type=op&amp;cmd=&lt;show&gt;&lt;system&gt;&lt;info&gt;&lt;/info&gt;&lt;/system&gt;&lt;/show&gt;&amp;target=0123456789&amp;key=&lt;your-api-key&gt;'</SPAN> </CODE></PRE> </DIV> </DIV> </DIV> </DIV> <P>Skrting the issue in Ansible:<BR /><BR /></P> <LI-CODE lang="markup">- name: Run an op command on a firewall from Panorama ansible.builtin.uri: url: "https://{{ ip_address }}/api/?type=op&amp;target={{ active_fw_serial }}&amp;cmd={{ policy_match_xml | urlencode }}&amp;key={{ panorama_api_key }}" </LI-CODE> <DIV>&nbsp;</DIV> <P><BR />Maybe I am missing something, but a quick look at the Python doesn't look like I can use the module for this. To have to manage another set of access, credentials, etc, to reach the firewalls directly for operational commands feels a bit off.&nbsp;</P> Fri, 27 Mar 2026 17:26:04 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1251091#M3066 Eric_B 2026-03-27T17:26:04Z https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1251139#M3067 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/119116">@Eric_B</a>&nbsp;</P> <P>&nbsp;</P> <P>First of all, as a disclaimer, I'm not an expert in ansible.</P> <P>&nbsp;</P> <P>I just looked the doc of the Ansible available modules.<BR /><BR />- panos_op<BR /><A href="https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_op/" target="_blank">https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_op/</A></P> <P>-&nbsp;panos_type_cmd</P> <P><A href="https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_type_cmd/" target="_blank">https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_type_cmd/</A></P> <P>&nbsp;</P> <P>For both modules, I see there is the "serial_number" which can be used for the target.<BR /><BR /></P> <P>Have you explored that?<BR /><BR /></P> <P>Olivier</P> <P>&nbsp;</P> Mon, 30 Mar 2026 03:09:53 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1251139#M3067 ozheng 2026-03-30T03:09:53Z https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1253478#M3082 <P>Just came across this thread.&nbsp; We struggled with this quite a bit.&nbsp; We did end up pushing out an admin account for access to all firewalls managed by panorama with limited access (think limited GUI, XML, REST, etc.).&nbsp; Then we would run Ansible OP against Panorama to collected the connected devices, then subsequently issue commands to the firewalls we needed to. One of our requirements was to not use the native Ansible URI module because we wanted to obfuscate the API key and keep it so it wasn't cleartext in bash history or something similar.&nbsp; It's a bit of a mix between PANOS modules and Ansible stuff but it works great.&nbsp; Plus if you collect the devices from Panorama first, you can filter on serial numbers, platform type, etc.&nbsp; So it comes in handy if you want to target only firewalls on certain versions, certain types of platforms (PA-14XX) or something like that.&nbsp; Hope this helps!</P> Wed, 06 May 2026 00:23:18 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/no-way-to-use-target-to-send-an-op-command-to-a-firewall-from/m-p/1253478#M3082 Josh_Warren 2026-05-06T00:23:18Z