topic Re: ansible initial configuration in Automation/API Discussions

ansible initial configuration

ryanniemes — Tue, 20 Feb 2018 14:26:27 GMT

Hello all - I have a factory-reset 3020 I'm trying to access via ansible to do inital configuration. I installed ansible galaxy on my mac and I'm running version 2.4.3.0 of ansible. I am able to connect but it doesn't appear to do anything in the playbook. Any help is appreciated - here's the relevant configuration.

$ ansible --version

ansible 2.4.3.0

config file = /Users/rniemes/dev/ansible/ansible.cfg

configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']

ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible

executable location = /usr/local/bin/ansible

python version = 2.7.10 (default, Feb 7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]

Here's my ansible.cfg:

rniemes$ more ansible.cfg

[defaults]

remote_user = admin

ask_pass = True

firewalls.yaml:

---

- hosts: firewalls

gather_facts: False

tasks:

- name: set dns and panorama

panos_mgtconfig:

name: set stuff

dns_server_primary: "1.1.1.1"

When I run ansible-playbook it doesn't appear to do anything but login:

rniemes$ ansible-playbook -vvvv firewalls.yaml -i hosts

ansible-playbook 2.4.3.0

config file = /Users/rniemes/dev/ansible/ansible.cfg

configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']

ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible

executable location = /usr/local/bin/ansible-playbook

python version = 2.7.10 (default, Feb 7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]

Using /Users/rniemes/dev/ansible/ansible.cfg as config file

SSH password:

setting up inventory plugins

Parsed /Users/rniemes/dev/ansible/hosts inventory source with ini plugin

Loading callback plugin default of type stdout, v2.0 from /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: firewalls.yaml *****************************************************************************************************************

1 plays in firewalls.yaml

PLAY [firewalls] *************************************************************************************************************************

META: ran handlers

TASK [set dns and panorama] **************************************************************************************************************

task path: /Users/rniemes/dev/ansible/firewalls.yaml:5

Using module file /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/modules/network/panos/panos_mgtconfig.py

<10.18.8.65> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO 10.18.8.65

<10.18.8.65> EXEC /bin/sh -c 'echo ~ && sleep 0'

I see an open session after doing this:

admin@PA-3020> show admins

Admin From Client Session-start Idle-for

--------------------------------------------------------------------------

admin 10.16.251.231 CLI 02/20 07:00:32 00:00:00s

admin 10.16.251.231 CLI 02/20 07:01:03 00:00:04s

Re: ansible initial configuration

samzhang — Mon, 21 May 2018 23:56:23 GMT

Hi ryanniemes，

I got the same issue. I tried accessing with both username+password as well as certificate based authentication, neither works. I also tried on PAN-OS 8.1 and 8.0 but with same result.

My ansible version is 2.5.2

Have you resovled this problem?

Thanks.

Regars,

Sam

Re: ansible initial configuration

bkeifer — Mon, 18 Jun 2018 21:45:52 GMT

Same problem here. Has anyone solved this yet?

Re: ansible initial configuration

vvenkatara — Mon, 18 Jun 2018 21:49:48 GMT

Hi guys,

Do the logs on the firewall UI show that there was an operation attemtped? I'm curious to understand if the ansible framework is actually able to reach into the firewalls at all?

Additionally, can you guys verify that you can ssh into the firewall (depending upon the mgmt config / profile) with the username and password?

Thanks.

Re: ansible initial configuration

gfreeman — Mon, 18 Jun 2018 21:57:35 GMT

Hi all,

1) Right now, the best way to use Ansible is with the Ansible Galaxy Palo Alto Networks role. Palo Alto Networks has been updating the role more frequently than what libraries come with "pip install ansible" due to ease of getting code to users faster. So, I'd recommending using the role first and foremost:

ansible-galaxy install PaloAltoNetworks.paloaltonetworks

2) Once you're using that, you need to tell your playbook to use that role. You do that like so:

roles:

- role: PaloAltoNetworks.paloaltonetworks

3) Now that you're using the role, you actually need to be telling the module "panos_mgtconfig" what the authentication credentials of your firewall are, as vvenkatara hinted at. There are "ip_address", "username", "password", and "api_key" params that the "panos_mgtconfig" module is expecting in your playbook so that it knows how to connect to your PAN-OS system. Full documentation for Ansible is on readthedocs (as well as the instructions for installing the ansible-galaxy role):

http://panwansible.readthedocs.io/en/latest/

Hope this helps!

Re: ansible initial configuration

bkeifer — Mon, 18 Jun 2018 22:30:08 GMT

I'm doing all that. It hangs at:

< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5

The contents of the playbook are:

---
- hosts: azfw02.domain.com
gather_facts: False

roles:
- role: PaloAltoNetworks.paloaltonetworks

tasks:

- name: Set DNS Servers
panos_mgtconfig:
ip_address: '{{ mgmt_ip }}'
username: 'admin'
password: 'secretpasswordhere'
dns_server_primary: "10.1.1.94"

Re: ansible initial configuration

bkeifer — Mon, 18 Jun 2018 22:36:42 GMT

The firewall UI logs show an SSH connection, but not the change to the DNS servers. The username/password works from the command line.

Re: ansible initial configuration

gfreeman — Tue, 19 Jun 2018 17:02:04 GMT

So it looks like it's not even getting to your tasks. What do you see if you run `ansible-playbook` with -vvv to increase the verbosity?

Re: ansible initial configuration

bkeifer — Tue, 19 Jun 2018 17:21:30 GMT

$ ansible-playbook -vvv --ask-pass go.yml
ansible-playbook 2.5.5
  config file = None
  configured module search path = [u'/Users/brian/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /Library/Python/2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 2.7.10 (default, Oct  6 2017, 22:29:07) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)]
No config file found; using defaults
SSH password:
Parsed /Users/brian/playbooks/azure_pan/hosts inventory source with ini plugin
 __________________
< PLAYBOOK: go.yml >
 ------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

1 plays in go.yml
 _______________________________
< PLAY [azfw02.domain.com] >
 -------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

META: ran handlers
 ________________________________________________
< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
 ------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5
Using module file /Library/Python/2.7/site-packages/ansible/modules/packaging/language/pip.py
<azfw02.domain.com> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO azfw02.ops.desales.edu
<azfw02.domain.com> EXEC /bin/sh -c 'echo ~admin && sleep 0'

Re: ansible initial configuration

gfreeman — Tue, 19 Jun 2018 17:49:26 GMT

I think you are missing "connection: local" in your playbook. Without that, you're telling ansible to SSH to PAN-OS, then it's trying to execute the modules there, which won't work. I think this is why you see a bunch of SSH connections to your PAN-OS, which is wrong, as the Ansible modules connect via API, not SSH.

Re: ansible initial configuration

ibojer — Tue, 19 Jun 2018 17:51:46 GMT

Garfield is right, without connection: local Ansible will try to SSH into the firewall.

Here is a working example:

https://github.com/PaloAltoNetworks/ansible-pan/blob/develop/examples/fw_mgtconfig.yml