topic Re: fail to execute ansible command for PANFW in Automation/API Discussions

fail to execute ansible command for PANFW

sjnkic — Thu, 02 Aug 2018 09:30:45 GMT

Seek for solution to fix the problem. Thanks.

1）host vars:

ansible_user: user
ansible_password: xxxxxxxxxxxxx
ansible_connection: network_cli
ansible_network_os: panos

2）command:

ansible --vault-id /xxx/xxx/vault_key -i ./hosts xxxx -m ping

3）error output:

xxxxx | FAILED! => {
"msg": "network os panos is not supported"
}

Re: fail to execute ansible command for PANFW

rhagen — Thu, 02 Aug 2018 13:46:49 GMT

The Ansible modules for PAN-OS do not currently support the network_cli connection method. Today these modules leverage the pandevice libraries to make API calls from the Ansible host. You'll need to change your connection type to localhost.

Example:

---
- name: Panorama configuration demo
hosts: localhost
connection: local
gather_facts: False

tasks:
- name: include variables
include_vars: vars.yml
no_log: 'yes'

- name: create a database server
panos_object:
ip_address: '{{ ip_address }}'
api_key: '{{ api_key }}'
addressobject: 'prod-db1'
address: '10.0.50.10'
description: "Database server 1"

Hope this helps!

Re: fail to execute ansible command for PANFW

hbalzac — Thu, 02 Aug 2018 15:14:21 GMT

When you saying currently/today, does that mean that there are any plans in the future to use network_cli insted of pandevice for ansible?

Re: fail to execute ansible command for PANFW

rhagen — Thu, 02 Aug 2018 16:41:56 GMT

I'll defer to @gfreeman on that question. 🙂

Re: fail to execute ansible command for PANFW

hbalzac — Thu, 02 Aug 2018 18:25:19 GMT

Cool

Its always good to have as few dependenties as possible 🙂

Re: fail to execute ansible command for PANFW

sjnkic — Fri, 03 Aug 2018 08:56:44 GMT

Thanks a lot.

It works when change connection from 'network_cli' to 'local'.

Further questions in vars:

1) how to use the 'api_key', where should I deternmine the value of 'api_key'

2) include vars: vars.yml.

the location of vars.yml is the same with playbook.yml ?

Re: fail to execute ansible command for PANFW

rhagen — Fri, 03 Aug 2018 20:55:58 GMT

The API key is basically a hash of your username and password. You can generate it on the firewall using a cURL command such as:

curl -X POST 'https://192.168.55.5/api?type=keygen&user=admin&password=paloalto'

You'll still want to safeguard the API key from exposure - just like a username and password. Using an API key just makes it one less field to worry about in your Ansible task definitions. You may want to place the key in a credentials.yml file and then encrypt it with Ansible Vault.