Ansible PAN OS Collection - Can not connect to PA firewall.

michael082 — Wed, 25 Mar 2020 11:26:35 GMT

Hello,

I have three virtual machines, each hosting a PA Firewall. One VM - test one, has no SSL installed, the other two have a self-signed SSL certs installed. I can access the firewall web GUI on all three VMs using a web browser. When I run the following playbook, Ansible can not connect to hosts with SSL certs in place:

---

- name: 'Palo Alto PAN OS: Create a new tag object.'

hosts: all

connection: local

gather_facts: true

collections:

- paloaltonetworks.panos

tasks:

- name: Create a tag object.

when: operation == "create"

panos_tag_object:

provider: '{{ provider }}'

name: '{{ tag_name }}'

color: '{{ tag_color }}'

comments: '{{ tag_comment }}'

- name: Remove a tag object.

when: operation == "remove"

panos_tag_object:

provider: '{{ provider }}'

name: '{{ tag_name }}'

color: '{{ tag_color }}'

state: absent

I get the following error:

The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
File "/tmp/ansible_panos_tag_object_payload_sPdkhl/ansible_panos_tag_object_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 146, in get_pandevice_parent
self.device = PanDevice.create_from_device(*pan_device_auth)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3358, in create_from_device
system_info = device.refresh_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3766, in refresh_system_info
system_info = self.show_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3723, in show_system_info
root = self.xapi.op(cmd="show system info", cmd_xml=True)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3484, in method
raise the_exception
fatal: [iaas0102]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"color": "red",
"comments": "comment",
"commit": true,
"device_group": "shared",
"ip_address": null,
"name": "new_sample_tag",
"password": null,
"port": 443,
"provider": {
"api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ip_address": "iaas0102",
"password": null,
"port": 443,
"serial_number": null,
"username": "admin"
},
"state": "present",
"username": "admin",
"vsys": "vsys1"
}
},
"msg": "Failed connection: URLError: reason: [Errno 110] Connection timed out"
}

Please note, I use API keys.

If I try to run:

curl -k -X GET 'https://iaas0102/api/?type=keygen&user=admin&password=8372hl'

I get:

curl: (7) Failed connect to iaas0102:443; Connection timed out

If I run the same command against the vm without SSL, I get the API Key. I run out of ideas how to approach this. Would appreciate any help.

Regards,

Michael

Re: Ansible PAN OS Collection - Can not connect to PA firewall.

gfreeman — Thu, 26 Mar 2020 00:05:59 GMT

First things first: if that is a legit password, you need to change your password immediately.

For even curl to be failing means this isn't specifically an Ansible issue... Something deeper is going on.

Not sure how big a long shot this is: if you're running the script from OSX catalina, then Apple has decided to change what they consider a valid SSL certificate at the OS level:

https://support.apple.com/en-us/HT210176

This means that the self-signed certs that PAN-OS uses (for example, when you launch a new instance in AWS / Azure / GCP) are invalid and you won't be able to connect. Since the above is applicable to certs created after July 1, 2019, any instances you launched before should still work with Catalina.

Re: Ansible PAN OS Collection - Can not connect to PA firewall.

michael082 — Thu, 26 Mar 2020 06:06:51 GMT

I have literally no prior experience with Palo Alto firewalls so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses which is located under Device --> Interfaces --> Management so every host can manage the firewall. The other two had some IP specified and my one was not there. This is why I couldn't connect to API.

topic Re: Ansible PAN OS Collection - Can not connect to PA firewall. in Automation/API Discussions

Ansible PAN OS Collection - Can not connect to PA firewall.

Re: Ansible PAN OS Collection - Can not connect to PA firewall.

Re: Ansible PAN OS Collection - Can not connect to PA firewall.