https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/524791#M3278 <P>HI&nbsp;<SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46544">@gfreeman</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15566">@btorresgil</a>&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Just checking how we can connect to active firewall using Ansible module .<BR /><BR />In python , we are using&nbsp;refresh_ha_active()&nbsp; and its working , however we need to test using Ansible.<BR />Could you please provide some input here.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P> Wed, 21 Dec 2022 19:11:49 GMT DeepakVerma 2022-12-21T19:11:49Z https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/524791#M3278 <P>HI&nbsp;<SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/46544">@gfreeman</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15566">@btorresgil</a>&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Just checking how we can connect to active firewall using Ansible module .<BR /><BR />In python , we are using&nbsp;refresh_ha_active()&nbsp; and its working , however we need to test using Ansible.<BR />Could you please provide some input here.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P> Wed, 21 Dec 2022 19:11:49 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/524791#M3278 DeepakVerma 2022-12-21T19:11:49Z https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/531819#M3314 <P>Why not just use <A href="https://ansible-pan.readthedocs.io/en/latest/modules/panos_facts_module.html" target="_blank">https://ansible-pan.readthedocs.io/en/latest/modules/panos_facts_module.html</A> the facts ansible module and "<STRONG>ansible_net_ha_localstate</STRONG>" and then make the tasks that you want with an Ansible "when" condition to trigger only on the active firewall based on the variable collected by the facts module <A href="https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_conditionals.html" target="_blank">https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_conditionals.html</A> ?</P> Tue, 21 Feb 2023 05:55:18 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/531819#M3314 nikoolayy1 2023-02-21T05:55:18Z https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/531821#M3316 <P>We just run the playbook against both Panorama ans stop it if the Panorama is not active. If used in multiple playbooks you could create an "stop passive Panorama" role and run it at the beginning of your playbook.</P><P>&nbsp;</P><PRE>- name: "Panorama HA State - GET Facts"<BR /> paloaltonetworks.panos.panos_facts:<BR /> provider: '{{ device }}'<BR /> gather_subset: ['ha']<BR /><BR />- name: "Panorama HA State - Show HA State"<BR /> debug:<BR /> msg: "HA State: {{ ansible_net_ha_localstate }} - {{ ( not ansible_net_ha_localstate.endswith('-active') ) | ternary('Not OK -&gt; Need to Stop running further tasks for this host', 'OK') }}"<BR /><BR />- name: "Panorama HA State - Stop running Playbook for Hoost"<BR /> meta: end_host<BR /> when:<BR /> - "not ansible_net_ha_localstate.endswith('-active')"</PRE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Feb 2023 06:46:27 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/531821#M3316 Gruber_Marco 2023-02-21T06:46:27Z https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/532204#M3318 <P>Just connect to the loopback IP of the HA firewall pair which will always be the active firewall.</P> Fri, 24 Feb 2023 17:53:35 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/532204#M3318 stangri-la 2023-02-24T17:53:35Z https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/534309#M3330 <P>Also if you configure just one floating IP it will be the same deal with connecting to just the active device. It is called active-active but with one floating ip it is actually active-standby:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address</A></P> Tue, 14 Mar 2023 06:57:52 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/always-connect-to-active-firewall/m-p/534309#M3330 nikoolayy1 2023-03-14T06:57:52Z