ansible initial configuration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ansible initial configuration

L0 Member

Hello all - I have a factory-reset 3020 I'm trying to access via ansible to do inital configuration. I installed ansible galaxy on my mac and I'm running version 2.4.3.0 of ansible. I am able to connect but it doesn't appear to do anything in the playbook. Any help is appreciated - here's the relevant configuration.

 

$ ansible --version

ansible 2.4.3.0

  config file = /Users/rniemes/dev/ansible/ansible.cfg

  configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']

  ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible

  executable location = /usr/local/bin/ansible

  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]

 

Here's my ansible.cfg:

rniemes$ more ansible.cfg

[defaults]

remote_user = admin

ask_pass = True

 

firewalls.yaml:

---

- hosts: firewalls

  gather_facts: False

  tasks:

    - name: set dns and panorama

      panos_mgtconfig:

        name: set stuff

        dns_server_primary: "1.1.1.1"

 

 

When I run ansible-playbook it doesn't appear to do anything but login:

 

rniemes$ ansible-playbook -vvvv firewalls.yaml -i hosts

ansible-playbook 2.4.3.0

  config file = /Users/rniemes/dev/ansible/ansible.cfg

  configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']

  ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible

  executable location = /usr/local/bin/ansible-playbook

  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]

Using /Users/rniemes/dev/ansible/ansible.cfg as config file

SSH password:

setting up inventory plugins

Parsed /Users/rniemes/dev/ansible/hosts inventory source with ini plugin

Loading callback plugin default of type stdout, v2.0 from /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

 

PLAYBOOK: firewalls.yaml *****************************************************************************************************************

1 plays in firewalls.yaml

 

PLAY [firewalls] *************************************************************************************************************************

META: ran handlers

 

TASK [set dns and panorama] **************************************************************************************************************

task path: /Users/rniemes/dev/ansible/firewalls.yaml:5

Using module file /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/modules/network/panos/panos_mgtconfig.py

<10.18.8.65> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO 10.18.8.65

<10.18.8.65> EXEC /bin/sh -c 'echo ~ && sleep 0'

 

I see an open session after doing this:

 

admin@PA-3020> show admins

 

Admin                           From   Client Session-start      Idle-for

--------------------------------------------------------------------------

admin                  10.16.251.231      CLI 02/20 07:00:32     00:00:00s

admin                  10.16.251.231      CLI 02/20 07:01:03     00:00:04s

 

 

 

10 REPLIES 10

L1 Bithead

Hi ryanniemes

 

I got the same issue.   I tried accessing with both username+password  as well as certificate based authentication, neither works.  I also tried on PAN-OS 8.1 and 8.0 but with same result. 

 

My ansible version is 2.5.2

 

Have you resovled this problem? 


Thanks.


Regars,

Sam

Same problem here.  Has anyone solved this yet?

L2 Linker

Hi guys,

 

Do the logs on the firewall UI show that there was an operation attemtped? I'm curious to understand if the ansible framework is actually able to reach into the firewalls at all? 

Additionally, can you guys verify that you can ssh into the firewall (depending upon the mgmt config / profile) with the username and password? 

 

Thanks.

Hi all,

 

 

1) Right now, the best way to use Ansible is with the Ansible Galaxy Palo Alto Networks role.  Palo Alto Networks has been updating the role more frequently than what libraries come with "pip install ansible" due to ease of getting code to users faster.  So, I'd recommending using the role first and foremost:

 

ansible-galaxy install PaloAltoNetworks.paloaltonetworks

 

2) Once you're using that, you need to tell your playbook to use that role.  You do that like so:

 

roles:

  - role:  PaloAltoNetworks.paloaltonetworks

 

3) Now that you're using the role, you actually need to be telling the module "panos_mgtconfig" what the authentication credentials of your firewall are, as vvenkatara hinted at.  There are "ip_address", "username", "password", and "api_key" params that the "panos_mgtconfig" module is expecting in your playbook so that it knows how to connect to your PAN-OS system.  Full documentation for Ansible is on readthedocs (as well as the instructions for installing the ansible-galaxy role):

 

http://panwansible.readthedocs.io/en/latest/

 

Hope this helps!

 

I'm doing all that.  It hangs at:

 

< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5

 

The contents of the playbook are:

 

---
- hosts: azfw02.domain.com
  gather_facts: False

 

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:


  - name: Set DNS Servers
    panos_mgtconfig:
      ip_address: '{{ mgmt_ip }}'
      username: 'admin'
      password: 'secretpasswordhere'
      dns_server_primary: "10.1.1.94"

The firewall UI logs show an SSH connection, but not the change to the DNS servers.  The username/password works from the command line.

So it looks like it's not even getting to your tasks.  What do you see if you run `ansible-playbook` with -vvv to increase the verbosity?

$ ansible-playbook -vvv --ask-pass go.yml
ansible-playbook 2.5.5
  config file = None
  configured module search path = [u'/Users/brian/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /Library/Python/2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 2.7.10 (default, Oct  6 2017, 22:29:07) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)]
No config file found; using defaults
SSH password:
Parsed /Users/brian/playbooks/azure_pan/hosts inventory source with ini plugin
 __________________
< PLAYBOOK: go.yml >
 ------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

1 plays in go.yml
 _______________________________
< PLAY [azfw02.domain.com] >
 -------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

META: ran handlers
 ________________________________________________
< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
 ------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5
Using module file /Library/Python/2.7/site-packages/ansible/modules/packaging/language/pip.py
<azfw02.domain.com> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO azfw02.ops.desales.edu
<azfw02.domain.com> EXEC /bin/sh -c 'echo ~admin && sleep 0'

I think you are missing "connection: local" in your playbook.  Without that, you're telling ansible to SSH to PAN-OS, then it's trying to execute the modules there, which won't work.  I think this is why you see a bunch of SSH connections to your PAN-OS, which is wrong, as the Ansible modules connect via API, not SSH.

Garfield is right, without connection: local Ansible will try to SSH into the firewall.

 

Here is a working example:

https://github.com/PaloAltoNetworks/ansible-pan/blob/develop/examples/fw_mgtconfig.yml

 

  • 8978 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!