fail to execute ansible command for PANFW

L0 Member

fail to execute ansible command for PANFW

Seeking a solution to fix the problem. Thanks.

1) host vars:

ansible_user: user
ansible_password: xxxxxxxxxxxxx
ansible_connection: network_cli
ansible_network_os: panos

2) command:

ansible --vault-id /xxx/xxx/vault_key -i ./hosts xxxx -m ping

3) error output:

xxxxx | FAILED! => {
"msg": "network os panos is not supported"
}

L3 Networker

Re: fail to execute ansible command for PANFW

The Ansible modules for PAN-OS do not currently support the network_cli connection method.  Today these modules leverage the pandevice libraries to make API calls from the Ansible host.  You'll need to change your connection type to localhost.

 

Example:

---
- name: Panorama configuration demo
  # The modules make API calls from the Ansible host, so the play runs locally
  hosts: localhost
  connection: local
  gather_facts: False

  tasks:
  - name: include variables
    include_vars: vars.yml
    no_log: 'yes'

  - name: create a database server
    panos_object:
      ip_address: '{{ ip_address }}'
      api_key: '{{ api_key }}'
      addressobject: 'prod-db1'
      address: '10.0.50.10'
      description: "Database server 1"

 

Hope this helps!

 

L3 Networker

Re: fail to execute ansible command for PANFW

When you say currently/today, does that mean that there are any plans in the future to use network_cli instead of pandevice for Ansible?

L3 Networker

Re: fail to execute ansible command for PANFW

I'll defer to @gfreeman on that question.  :-) 

L3 Networker

Re: fail to execute ansible command for PANFW

Cool

It's always good to have as few dependencies as possible :)

L0 Member

Re: fail to execute ansible command for PANFW

Thanks a lot.

It works when I change the connection from 'network_cli' to 'local'.

 

Further questions in vars:

1) How do I use the 'api_key', and where should I determine the value of 'api_key'?

2) include vars: vars.yml.

  Is the location of vars.yml the same as playbook.yml?

L3 Networker

Re: fail to execute ansible command for PANFW

The API key is basically a hash of your username and password.  You can generate it on the firewall using a cURL command such as:

 

curl -X POST 'https://192.168.55.5/api?type=keygen&user=admin&password=paloalto'

 

You'll still want to safeguard the API key from exposure - just like a username and password.  Using an API key just makes it one less field to worry about in your Ansible task definitions.  You may want to place the key in a credentials.yml file and then encrypt it with Ansible Vault.
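The key generation and Ansible Vault steps from the reply above, as an added example that is not part of the original thread and not Palo Alto Networks' code. The function names are hypothetical, the sample response is constructed, and the script assumes curl already trusts the firewall's certificate and that the keygen call returns the usual XML reply with a `<key>` element.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Constructed sample of a successful keygen response (the key is made up).
SAMPLE_KEYGEN_XML="<response status = 'success'><result><key>Q09OU1RSVUNURUQ=</key></result></response>"

# POST the keygen request. The password is read from stdin and sent in the
# request body, so it never appears in the URL or the process list.
# Assumes curl already trusts the firewall certificate (else add --cacert).
fetch_keygen() {  # usage: printf '%s' "$pw" | fetch_keygen <fw_host> <user>
    curl --silent --show-error --fail -X POST "https://$1/api/?type=keygen" \
        --data-urlencode "user=$2" --data-urlencode "password@-"
}

# Read the XML reply on stdin; print the key only if status is success.
extract_api_key() {
    xml=$(cat)
    printf '%s' "$xml" | tr -d " \"'" | grep -q 'status=success' || {
        echo "keygen did not return success" >&2; return 1; }
    key=$(printf '%s' "$xml" | sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p')
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Write the vars file readable by the owner only.
write_credentials() {  # usage: write_credentials <api_key> <file>
    ( umask 077 && printf "api_key: '%s'\n" "$1" > "$2" )
}

# Full procedure: prompt, fetch, write, then encrypt with Ansible Vault.
store_api_key() {  # usage: store_api_key <fw_host> <user> <vault_id> [file]
    out=${4:-credentials.yml}
    printf 'Password for %s: ' "$2" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    key=$(printf '%s' "$pw" | fetch_keygen "$1" "$2" | extract_api_key) || return 1
    unset pw
    write_credentials "$key" "$out" && ansible-vault encrypt --vault-id "$3" "$out"
}
```

Once the file is encrypted, the playbook's include_vars task can load credentials.yml when the same --vault-id is passed on the command line.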
