This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Always connect to active firewall

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Always connect to active firewall

DeepakVerma
L2 Linker

‎12-21-2022 11:11 AM

HI @gfreeman @btorresgil 

 

Just checking how we can connect to active firewall using Ansible module .

In python , we are using refresh_ha_active()  and its working , however we need to test using Ansible.
Could you please provide some input here. 

 

Thanks

0 Likes Likes
4 REPLIES 4

nikoolayy1
L6 Presenter

‎02-20-2023 09:55 PM

Why not just use https://ansible-pan.readthedocs.io/en/latest/modules/panos_facts_module.html the facts ansible module and "ansible_net_ha_localstate" and then make the tasks that you want with an Ansible "when" condition to trigger only on the active firewall based on the variable collected by the facts module https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_conditionals.html ?

0 Likes Likes

Gruber_Marco
L0 Member

‎02-20-2023 10:46 PM

We just run the playbook against both Panorama ans stop it if the Panorama is not active. If used in multiple playbooks you could create an "stop passive Panorama" role and run it at the beginning of your playbook.

 

- name: "Panorama HA State - GET Facts"
  paloaltonetworks.panos.panos_facts:
  provider: '{{ device }}'
  gather_subset: ['ha']

- name: "Panorama HA State - Show HA State"
  debug:
  msg: "HA State: {{ ansible_net_ha_localstate }} - {{ ( not ansible_net_ha_localstate.endswith('-active') ) | ternary('Not OK -> Need to Stop running further tasks for this host', 'OK') }}"

- name: "Panorama HA State - Stop running Playbook for Hoost"
  meta: end_host
  when:
    - "not ansible_net_ha_localstate.endswith('-active')"

 

 

 

 

0 Likes Likes

stangri-la
L1 Bithead

‎02-24-2023 09:53 AM

Just connect to the loopback IP of the HA firewall pair which will always be the active firewall.

0 Likes Likes

nikoolayy1
L6 Presenter
In response to stangri-la

‎03-13-2023 11:57 PM

Also if you configure just one floating IP it will be the same deal with connecting to just the active device. It is called active-active but with one floating ip it is actually active-standby:

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/floating-ip...

0 Likes Likes
  • 2057 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks