02-20-2018 06:26 AM
Hello all - I have a factory-reset 3020 I'm trying to access via ansible to do initial configuration. I installed ansible galaxy on my mac and I'm running version 2.4.3.0 of ansible. I am able to connect but it doesn't appear to do anything in the playbook. Any help is appreciated - here's the relevant configuration.
$ ansible --version
ansible 2.4.3.0
config file = /Users/rniemes/dev/ansible/ansible.cfg
configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 2.7.10 (default, Feb 7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]
Here's my ansible.cfg:
rniemes$ more ansible.cfg
[defaults]
remote_user = admin
ask_pass = True
firewalls.yaml:
---
- hosts: firewalls
  gather_facts: False
  tasks:
    - name: set dns and panorama
      panos_mgtconfig:
        name: set stuff
        dns_server_primary: "1.1.1.1"
When I run ansible-playbook it doesn't appear to do anything but login:
rniemes$ ansible-playbook -vvvv firewalls.yaml -i hosts
ansible-playbook 2.4.3.0
config file = /Users/rniemes/dev/ansible/ansible.cfg
configured module search path = [u'/Users/rniemes/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 2.7.10 (default, Feb 7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]
Using /Users/rniemes/dev/ansible/ansible.cfg as config file
SSH password:
setting up inventory plugins
Parsed /Users/rniemes/dev/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc
PLAYBOOK: firewalls.yaml *****************************************************************************************************************
1 plays in firewalls.yaml
PLAY [firewalls] *************************************************************************************************************************
META: ran handlers
TASK [set dns and panorama] **************************************************************************************************************
task path: /Users/rniemes/dev/ansible/firewalls.yaml:5
Using module file /usr/local/Cellar/ansible/2.4.3.0/libexec/lib/python2.7/site-packages/ansible/modules/network/panos/panos_mgtconfig.py
<10.18.8.65> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO 10.18.8.65
<10.18.8.65> EXEC /bin/sh -c 'echo ~ && sleep 0'
I see an open session after doing this:
admin@PA-3020> show admins
Admin From Client Session-start Idle-for
--------------------------------------------------------------------------
admin 10.16.251.231 CLI 02/20 07:00:32 00:00:00s
admin 10.16.251.231 CLI 02/20 07:01:03 00:00:04s
05-21-2018 04:56 PM
Hi ryanniemes,
I got the same issue. I tried accessing with both username+password as well as certificate based authentication, neither works. I also tried on PAN-OS 8.1 and 8.0 but with same result.
My ansible version is 2.5.2
Have you resolved this problem?
Thanks.
Regards,
Sam
06-18-2018 02:45 PM
Same problem here. Has anyone solved this yet?
06-18-2018 02:49 PM
Hi guys,
Do the logs on the firewall UI show that there was an operation attempted? I'm curious to understand if the ansible framework is actually able to reach into the firewalls at all.
Additionally, can you guys verify that you can ssh into the firewall (depending upon the mgmt config / profile) with the username and password?
Thanks.
06-18-2018 02:57 PM
Hi all,
1) Right now, the best way to use Ansible is with the Ansible Galaxy Palo Alto Networks role. Palo Alto Networks has been updating the role more frequently than the libraries that come with "pip install ansible", because it is an easier way to get code to users faster. So, I'd recommend using the role first and foremost:
ansible-galaxy install PaloAltoNetworks.paloaltonetworks
2) Once you're using that, you need to tell your playbook to use that role. You do that like so:
roles:
- role: PaloAltoNetworks.paloaltonetworks
3) Now that you're using the role, you actually need to be telling the module "panos_mgtconfig" what the authentication credentials of your firewall are, as vvenkatara hinted at. There are "ip_address", "username", "password", and "api_key" params that the "panos_mgtconfig" module is expecting in your playbook so that it knows how to connect to your PAN-OS system. Full documentation for Ansible is on readthedocs (as well as the instructions for installing the ansible-galaxy role):
http://panwansible.readthedocs.io/en/latest/
Hope this helps!
06-18-2018 03:30 PM
I'm doing all that. It hangs at:
< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5
The contents of the playbook are:
---
- hosts: azfw02.domain.com
  gather_facts: False
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Set DNS Servers
      panos_mgtconfig:
        ip_address: '{{ mgmt_ip }}'
        username: 'admin'
        password: 'secretpasswordhere'
        dns_server_primary: "10.1.1.94"
06-18-2018 03:36 PM
The firewall UI logs show an SSH connection, but not the change to the DNS servers. The username/password works from the command line.
06-19-2018 10:02 AM
So it looks like it's not even getting to your tasks. What do you see if you run `ansible-playbook` with -vvv to increase the verbosity?
06-19-2018 10:21 AM
$ ansible-playbook -vvv --ask-pass go.yml
ansible-playbook 2.5.5
config file = None
configured module search path = [u'/Users/brian/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /Library/Python/2.7/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 2.7.10 (default, Oct 6 2017, 22:29:07) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)]
No config file found; using defaults
SSH password:
Parsed /Users/brian/playbooks/azure_pan/hosts inventory source with ini plugin
< PLAYBOOK: go.yml >
1 plays in go.yml
< PLAY [azfw02.domain.com] >
META: ran handlers
< TASK [PaloAltoNetworks.paloaltonetworks : pip] >
task path: /Users/brian/.ansible/roles/PaloAltoNetworks.paloaltonetworks/tasks/main.yml:5
Using module file /Library/Python/2.7/site-packages/ansible/modules/packaging/language/pip.py
<azfw02.domain.com> ESTABLISH CONNECTION FOR USER: admin on PORT 22 TO azfw02.ops.desales.edu
<azfw02.domain.com> EXEC /bin/sh -c 'echo ~admin && sleep 0'
06-19-2018 10:49 AM
I think you are missing "connection: local" in your playbook. Without that, you're telling ansible to SSH to PAN-OS, then it's trying to execute the modules there, which won't work. I think this is why you see a bunch of SSH connections to your PAN-OS, which is wrong, as the Ansible modules connect via API, not SSH.
06-19-2018 10:51 AM
Garfield is right, without connection: local Ansible will try to SSH into the firewall.
Here is a working example:
https://github.com/PaloAltoNetworks/ansible-pan/blob/develop/examples/fw_mgtconfig.yml
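Putting the three role-setup steps above and the `connection: local` fix together, here is a complete playbook as an added example. It is not the original poster's playbook and not the PaloAltoNetworks role's own example; the inventory group name, the vault file and the variable names in it are assumptions. The module parameters used (`ip_address`, `username`, `password`, `dns_server_primary`) are the ones named in this thread.

```yaml
---
# Added example, not code from the thread or from the PaloAltoNetworks role.
# Assumes: the role was installed with
#   ansible-galaxy install PaloAltoNetworks.paloaltonetworks
# and the inventory group "firewalls" lists the firewalls' management IPs
# (assumed group name), e.g.
#   [firewalls]
#   10.18.8.65
- hosts: firewalls
  # Run the panos_* modules on the control node. They reach the firewall
  # through its HTTPS management API, not over SSH. Without this line
  # Ansible opens an SSH session to PAN-OS and tries to run Python there,
  # which is exactly the "ESTABLISH CONNECTION ... PORT 22" seen above,
  # followed by nothing happening.
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  vars_files:
    # Assumed file: keeps the admin password out of the playbook.
    # Create it with:  ansible-vault create vault.yml
    # and define:      vault_admin_password: "..."
    - vault.yml

  tasks:
    - name: Set primary DNS server through the management API
      panos_mgtconfig:
        # With connection: local, inventory_hostname is the management IP
        # from the inventory; the module uses it as the API endpoint.
        ip_address: "{{ inventory_hostname }}"
        username: admin
        password: "{{ vault_admin_password }}"
        dns_server_primary: "1.1.1.1"
      # Keep the credential out of -vvv output and log files.
      no_log: true
```

Run it with `ansible-playbook -i hosts --ask-vault-pass firewalls.yaml`. Note that `ask_pass = True` in ansible.cfg (or `--ask-pass` on the command line) only prompts for an SSH password, which is never used once the play is `connection: local`; the firewall credentials have to come from the module parameters, as the vault variable does here.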