Ansible PAN OS Collection - Can not connect to PA firewall.

michael082 · ‎03-25-2020

Hello,

I have three virtual machines, each hosting a PA Firewall. One VM - test one, has no SSL installed, the other two have a self-signed SSL certs installed. I can access the firewall web GUI on all three VMs using a web browser. When I run the following playbook, Ansible can not connect to hosts with SSL certs in place:

Spoiler

---

- name: 'Palo Alto PAN OS: Create a new tag object.'

hosts: all

connection: local

gather_facts: true

collections:

- paloaltonetworks.panos

tasks:

- name: Create a tag object.

when: operation == "create"

panos_tag_object:

provider: '{{ provider }}'

name: '{{ tag_name }}'

color: '{{ tag_color }}'

comments: '{{ tag_comment }}'

- name: Remove a tag object.

when: operation == "remove"

panos_tag_object:

provider: '{{ provider }}'

name: '{{ tag_name }}'

color: '{{ tag_color }}'

state: absent

---- name: 'Palo Alto PAN OS: Create a new tag object.'hosts: allconnection: localgather_facts: truecollections:- paloaltonetworks.panos tasks: - name: Create a tag object.when: operation == "create"panos_tag_object:provider: '{{ provider }}'name: '{{ tag_name }}'color: '{{ tag_color }}'comments: '{{ tag_comment }}' - name: Remove a tag object.when: operation == "remove"panos_tag_object:provider: '{{ provider }}'name: '{{ tag_name }}'color: '{{ tag_color }}'state: absent

I get the following error:

Spoiler

The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
File "/tmp/ansible_panos_tag_object_payload_sPdkhl/ansible_panos_tag_object_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 146, in get_pandevice_parent
self.device = PanDevice.create_from_device(*pan_device_auth)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3358, in create_from_device
system_info = device.refresh_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3766, in refresh_system_info
system_info = self.show_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3723, in show_system_info
root = self.xapi.op(cmd="show system info", cmd_xml=True)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3484, in method
raise the_exception
fatal: [iaas0102]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"color": "red",
"comments": "comment",
"commit": true,
"device_group": "shared",
"ip_address": null,
"name": "new_sample_tag",
"password": null,
"port": 443,
"provider": {
"api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ip_address": "iaas0102",
"password": null,
"port": 443,
"serial_number": null,
"username": "admin"
},
"state": "present",
"username": "admin",
"vsys": "vsys1"
}
},
"msg": "Failed connection: URLError: reason: [Errno 110] Connection timed out"
}

The full traceback is:WARNING: The below traceback may *not* be related to the actual failure.File "/tmp/ansible_panos_tag_object_payload_sPdkhl/ansible_panos_tag_object_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 146, in get_pandevice_parentself.device = PanDevice.create_from_device(*pan_device_auth)File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3358, in create_from_devicesystem_info = device.refresh_system_info()File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3766, in refresh_system_infosystem_info = self.show_system_info()File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3723, in show_system_inforoot = self.xapi.op(cmd="show system info", cmd_xml=True)File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3484, in methodraise the_exceptionfatal: [iaas0102]: FAILED! => {"changed": false,"invocation": {"module_args": {"api_key": null,"color": "red","comments": "comment","commit": true,"device_group": "shared","ip_address": null,"name": "new_sample_tag","password": null,"port": 443,"provider": {"api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER","ip_address": "iaas0102","password": null,"port": 443,"serial_number": null,"username": "admin"},"state": "present","username": "admin","vsys": "vsys1"}},"msg": "Failed connection: URLError: reason: [Errno 110] Connection timed out"}

Please note, I use API keys.

If I try to run:

curl -k -X GET 'https://iaas0102/api/?type=keygen&user=admin&password=8372hl'

I get:

curl: (7) Failed connect to iaas0102:443; Connection timed out

If I run the same command against the vm without SSL, I get the API Key. I run out of ideas how to approach this. Would appreciate any help.

Regards,

Michael

michael082 · ‎03-25-2020

I have literally no prior experience with Palo Alto firewalls so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses which is located under Device --> Interfaces --> Management so every host can manage the firewall. The other two had some IP specified and my one was not there. This is why I couldn't connect to API.

View solution in original post

gfreeman · ‎03-25-2020

First things first: if that is a legit password, you need to change your password immediately.

For even curl to be failing means this isn't specifically an Ansible issue... Something deeper is going on.

Not sure how big a long shot this is: if you're running the script from OSX catalina, then Apple has decided to change what they consider a valid SSL certificate at the OS level:

https://support.apple.com/en-us/HT210176

This means that the self-signed certs that PAN-OS uses (for example, when you launch a new instance in AWS / Azure / GCP) are invalid and you won't be able to connect. Since the above is applicable to certs created after July 1, 2019, any instances you launched before should still work with Catalina.

michael082 · ‎03-25-2020

I have literally no prior experience with Palo Alto firewalls so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses which is located under Device --> Interfaces --> Management so every host can manage the firewall. The other two had some IP specified and my one was not there. This is why I couldn't connect to API.

Unlock your full community experience!

Ansible PAN OS Collection - Can not connect to PA firewall.

Ansible PAN OS Collection - Can not connect to PA firewall.

Show your appreciation!