03-25-2020 04:26 AM
Hello,
I have three virtual machines, each hosting a PA Firewall. One VM, the test one, has no SSL installed; the other two have self-signed SSL certs installed. I can access the firewall web GUI on all three VMs using a web browser. When I run the following playbook, Ansible cannot connect to the hosts with SSL certs in place:
I get the following error:
Please note, I use API keys.
If I try to run:
curl -k -X GET 'https://iaas0102/api/?type=keygen&user=admin&password=8372hl'
I get:
curl: (7) Failed connect to iaas0102:443; Connection timed out
If I run the same command against the VM without SSL, I get the API key. I have run out of ideas on how to approach this. Would appreciate any help.
Regards,
Michael
03-25-2020 11:06 PM
I have literally no prior experience with Palo Alto firewalls, so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses, which is located under Device --> Interfaces --> Management, so every host can manage the firewall. The other two had some IPs specified and mine was not there. This is why I couldn't connect to the API.
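As an added example (not code from the thread), a Python check that separates the TCP connect stage from the TLS handshake stage: a timeout or refusal at the TCP stage, like the curl (7) "Connection timed out" above, means reachability or an ACL such as the management permitted-IP list, while only a failure inside the handshake points at the certificate. Host and port are arguments; nothing else is assumed.

```python
import socket
import ssl

# Stage labels returned by diagnose(). The first stage that fails tells you where to look.
TCP_TIMEOUT = "tcp_timeout"   # SYN unanswered: routing, upstream firewall, or permitted-IP list
TCP_REFUSED = "tcp_refused"   # RST received: host reachable but nothing listening on the port
DNS_FAILURE = "dns"           # hostname did not resolve
TLS_CERT = "tls_certificate"  # handshake reached, certificate rejected by our trust store
TLS_OTHER = "tls_handshake"   # handshake reached, some other TLS failure
OK = "ok"


def classify(exc):
    """Map an exception raised while connecting to the stage it belongs to."""
    if isinstance(exc, socket.timeout):
        return TCP_TIMEOUT
    if isinstance(exc, ConnectionRefusedError):
        return TCP_REFUSED
    if isinstance(exc, socket.gaierror):
        return DNS_FAILURE
    if isinstance(exc, ssl.SSLCertVerificationError):  # check before the SSLError base class
        return TLS_CERT
    if isinstance(exc, ssl.SSLError):
        return TLS_OTHER
    raise exc


def diagnose(host, port=443, timeout=3.0, verify=True):
    """Connect in two explicit stages (TCP, then TLS) and report the first stage that fails."""
    ctx = ssl.create_default_context()
    if not verify:  # equivalent of curl -k: skip certificate checks to isolate cert problems
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # timeout, refused and DNS errors are all OSError subclasses
        return classify(exc)
    try:
        # wrap_socket() on an already-connected socket performs the handshake immediately
        with ctx.wrap_socket(raw, server_hostname=host):
            return OK
    except ssl.SSLError as exc:
        return classify(exc)
    finally:
        raw.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "iaas0102"
    print(target, "->", diagnose(target, verify=False))
```

Run it once with verify=False and once with verify=True: if the first stage already reports tcp_timeout, no certificate setting on either side will change the outcome.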
03-25-2020 05:05 PM
First things first: if that is a legit password, you need to change your password immediately.
For even curl to be failing means this isn't specifically an Ansible issue... Something deeper is going on.
Not sure how big a long shot this is: if you're running the script from OSX catalina, then Apple has decided to change what they consider a valid SSL certificate at the OS level:
https://support.apple.com/en-us/HT210176
This means that the self-signed certs that PAN-OS uses (for example, when you launch a new instance in AWS / Azure / GCP) are invalid and you won't be able to connect. Since the above is applicable to certs created after July 1, 2019, any instances you launched before should still work with Catalina.