Ansible PAN OS Collection - Can not connect to PA firewall.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ansible PAN OS Collection - Can not connect to PA firewall.

L1 Bithead

Hello,

 

I have three virtual machines, each hosting a PA Firewall. One VM - test one, has no SSL installed, the other two have a self-signed SSL certs installed. I can access the firewall web GUI on all three VMs using a web browser. When I run the following playbook, Ansible can not connect to hosts with SSL certs in place:

 

Spoiler
---
- name: 'Palo Alto PAN OS: Create a new tag object.'
hosts: all
connection: local
gather_facts: true
collections:
- paloaltonetworks.panos
 
tasks:
- name: Create a tag object.
when: operation == "create"
panos_tag_object:
provider: '{{ provider }}'
name: '{{ tag_name }}'
color: '{{ tag_color }}'
comments: '{{ tag_comment }}'
 
- name: Remove a tag object.
when: operation == "remove"
panos_tag_object:
provider: '{{ provider }}'
name: '{{ tag_name }}'
color: '{{ tag_color }}'
state: absent

I get the following error:

Spoiler
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
File "/tmp/ansible_panos_tag_object_payload_sPdkhl/ansible_panos_tag_object_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/module_utils/panos.py", line 146, in get_pandevice_parent
self.device = PanDevice.create_from_device(*pan_device_auth)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3358, in create_from_device
system_info = device.refresh_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3766, in refresh_system_info
system_info = self.show_system_info()
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3723, in show_system_info
root = self.xapi.op(cmd="show system info", cmd_xml=True)
File "/home/kubicm01/.local/lib/python2.7/site-packages/pandevice/base.py", line 3484, in method
raise the_exception
fatal: [iaas0102]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"color": "red",
"comments": "comment",
"commit": true,
"device_group": "shared",
"ip_address": null,
"name": "new_sample_tag",
"password": null,
"port": 443,
"provider": {
"api_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ip_address": "iaas0102",
"password": null,
"port": 443,
"serial_number": null,
"username": "admin"
},
"state": "present",
"username": "admin",
"vsys": "vsys1"
}
},
"msg": "Failed connection: URLError: reason: [Errno 110] Connection timed out"
}

Please note, I use API keys.

 

If I try to run:

curl -k -X GET 'https://iaas0102/api/?type=keygen&user=admin&password=8372hl'

I get:

curl: (7) Failed connect to iaas0102:443; Connection timed out

If I run the same command against the vm without SSL, I get the API Key. I run out of ideas how to approach this. Would appreciate any help.

 

Regards,

Michael

1 accepted solution

Accepted Solutions

I have literally no prior experience with Palo Alto firewalls so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses which is located under Device --> Interfaces --> Management so every host can manage the firewall. The other two had some IP specified and my one was not there. This is why I couldn't connect to API.

View solution in original post

2 REPLIES 2

L5 Sessionator

First things first:  if that is a legit password, you need to change your password immediately.

 

For even curl to be failing means this isn't specifically an Ansible issue...  Something deeper is going on.

 

Not sure how big a long shot this is:  if you're running the script from OSX catalina, then Apple has decided to change what they consider a valid SSL certificate at the OS level:

 

https://support.apple.com/en-us/HT210176

 

This means that the self-signed certs that PAN-OS uses (for example, when you launch a new instance in AWS / Azure / GCP) are invalid and you won't be able to connect.  Since the above is applicable to certs created after July 1, 2019, any instances you launched before should still work with Catalina.

I have literally no prior experience with Palo Alto firewalls so it took me a while to figure it out. The problem was not related to SSL or Ansible. The test firewall has an empty list of permitted IP addresses which is located under Device --> Interfaces --> Management so every host can manage the firewall. The other two had some IP specified and my one was not there. This is why I couldn't connect to API.

  • 1 accepted solution
  • 4404 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!