fail to execute ansible command for PANFW


L0 Member

Seeking a solution to fix the problem. Thanks.

1)host vars:

ansible_user: user
ansible_password: xxxxxxxxxxxxx
ansible_connection: network_cli
ansible_network_os: panos

2)command:

ansible --vault-id /xxx/xxx/vault_key -i ./hosts xxxx -m ping

3)error output:

xxxxx | FAILED! => {
"msg": "network os panos is not supported"
}

Accepted Solutions

L3 Networker

The Ansible modules for PAN-OS do not currently support the network_cli connection method. Today these modules leverage the pandevice libraries to make API calls from the Ansible host. You'll need to change your connection type to localhost.

Example:

---
- name: Panorama configuration demo
  hosts: localhost
  connection: local
  gather_facts: False

  tasks:
  - name: include variables
    include_vars: vars.yml
    no_log: 'yes'

  - name: create a database server
    panos_object:
      ip_address: '{{ ip_address }}'
      api_key: '{{ api_key }}'
      addressobject: 'prod-db1'
      address: '10.0.50.10'
      description: "Database server 1"

Hope this helps!


6 REPLIES

When you say currently/today, does that mean that there are any plans in the future to use network_cli instead of pandevice for Ansible?

I'll defer to @gfreeman on that question.  🙂 

Cool

It's always good to have as few dependencies as possible 🙂

Thanks a lot.

It works when I change the connection from 'network_cli' to 'local'.

Further questions in vars:

1) How to use the 'api_key', and where should I determine the value of 'api_key'?

2) include vars: vars.yml.

  Is the location of vars.yml the same as playbook.yml?

The API key is basically a hash of your username and password. You can generate it on the firewall using a cURL command such as:

curl -X POST 'https://192.168.55.5/api?type=keygen&user=admin&password=paloalto'

You'll still want to safeguard the API key from exposure - just like a username and password.  Using an API key just makes it one less field to worry about in your Ansible task definitions.  You may want to place the key in a credentials.yml file and then encrypt it with Ansible Vault.
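
The steps in the reply above, as an added example that is not part of the original thread or Palo Alto Networks code: it requests the key with the credentials in the POST body instead of the URL, validates the reply, and writes a credentials.yml for Ansible Vault to encrypt. The keygen reply shape, the function names and the output file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Usage: ./script <firewall-host> <user>

# Read a keygen reply on stdin and print the key. Assumed reply shape:
#   <response status = 'success'><result><key>KEY</key></result></response>
# Returns 1 when the status is not "success" or no key is present.
extract_api_key() {
  local xml key
  xml=$(tr -d '\r\n')
  printf '%s' "$xml" | grep -Eq "<response[^>]*status *= *['\"]success['\"]" || return 1
  key=$(printf '%s' "$xml" | sed -n 's:.*<key>\([^<]*\)</key>.*:\1:p')
  [ -n "$key" ] || return 1
  printf '%s\n' "$key"
}

# Write the key as an Ansible vars file that only the owner can read.
write_credentials() {   # $1 = key, $2 = output path
  ( umask 077; printf 'api_key: "%s"\n' "$1" > "$2" )
  chmod 600 "$2"
}

# Request a key with user and password in the POST body, so they do not
# appear in the URL; the password is prompted for, so it stays out of
# shell history.
fetch_keygen() {        # $1 = firewall host, $2 = user
  local pass
  read -rsp "Password for $2: " pass; echo >&2
  curl -sS -X POST "https://$1/api?type=keygen" \
       --data-urlencode "user=$2" --data-urlencode "password=$pass"
}

# Runs only when a host and user are given: fetch, store, then encrypt.
if [ "$#" -eq 2 ]; then
  key=$(fetch_keygen "$1" "$2" | extract_api_key) || { echo "keygen failed" >&2; exit 1; }
  write_credentials "$key" credentials.yml
  ansible-vault encrypt credentials.yml
fi
```

The playbook can then load the encrypted file with include_vars in place of vars.yml and be run with the matching --vault-id.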
