Use Ansible to backup config

IarnoPagliani · ‎10-13-2019

Ciao,

is there a simple way to backup config using Ansible ?

Thanks

gfreeman · ‎10-14-2019

Not yet, this is still a pending feature request for the Ansible role:

https://github.com/PaloAltoNetworks/ansible-pan/issues/90

I'd recommend commenting or thumbs-up'ing the original issue opener, so that Palo Alto Networks has a way to see how many users want a particular issue / feature request.

sylvaing · ‎04-24-2020

Hi @IarnoPagliani

A bit late on the topic but I created a playbook sometime ago to perform backups of PAN FWs

https://github.com/wpacket/pan-ansible/blob/master/pan_config_pull.yml

Had to reuse it today and I can confirm it still works ( Python3 + Ansible 2.9.7 )

I also put a playbook to push local configs to devices from the same inventory but I guess you already have that

https://github.com/wpacket/pan-ansible/blob/master/pan_config_push.yml

Regards

hbalzac · ‎05-02-2020

Is there any reason to use this insted of the built in backup function with scp?

jmolefe · ‎05-12-2020

Hi @sylvaing

I'm also using Ansible 2.9.7

However the play fails at the "Extract API Key from XML Output" task with error "fatal: [x.x.x.x]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'content'\n\n"

No changes done on the playbook besides referencing my host group

Thank you

John.

jmolefe · ‎05-12-2020

Upgrading to python 3 doesn't help as well

sylvaing · ‎05-14-2020

Hi @hbalzac

If you only manage PAN firewalls , no.

However if you are dealing with a multivendor setup , using ansible as a central point of automation ( backup , config , ops ) can simplify your life.

sylvaing · ‎05-14-2020

Hi @jmolefe

Interresting , this might be related to the format of the API KEY response from the firewall. I ve been dealing with 8.1 and 9.0 atm when creating this playbook mostly. What version are you running on your firewall ?

Sylvain

jmolefe · ‎05-14-2020

Hi @sylvaing

Firewalls run 8.1 and Panorama is on 9.0 and both fail. Please see format of API response below

<key>

KEY_HERE

</key>

</result>

</response>

Br

John.

sylvaing · ‎05-14-2020

Hi @jmolefe

Can you -vvv you ansible-playbook command and show me the output of the Generate API Key task ?

I bet it is not formated as mine and that must be the reason why the API key cannot be extracted. Or maybe one ansible module is missing.

Let s figure that out,

jmolefe · ‎05-14-2020

Hi @sylvaing

Please see output below:

}
skipping: [x.x.x.x] => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"invocation": {
"module_args": {
"method": "GET",
"return_content": true,
"url": "https://x.x.x.x/api/?type=keygen&user=<username>&password=<password>",
"validate_certs": false
}
},
"msg": "remote module (uri) does not support check mode"
}

PS. Items in Bold have been substituted

At the moment I can pull the configs with a script that performs API calls though.

Regards

John.

sylvaing · ‎05-15-2020

Hi @jmolefe

I think you run the playbook with the --check knob which is not compatible with the uri module.

I don t like it but I have change the playbook to force each task to run in un-check mode.

Give it a try with the new version and you should be good,

jmolefe · ‎05-15-2020

Hi @sylvaing

Yes removing the --check mode and installing the lxml python module did the trick.

Thank you

John.

sylvaing · ‎05-15-2020

Hi @jmolefe

Correct lxml is mandatory , I should create a README with the requirement ,

Will do that in the next update,

jmolefe · ‎05-15-2020

Hi @sylvaing

Yes that should help.

I see however that whenever I connect to the devices using the playbook there is no logout task and the connection remains active until a connection-timeout kicks the sessions out. Weird..

* Check logged in users after the play completes.

John.

Use Ansible to backup config

Use Ansible to backup config

Show your appreciation!