03-27-2026 10:26 AM
I can do this by calling the API manually, but I can't seem to use the operation command module.
    curl --location --globoff 'https://<Panorama-IP>/api/?type=op&cmd=<show><system><info></info></system></show>&target=0123456789&key=<your-api-key>'

Skirting the issue in Ansible:

    - name: Run an op command on a firewall from Panorama
      ansible.builtin.uri:
        url: "https://{{ ip_address }}/api/?type=op&target={{ active_fw_serial }}&cmd={{ policy_match_xml | urlencode }}&key={{ panorama_api_key }}"
Maybe I am missing something, but a quick look at the Python doesn't look like I can use the module for this. To have to manage another set of access, credentials, etc., to reach the firewalls directly for operational commands feels a bit off.
03-29-2026 08:09 PM
Hello @Eric_B
First of all, as a disclaimer, I'm not an expert in Ansible.
I just looked at the docs for the available Ansible modules.
- panos_op
https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_op/
- panos_type_cmd
https://galaxy.ansible.com/ui/repo/published/paloaltonetworks/panos/content/module/panos_type_cmd/
For both modules, I see there is the "serial_number" which can be used for the target.
Have you explored that?
Olivier
NGFW Engineer - NetSec Analyst - NetSec Architect - CISSP
Best Effort contributor
Check out our PANCast Channel
Disclaimer : All messages are my personal ones and do not represent my company's view in any way.
05-05-2026 05:23 PM
Just came across this thread. We struggled with this quite a bit. We did end up pushing out an admin account for access to all firewalls managed by Panorama with limited access (think limited GUI, XML, REST, etc.). Then we would run Ansible OP against Panorama to collect the connected devices, then subsequently issue commands to the firewalls we needed to. One of our requirements was to not use the native Ansible URI module because we wanted to obfuscate the API key and keep it so it wasn't cleartext in bash history or something similar. It's a bit of a mix between PANOS modules and Ansible stuff, but it works great. Plus, if you collect the devices from Panorama first, you can filter on serial numbers, platform type, etc. So it comes in handy if you want to target only firewalls on certain versions, certain types of platforms (PA-14XX) or something like that. Hope this helps!
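The workflow discussed in this thread (collect connected devices from Panorama, filter them, then relay an op command with `target=<serial>` while keeping the API key out of the URL), sketched as an added Python example that is not code from any poster or from the PAN-OS Ansible collection. It assumes the `X-PAN-KEY` request header that the PAN-OS XML API accepts in place of the `key=` parameter; the hostname, the `PANORAMA_API_KEY` variable name, the function names and the sample reply (modelled on `show devices connected` output) are constructed for illustration.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama "show devices connected" reply (not real data).
SAMPLE_CONNECTED = """<response status="success"><result><devices>
<entry name="0123456789"><serial>0123456789</serial><connected>yes</connected>
<hostname>fw-a</hostname><model>PA-1410</model><sw-version>11.1.2</sw-version></entry>
<entry name="0987654321"><serial>0987654321</serial><connected>yes</connected>
<hostname>fw-b</hostname><model>PA-440</model><sw-version>10.2.7</sw-version></entry>
</devices></result></response>"""

def build_op_request(panorama, cmd_xml, api_key, target_serial=None):
    """Build an op request; the key travels in a header, never in the URL."""
    params = {"type": "op", "cmd": cmd_xml}
    if target_serial:
        params["target"] = target_serial  # Panorama relays to this firewall
    url = f"https://{panorama}/api/?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"X-PAN-KEY": api_key})

def select_targets(connected_xml, model_prefix="", sw_prefix=""):
    """Return serials of connected devices matching model / version prefixes."""
    root = ET.fromstring(connected_xml)
    if root.get("status") != "success":
        raise RuntimeError("Panorama returned an error response")
    serials = []
    for entry in root.iterfind("./result/devices/entry"):
        if entry.findtext("connected") != "yes":
            continue  # skip devices Panorama cannot currently reach
        if (entry.findtext("model", "").startswith(model_prefix)
                and entry.findtext("sw-version", "").startswith(sw_prefix)):
            serials.append(entry.findtext("serial"))
    return serials

if __name__ == "__main__":
    # Key comes from the environment (assumed variable name), not the command line.
    key = os.environ.get("PANORAMA_API_KEY", "constructed-placeholder-key")
    for serial in select_targets(SAMPLE_CONNECTED, model_prefix="PA-14"):
        req = build_op_request("panorama.example.com",
                               "<show><system><info></info></system></show>",
                               key, serial)
        print(serial, req.full_url)  # no key in the URL; send with urlopen(req)
```

Because the key is read from the environment and sent as a header, it does not appear in shell history, process listings or URL-based access logs.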

