About JZhou4

With AWS ingress routing, the HA pair of ngfw-vm can be leverage to inspect all ingress and egress traffic without ELB to mess up ports/IPs, just like the old days of private datacenter.  See https://aws.amazon.com/blogs/aws/new-vpc-ingress-routing-simplifying-integration-of-third-party-appliances/   However the terraform pan-os provider does not support HA pair config. Basically I have to find out which FW is active in the HA pair, otherwise the commit will fail.   Anyone has better idea how to use terraform to deal with active-passive HA pair? This option is really more attractive compared with any other solution with ELB!!   Suggestion and ideas please. Anyone is making decision for pan-os terraform provider, it would be great to add HA support for terraform!   ... View more

Describe the bug Trying to configure active-passive HA for NGFW-VM on AWS, but got error "ha1-backup unexpected here" Expected behavior The VM series NGFW on AWS is special tailored, according to the admin guide  ' https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/high-availability-for-vm-series-firewall-on-aws/configure-activepassive-ha-on-aws.html' The HA1 port has to be the "management" interface, for the aws routing table requirement, we have to do interface moving HA, can NOT do secondary IP based. Current behavior When configure HA with HA1 without backup, it got error "ha1-backup unexpected here" Possible solution Since ha1-backup is not configured, the SDK should not try to configure ha1-backup by itself. Steps to reproduce The test code: from panos.firewall import Firewall from panos.ha import HA1, HA2, HighAvailability def main(): fw = Firewall('X.X.X.X', 'admin', '########') ha_config = HighAvailability(group_id=1, peer_ip="10.2.240.252", mode="active-passive", state_sync=True) ha1_int = HA1("10.2.240.236", "255.255.255.0", "management") ha2_int = HA2("10.2.224.78", "255.255.255.0", "ethernet1/1") fw.add(ha_config).create() fw.add(ha1_int).create() fw.add(ha2_int).create() fw.commit(sync=True, exception=True) if   name   == "main": main() Screenshots (.venv) 16:00 % python test.py Traceback (most recent call last): File "/Users/jozhou/src/python/ansible/.venv/lib/python3.9/site-packages/panos/base.py", line 3661, in method super_method(self, *args, **kwargs) File "/Users/jozhou/src/python/ansible/.venv/lib/python3.9/site-packages/pan/xapi.py", line 741, in set self.__type_config('set', query, extra_qs) File "/Users/jozhou/src/python/ansible/.venv/lib/python3.9/site-packages/pan/xapi.py", line 805, in __type_config raise PanXapiError(self.status_detail) pan.xapi.PanXapiError: deviceconfig -> high-availability -> interface -> ha1-backup unexpected here deviceconfig -> high-availability -> interface is invalid During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/Users/jozhou/src/python/ansible/panos/test.py", line 17, in main() File "/Users/jozhou/src/python/ansible/panos/test.py", line 10, in main fw.add(ha_config).create() File "/Users/jozhou/src/python/ansible/.venv/lib/python3.9/site-packages/panos/base.py", line 645, in create device.xapi.set(self.xpath_short(), element, retry_on_peer=self.HA_SYNC) File "/Users/jozhou/src/python/ansible/.venv/lib/python3.9/site-packages/panos/base.py", line 3682, in method raise the_exception panos.errors.PanDeviceXapiError: deviceconfig -> high-availability -> interface -> ha1-backup unexpected here deviceconfig -> high-availability -> interface is invalid (.venv) 16:07 % Context NGFW-VM HA pair on AWS same AZ with interface moving of active-passive HA. Your Environment NGFW-VM on AWS Version used: 10.0.6 ... View more

Trying to use ansible setup HA pair in the AWS same availability zone.  But got error: "IndexError: list index out of range", any suggestions please? The github issue report on HA looks no one response for a long time... Big Thanks.   The NGFW-VM documentation over GUI, it demands to use management port for the HA1.   The Playbook: ############## --- - hosts: localhost connection: local gather_facts: no collections: - paloaltonetworks.panos   tasks: - name: Include variables include_vars: provider.yml no_log: yes - name: Set primary HA port panos_interface: provider: '{{ primary }}' state: present if_name: '{{ item }}' mode: "ha" enable_dhcp: false with_items: - ethernet1/1 - name: Config primary control links panos_ha: provider: '{{ primary }}' state: present ha_peer_ip: "10.2.240.252" ha1_ip_address: "10.2.240.236" ha1_netmask: "255.255.255.0" ha1_port: "ethernet0/0" ha2_port: "ethernet1/1" ############################# The ansible error below: ############################# (.venv) 14:26 % ansible-playbook -i 127.0.0.1, -e "ansible_python_interpreter=$(which python)" vm-ha.yml  PLAY [localhost] *************************************************************************************************************************************************************************************************************************** TASK [Include variables] ******************************************************************************************************************************************************************************************************************* ok: [127.0.0.1] TASK [Set primary HA port] ***************************************************************************************************************************************************************************************************************** ok: [127.0.0.1] => (item=ethernet1/1) TASK [Config primary control links] ******************************************************************************************************************************************************************************************************** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: IndexError: list index out of range fatal: [127.0.0.1]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/Users/jozhou/.ansible/tmp/ansible-tmp-1623619631.2409449-82377-159027178184794/AnsiballZ_panos_ha.py\", line 100, in <module>\n _ansiballz_main()\n File \"/Users/jozhou/.ansible/tmp/ansible-tmp-1623619631.2409449-82377-159027178184794/AnsiballZ_panos_ha.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/Users/jozhou/.ansible/tmp/ansible-tmp-1623619631.2409449-82377-159027178184794/AnsiballZ_panos_ha.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.paloaltonetworks.panos.plugins.modules.panos_ha', init_globals=dict(_module_fqn='ansible_collections.paloaltonetworks.panos.plugins.modules.panos_ha', _modlib_path=modlib_path),\n File \"/usr/local/Cellar/python@3.9/3.9.5/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 210, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/local/Cellar/python@3.9/3.9.5/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/usr/local/Cellar/python@3.9/3.9.5/Frameworks/Python.framework/Versions/3.9/lib/python3.9/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/var/folders/qy/dvxp9_ps17z3k5_nmy95vt6mzsqgps/T/ansible_panos_ha_payload_zsopcaxw/ansible_panos_ha_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_ha.py\", line 452, in <module>\n File \"/var/folders/qy/dvxp9_ps17z3k5_nmy95vt6mzsqgps/T/ansible_panos_ha_payload_zsopcaxw/ansible_panos_ha_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_ha.py\", line 439, in main\nIndexError: list index out of range\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1} PLAY RECAP ********************************************************************************************************************************************************************************************************************************* 127.0.0.1 : ok=2 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0   ... View more