Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About gfreeman
About gfreeman
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
05-28-2020
136Posts
42Likes
33Solutions
May 28, 2020Last Visited
User
Activity
User
Profile
Latest posts by gfreeman
| Subject | Views | Posted |
|---|---|---|
| 890 | 05-22-2020 09:43 PM | |
| 582 | 05-22-2020 09:30 PM | |
| 601 | 05-22-2020 08:22 PM | |
| 638 | 05-05-2020 09:43 AM | |
| 911 | 05-04-2020 07:03 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 05-01-2020 09:06 AM | |
| 1 | 05-01-2020 08:56 AM | |
| 1 | 05-22-2020 08:22 PM | |
| 1 | 05-01-2020 08:49 AM | |
| 1 | 02-19-2020 09:58 AM |
User Badges
Public Statistics
| Date Registered | 08-29-2016 10:26 AM |
| Date Last Visited | 05-28-2020 02:06 PM |
| Total Messages Posted | 138 |
| Total Likes Received | 42 |
05-22-2020
09:43 PM
You're close.
After you create the panorama object and add the device group to the panorama, you want to do refreshall(), giving the device group as the base. So like this:
from pandevice.panorama import Panorama, DeviceGroup
from pandevice.objects import AddressObject
pano = Panorama(....)
dg = DeviceGroup(devicegroup)
pano.add(dg)
# Now get all the address objects present.
listing = AddressObject.refreshall(dg)
for obj in listing:
print("* {0}".format(obj.about()))
... View more
05-22-2020
09:30 PM
I suspect your connection is not set to "local" at the top of your playbook...? Because panos_op doesn't connect using ssh.
... View more
05-22-2020
08:22 PM
1 Kudo
pandevice actually has an example script that deals with security rules:
https://github.com/PaloAltoNetworks/pandevice/blob/develop/examples/ensure_security_rule.py
... View more
05-05-2020
09:43 AM
Update the pandevice python library. PAN-OS 9.1 has changed the locations for the primary and secondary panorama server IP addresses, and the more recent version of pandevice has the new xpath locations.
... View more
05-04-2020
07:03 PM
The Ansible role (here) has entered maintenance mode as Ansible is pushing non-core modules into the new collections framework. As such, the Palo Alto Networks Ansible collection does not have this same behavior.
... View more
05-04-2020
06:59 PM
I think what you are looking for is this article, the GUI part, then look at the API calls PAN-OS is doing and you can do the same to get the same information.
... View more
05-04-2020
06:54 PM
Looking around, I found this article which seems to suggest the command was just changed a bit. Looks like on firewalls (I just checked 8.1), it's "save device-state", but the article has more details if you're pulling it from Panorama.
... View more
05-04-2020
04:03 PM
First and foremost, you seem to have posted your API key on the internet, which is basically posting your password. Please change the password associated with that account as it is no longer secure.
As for the error, you are not specifying a specific vsys in the xpath, so that might be the error..? It could also be that if the address group "apadr" is currently a dynamic address group, since you're using a set I know PAN-OS will error out, just don't remember off the top of my head if it's this specific error or something else.
In general, it is highly recommended that you use one of the API libraries Palo Alto Networks has made available for free to make it easier to work with the API, such as pan-python (python), pandevice (python), or pango (golang).
... View more
05-04-2020
03:55 PM
If you are suspicious of the pandevice currently hosted on pypi, you can always just download pandevice straight from github. When a tag is referred at and a release is created, that snapshot creates a tarball that you can see in the Releases tab in github. Both the current and any previous release.
Alternatively you can pip download the package, clone the repo, then diff both directories.
I think I remember something about github and checksums at the last github universe late last year, tho, so it's possible they're going to be doing something about this as well..?
... View more
05-01-2020
09:22 AM
If something already exists but it does not yet exist in the local state, then you want to import that resource, assuming the resource can be imported.
... View more
05-01-2020
09:19 AM
...Oh, wow. Ok, so I also just tried it and this doesn't work.
So I used the CLI debugging method to find out what the CLI is sending to PAN-OS and saw that the CLI command "show arp all" is actually this XML: <show><arp><entry name="all"/></arp></show>. So just use that as your command and be sure to specify "cmd_is_xml" as True and it will work.
... View more
05-01-2020
09:12 AM
All but like two Ansible modules interact with the PAN-OS XML API (https port 443 by default), not the CLI. So the client host running Ansible will need 443 access to the PAN-OS management interface to work.
... View more
05-01-2020
09:06 AM
1 Kudo
Uhm, there are currently no Ansible modules for the userID user group functionality. Please open a github issue against the collection so it can be tracked and addressed.
... View more
05-01-2020
09:01 AM
If you're sending <request><license><fetch/></license></request> it seems impossible that it's executing <request><license><info/></license></request> . However, when you do fetch licenses, the XML returned is what you'd get back from running request license info...?
... View more
05-01-2020
08:56 AM
1 Kudo
If I use "panos_security_rule" to add a rule and I set "commit" to False it does not commit. Also the "admins" param requires that your PAN-OS supports that feature (I think it went in around 8.0 timeframe), so you need to be running that or later for that to work.
I guess just make sure you're running a new enough version of PAN-OS and that you're using the Palo Alto Networks Ansible collection (or the role if you're not running Ansible 2.9 or later).
... View more
05-01-2020
08:49 AM
1 Kudo
Ansible will work for this workflow. Generally speaking, you'll need to use the panos_object_facts module to get the list of Address Objects first, then register the output so you can make decisions on it. That will allow you to conditionally execute panos_address_object to create the address object when it's not already present. As for the security rule, create or update is already how "state: present" works, so you don't have anything special to do there.
All the Palo Alto Networks modules and fact modules you'll need to implement this is there, you just need to learn Ansible so you can make it do what you want.
... View more
05-01-2020
08:43 AM
panos_static_route exists both in the Palo Alto Networks role and the collection. The only place it doesn't exist is (most likely) in upstream ansible/Ansible. So I suspect that you're not using either the role or the collection. Make sure you've installed the collection (or the role if you're Ansible 2.8 or lower) and are properly invoking it in your playbooks.
... View more
05-01-2020
08:40 AM
On firewall it defaults to "vsys1", on Panorama the device group defaults to "shared". For firewall, you just tell it what you want:
vsys: 'shared'
... View more
03-29-2020
11:10 PM
Oops: './response/entry' should be './result/entry' and it should work.
I can't see what the code looks like above the print statement, but make sure you've removed xml=True from the fw.op() . You want xml=False (the default) because you want fw.op() to return an ElementTree, not a string or bytes or whatever.
... View more
03-27-2020
07:04 AM
Glad you got it working! fw.op() will return an xml.etree.ElementTree by default, so turning it into a string and then having to re-parse it is a (small) waste. You're using a PanDevice object instead of the Firewall object, so I'd recommend changing that for clarity's sake. Then lastly you know what the result looks like, so you can use xml.etree.ElementTree.findall() to get there directly:
from pandevice.firewall import Firewall
import xml.etree.ElementTree as ET
fw = Firewall('10.10.10.10', api_key='abcdefgh')
result = fw.op(cmd='show global-protect-gateway current-user')
# If you wanted to see the xml response as a string:
# print(ET.tostring(result, encoding='utf-8')
for elm in result.findall('./response/entry'):
print(elm.attrib['name'] + ':')
for e in elm:
print(e.tag + ': ' + e.text)
... View more
03-25-2020
05:21 PM
From what I can see, your xpath is good. This location is a member , so if you're just wanting to add stuff to this location, then do a set with this as the element:
<exclude-access-route>
<member>thing1</member>
<member>thing2</member>
</exclude-access-route>
For set operations, you need to stop a xpath part above, so end the xpath location at "split-tunneling".
... View more
03-25-2020
05:05 PM
First things first: if that is a legit password, you need to change your password immediately.
For even curl to be failing means this isn't specifically an Ansible issue... Something deeper is going on.
Not sure how big a long shot this is: if you're running the script from OSX catalina, then Apple has decided to change what they consider a valid SSL certificate at the OS level:
https://support.apple.com/en-us/HT210176
This means that the self-signed certs that PAN-OS uses (for example, when you launch a new instance in AWS / Azure / GCP) are invalid and you won't be able to connect. Since the above is applicable to certs created after July 1, 2019, any instances you launched before should still work with Catalina.
... View more
03-25-2020
04:50 PM
You need to make a list of provider dicts, then loop over that:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#standard-loops
... View more
03-25-2020
04:40 PM
The reason it's failing is because the GUI API browser is already at the following XML location (per your first screenshot): show > rule-hit-count > vsys > vsys-name
The API browser kinda fails when you need to give multiple params at a specific depth... I don't know if it'd work, but you could try going back to the vsys location, then pasting the entire vsys-name block from opening to close and see if that works..?
... View more
03-25-2020
04:27 PM
So you can assign a custom role to a user, and that will limit what they have access to.. But if you're always getting the same API key back, then there is either a problem with your script (maybe using a static variable or something instead of what you specify) or a huge problem with your firewall / PAN-OS. If you're sure this isn't a script issue, then I would recommend reaching out to Palo Alto Networks tech support.
... View more
03-25-2020
04:22 PM
If I understand your question properly, you're wanting to take a downloaded firewall or Panorama XML config and turn it into an Ansible task that you could invoke in a playbook?
This would be awesome, but doesn't currently exist. It is something we've discussed having to help drive adoption of Ansible and Terraform.
... View more
03-25-2020
04:12 PM
Yes! You can use facts and jinja2 templating functions to accomplish this. I've authored a blog post that explains everything step by step:
https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/ba-p/275173
... View more
03-05-2020
09:42 AM
You can use standard Ansible looping to do this. You have both Ansible filters and Jinja2 templating functions available to use in playbooks. This blog post shows a little bit of looping and walks through using facts modules to do updates to existing config:
https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/ba-p/275173
... View more
03-04-2020
09:40 AM
If you created a file "provider.yml" that has the auth credentials in it, then you just tell Ansible to load that file at the beginning of your "tasks":
tasks:
- name: Grab auth creds
include_vars: 'provider.yml'
no_log: 'yes'
... View more
03-03-2020
09:46 AM
Test security policy is a firewall command.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-28-2020
02:06 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
