About gfreeman

From what I can see, your xpath is good.  This location is a member , so if you're just wanting to add stuff to this location, then do a set with this as the element:     <exclude-access-route> <member>thing1</member> <member>thing2</member> </exclude-access-route>     For set operations, you need to stop a xpath part above, so end the xpath location at "split-tunneling".  ... View more

The reason it's failing is because the GUI API browser is already at the following XML location (per your first screenshot):  show > rule-hit-count > vsys > vsys-name   The API browser kinda fails when you need to give multiple params at a specific depth...  I don't know if it'd work, but you could try going back to the vsys location, then pasting the entire vsys-name block from opening to close and see if that works..? ... View more

So you can assign a custom role to a user, and that will limit what they have access to..  But if you're always getting the same API key back, then there is either a problem with your script (maybe using a static variable or something instead of what you specify) or a huge problem with your firewall / PAN-OS.  If you're sure this isn't a script issue, then I would recommend reaching out to Palo Alto Networks tech support. ... View more

If I understand your question properly, you're wanting to take a downloaded firewall or Panorama XML config and turn it into an Ansible task that you could invoke in a playbook?   This would be awesome, but doesn't currently exist.  It is something we've discussed having to help drive adoption of Ansible and Terraform. ... View more

You can use standard Ansible looping to do this.  You have both Ansible filters and Jinja2 templating functions available to use in playbooks.  This blog post shows a little bit of looping and walks through using facts modules to do updates to existing config:   https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/ba-p/275173 ... View more

If you created a file "provider.yml" that has the auth credentials in it, then you just tell Ansible to load that file at the beginning of your "tasks": tasks: - name: Grab auth creds include_vars: 'provider.yml' no_log: 'yes' ... View more

Test security policy is a firewall command. ... View more

provider is a param that you're passing in to panos_security_rule , while the '{{ provider }}' part says, "use the variable "provider" that is somehow being brought into this playbook.   You can specify credentials a few different ways: Load it from a file; this is fine if you're just playing around.  Just create another YAML file in the same directory as your playbook and do this, except with real values: provider: ip_address: '10.1.1.1' username: 'admin' password: 'secret'​ Get the credentials from Ansible Vault; this is the preferred way if you're using Ansible in production   Just as a side note, the Palo Alto Networks Ansible role is now deprecated in favor of the collection, which is on Ansible Galaxy as paloaltonetworks.panos.  The repo for the new collection is here, and also keep in mind that collections require that you are using Ansible 2.9+. ... View more

Maybe, depending on what all you need to configure?   The panos provider has over 100 resources (Panorama and Firewall combined), so there's a lot you can do with it.  I'd check out the documentation and see if what you need to configure has resources for it or not:   https://www.terraform.io/docs/providers/panos/index.html   If something is missing, thumbs up / comment on a pre-existing issue, or open a new one if one doesn't already exist:   https://github.com/terraform-providers/terraform-provider-panos ... View more

I don't think that ping works on PAN-OS appliances because you don't connect to them using ssh, but the API.  I think a better test to verify connectivity is to run a playbook that uses panos_op , and you can use the example from the documentation:   https://ansible-pan.readthedocs.io/en/latest/modules/panos_op_module.html ... View more

You have a few options for how to pass it in.   1. Have pandevice create the XML command:   fw.op('test routing fib-lookup virtual-router "default" ip "10.1.1.1"')   2. Pass in the XML command yourself:   fw.op('<test><routing><fib-lookup><virtual-router>default</virtual-router><ip>10.1.1.1</ip></fib-lookup></routing></test>', cmd_xml=False)   ... View more

If I ask the GUI to show a config diff, I see that it sends an op command that is queued, then when the job finishes, the XML response has a filepath param.  This is making me think that you could script the retrieval of the config diff as HTML, but otherwise the config diff might not accessible via API.. ... View more

In all the examples for the Palo Alto Networks role, the vars.yml file is located in the same directory as the playbook, which is the same directory that you're executing ansible-playbook in.   Seems like you're not using the Palo Alto Networks Ansible Galaxy role in this playbook, so I guess vars.yml just contains the variables that you're referencing in this playbook. ... View more

So if you get the info from the CLI, then just mimic what command the CLI uses with pandevice and then you can invoke the function.   You can see what op command the CLI is executing by doing cli debug enable before executing the command, then styling your pandevice fw.op() similarly. ... View more

If you're using pandevice, there's a function for this specifically:   https://pandevice.readthedocs.io/en/latest/module-base.html#pandevice.base.PanDevice.test_security_policy_match ... View more

You're close, you just need to put double quotes around the word "all":   details = fw.op('show interface "all"') ... View more

This forum has eaten your formatting so it's hard to tell what the real issue is here.  It could be that the YAML is not properly formatted in your playbook; it could be that the variable retrieval is broken somehow (say, the "panorama-secrets.yml" file is improperly formatted or not there); I also notice that you are trying to refer to a param named ip_address in the provider param, but the provider param is expecting a YAML dictionary not a string.   ... View more

This isn't supported yet.  Feel free to open feature requests against the repo itself in the future, but if you could just thumbs up the issue or comment so the issue has better visibility:   https://github.com/PaloAltoNetworks/ansible-pan/issues/456 ... View more