About rhagen

Unfortunately, the REST API doesn't support inline queries at this time. ... View more

I think there are possibly two issues at hand.   1.  You may need to update your curl package.  This is what I'm running and it has no problem with https.   $ curl --version curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2 Release-Date: 2019-03-27 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets   2.  The backslash characters in the example were used to split a long command like this over newlines.  If you want to run it all on a single line you'll need to omit the backslashes.   $ curl -k -X POST 'https://api.gpcloudservice.com/getPrismaAccessIP/v2' --header 'header-api-key: {{ key redacted }}' --data-raw '{"serviceType": "gp_gateway","addrType": "all","location": "all"}'   ... View more

Just a few thoughts on this topic:   1.  For those that simply want to know the API calls for uploading certificates and keys to a firewall or Panorama.  This is supported and here are some examples: curl -k -X POST 'https://firewall.someplace.org/api?key={{key}} &type=import&category=certificate&certificate-name=my_cert&format=pem' --form 'file=@cert.pem' curl -k -X POST 'https://firewall.someplace.org/api?key={{key}}&type=import&category=private-key&certificate-name=my_cert&passphrase=%22{{passphrase-or-blank}}%22&format=pem' --form 'file=@privkey.pem'   Note that there was a permissions bug that was fixed in 9.0.8 and 9.1.0.  In prior releases these API calls required superuser permissions.  The fix allowed for any administrator with API import rights to perform these API calls.    There is also a single API call that can upload the certificate and private key simultaneously.  However, that was somehow omitted from the fix in 9.0.8 and 9.1.0. curl -k -XPOST 'https://firewall.someplace.org/api?key={{key}}&type=import&category=keypair&certificate-name=my_cert&passphrase=%22{{passphrase-or-blank}}%22&format=pem' --form 'file=@newcert.pem'   2.  It is highly unlikely that certbot would ever be integrated into PAN-OS.  Not only would this require running third-party software agents on the firewall management plane, but it would also require exposing the management plane to the Internet in order to support LE's issuance/renewal validation process.  That's probably fine for a web server, but not for a security platform.   I've been working with a number of large enterprise customers (particularly in the financial industry) and many of them have been leveraging a Palo Alto Networks technology partner called Venafi to perform certificate lifecycle management on PAN-OS.  It manages certificate discovery/uploads/renewals/revocations as well as authentication profiles, certificate profiles, and SSL decryption profiles.  Best of all they've PKI-neutral.  Their software is simply a broker for whichever PKI you happen to be using.   Check them out here: https://marketplace.venafi.com/details/palo-alto-networks-ngfw/   Hope this helps! ... View more

When testing APIs I always prefer using inline data over working with files.  Give this a try:   curl -k -X POST 'https://api.gpcloudservice.com/getPrismaAccessIP/v2' \ --header 'header-api-key: {{ my_key }}' \ --data-raw '{"serviceType": "gp_gateway","addrType": "all","location": "all"}'   ... View more

It looks like a network problem.  Could it be route reachability to the bootstrap fileshare?  I'd suggest troubleshooting the network access from the management port once the instance comes online.     The docs for the module are located here:  https://registry.terraform.io/modules/stealthllama/panos-bootstrap/azurerm/1.0.3 ... View more

Hi Brian,   The pip installs of pan-python, pandevice, and xmltodict are actually called from the main tasks file in the role itself. I don’t believe there’s anything you can do in your Tower configuration to avoid it.  We’re likely going to remove those tasks going forward since most of the modules check to ensure those libraries are installed and will error out if they’re not found.  Regards, -Bob   ... View more

I like the curated selection approach that @drogers mentions because it will silmplify the request process and require less rework when the wrong application is selected.  Giving an end-user a choice of 3,000+ App-ID signatures would be asking for trouble.   ... View more

Please make sure you are using the Ansible modules for PAN-OS that are published to Ansible Galaxy.   https://galaxy.ansible.com/paloaltonetworks/paloaltonetworks   The modules bundles with Ansible Engine are old and are being deprecated.  The modules in Ansible Galaxy have all the latest features and bug fixes.   Regards, -Bob- ... View more

Hi Robert,   That is actually working as designed.  As a task automation tool, Ansible is idempotent in nature.  This means that any task will be performed exactly as prescribed.  That same task can be performed repeatedly and nothing will change as long as none of the parameters have changed.  However, if any parameter changes from what is currently defined, the new parameter will be applied in whole.   If a parameter such as an address group list contains 1,000 members and you simply need to add one more, you will need to specify all 1,001 members.  Otherwise the 1,000 will be overwritten by the 1.   This concept is much broader than Ansible and is actually a fundamental concept of Infrastructure as Code (IaC) in automation.  All of the Ansible modules for PAN-OS support this notion of idempotent operations.   Hopefully this clears up any confusion.   Regards, -Bob- ... View more

The easiest way to do this is to utilize the Expedition tool to identify resources that are unused and delete them.   https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool   Expedition is a free tool made available by Palo Alto Network to assist with firewall migrations and optimization. ... View more

The API key is basically a hash of your username and password.  You can generate it on the firewall using a cURL command such as:   curl -X POST 'https://192.168.55.5/api?type=keygen&user=admin&password=paloalto'   You'll still want to safeguard the API key from exposure - just like a username and password.  Using an API key just makes it one less field to worry about in your Ansible task definitions.  You may want to place the key in a credentials.yml file and then encrypt it with Ansible Vault. ... View more

I'll defer to @gfreeman on that question.  🙂  ... View more