Comments (17)
@jamesholland-uk That is a great tip. That command now works with the playbook. Many thanks.
from pan-os-ansible.
@ishuguru: I did find the software module panos_software to upgrade using Ansible. But do you know how we can import the image from the Palo Alto server to the device using Ansible? Is there an existing module for that?
from pan-os-ansible.
Not at the moment :)
Let's hope for it in the future.
from pan-os-ansible.
@ishuguru: panos_software allows you to download and upgrade both at the same time, so the functionality has been included. Hope this helps.
from pan-os-ansible.
Yes, but from what I have seen you have to download from the internet; no support for pushing it with Panorama? Or if I upload the image with Panorama first, and then run the install job, perhaps it will use the image I uploaded?
from pan-os-ansible.
Current panos_software module would have to be extended to support batch mode (download updates from Panorama instead of update server).
from pan-os-ansible.
From what I can see in the API, the firewalls are referenced by serial number when using batch mode. So it will be quite messy to write a module for this, I guess.
from pan-os-ansible.
This can be accomplished using panos_op.
from pan-os-ansible.
@mrichardson03 I am currently facing the same issue, where I want to upload an image to the firewall from Panorama and then install that image locally on the firewall. You mentioned the same can be accomplished using panos_op. Please can you advise on that? Also, has there been any feature released for this issue? Thanks in advance.
from pan-os-ansible.
Hi @appandya84, we have a guide that goes through a very similar process with panos_op, it should be extendable to include the Panorama part. I hope that helps
from pan-os-ansible.
@jamesholland-uk I will have a read on that guide and test it out. Thanks much.
from pan-os-ansible.
@jamesholland-uk I was wondering if PAN-OS module will work with Panorama cli? From Panorama cli, there are commands we can run to upload software to firewall then install and reboot firewall directly from Panorama cli. So running this Automation guide directly on panorama may be another fix if it supports panorama. Has this been tested? Thanks
from pan-os-ansible.
Hi @appandya84, I don't think I have personally tested that exact use case. However, if you look at the code in the guide, you will see how to use the panos_op module to perform the equivalent of request CLI commands:

```yaml
- name: Start content installation
  paloaltonetworks.panos.panos_op:
    provider: "{{ device }}"
    cmd: "<request><content><upgrade><install><skip-content-validity-check>yes</skip-content-validity-check><file>{{ content_file }}</file></install></upgrade></content></request>"
    cmd_is_xml: true
  register: contentinstall
```

You should be able to reuse that approach to achieve your goal if the CLI commands you're referring to are able to be executed using an XML API call like that example I gave here. Hope that helps
from pan-os-ansible.
@jamesholland-uk No problem. I will try this out on Panorama to see how it works. Thanks
from pan-os-ansible.
@jamesholland-uk @mrichardson03 Hi both, I tried the above guide to achieve offline download/upload using panos_op from Panorama to the firewall, as the firewalls don't have access to the internet and are managed by Panorama, so basically only Panorama has access to the internet. I am downloading the required s/w file on Panorama first from the internet and monitoring this download. Once it is downloaded on Panorama, I will use that file to upload it to the firewall itself from Panorama. You can run a CLI command on Panorama to achieve this. I am getting success using Ansible, where I am able to download the s/w file successfully on Panorama. But when Ansible tries to run the upload command on Panorama, it fails. I have tried two ways, using the XML command and non-XML, and both times it fails. Below is my task:

```yaml
- name: Upload software file to firewall from Panorama
  paloaltonetworks.panos.panos_op:
    provider:
      ip_address: '{{ panorama_ip }}'
      username: 'admin'
      password: '{{ panorama_pwd }}'
    # Attempt 1: XML form of the command (the XML tags did not survive in this comment)
    cmd: "{{ fw_serial }}{{ sw_version}}"
    cmd_is_xml: true
    # Attempt 2: plain CLI form of the command
    cmd: 'request batch software upload devices {{ fw_serial }} file {{ sw_version}}'
  register: uploadsw
  when: sw_version != "" and (panodownload_result.stdout | from_json).response.result.job.result == "OK"
```

Below is error I get:

```
TASK [01_software_upgrade : Upload software file to firewall from Panorama] ****************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to run command : request batch software upload devices 015351000035061 file "PanOS_vm-8.1.15" : URLError: code: 400 reason: Illegal parameter [request]"}

TASK [01_software_upgrade : Upload software file to firewall from Panorama] ***************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to run XML command : 015351000035061PanOS_vm-8.1.16 : Command failed with no output"}
```

Here is verbose output for this task:

```
TASK [01_software_upgrade : Upload software file to firewall from Panorama] ***********************************************************************
task path: /etc/ansible/roles/01_software_upgrade/tasks/main.yaml:134
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602 `" && echo ansible-tmp-1673872645.3731675-31652-165805562480602="` echo /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_op.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-31388a40_umw5/tmp6lme4_e9 TO /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/ /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/etc/ansible/python-venv/ansiblevenv/bin/python3 /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_paloaltonetworks.panos.panos_op_payload_7n6jcv6e/ansible_paloaltonetworks.panos.panos_op_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_op.py", line 144, in main
  File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/panorama.py", line 447, in op
    retry_on_peer=retry_on_peer,
  File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/base.py", line 3823, in op
    cmd, vsys, cmd_xml, extra_qs, retry_on_peer=retry_on_peer
  File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/base.py", line 3682, in method
    raise the_exception
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "api_key": null,
            "cmd": "015351000035061PanOS_vm-8.1.16",
            "cmd_is_xml": true,
            "ip_address": null,
            "password": null,
            "port": 443,
            "provider": {
                "api_key": null,
                "ip_address": "10.44.82.70",
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "port": 443,
                "serial_number": null,
                "username": "admin"
            },
            "username": "admin",
            "vsys": "vsys1"
        }
    },
    "msg": "Failed to run XML command : 015351000035061PanOS_vm-8.1.16 : Command failed with no output"
}
```

I have tested and made sure this command actually runs OK on panorama cli itself and it works perfectly fine - see below

```
admin@LOSEC-PANORAMA-VM1> request batch software upload devices 015351000035061 file PanOS_vm-8.1.16
Job enqueued with jobid 2157
2157
admin@LOSEC-PANORAMA-VM1>
admin@LOSEC-PANORAMA-VM1> show jobs id 2157
Enqueued              Dequeued    ID    Type          Status  Result  Completed
2023/01/16 05:49:50   05:49:50    2157  DeployUpload  FIN     OK      100 %
  015351000035061     DeployFin   OK
Warnings:
Details:
015351000035061:
Image uploaded
```

Please can you advise here what could be an issue here and possible fix? Many Thanks
from pan-os-ansible.
Looks like the above comment doesn't take XML command/lines, so I have created a file for the above comment and attached it here
upgrade.txt
from pan-os-ansible.
Hi @appandya84,
The XML command provided in panos_op is invalid. When trying to get the correct XML to represent a CLI command, the best approach is to use "debug cli on" in the PAN-OS CLI, then execute the command, and it will show you the correct XML format.
In this case, the following XML:

```xml
<request><batch><software><upload><devices>{{ fw_serial }}<file>{{ sw_version }}</file></devices></upload></software></batch></request>
```

needs to be changed to:

```xml
<request><batch><software><upload><devices>{{ fw_serial }}</devices><file>{{ sw_version }}</file></upload></software></batch></request>
```

Hope this helps
from pan-os-ansible.
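
The corrected command from the answer above, placed in a task sequence that also waits for the Panorama job and checks its result (an added example, not code from the thread or from the pan-os-ansible project). It assumes a hypothetical `panorama` variable holding the same provider fields as the failing task, a hypothetical `uploadjob` register name, and that the upload response returns the job id at `response.result.job`.

```yaml
# Added example. Assumptions: `panorama` is a dict with ip_address, username
# and password (ideally sourced from a vault), and `uploadjob` is a name
# chosen here; neither appears in the thread.
- name: Upload software file to firewall from Panorama
  paloaltonetworks.panos.panos_op:
    provider: "{{ panorama }}"
    # <devices> is closed before <file>: both are children of <upload>,
    # mirroring the CLI words "devices <serial> file <image>".
    cmd: "<request><batch><software><upload><devices>{{ fw_serial }}</devices><file>{{ sw_version }}</file></upload></software></batch></request>"
    cmd_is_xml: true
  register: uploadsw
  when: sw_version != ""

- name: Wait for the upload job to finish (equivalent of "show jobs id <id>")
  paloaltonetworks.panos.panos_op:
    provider: "{{ panorama }}"
    # Assumption: the job id is returned at response.result.job
    cmd: "<show><jobs><id>{{ (uploadsw.stdout | from_json).response.result.job }}</id></jobs></show>"
    cmd_is_xml: true
  register: uploadjob
  # Poll until the job reaches the FIN status seen in the CLI output above
  until: uploadjob is not failed and (uploadjob.stdout | from_json).response.result.job.status == "FIN"
  retries: 30
  delay: 20
  when: uploadsw is not skipped

- name: Stop the play unless Panorama reports the upload as OK
  ansible.builtin.assert:
    that:
      - (uploadjob.stdout | from_json).response.result.job.result == "OK"
    fail_msg: "Upload of {{ sw_version }} to {{ fw_serial }} did not finish with result OK"
  when: uploadsw is not skipped
```

Checking the job result before any install or reboot step keeps a failed or partial image transfer from being treated as a successful upload.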