@jamesholland-uk That is a great tip. that command now works with the playbook. Many Thanks.

from pan-os-ansible.

@ishuguru : i did find the software module panos_software: to upgrade using Ansible.But do you know how can we import the image from Palo Alto Server to device using Ansible ?is there a existing module for that ?

from pan-os-ansible.

Not at the moment :)

Lets hope for it in the future.

from pan-os-ansible.

@ishuguru : Panos_software allows to download and upgrade both at the same time.So functionality has been included.Hope this helps

from pan-os-ansible.

Yes, but from what i have seen you have to dl from internet, no support for pusing it with panorama? Or if i upload the image with panorama first, and then run the install jobb. Perhaps it will use the image i uploaded?

from pan-os-ansible.

Current panos_software module would have to be extended to support batch mode (download updates from Panorama instead of update server).

from pan-os-ansible.

From what i can see in the api the firewall are referenced by serialnr when using batch mode. So it will be quite messy to write a module for this i guess.

from pan-os-ansible.

This can be accomplished using panos_op.

from pan-os-ansible.

@mrichardson03 I am currently facing same issue where I want to upload image to firewall from Panorama then install that image locally to firewall. You mentioned same can be accomplished using panos_op. please can you advise on that? also if there has been any feature released for this issue? Thanks in advance.

from pan-os-ansible.

Hi @appandya84, we have a guide that goes through a very similar process with panos_op, it should be extendable to include the Panorama part. I hope that helps

from pan-os-ansible.

@jamesholland-uk I will have a read on that guide and test it out. Thanks much.

from pan-os-ansible.

@jamesholland-uk I was wondering if PAN-OS module will work with Panorama cli? From Panorama cli, there are commands we can run to upload software to firewall then install and reboot firewall directly from Panorama cli. So running this Automation guide directly on panorama may be another fix if it supports panorama. Has this been tested? Thanks

from pan-os-ansible.

Hi @appandya84, I don't think I have personally tested that exact use case. However, if you look at the code in the guide, you will see how to use the panos_op module to perform the equivalent of request CLI commands:

 - name: Start content installation
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><content><upgrade><install><skip-content-validity-check>yes</skip-content-validity-check><file>{{ content_file }}</file></install></upgrade></content></request>"
        cmd_is_xml: true
      register: contentinstall

You should be able to reuse that approach to achieve your goal if the CLI commands you're referring to are able to be executed using an XML API call like that example I gave here. Hope that helps

from pan-os-ansible.

@jamesholland-uk no problem. I will try it out this on panorama to see how it works. Thanks

from pan-os-ansible.

@jamesholland-uk @mrichardson03 Hi both, I tried above guide to achieve offline download/upload using panos_op from Panorama to Firewall as firewall doesn't have access to internet and they are managed by panorama so only panorama has access to internet basically. I am downloading required s/w file on panorama first from internet and monitoring this download. Once downloaded on panorama then I will use that file to upload it to firewall itself from panorama. You can run cli command on panorama to achieve this. I am getting success using ansible where I am able to download s/w file successfully on panorama. But when ansible try to run upload command on panorama, it fails. I have tried two ways - using xml command and non-xml and both time it fails. Below is my task

• name: Upload software file to firewall from Panorama
  paloaltonetworks.panos.panos_op:
  provider:
  ip_address: '{{ panorama_ip }}'
  username: 'admin'
  password: '{{ panorama_pwd }}'
  cmd: "{{ fw_serial }}{{ sw_version}}"
  cmd_is_xml: true

cmd: 'request batch software upload devices {{ fw_serial }} file {{ sw_version}}'

  register: uploadsw
  when: sw_version != "" and (panodownload_result.stdout | from_json).response.result.job.result == "OK"

Below is error I get:

TASK [01_software_upgrade : Upload software file to firewall from Panorama] ****************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to run command : request batch software upload devices 015351000035061 file "PanOS_vm-8.1.15" : URLError: code: 400 reason: Illegal parameter [request]"}

TASK [01_software_upgrade : Upload software file to firewall from Panorama] ***************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to run XML command : 015351000035061PanOS_vm-8.1.16 : Command failed with no output"}

Here is verbose output for this task:

TASK [01_software_upgrade : Upload software file to firewall from Panorama] ***********************************************************************
task path: /etc/ansible/roles/01_software_upgrade/tasks/main.yaml:134
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp"&& mkdir "echo /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602" && echo ansible-tmp-1673872645.3731675-31652-165805562480602="echo /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_op.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-31388a40_umw5/tmp6lme4_e9 TO /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/ /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/etc/ansible/python-venv/ansiblevenv/bin/python3 /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/AnsiballZ_panos_op.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1673872645.3731675-31652-165805562480602/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/tmp/ansible_paloaltonetworks.panos.panos_op_payload_7n6jcv6e/ansible_paloaltonetworks.panos.panos_op_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_op.py", line 144, in main
File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/panorama.py", line 447, in op
retry_on_peer=retry_on_peer,
File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/base.py", line 3823, in op
cmd, vsys, cmd_xml, extra_qs, retry_on_peer=retry_on_peer
File "/etc/ansible/python-venv/ansiblevenv/lib64/python3.6/site-packages/panos/base.py", line 3682, in method
raise the_exception
fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"api_key": null,
"cmd": "015351000035061PanOS_vm-8.1.16",
"cmd_is_xml": true,
"ip_address": null,
"password": null,
"port": 443,
"provider": {
"api_key": null,
"ip_address": "10.44.82.70",
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"port": 443,
"serial_number": null,
"username": "admin"
},
"username": "admin",
"vsys": "vsys1"
}
},
"msg": "Failed to run XML command : 015351000035061PanOS_vm-8.1.16 : Command failed with no output"
}

I have tested and made sure this command actually runs OK on panorama cli itself and it works perfectly fine - see below

admin@LOSEC-PANORAMA-VM1> request batch software upload devices 015351000035061 file PanOS_vm-8.1.16

Job enqueued with jobid 2157

2157

admin@LOSEC-PANORAMA-VM1>

admin@LOSEC-PANORAMA-VM1> show jobs id 2157

Enqueued Dequeued ID Type Status Result Completed

2023/01/16 05:49:50 05:49:50 2157 DeployUpload FIN OK 100 %
015351000035061 DeployFin OK
Warnings:

Details:
015351000035061:
Image uploaded

Please can you advise here what could be an issue here and possible fix? Many Thanks

from pan-os-ansible.

looks like in above comment, it doesn't take xml command/lines so I have created a file for above comment and attached here
upgrade.txt

from pan-os-ansible.

Hi @appandya84,

The XML command provided in panso_op is invalid. When trying to get the correct XML to represent a CLI command, the best approach is to use "debug cli on" in the PAN-OS CLI, then execute the command, and it will show you the correct XML format.

In this case, the following XML:
<request><batch><software><upload><devices>{{ fw_serial }}<file>{{ sw_version }}</file></devices></upload></software></batch></request>
needs to be changed to:
<request><batch><software><upload><devices>{{ fw_serial }}</devices><file>{{ sw_version }}</file></upload></software></batch></request>

Hope this helps

from pan-os-ansible.