Palo Alto Networks Ansible Collection

Version: 2.17.5

The Palo Alto Networks Ansible collection is a collection of modules that automate configuration and operational tasks on Palo Alto Networks Next Generation Firewalls (both physical and virtualized) and Panorama. The underlying protocol uses API calls that are wrapped within the Ansible framework.

This is the module reference documentation. Other documentation including getting started tutorials, how-to guides and other background reading, can be found at https://pan.dev/ansible/docs/panos/

Installation

This collection has the following environment requirements:

• Python 3.8 or higher

• Ansible 2.9 or higher

Install the collection using ansible-galaxy:

ansible-galaxy collection install paloaltonetworks.panos

Then in your playbooks you can specify that you want to use the panos collection like so:

collections:
    - paloaltonetworks.panos

• Ansible Galaxy: https://galaxy.ansible.com/PaloAltoNetworks/panos

• Red Hat Catalog: https://catalog.redhat.com/software/collection/paloaltonetworks/panos

• GitHub repo: https://github.com/PaloAltoNetworks/pan-os-ansible

Contents:

• Gathered Filter
  • The gathered_filter Option
  • Fields
  • Operators
  • Return Values
  • Examples
• Examples
  • Add security policy to Firewall or Panorama
  • Add NAT policy to Firewall or Panorama
  • Change firewall admin password using SSH
  • Generates self-signed certificate
  • Check if FW is ready
  • Import configuration
  • DHCP on data port
  • Load configuration
  • Event-Driven Ansible (EDA)
• Module reference
  • paloaltonetworks.panos.panos_address_group module – Manage address group objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_address_object module – Manage address objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_admin module
  • paloaltonetworks.panos.panos_administrator module – Manage PAN-OS administrator user accounts.
  • paloaltonetworks.panos.panos_admpwd module – change admin password of PAN-OS device using SSH with SSH key
  • paloaltonetworks.panos.panos_aggregate_interface module – Manage aggregate network interfaces
  • paloaltonetworks.panos.panos_api_key module – retrieve api_key for username/password combination
  • paloaltonetworks.panos.panos_application_filter module – Manage application filters on PAN-OS devices.
  • paloaltonetworks.panos.panos_application_group module – Manage application groups on PAN-OS devices.
  • paloaltonetworks.panos.panos_application_object module – Manage application objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_bgp_aggregate module – Manage a BGP Aggregation Prefix Policy
  • paloaltonetworks.panos.panos_bgp_auth module – Manage a BGP Authentication Profile
  • paloaltonetworks.panos.panos_bgp_conditional_advertisement module – Manage a BGP conditional advertisement.
  • paloaltonetworks.panos.panos_bgp_dampening module – Manage a BGP Dampening Profile
  • paloaltonetworks.panos.panos_bgp module – Manage Border Gateway Protocol (BGP)
  • paloaltonetworks.panos.panos_bgp_peer_group module – Manage a BGP Peer Group
  • paloaltonetworks.panos.panos_bgp_peer module – Manage a BGP Peer
  • paloaltonetworks.panos.panos_bgp_policy_filter module – Manage a BGP Policy Import/Export Rule
  • paloaltonetworks.panos.panos_bgp_policy_rule module – Manage a BGP Policy Import/Export Rule
  • paloaltonetworks.panos.panos_bgp_redistribute module – Manage a BGP Redistribution Rule
  • paloaltonetworks.panos.panos_cert_gen_ssh module – generates a self-signed certificate using SSH protocol with SSH key
  • paloaltonetworks.panos.panos_check module – Checks is a PAN-OS device is ready for configuration.
  • paloaltonetworks.panos.panos_commit_firewall module – Commit the firewall’s candidate configuration.
  • paloaltonetworks.panos.panos_commit module
  • paloaltonetworks.panos.panos_commit_panorama module – Commit Panorama’s candidate configuration.
  • paloaltonetworks.panos.panos_commit_push module – Push running configuration to managed devices.
  • paloaltonetworks.panos.panos_config_element module – Modifies an element in the PAN-OS configuration.
  • paloaltonetworks.panos.panos_custom_url_category module – Manage custom url category objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_dag module
  • paloaltonetworks.panos.panos_dag_tags module
  • paloaltonetworks.panos.panos_decryption_rule module – Manage a decryption rule on PAN-OS.
  • paloaltonetworks.panos.panos_device_group module – Manage Panorama device group
  • paloaltonetworks.panos.panos_dhcp module – Manage DHCP for an interface.
  • paloaltonetworks.panos.panos_dhcp_relay_ipv6_address module – Manage DHCP IPv6 relay addresses.
  • paloaltonetworks.panos.panos_dhcp_relay module – Manage dhcp relay.
  • paloaltonetworks.panos.panos_dynamic_updates module – Install dynamic updates on PAN-OS devices.
  • paloaltonetworks.panos.panos_dynamic_user_group module – Manage dynamic user groups on PAN-OS devices.
  • paloaltonetworks.panos.panos_email_profile module – Manage email server profiles.
  • paloaltonetworks.panos.panos_email_server module – Manage email servers in an email profile.
  • paloaltonetworks.panos.panos_export module – export file from PAN-OS devices
  • paloaltonetworks.panos.panos_facts module – Collects facts from PAN-OS devices
  • paloaltonetworks.panos.panos_gre_tunnel module – Manage GRE tunnels on PAN-OS devices.
  • paloaltonetworks.panos.panos_ha module – Manage High Availability on PAN-OS
  • paloaltonetworks.panos.panos_http_profile_header module – Manage HTTP headers for a HTTP profile.
  • paloaltonetworks.panos.panos_http_profile module – Manage http server profiles.
  • paloaltonetworks.panos.panos_http_profile_param module – Manage HTTP params for a HTTP profile.
  • paloaltonetworks.panos.panos_http_server module – Manage HTTP servers in a HTTP server profile.
  • paloaltonetworks.panos.panos httpapi – HttpApi plugin for PAN-OS devices
  • paloaltonetworks.panos.panos_ike_crypto_profile module – Manage IKE Crypto profile on the firewall with subset of settings
  • paloaltonetworks.panos.panos_ike_gateway module – Manage IKE gateway on the firewall with subset of settings.
  • paloaltonetworks.panos.panos_import module – import file on PAN-OS devices
  • paloaltonetworks.panos.panos_interface module – Manage data-port network interfaces
  • paloaltonetworks.panos.panos_ipsec_ipv4_proxyid module – Manage IPv4 Proxy Id on an IPSec Tunnel
  • paloaltonetworks.panos.panos_ipsec_profile module – Manage IPSec Crypto profile on the firewall with subset of settings.
  • paloaltonetworks.panos.panos_ipsec_tunnel module – Manage IPSec Tunnels on the firewall with subset of settings.
  • paloaltonetworks.panos.panos_ipv6_address module – Manage IPv6 addresses on an interface.
  • paloaltonetworks.panos.panos_l2_subinterface module – Manage layer2 subinterface
  • paloaltonetworks.panos.panos_l3_subinterface module – Manage layer3 subinterface
  • paloaltonetworks.panos.panos_lic module – apply authcode to a device/instance
  • paloaltonetworks.panos.panos_loadcfg module – load configuration on PAN-OS device
  • paloaltonetworks.panos.panos_log_forwarding_profile_match_list_action module – Manage log forwarding profile match list actions.
  • paloaltonetworks.panos.panos_log_forwarding_profile_match_list module – Manage log forwarding profile match lists.
  • paloaltonetworks.panos.panos_log_forwarding_profile module – Manage log forwarding profiles.
  • paloaltonetworks.panos.panos_loopback_interface module – Manage network loopback interfaces
  • paloaltonetworks.panos.panos_management_profile module – Manage interface management profiles.
  • paloaltonetworks.panos.panos_match_rule module – Test for match against a security rule on PAN-OS devices.
  • paloaltonetworks.panos.panos_mgtconfig module – Module used to configure some of the device management.
  • paloaltonetworks.panos.panos_nat_rule2 module – Manage a NAT rule
  • paloaltonetworks.panos.panos_nat_rule_facts module – Get information about a NAT rule.
  • paloaltonetworks.panos.panos_nat_rule module
  • paloaltonetworks.panos.panos_object_facts module – Retrieve facts about objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_object module
  • paloaltonetworks.panos.panos_op module – execute arbitrary OP commands on PANW devices (e.g. show interface all)
  • paloaltonetworks.panos.panos_pbf_rule module – Manage Policy Based Forwarding rules on PAN-OS.
  • paloaltonetworks.panos.panos_pg module – Manage a security profiles group
  • paloaltonetworks.panos.panos_query_rules module
  • paloaltonetworks.panos.panos_redistribution module – Manage a Redistribution Profile on a virtual router
  • paloaltonetworks.panos.panos_region module – Manage regions on PAN-OS devices.
  • paloaltonetworks.panos.panos_registered_ip_facts module – Retrieve facts about registered IPs on PAN-OS devices.
  • paloaltonetworks.panos.panos_registered_ip module – Register IP addresses for use with dynamic address groups on PAN-OS devices.
  • paloaltonetworks.panos.panos_restart module – Restart a device
  • paloaltonetworks.panos.panos_sag module
  • paloaltonetworks.panos.panos_schedule_object module – Manage schedule objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_security_rule_facts module
  • paloaltonetworks.panos.panos_security_rule module – Manage security rule policy on PAN-OS devices or Panorama management console.
  • paloaltonetworks.panos.panos_service_group module – Manage service group objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_service_object module – Manage service objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_snmp_profile module – Manage SNMP server profiles.
  • paloaltonetworks.panos.panos_snmp_v2c_server module – Manage SNMP v2c servers.
  • paloaltonetworks.panos.panos_snmp_v3_server module – Manage SNMP v3 servers.
  • paloaltonetworks.panos.panos_software module – Manage PAN-OS software versions.
  • paloaltonetworks.panos.panos_static_route module – Manage static routes on PAN-OS devices.
  • paloaltonetworks.panos.panos_syslog_profile module – Manage syslog server profiles.
  • paloaltonetworks.panos.panos_syslog_server module – Manage syslog server profile syslog servers.
  • paloaltonetworks.panos.panos_tag_object module – Manage tag objects on PAN-OS devices.
  • paloaltonetworks.panos.panos_template module – Manage Panorama template
  • paloaltonetworks.panos.panos_template_stack module – Manage Panorama template stack
  • paloaltonetworks.panos.panos_template_variable module – Manage template or template stack variable
  • paloaltonetworks.panos.panos_tunnel module – Manage tunnel interfaces
  • paloaltonetworks.panos.panos_type_cmd module – Execute arbitrary TYPE commands on PAN-OS
  • paloaltonetworks.panos.panos_userid module – Allow for registration and de-registration of userid
  • paloaltonetworks.panos.panos_virtual_router_facts module
  • paloaltonetworks.panos.panos_virtual_router module – Manage a Virtual Router
  • paloaltonetworks.panos.panos_virtual_wire module – Manage Virtual Wires (vwire).
  • paloaltonetworks.panos.panos_vlan_interface module – Manage VLAN interfaces
  • paloaltonetworks.panos.panos_vlan module – Manage VLANs.
  • paloaltonetworks.panos.panos_vm_auth_key module – Create a VM auth key for VM-Series bootstrapping
  • paloaltonetworks.panos.panos_zone_facts module
  • paloaltonetworks.panos.panos_zone module – Manage security zone
• Release History
• Authors
  • Development Leads
  • Contributors
  • Credits
• License

Collection Dependencies

• pan-python

• pan-os-python

• xmltodict (certain modules only)

If you believe you have installed these dependencies but Ansible is not finding them, it is likely a problem with where your local shell is searching for installed dependencies and where Ansible is searching for them. Try running a simple panos_op playbook to run the command ‘show system info”, and if that errors out, compare the sys.path in the output against where you think Ansible looking for dependencies at.

Configuring ANSIBLE_PYTHON_INTERPRETER is probably the solution to this issue:

https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html#using-python-3-on-the-managed-machines-with-commands-and-playbooks

Support

As of version 2.12.2, this Collection of Ansible Modules for PAN-OS is [certified on Ansible Automation Hub](https://console.redhat.com/ansible/automation-hub/repo/published/paloaltonetworks/panos) and officially supported for Ansible subscribers. Ansible subscribers can engage for support through their usual route towards Red Hat.

For those who are not Ansible subscribers, this Collection of Ansible Modules is also [published on Ansible Galaxy](https://galaxy.ansible.com/paloaltonetworks/panos) to be freely used under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.

Unless explicitly tagged, all projects or work posted in our GitHub repository (at <https://github.com/PaloAltoNetworks>) or sites other than our official Downloads page on <https://support.paloaltonetworks.com> are provided under the best effort policy.

Indices and tables

• Index

• Module Index

• Search Page