paloaltonetworks.panos.panos_ha module – Manage High Availability on PAN-OS

Note

This module is part of the paloaltonetworks.panos collection (version 2.21.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_ha.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Manage High Availability on PAN-OS in A/S and A/A modes including all HA interface configuration. Assumes physical interfaces are of type HA already using panos_interface. This module has the following limitations due to no support in pandevice - * No peer_backup_ip, this prevents full configuration of ha1_backup links * Speed and Duplex of ports was intentially skipped

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.

Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

ha1_gateway

string

Default gateway of the HA1 interface

ha1_ip_address

string

IP of the HA1 interface

ha1_netmask

string

Netmask of the HA1 interface

ha1_port

string

Interface to use for this HA1 interface (eg. ethernet1/5)

ha1b_gateway

string

Default gateway of the HA1Backup interface

ha1b_ip_address

string

IP of the HA1Backup interface

ha1b_netmask

string

Netmask of the HA1Backup interface

ha1b_port

string

Interface to use for this HA1Backup interface (eg. ethernet1/5)

ha2_gateway

string

Default gateway of the HA2 interface

ha2_ip_address

string

IP of the HA2 interface

ha2_netmask

string

Netmask of the HA2 interface

ha2_port

string

Interface to use for this HA2 interface (eg. ethernet1/5)

Default: :ansible-option-default:`"ha2-a"`

ha2b_gateway

string

Default gateway of the HA2Backup interface

ha2b_ip_address

string

IP of the HA2Backup interface

ha2b_netmask

string

Netmask of the HA2Backup interface

ha2b_port

string

Interface to use for this HA2Backup interface (eg. ethernet1/5)

ha3_port

string

Interface to use for this HA3 interface (eg. ethernet1/5, ae1)

ha_config_sync

boolean

Enabled configuration synchronization

Choices:

ha_device_id

integer

HA3 device id (0 or 1)

Choices:

ha_enabled

boolean

Enable HA

Choices:

ha_group_id

integer

The group identifier

Default: :ansible-option-default:`1`

ha_ha2_keepalive

boolean

Enable HA2 keepalives

Choices:

ha_ha2_keepalive_action

string

HA2 keepalive action

ha_ha2_keepalive_threshold

integer

HA2 keepalive threshold

ha_ip_hash_key

string

active-active hash key used by ip-hash algorithm

Choices:

ha_mode

string

Mode of HA

Choices:

string

Passive link state

Choices:

ha_peer_ip

string

HA Peer HA1 IP address

ha_peer_ip_backup

string

HA Peer HA1 Backup IP address

ha_session_owner_selection

string

active-active session owner mode

Choices:

ha_session_setup

string

active-active session setup mode

Choices:

ha_state_sync

boolean

Enabled state synchronization

Choices:

ha_sync_qos

boolean

active-active network sync qos

Choices:

ha_sync_virtual_router

boolean

active-active network sync virtual router

Choices:

ha_tentative_hold_time

integer

active-active tentative hold timer

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

state

string

The state.

Choices:

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

vsys

string

The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: set ports to HA mode
  paloaltonetworks.panos.panos_interface:
    provider: '{{ provider }}'
    if_name: "{{ item }}"
    mode: "ha"
    enable_dhcp: false
  with_items:
    - ethernet1/1
    - ethernet1/2
    - ethernet1/3
    - ethernet1/4
    - ethernet1/5

- name: Configure Active/Standby HA
  paloaltonetworks.panos.panos_ha:
    provider: '{{ provider }}'
    state: present
    ha_peer_ip: "192.168.50.1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1_port: "ethernet1/1"
    ha2_port: "ethernet1/3"

- name: Configure Active/Active HA
  paloaltonetworks.panos.panos_ha:
    provider: "{{ provider }}"
    state: present
    ha_mode: "active-active"
    ha_device_id: 0
    ha_session_owner_selection: "first-packet"
    ha_session_setup: "first-packet"
    ha_peer_ip: "192.168.50.1"
    ha_peer_ip_backup: "192.168.50.5"
    ha1_port: "ethernet1/1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1b_port: "ethernet1/2"
    ha1b_ip_address: "192.168.50.6"
    ha1b_netmask: "255.255.255.252"
    ha2_port: "ethernet1/3"
    ha2b_port: "ethernet1/4"
    ha3_port: "ethernet1/5"

Authors

  • Patrick Avery (@unknown)