paloaltonetworks.panos.panos_readiness_checks module – Runs readiness checks (boolean in nature) against a Firewall device.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_readiness_checks.

New in paloaltonetworks.panos 2.18.0

Synopsis

  • A wrapper around the PAN-OS Upgrade Assurance package.

  • The module is meant to run readiness checks available in the package’s CheckFirewall.run_readiness_checks() method. Since it’s just a wrapper, the way you would configure a check is exactly the same as if you would run the class directly. Please refer to package’s documentation for syntax and configuration dialect.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

checks

list / elements=any

A list of checks that should be run against a device. For the details on currently supported checks please refer to package’s documentation.

In most of the cases it is enough to specify a check name to run it with default settings. In this case the list element is of type str. If additional configuration is required the element is a one element dict, where key is the check name and value contains the check’s configuration. For information which check requires additional configuration please refer to package documentation.

Default: :ansible-option-default:`["all"]`

force_fail

boolean

When set to true will make the module fail when at least one of the checks did not pass.

Choices:

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

skip_force_locale

boolean

When set to true will skip the en_US.UTF-8 locales on the checks.

Use with caution only when you actually use different, English based locales but you do not have en_US.UTF-8 installed.

Choices:

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

vsys

string

The vsys this object belongs to.

Default: :ansible-option-default:`"vsys1"`

Notes

Note

  • Panorama is not supported.

  • Check mode is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: Run all management plane checks using NOT notation
  panos_readiness_checks:
    provider: '{{ device }}'
    checks:
      - '!ha'
      - '!session_exist'
      - '!arp_entry_exist'
      - '!ip_sec_tunnel_status'

- name: Check if a specified session exists in vsys2, fail if it does not
  panos_readiness_checks:
    provider: '{{ device }}'
    vsys: vsys2
    force_fail: true
    checks:
      - session_exist:
          source: '34.23.15.1'
          destination: '10.1.0.4'
          dest_port: '80'

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

response

dictionary

This is a dict where keys are checks names just as you specify them in the checks property.

Each value is also a dict.

WHen force_fail has the default value of false this dict contains results for all checks that were specified in checks property.

When force_fail is set to true it contains only checks that failed.

Returned: always

Sample: :ansible-rv-sample-value:`{"arp\_entry\_exist": {"reason": "[SKIPPED] Missing ARP table entry description.", "state": false}, "candidate\_config": {"reason": "[FAIL] Pending changes found on device.", "state": false}, "content\_version": {"reason": "[FAIL] Installed content DB version (8640-7694) is not the latest one (8697-7981).", "state": false}, "free\_disk\_space": {"reason": "[SUCCESS] ", "state": true}, "ha": {"reason": "[ERROR] Device is not a member of an HA pair.", "state": false}, "ip\_sec\_tunnel\_status": {"reason": "[SKIPPED] Missing tunnel specification.", "state": false}, "ntp\_sync": {"reason": "[ERROR] No NTP server configured.", "state": false}, "panorama": {"reason": "[SUCCESS] ", "state": true}, "session\_exist": {"reason": "[SKIPPED] Missing critical session description. Failing check.", "state": false}}`

reason

string

A free text describing the check result.

Prefixed with a keyword: SUCCESS, FAIL, ERROR, SKIPPED.

Meaningful only for failed tests as the ones succeeded are self explanatory.

Returned: always

state

boolean

A result of a check.

Returned: always

Authors

  • Łukasz Pawlęga (@fosix)