panos_ha – Configures High Availability on PAN-OS
New in version 2.9.
Synopsis
NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Configures High Availability on PAN-OS in A/S and A/A modes, including all HA interface configuration. Assumes the physical interfaces have already been set to type HA using panos_interface.
This module has the following limitations due to no support in pandevice:
* No peer_backup_ip, which prevents full configuration of ha1_backup links
* Speed and duplex of ports were intentionally skipped
Requirements
The below requirements are needed on the host that executes this module.
pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
currently requires specific pandevice release 0.13
Parameters
Parameter | Type | Choices/Defaults | Comments
---|---|---|---
api_key | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
commit | boolean | | Commit configuration if changed.
ha1_gateway | - | | Default gateway of the HA1 interface
ha1_ip_address | - | | IP of the HA1 interface
ha1_netmask | - | | Netmask of the HA1 interface
ha1_port | - | | Interface to use for this HA1 interface (e.g. ethernet1/5)
ha1b_gateway | - | | Default gateway of the HA1Backup interface
ha1b_ip_address | - | | IP of the HA1Backup interface
ha1b_netmask | - | | Netmask of the HA1Backup interface
ha1b_port | - | | Interface to use for this HA1Backup interface (e.g. ethernet1/5)
ha2_gateway | - | | Default gateway of the HA2 interface
ha2_ip_address | - | | IP of the HA2 interface
ha2_netmask | - | | Netmask of the HA2 interface
ha2_port | - | | Interface to use for this HA2 interface (e.g. ethernet1/5)
ha2b_gateway | - | | Default gateway of the HA2Backup interface
ha2b_ip_address | - | | IP of the HA2Backup interface
ha2b_netmask | - | | Netmask of the HA2Backup interface
ha2b_port | - | | Interface to use for this HA2Backup interface (e.g. ethernet1/5)
ha3_port | - | | Interface to use for this HA3 interface (e.g. ethernet1/5, ae1)
ha_config_sync | boolean | | Enabled configuration synchronization
ha_device_id | integer | | HA3 device id (0 or 1)
ha_enabled | boolean | | Enable HA
ha_group_id | integer | Default: 1 | The group identifier
ha_ha2_keepalive | boolean | | Enable HA2 keepalives
ha_ha2_keepalive_action | - | | HA2 keepalive action
ha_ha2_keepalive_threshold | integer | | HA2 keepalive threshold
ha_ip_hash_key | - | | active-active hash key used by ip-hash algorithm
ha_mode | - | | Mode of HA
ha_passive_link_state | - | | Passive link state
ha_peer_ip | string | | HA Peer’s HA1 IP address
ha_peer_ip_backup | string | | HA Peer’s HA1 Backup IP address
ha_session_owner_selection | - | | active-active session owner mode
ha_session_setup | - | | active-active session setup mode
ha_state_sync | boolean | | Enabled state synchronization
ha_sync_qos | boolean | | active-active network sync qos
ha_sync_virtual_router | boolean | | active-active network sync virtual router
ha_tentative_hold_time | integer | | active-active tentative hold timer
ip_address | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
password | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port | integer | Default: 443 | Deprecated. Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
provider | - | | Added in 2.8. A dict object containing connection details.
provider / api_key | string | | The API key to use instead of generating it using username / password.
provider / ip_address | string | | The IP address or hostname of the PAN-OS device being configured.
provider / password | string | | The password to use for authentication. This is ignored if api_key is specified.
provider / port | integer | Default: 443 | The port number to connect to the PAN-OS device on.
provider / serial_number | string | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
provider / username | string | Default: "admin" | The username to use for authentication. This is ignored if api_key is specified.
state | string | | The state.
template | string | | (Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack | string | | (Panorama only) The template stack this operation should target. Mutually exclusive with template.
username | string | Default: "admin" | Deprecated. Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.
vsys | string | | The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.
Notes
Checkmode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.
Examples
```yaml
# The HA links must be of type HA before panos_ha can use them.
- name: set ports to HA mode
  panos_interface:
    provider: '{{ provider }}'
    if_name: "{{ item }}"
    mode: "ha"
    enable_dhcp: false
    commit: false
  with_items:
    - ethernet1/1
    - ethernet1/2
    - ethernet1/3
    - ethernet1/4
    - ethernet1/5

- name: Configure Active/Standby HA
  panos_ha:
    provider: '{{ provider }}'
    state: present
    ha_peer_ip: "192.168.50.1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1_port: "ethernet1/1"
    ha2_port: "ethernet1/3"
    commit: true

- name: Configure Active/Active HA
  panos_ha:
    provider: "{{ provider }}"
    state: present
    ha_mode: "active-active"
    ha_device_id: 0
    ha_session_owner_selection: "first-packet"
    ha_session_setup: "first-packet"
    ha_peer_ip: "192.168.50.1"
    ha_peer_ip_backup: "192.168.50.5"
    ha1_port: "ethernet1/1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1b_port: "ethernet1/2"
    ha1b_ip_address: "192.168.50.6"
    ha1b_netmask: "255.255.255.252"
    ha2_port: "ethernet1/3"
    ha2b_port: "ethernet1/4"
    ha3_port: "ethernet1/5"
```
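The constraints stated in the Notes and parameter comments can be checked before a playbook ever reaches a firewall. The following pre-flight check is an added example, not part of the module or its documentation; the function name `check_panos_ha_args`, the `is_panorama` flag, the sample task and the on-link peer rule are assumptions made for illustration.

```python
import ipaddress

# Classic connectivity params the page marks as deprecated in favour of `provider`.
CLASSIC = ("ip_address", "username", "password", "api_key", "port")


def check_panos_ha_args(args, is_panorama=False):
    """Return a list of findings for one panos_ha task's argument dict."""
    findings = []
    classic = sorted(k for k in CLASSIC if k in args)
    if classic and "provider" in args:
        findings.append("classic params ignored because provider is set: " + ", ".join(classic))
    elif classic:
        findings.append("deprecated classic params in use: " + ", ".join(classic))
    if "template" in args and "template_stack" in args:
        findings.append("template and template_stack are mutually exclusive")
    if is_panorama and not ("template" in args or "template_stack" in args):
        findings.append("Panorama target needs template or template_stack")
    if args.get("ha_device_id", 0) not in (0, 1):
        findings.append("ha_device_id must be 0 or 1")
    # Assumption (not from the page): with no HA1 gateway the peer must be on-link.
    for ip_key, mask_key, gw_key, peer_key in (
        ("ha1_ip_address", "ha1_netmask", "ha1_gateway", "ha_peer_ip"),
        ("ha1b_ip_address", "ha1b_netmask", "ha1b_gateway", "ha_peer_ip_backup"),
    ):
        if not all(k in args for k in (ip_key, mask_key, peer_key)) or gw_key in args:
            continue
        net = ipaddress.ip_interface(f"{args[ip_key]}/{args[mask_key]}").network
        if ipaddress.ip_address(args[peer_key]) not in net:
            findings.append(f"{peer_key} {args[peer_key]} is outside {net} and no {gw_key} is set")
    return findings


# Constructed sample: a panos_ha task with three deliberate mistakes.
BAD_TASK = {
    "provider": {"ip_address": "fw1.example.com", "api_key": "PLACEHOLDER"},
    "password": "PLACEHOLDER",  # classic param alongside provider: silently ignored
    "ha_mode": "active-active", "ha_device_id": 2,
    "ha_peer_ip": "192.168.50.9",
    "ha1_ip_address": "192.168.50.2", "ha1_netmask": "255.255.255.252",
}

if __name__ == "__main__":
    for finding in check_panos_ha_args(BAD_TASK):
        print("FINDING:", finding)
```

A leftover classic `password` next to `provider` is worth flagging even though the module ignores it, since it is an unused credential sitting in the playbook.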
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.