panos_ha – Configures High Availability on PAN-OS¶

New in version 2.9.

Synopsis
Requirements
Parameters
Notes
Examples
Status

Synopsis ¶

NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Configures High Availability on PAN-OS in A/S and A/A modes including all HA interface configuration. Assumes physical interfaces are of type HA already using panos_interface.

This module has the following limitations due to no support in pandevice - * No peer_backup_ip, this prevents full configuration of ha1_backup links * Speed and Duplex of ports was intentially skipped

Requirements ¶

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
currently requires specific pandevice release 0.13

Parameters ¶

Parameter		Choices/Defaults	Comments
api_key string			Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
commit boolean		Choices: no yes ←	Commit configuration if changed.
ha1_gateway -			Default gateway of the HA1 interface
ha1_ip_address -			IP of the HA1 interface
ha1_netmask -			Netmask of the HA1 interface
ha1_port -			Interface to use for this HA1 interface (eg. ethernet1/5)
ha1b_gateway -			Default gateway of the HA1Backup interface
ha1b_ip_address -			IP of the HA1Backup interface
ha1b_netmask -			Netmask of the HA1Backup interface
ha1b_port -			Interface to use for this HA1Backup interface (eg. ethernet1/5)
ha2_gateway -			Default gateway of the HA2 interface
ha2_ip_address -			IP of the HA2 interface
ha2_netmask -			Netmask of the HA2 interface
ha2_port -			Interface to use for this HA2 interface (eg. ethernet1/5)
ha2b_gateway -			Default gateway of the HA2Backup interface
ha2b_ip_address -			IP of the HA2Backup interface
ha2b_netmask -			Netmask of the HA2Backup interface
ha2b_port -			Interface to use for this HA2Backup interface (eg. ethernet1/5)
ha3_port -			Interface to use for this HA3 interface (eg. ethernet1/5, ae1)
ha_config_sync boolean		Choices: no yes ←	Enabled configuration synchronization
ha_device_id integer		Choices: 0 1	HA3 device id (0 or 1)
ha_enabled boolean		Choices: no yes ←	Enable HA
ha_group_id integer		Default: 1	The group identifier
ha_ha2_keepalive boolean		Choices: no yes	Enable HA2 keepalives
ha_ha2_keepalive_action -			HA2 keepalive action
ha_ha2_keepalive_threshold integer			HA2 keepalive threshold
ha_ip_hash_key -		Choices: source source-and-destination	active-active hash key used by ip-hash algorithm
ha_mode -		Choices: active-passive ← active-active	Mode of HA
ha_passive_link_state -		Choices: shutdown auto ←	Passive link state
ha_peer_ip string			HA Peer’s HA1 IP address
ha_peer_ip_backup string			HA Peer’s HA1 Backup IP address
ha_session_owner_selection -		Choices: primary-device first-packet	active-active session owner mode
ha_session_setup -		Choices: primary-device first-packet ip-module ip-hash	active-active session setup mode
ha_state_sync boolean		Choices: no ← yes	Enabled state synchronization
ha_sync_qos boolean		Choices: no yes	active-active network sync qos
ha_sync_virtual_router boolean		Choices: no yes	active-active network sync virtual router
ha_tentative_hold_time integer			active-active tentative hold timer
ip_address string			Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
password string			Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer		Default: 443	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
provider - added in 2.8			A dict object containing connection details.
	api_key string		The API key to use instead of generating it using username / password.
	ip_address string		The IP address or hostname of the PAN-OS device being configured.
	password string		The password to use for authentication. This is ignored if api_key is specified.
	port integer	Default: 443	The port number to connect to the PAN-OS device on.
	serial_number string		The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
	username string	Default: "admin"	The username to use for authentication. This is ignored if api_key is specified.
state string		Choices: present ← absent	The state.
template string			(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack string			(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username string		Default: "admin"	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.
vsys string			The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.

Notes ¶

Note

Checkmode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples ¶

- name: set ports to HA mode
  panos_interface:
    provider: '{{ provider }}'
    if_name: "{{ item }}"
    mode: "ha"
    enable_dhcp: false
    commit: false
  with_items:
    - ethernet1/1
    - ethernet1/2
    - ethernet1/3
    - ethernet1/4
    - ethernet1/5

- name: Configure Active/Standby HA
  panos_ha:
    provider: '{{ provider }}'
    state: present
    ha_peer_ip: "192.168.50.1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1_port: "ethernet1/1"
    ha2_port: "ethernet1/3"
    commit: "true"

- name: Configure Active/Active HA
  panos_ha:
    provider: "{{ provider }}"
    state: present
    ha_mode: "active-active"
    ha_device_id: 0
    ha_session_owner_selection: "first-packet"
    ha_session_setup: "first-packet"
    ha_peer_ip: "192.168.50.1"
    ha_peer_ip_backup: "192.168.50.5"
    ha1_port: "ethernet1/1"
    ha1_ip_address: "192.168.50.2"
    ha1_netmask: "255.255.255.252"
    ha1b_port: "ethernet1/2"
    ha1b_ip_address: "192.168.50.6"
    ha1b_netmask: "255.255.255.252"
    ha2_port: "ethernet1/3"
    ha2b_port: "ethernet1/4"
    ha3_port: "ethernet1/5"

Status ¶

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.

Authors¶

Patrick Avery

panos_ha – Configures High Availability on PAN-OS¶

Synopsis¶

Requirements¶

Parameters¶

Notes¶

Examples¶

Status¶