paloaltonetworks.panos.panos_readiness_checks (2.19.1) — module

Runs readiness checks (boolean in nature) against a Firewall device.

Added in version 2.18.0 of paloaltonetworks.panos

Authors: Łukasz Pawlęga (@fosix)

Install collection

Install with:

  ansible-galaxy collection install paloaltonetworks.panos:==2.19.1


Add to requirements.yml

  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1

Description

A wrapper around the PAN-OS Upgrade Assurance package.

The module runs the readiness checks available through the package's CheckFirewall.run_readiness_checks() method (https://pan.dev/panos/docs/panos-upgrade-assurance/api/check_firewall/#checkfirewallrun_readiness_checks). Because it is only a wrapper, you configure a check exactly as you would when running the class directly. Refer to the package's documentation for the syntax (https://pan.dev/panos/docs/panos-upgrade-assurance/configuration-details/#readiness-checks) and the configuration dialect (https://pan.dev/panos/docs/panos-upgrade-assurance/dialect/).


Requirements

Usage examples

- name: Run all management plane checks using NOT notation
  panos_readiness_checks:
    provider: '{{ device }}'
    checks:
      - '!ha'
      - '!session_exist'
      - '!arp_entry_exist'
      - '!ip_sec_tunnel_status'
- name: Check if a specified session exists in vsys2, fail if it does not
  panos_readiness_checks:
    provider: '{{ device }}'
    vsys: vsys2
    force_fail: true
    checks:
      - session_exist:
          source: '34.23.15.1'
          destination: '10.1.0.4'
          dest_port: '80'

Inputs

    
port:
    default: 443
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The port number to connect to the PAN-OS device on.
    type: int

vsys:
    default: vsys1
    description:
    - The vsys this object belongs to.
    type: str

checks:
    default:
    - all
    description:
    - A list of checks that should be run against a device. For details on the currently
      supported checks, refer to the package's documentation (https://pan.dev/panos/docs/panos-upgrade-assurance/configuration-details/#readiness-checks).
    - In most cases it is enough to specify a check name to run it with default
      settings. In this case the list element is of type B(str). If additional configuration
      is required, the element is a one-element B(dict), where the key is the check name and
      the value contains the check's configuration. For information on which checks require additional
      configuration, refer to the package documentation (https://pan.dev/panos/docs/panos-upgrade-assurance/configuration-details/#readiness-checks).
    elements: raw
    type: list

api_key:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The API key to use instead of generating it using I(username) / I(password).
    type: str

password:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The password to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      api_key:
        description:
        - The API key to use instead of generating it using I(username) / I(password).
        type: str
      ip_address:
        description:
        - The IP address or hostname of the PAN-OS device being configured.
        type: str
      password:
        description:
        - The password to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
      port:
        default: 443
        description:
        - The port number to connect to the PAN-OS device on.
        type: int
      serial_number:
        description:
        - The serial number of a firewall to use for targeted commands. If I(ip_address)
          is not a Panorama PAN-OS device, then this param is ignored.
        type: str
      username:
        default: admin
        description:
        - The username to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
    type: dict
    version_added: 1.0.0
    version_added_collection: paloaltonetworks.panos

username:
    default: admin
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The username to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

force_fail:
    default: false
    description: When set to B(true), the module fails when at least one of the
      checks did not pass.
    type: bool

ip_address:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The IP address or hostname of the PAN-OS device being configured.
    type: str

skip_force_locale:
    default: false
    description:
    - When set to B(true) will skip the B(en_US.UTF-8) locales on the checks.
    - Use with caution, and only when you actually use different, English-based locales but
      you do not have B(en_US.UTF-8) installed.
    type: bool

Outputs

response:
  contains:
    reason:
      description:
      - Free text describing the check result.
      - 'Prefixed with a keyword: SUCCESS, FAIL, ERROR, SKIPPED.'
      - Meaningful only for failed tests, as the ones that succeeded are self-explanatory.
      returned: always
      type: str
    state:
      description: A result of a check.
      returned: always
      type: bool
  description:
  - This is a B(dict) where keys are check names, just as you specify them in the
    I(checks) property.
  - Each value is also a B(dict).
  - When I(force_fail) has the default value of B(false), this B(dict) contains results
    for all checks that were specified in the I(checks) property.
  - When I(force_fail) is set to B(true) it contains only checks that failed.
  returned: always
  sample:
    arp_entry_exist:
      reason: '[SKIPPED] Missing ARP table entry description.'
      state: false
    candidate_config:
      reason: '[FAIL] Pending changes found on device.'
      state: false
    content_version:
      reason: '[FAIL] Installed content DB version (8640-7694) is not the latest one
        (8697-7981).'
      state: false
    free_disk_space:
      reason: '[SUCCESS] '
      state: true
    ha:
      reason: '[ERROR] Device is not a member of an HA pair.'
      state: false
    ip_sec_tunnel_status:
      reason: '[SKIPPED] Missing tunnel specification.'
      state: false
    ntp_sync:
      reason: '[ERROR] No NTP server configured.'
      state: false
    panorama:
      reason: '[SUCCESS] '
      state: true
    session_exist:
      reason: '[SKIPPED] Missing critical session description. Failing check.'
      state: false
  type: dict
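
A playbook that gates an upgrade on the response structure described above, added here as an example and not taken from the collection's documentation. The inventory group firewalls and the variables panos_ip and vault_panos_api_key are assumed names; the checks listed are ones that appear in the sample output. It reads the keyword prefix of each reason because, in the sample, SKIPPED and ERROR results carry state false just like FAIL.

```yaml
# Added example, not from the collection's documentation.
# Assumptions: inventory group "firewalls"; panos_ip and vault_panos_api_key
# are hypothetical variable names (the API key is expected to come from a vault).
- name: Gate a PAN-OS upgrade on readiness checks
  hosts: firewalls
  connection: local
  gather_facts: false
  vars:
    device:
      ip_address: '{{ panos_ip }}'
      api_key: '{{ vault_panos_api_key }}'
  tasks:
    - name: Run selected readiness checks and keep every result
      paloaltonetworks.panos.panos_readiness_checks:
        provider: '{{ device }}'
        force_fail: false   # default: response holds all requested checks
        checks:
          - candidate_config
          - content_version
          - free_disk_space
          - ntp_sync
      register: readiness

    - name: Split results by the keyword prefix of each reason
      ansible.builtin.set_fact:
        # FAIL and ERROR block the upgrade
        blocking: >-
          {{ readiness.response | dict2items
             | selectattr('value.reason', 'match', '\\[(FAIL|ERROR)\\]')
             | map(attribute='key') | list }}
        # SKIPPED checks were not evaluated, yet also report state false
        skipped: >-
          {{ readiness.response | dict2items
             | selectattr('value.reason', 'match', '\\[SKIPPED\\]')
             | map(attribute='key') | list }}

    - name: Report skipped checks separately from failures
      ansible.builtin.debug:
        msg: 'Skipped (not evaluated): {{ skipped | join(", ") }}'
      when: skipped | length > 0

    - name: Stop before the upgrade if any check failed or errored
      ansible.builtin.assert:
        that:
          - blocking | length == 0
        fail_msg: 'Readiness checks blocking upgrade: {{ blocking | join(", ") }}'
```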