airgapped-license-workflow
Licensing an Air-Gapped VM-Series NGFW
Normally, when a VM-Series Palo Alto Networks firewall has direct internet access and an activated auth-code, activating the VM's licenses after initial configurations is as easy as clicking Device > Licenses > Activate feature using authorization code.
When a VM-Series is not connected to the internet (or is said to be air-gapped), additional steps must be completed. This Quickplay solution was created to simplify these steps:
* Grab the CPUID and UUID from the NGFW
* Activate the NGFW with the Licensing API
* Push the PA-VM license key and wait for a reboot
* Push all remaining received licensing keys to the NGFW
Running the Playbook
Install/Upgrade the PAN-OS Enhanced Ansible Collection
This playbook requires the v1.2.0+ mrichardson03.panos
Ansible collection. Install
with this command:
ansible-galaxy collection install --force mrichardson03.panos
Edit your inventory file
In the inventory file, you can set the NGFW's IP address (ansible_host), username (ansible_user) and password (ansible_password).
cp inventory.sample inventory
vi inventory
Edit your vars file
In the vars/main.yml
file, you can set:
1. the pre-activated auth-code
2. your Customer Support Portal > Assets > API Key Management > Licensing API,
3. the first_time
registration (yes/no)
If you did not save the license keys or had a network connection trouble during initial license activation, you may run into the error message:
"Cannot apply a provisioning license feature to an already provisioned device"
In this case, you will need to set the first_time
as no.
Run the Playbook, passing along extra vars if not previously set
If you did not edit the variables and inventory files, you can use the -e
command
line parameter to set extra variables. Run the following command to license your
airgapped firewall:
ansible-playbook -i inventory license-airgap-firewall.yml -e 'first_time=yes'
Please Note:
During the first time registration of a VM, the Push PA-VM license key to Firewall Ansible task WILL FAIL with the error
Remote end closed connection without response
since the VM must reboot. This failure is an expected behavior, and the playbook will wait for the firewall to boot back up and will push remaining licenses to the VM.