One of the first building blocks in using Ansible to automate Palo Alto firewall configuration is setting up an initial playbook. Once the concepts of Ansible and playbooks are established, you can build up from there, for example using Ansible Tower / AWX as a front end to deploy the configurations, then integrating other tools such as Jira or Jenkins for full workflow automation.

You can grab the playbook here:

GNS3 Network Lab Environment

In this tutorial I’m going to be using a lab environment in GNS3. Within GNS3 I’ll be using a virtualized Palo Alto firewall and an Ubuntu Docker container acting as our automation & Ansible server.

Installing Python, PIP, and Palo Alto Ansible module dependencies

You’ll need to use the following commands to install Ansible and the required software packages on the Ubuntu host:

apt-get install python3.8
apt-get install python3-pip
pip install ansible
pip install --no-deps -r <requirements-file>   # placeholder: the requirements file name was not shown in the post
pip list | grep pan
ansible-galaxy collection install paloaltonetworks.panos
ansible-galaxy collection list | grep panos

Set up the hosts file

To keep this simple for now, you’ll need to create the directory and populate the hosts file with the IP of the firewall. More information about the hosts file and Ansible inventory can be found here:

mkdir /etc/ansible
echo "<firewall-ip>" >> /etc/ansible/hosts   # placeholder: replace with the firewall's management IP

Ansible playbook prompt for information & connection details

# Palo Alto automation using Ansible  -Tim Baron

## Prompt for Variables
- hosts: all
  connection: local
  vars_prompt:
    - name: user_id
      prompt: "Enter your username ?"
      private: no
    - name: pass_id
      prompt: "Enter your password ?"      # no "private: no" here, so the password is not echoed
    - name: ip_addr
      prompt: "What is the new IP?"
      private: no
    - name: ticket_number
      prompt: "What is the ticket number? (Example: Ticket-123)"
      private: no
    - name: host_name
      prompt: "What is the hostname?"
      private: no
    - name: port_number
      prompt: "What is the port number?"
      private: no
    - name: site_number
      prompt: "What site is it? Example: Madrid"
      private: no
    - name: prd_sbx
      prompt: "What is the environment? Example: prd or sbx"
      private: no

## Connection / login variables for PA provider "device"
  vars:
    device:
      ip_address: ''    # placeholder: the firewall's management IP (left blank in the post)
      username: '{{ user_id }}'
      password: '{{ pass_id }}'
      api_key: '{{ api_key | default(omit) }}'

The first part of this playbook prompts for variables; that information is stored and can be manipulated later in the playbook. We’ll be using the simplest method of password management, which is to have the playbook prompt for the username and password (not advised for production systems); the password prompt omits private: no, so the value typed is not echoed to the terminal. There are more secure ways of handling passwords and secrets, such as using a token from vault. The last part of the playbook sets up the connection to the firewall.

Here’s a link for better password / secrets management within Ansible:

Create an address object, then add this address object to an address group


## 1. Address objects tasks
  tasks:
    - name: If address doesn't exist, create new address object
      paloaltonetworks.panos.panos_address_object:    # module from the paloaltonetworks.panos collection installed above
        provider: '{{ device }}'
        name: '{{ host_name }}'
        value: '{{ ip_addr }}'
        description: '{{ "port-" + port_number + "," + ticket_number }}'

The last part of the playbook is the actual task of creating a new address object in the firewall using the information that was prompted for at the beginning of the playbook.

From here all you’ll need to do is run the playbook using the following command on your Ubuntu host:

ansible-playbook add_address.yml
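The section heading above also promises adding the new object to an address group, which the playbook as shown does not do. The following is an added example, not the original post's playbook: it reuses the post's prompts, validates the prompted IP before anything reaches the firewall, creates the address object, then merges it into a static address group. The group_name prompt, the "web-servers" example value, the use of the inventory hostname as the firewall IP, and the merged/present semantics (paloaltonetworks.panos collection 2.x) are my assumptions.

```yaml
# Added example (not the original playbook): address object plus static
# address group. Assumes the paloaltonetworks.panos collection 2.x.
- hosts: all
  connection: local
  gather_facts: false

  vars_prompt:
    - name: user_id
      prompt: "Enter your username ?"
      private: no
    - name: pass_id
      prompt: "Enter your password ?"      # private by default, so not echoed
    - name: ip_addr
      prompt: "What is the new IP?"
      private: no
    - name: host_name
      prompt: "What is the hostname?"
      private: no
    - name: group_name                     # assumed prompt, not in the post
      prompt: "Which address group should it join? Example: web-servers"
      private: no

  vars:
    device:
      ip_address: '{{ inventory_hostname }}'   # assumption: the firewall IP from /etc/ansible/hosts
      username: '{{ user_id }}'
      password: '{{ pass_id }}'
      api_key: '{{ api_key | default(omit) }}'

  tasks:
    - name: Stop before touching the firewall unless the prompted IP is a dotted-quad IPv4 address
      ansible.builtin.assert:
        that:
          - "ip_addr is match('^([0-9]{1,3}[.]){3}[0-9]{1,3}$')"

    - name: If address doesn't exist, create new address object
      paloaltonetworks.panos.panos_address_object:
        provider: '{{ device }}'
        name: '{{ host_name }}'
        value: '{{ ip_addr }}'
        state: present

    - name: Add the object to the static address group (created if missing)
      paloaltonetworks.panos.panos_address_group:
        provider: '{{ device }}'
        name: '{{ group_name }}'
        static_value:
          - '{{ host_name }}'
        state: merged    # append to existing members; 'present' would replace the member list
```

Run it first with ansible-playbook --check add_address_group.yml so the panos modules report what they would change without modifying the firewall.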

Commit the change / conclusion

You can use Ansible to commit the configuration, but for this first usage I’d recommend manually reviewing the changes and pushing the config from the Palo Alto web GUI.

That’s it, hope you’ve found this tutorial helpful!