Intro
One of the first building blocks in using Ansible to automate Palo Alto firewall configuration is setting up an initial playbook. Once the concepts of Ansible and playbooks are established, you can build up from there, for example using Ansible Tower / AWX as a front end to deploy the configurations, then integrating other tools like Jira or Jenkins for full workflow automation.
You can grab the playbook here: https://github.com/timjbaron/ansible_paloalto.git
GNS3 Network Lab Environment
In this tutorial I’m going to be using a lab environment in GNS3. Within GNS3 I’ll be using a virtualized Palo Alto firewall and an Ubuntu Docker container acting as our automation and Ansible server.
Installing Python, PIP, and Palo Alto Ansible module dependencies
You’ll need to use the following commands to install Ansible and the required software packages on the Ubuntu host:
apt-get install python3.8
apt-get install python3-pip
pip install ansible
pip install -r https://raw.githubusercontent.com/PaloAltoNetworks/pan-os-ansible/develop/requirements.txt --no-deps
pip list | grep pan
ansible-galaxy collection install paloaltonetworks.panos
ansible-galaxy collection list | grep panos
Set up the hosts file
To keep this simple for now, create the directory and populate the hosts file with the IP address of the firewall. More information about the hosts file and Ansible inventories can be found here: https://www.digitalocean.com/community/tutorials/how-to-set-up-ansible-inventories
mkdir /etc/ansible
echo 192.168.1.2 >> /etc/ansible/hosts
Ansible playbook prompt for information & connection details
---
# Palo Alto automation using Ansible -Tim Baron
## Prompt for Variables
- hosts: all
  vars_prompt:
    - name: user_id
      prompt: "Enter your username ?"
      private: no
    - name: pass_id
      prompt: "Enter your password ?"
    - name: ip_addr
      prompt: "What is the new IP?"
      private: no
    - name: ticket_number
      prompt: "What is the ticket number? (Example: Ticket-123)"
      private: no
    - name: host_name
      prompt: "What is the hostname?"
      private: no
    - name: port_number
      prompt: "What is the port number?"
      private: no
    - name: site_number
      prompt: "What site is it? Example: Madrid"
      private: no
    - name: prd_sbx
      prompt: "What is the environment? Example: prd or sbx"
      private: no
  ## Connection / login variables for PA provider "device"
  connection: local
  vars:
    device:
      ip_address: '192.168.1.2'
      username: '{{ user_id }}'
      password: '{{ pass_id }}'
      api_key: '{{ api_key | default(omit) }}'
The first part of this playbook is set up to prompt for variables; this information can be stored and manipulated later on in the playbook. We’ll be using the simplest method of password management, which is to have the playbook prompt for the username and password (not advised for production systems). There are more secure ways of handling passwords and secrets, such as using a token from a vault. The last part of the playbook sets up the connection to the firewall.
Here’s a link for better password / secrets management within Ansible:
https://www.redhat.com/sysadmin/ansible-playbooks-secrets
Create an address object, then add this address object to an address group
  tasks:
    ## 1. Address objects tasks
    - name: If address doesn't exist, create new address object
      paloaltonetworks.panos.panos_address_object:
        provider: '{{ device }}'
        name: '{{ host_name }}'
        value: '{{ ip_addr }}'
        description: '{{ "port-" + port_number + "," + ticket_number }}'
The last part of the playbook is the actual task: creating a new address object on the firewall using the information that was prompted for at the beginning of the playbook.
From here all you’ll need to do is run the playbook using the following command on your Ubuntu host:
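As an added example that is not part of this tutorial or the linked repository, the play below reworks the same flow along the lines of the secrets advice above and the address-group step named in the section heading. It assumes a vault-encrypted file secrets.yml containing a single variable panos_api_key (both the file name and the variable name are assumptions), takes the firewall address from the inventory entry instead of hardcoding it, refuses to call the firewall API when a prompted value is malformed, and then creates the address object and puts it in a site/environment address group (the group naming convention and the existing_group_members variable are assumptions). One caveat a practitioner should know: static_value in panos_address_group is the group's complete membership, not an append, so the list has to be built in full each run.

```yaml
---
# Added example, not the tutorial's or the pan-os-ansible project's own code.
# Assumed setup:
#   ansible-vault create secrets.yml      # contents: panos_api_key: <your key>
#   ansible-playbook add_address_vault.yml --ask-vault-pass
- name: Create an address object and add it to a site address group
  hosts: all
  connection: local
  gather_facts: false

  vars_prompt:
    - name: ip_addr
      prompt: "What is the new IP? (Example: 10.0.0.5 or 10.0.0.0/24)"
      private: false
    - name: ticket_number
      prompt: "What is the ticket number? (Example: Ticket-123)"
      private: false
    - name: host_name
      prompt: "What is the hostname?"
      private: false
    - name: port_number
      prompt: "What is the port number?"
      private: false
    - name: site_number
      prompt: "What site is it? Example: Madrid"
      private: false
    - name: prd_sbx
      prompt: "What is the environment? Example: prd or sbx"
      private: false
    - name: do_commit
      prompt: "Commit on the firewall now? (yes/no, default no: review in the web GUI first)"
      default: "no"
      private: false

  vars_files:
    - secrets.yml                      # vault-encrypted; never a plaintext password prompt
  vars:
    device:
      ip_address: "{{ inventory_hostname }}"   # the IP from /etc/ansible/hosts
      api_key: "{{ panos_api_key }}"           # assumed variable name inside secrets.yml
    group_name: "{{ site_number }}-{{ prd_sbx }}-hosts"   # assumed naming convention
    # static_value replaces the whole membership, so supply the current members
    # (assumed to live in host_vars/group_vars) and append the new object.
    group_members: "{{ (existing_group_members | default([])) + [host_name] }}"

  tasks:
    - name: Refuse to touch the firewall when any prompted value is malformed
      ansible.builtin.assert:
        that:
          - "ip_addr is match('^[0-9]{1,3}([.][0-9]{1,3}){3}(/[0-9]{1,2})?$')"
          - "ticket_number is match('^Ticket-[0-9]+$')"
          - "host_name is match('^[A-Za-z0-9._-]{1,63}$')"
          - "port_number | int > 0 and port_number | int < 65536"
          - "prd_sbx in ['prd', 'sbx']"
        fail_msg: "Malformed input; nothing was sent to the firewall."

    - name: Create the address object if it does not exist
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ device }}"
        name: "{{ host_name }}"
        value: "{{ ip_addr }}"
        address_type: ip-netmask
        description: "port-{{ port_number }},{{ ticket_number }}"
        state: present

    - name: Ensure the object is a member of the site/environment address group
      paloaltonetworks.panos.panos_address_group:
        provider: "{{ device }}"
        name: "{{ group_name }}"
        static_value: "{{ group_members }}"
        description: "Managed by Ansible; last change {{ ticket_number }}"
        state: present

    - name: Commit only when explicitly requested
      paloaltonetworks.panos.panos_commit_firewall:
        provider: "{{ device }}"
        description: "{{ ticket_number }}"
      when: do_commit | bool
```

The assert task runs before any module talks to the firewall, so a typo in the IP or ticket number fails the play locally instead of leaving a half-configured candidate config. Because the API key comes from the vault file and the provider dictionary carries no username or password, nothing secret is typed at the prompt or echoed into shell history, and the commit stays opt-in, matching the advice in the conclusion to review the change in the web GUI first.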
ansible-playbook add_address.yml
Commit the change / conclusion
You can use Ansible to commit the configuration, but for this first usage I’d recommend manually reviewing the changes and pushing the config from the Palo Alto web GUI.
That’s it, hope you’ve found this tutorial helpful!