<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: New Firewall Build Process in Automation/API Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526634#M3296</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/95243"&gt;@MichaelPrensky&lt;/a&gt;, I'd say you are in the right place &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;There are various options, but if you can define the steps and config items with placeholder variables for the values that change per firewall, you should then be able to deploy something consistent to each firewall. Your own choice of programming language could do that, Ansible could do that, Terraform -could- do it but is not the best choice given how it likes to manage via state. Ansible is becoming very popular with PAN-OS users, you can do OS upgrades, perform configuration, install certs, etc, and use the variables feature within Ansible to give each firewall the unique values but with a consistent state. The choice between Ansible, bash scripts, Python, PHP, etc is likely something that primarily depends upon what you and/or your team have skills in, and want to operationalise. And keep an eye on the market too in case you need to hire someone; Python skills are more abundant in NetOps than, say, Java! And also the choice can be down to the features of each approach; Ansible may potentially have a lower barrier to entry on learning versus learning Python from scratch, but will likely execute slower than Python, there are trade-offs.&lt;BR /&gt;Hope that helps, hopefully some other users will chip in with their experiences...&lt;/P&gt;</description>
    <pubDate>Wed, 11 Jan 2023 11:51:31 GMT</pubDate>
    <dc:creator>JimmyHolland</dc:creator>
    <dc:date>2023-01-11T11:51:31Z</dc:date>
    <item>
      <title>New Firewall Build Process</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526591#M3294</link>
      <description>&lt;P&gt;Hopefully I am putting this post in the right place.&amp;nbsp; &amp;nbsp;Please feel free to let me know if I should place it elsewhere.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I work at a place where we deploy a lot of firewalls.&amp;nbsp; At the moment, it is a bunch of the PA-220r devices, but we work with the PA-850s and soon to be, some virtual firewalls.&amp;nbsp; I am looking for some advice as to how other companies automate their firewall builds.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Most all of our config is stored in a template, so once it gets to Panorama, we push down as much as we can.&amp;nbsp; So, here is the issue.&amp;nbsp; &amp;nbsp;I need to automate the build process for all those things that are &lt;STRONG&gt;not&lt;/STRONG&gt; part of a template, but are local to each specific firewall.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here are some examples of the types of configs I am talking about:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Bring up the OS to the company standard&lt;/LI&gt;&lt;LI&gt;Config the SMTP policy, so the return address of emails is the host name +&amp;nbsp;@domain.com&lt;/LI&gt;&lt;LI&gt;Register the device on PA site&lt;/LI&gt;&lt;LI&gt;Config the host name for device&lt;/LI&gt;&lt;LI&gt;Install the SSL Cert and create the TLS profile&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;The config is not really all that difficult, but it is time consuming.&amp;nbsp; &amp;nbsp;When you are setting up 20 or 30 firewalls, mistakes can be made.&amp;nbsp; So, I want to see how other companies are doing their build process and what types of automation are leveraged.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for all the help,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Michael&lt;/P&gt;</description>
      <pubDate>Tue, 10 Jan 2023 22:41:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526591#M3294</guid>
      <dc:creator>MichaelPrensky</dc:creator>
      <dc:date>2023-01-10T22:41:36Z</dc:date>
    </item>
    <item>
      <title>Re: New Firewall Build Process</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526634#M3296</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/95243"&gt;@MichaelPrensky&lt;/a&gt;, I'd say you are in the right place &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;There are various options, but if you can define the steps and config items with placeholder variables for the values that change per firewall, you should then be able to deploy something consistent to each firewall. Your own choice of programming language could do that, Ansible could do that, Terraform -could- do it but is not the best choice given how it likes to manage via state. Ansible is becoming very popular with PAN-OS users, you can do OS upgrades, perform configuration, install certs, etc, and use the variables feature within Ansible to give each firewall the unique values but with a consistent state. The choice between Ansible, bash scripts, Python, PHP, etc is likely something that primarily depends upon what you and/or your team have skills in, and want to operationalise. And keep an eye on the market too in case you need to hire someone; Python skills are more abundant in NetOps than, say, Java! And also the choice can be down to the features of each approach; Ansible may potentially have a lower barrier to entry on learning versus learning Python from scratch, but will likely execute slower than Python, there are trade-offs.&lt;BR /&gt;Hope that helps, hopefully some other users will chip in with their experiences...&lt;/P&gt;</description>
      <pubDate>Wed, 11 Jan 2023 11:51:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526634#M3296</guid>
      <dc:creator>JimmyHolland</dc:creator>
      <dc:date>2023-01-11T11:51:31Z</dc:date>
    </item>
    <item>
      <title>Re: New Firewall Build Process</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526826#M3297</link>
      <description>&lt;P&gt;At my previous work I built an ugly Excel sheet where you entered some basic info (IP/hostname/serial number), then it generated both Panorama conf and some basic conf for the devices (we did a lot with templates also) that we could paste into the CLI. Worked OK. Would have done a lot of stuff differently today (more Ansible and j2, for example).&lt;/P&gt;</description>
      <pubDate>Thu, 12 Jan 2023 18:40:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/526826#M3297</guid>
      <dc:creator>zol123</dc:creator>
      <dc:date>2023-01-12T18:40:53Z</dc:date>
    </item>
    <item>
      <title>Re: New Firewall Build Process</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/528797#M3306</link>
      <description>&lt;P&gt;As previously mentioned there are lots of options. I used Palo API calls with Postman as a simple way to build a “new build” collection. Has been a great help. So once the device is physically on the network I can get it updated and ready for import into Panorama to use a standard template. After Postman, I moved into utilizing Python to help standardize the input variables collected for each firewall build.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Jan 2023 23:56:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/new-firewall-build-process/m-p/528797#M3306</guid>
      <dc:creator>jasonrakers</dc:creator>
      <dc:date>2023-01-26T23:56:29Z</dc:date>
    </item>
  </channel>
</rss>

