topic Re: Automate Firewall Policies and Objects in Automation/API Discussions

Automate Firewall Policies and Objects

Tobi_Babatunde — Fri, 24 Feb 2023 00:48:36 GMT

Hello Everyone,

I have a bunch of Palos been centrally managed by Panorama. I am about to embark on an automation journey - more interested in configuration management. I am interested to know what the best practices are and how the community got started on their journey.

Presently use dynamic objects and tags on my configuration, and push all rules via my Panorama.

What are the best practices for the automation journey? How do I ingest all my present rulesets and objects et al to the configuration management tool?

Thanks.

Re: Automate Firewall Policies and Objects

SimonT — Wed, 01 Mar 2023 23:48:39 GMT

Having successfully used direct API, pandevice and pan-os python modules for some years I would in your case recommend the pan-ansible modules: https://ansible-pan.readthedocs.io/en/latest/

Ansible itself handles any workflow and the modules handle all the parsing etc. Does exactly what you need.

Re: Automate Firewall Policies and Objects

Tobi_Babatunde — Thu, 09 Mar 2023 21:33:25 GMT

Thanks @SimonT. Any experience with it in terms of playbooks?

Re: Automate Firewall Policies and Objects

SimonT — Thu, 09 Mar 2023 21:39:07 GMT

I'm sure you read the documentation (https://github.com/PaloAltoNetworks/pan-os-ansible) but in case not there are links to sample playbooks https://github.com/PaloAltoNetworks/ansible-playbooks

Re: Automate Firewall Policies and Objects

Tobi_Babatunde — Thu, 09 Mar 2023 21:49:09 GMT

I sure did. But those look like basic implementations. I was hoping to see things around real world complex scenarios and also integrations to accept inputs from users which gets checked et al.

But it is a good start.

Re: Automate Firewall Policies and Objects

SimonT — Thu, 09 Mar 2023 22:26:35 GMT

A lot of functionality is provided by ansible-pan so its just a case of mapping your requirements to your own playbook (which you can build by cribbing the examples). Start basic. Any data integrity checking can all be done using Ansible built-in modules. Its 100% real world. Perhaps start with a CLI based tool and develop a front end solution later. If you are focusing on configuration management one option might be to store your "standard configuration" as YAML/Jinja2 format in a GitHub repository (you get free version control) and have your tool draw down from that to compare with your actual configurations. Then act on any deficiencies and email a status report. Having said that, check out AIOps https://www.paloaltonetworks.com/network-security/aiops-for-ngfw. It might do some of what you need.