topic PAN config for ansible jinja in General Topics

PAN config for ansible jinja

tirexxerit — Thu, 09 Apr 2020 17:15:58 GMT

Hi,

I am trying to create a configuration template which I can change certain variables and pushed the config to multiple firewalls.

However PAN is not behaving the way I need. I have two problems which seems to be related to PAN's design.

1) Even if you fetch the config in set mode and pasted in back in CLI due to strict reference check it fails to run.

https://live.paloaltonetworks.com/t5/General-Topics/cli-scripting-mode-without-strict-check/m-p/319921#M81967

2) Because of this problem, I base my template of XML config then I import it on the new firewalls however XML is quite

dependent on PAN-OS version so my config generated from template might fail to load on 9.0 version in the future. With set based,

it is easier for me to fix the errors but XML is harder.

I wonder what other people do (except recommending panorama as we use it for most but for certain config panorama isn't really efficient) to create a golden template.

Because of this strict check on CLI, I have to defer to XML but it has its own challenges.

thanks

Re: PAN config for ansible jinja

OtakarKlier — Thu, 09 Apr 2020 21:14:12 GMT

Hello,

Looks like you might want to check out Iron Skillet. I created my own base template off of it and just do a search and replace in the xml.

https://live.paloaltonetworks.com/t5/Blogs/IronSkillet-Best-Practices-Templates/ba-p/233175

Regards,

Re: PAN config for ansible jinja

BPry — Thu, 09 Apr 2020 22:27:00 GMT

@tirexxerit,

To add onto the IronSkillet approach that @OtakarKlier brought up. Generally the pieces of the configuration that most people actually care about templating aren't actually dependent on PAN-OS release. So you could make generic XML templates for the major versions, and then further pull in the rulebase and objects and such.