Ansible For Firewall SEC Policy Change Management

L2 Linker

Many customers want to manage security policy changes through an internal CI/CD process. In this video tutorial, we leverage the Palo Alto Networks custom Ansible modules and the Ansible "pull" feature to monitor changes in GitHub and deploy updated policies to an already provisioned firewall.

Thanks for viewing.

Please feel free to leave questions or comments in the section below.

See also:

Using Ansible For AWS Deployments

3 Comments
L0 Member

If I use the operation command to update the rule, it shows an error as below:

msg: Param "operation" is removed; use "state" instead

L0 Member

There is no video here.

L1 Bithead

Hi Ivan,

I went through your video - https://www.youtube.com/watch?v=0OnKIcUCKJg


I'm actively working on converting existing firewall rules into Ansible code, and I have a feature/functionality inquiry.

 

It seems like all the documentation talks about how to start building security policies with Ansible... and it all seems overly simplified, applying only to a basic new install. What if you want to insert a new rule somewhere into the list? I have a hard time believing I'm the first person to see this or to need this functionality.

 

I have 130 existing firewall rules. I'd like to turn them into Ansible code and manage them with git. The only documentation I can find talks about "location":

location: 'before/after'
existing_rule: 'xyz'

so this would mean you'd have to know the existing firewall rule list, and every code block for a new policy has to reference another rule/name.
 
Example:

```yaml
- name: add SSH inbound rule to Panorama device group
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'lab-pan01'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['any']
    source_ip: ['any']
    destination_zone: ['any']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'

- name: add a 2nd rule to Panorama device group
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'lab-pan01'
    rule_name: 'SSH permit01'
    description: 'rule indexing test'
    source_zone: ['any']
    source_ip: ['any']
    destination_zone: ['any']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'
    location: 'before'
    existing_rule: 'SSH permit'
```

The Palo Alto CLI has the concept of "index", which is the position of the rule in the list. It seems like if we could pass that into Ansible, and Ansible could index the new rule, the code would be a lot simpler. Having to know the name of the rule for before/after insertion makes for lots of useless extra text in the code. Being able to index the rule right into the place you want it seems more efficient.

show running security-policy | match index <<-- gives a nice output of all your firewall rules in their current ordering

Maybe this exists somewhere, but I can't find it in any Palo Alto/Ansible documentation.
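Added example (Python; not code from this thread or from the Palo Alto Networks Ansible modules) that derives the `location`/`existing_rule` parameters from a position in an ordered rule list, so a rule can be placed by index the way the CLI shows it rather than by hand-typed neighbour names. It reuses the parameter names and sample values from the post and assumes the module also accepts `location: top` for a rule with nothing above it.

```python
"""Compute panos_security_rule placement from a desired rule position."""
from typing import Dict, List

# Constructed sample: the two rules from the post plus a cleanup rule, in
# the order they should appear in the device group.
ORDERED_RULES: List[Dict] = [
    {"rule_name": "SSH permit01", "description": "rule indexing test"},
    {"rule_name": "SSH permit", "description": "SSH rule test"},
    {"rule_name": "deny-all", "description": "cleanup rule", "action": "deny"},
]

# Fields shared by every rule in the post; a rule's own fields override them.
BASE_RULE = {
    "source_zone": ["any"], "source_ip": ["any"], "destination_zone": ["any"],
    "destination_ip": ["1.1.1.1"], "application": ["ssh"], "action": "allow",
}


def placement(index: int, existing_names: List[str]) -> Dict[str, str]:
    """Map a target position to location/existing_rule. Position 0 becomes
    'top' (assumed valid); any other position anchors 'after' the rule above."""
    if index < 0 or index > len(existing_names):
        raise IndexError(f"index {index} outside 0..{len(existing_names)}")
    if index == 0:
        return {"location": "top"}
    return {"location": "after", "existing_rule": existing_names[index - 1]}


def build_task(rule: Dict, index: int, existing_names: List[str],
               device_group: str = "lab-pan01") -> Dict:
    """One panos_security_rule task placing `rule` at `index` in the current order."""
    params = {"provider": "{{ provider }}", "device_group": device_group}
    params.update(BASE_RULE)
    params.update(rule)
    params.update(placement(index, existing_names))
    return {"name": f"add {rule['rule_name']} to {device_group}",
            "panos_security_rule": params}


def chain_tasks(rules: List[Dict]) -> List[Dict]:
    """Tasks for a whole ordered list: each rule anchors on the one before it,
    so a device group with no rules yet ends up in exactly this order."""
    tasks: List[Dict] = []
    names: List[str] = []
    for rule in rules:
        tasks.append(build_task(rule, len(names), names))
        names.append(rule["rule_name"])
    return tasks
```

Because JSON is valid YAML, `json.dump(chain_tasks(ORDERED_RULES), fh, indent=2)` writes a tasks file that Ansible can include directly.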