Ansible and Palo Alto Networks Firewall

by ibojer ‎04-03-2017 02:38 PM - edited ‎04-03-2017 03:27 PM (11,754 Views)

Palo Alto Networks Modules for Ansible are distributed with every Ansible release and can be used to configure and provision the Next Generation Firewall. The underlying protocol is the Palo Alto Networks open XML API. This protocol is exposed and used by both virtual and physical appliances, so the Palo Alto Networks Ansible modules can be used to configure either. These modules depend on the already available Python SDK tools.

The combination of Ansible and the Palo Alto Networks modules addresses the most common applications of automation and orchestration of the Palo Alto Networks VM-Series NGFW for both public and private cloud deployments.
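
The following is an added example, not code from this post or from the ansible-pan project: it shows what an "add address object" task boils down to on the wire. The Ansible module delegates to the Python SDK, which issues a PAN-OS XML API type=config / action=set request; this builds that request offline so the argument-to-request mapping can be inspected and unit-tested. The vsys1 xpath is the standard PAN-OS location for a single firewall's address objects; the hostname and API key values are constructed placeholders, and the object name validation is my own defensive choice.

```python
"""
Added example (not from this post or the ansible-pan project): the
PAN-OS XML API request that an "add address object" task ultimately
produces. The Ansible module delegates to the Python SDK, which sends a
type=config / action=set call; this builds that request offline so the
argument mapping can be inspected and tested. The vsys1 xpath is the
standard PAN-OS location for firewall address objects. Hostname and API
key values used by callers are constructed placeholders.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Address objects of a single firewall live under vsys1; the entry name
# is part of the xpath, so it must be validated before interpolation.
ADDRESS_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/vsys/entry[@name='vsys1']/address/entry[@name='{name}']"
)
ADDRESS_TYPES = ("ip-netmask", "ip-range", "fqdn")
NO_LOG = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # Ansible's redaction marker


def address_element(address: str, address_type: str = "ip-netmask",
                    description: Optional[str] = None) -> str:
    """Serialize the body placed under the address <entry>.

    address_type mirrors the module's address_type argument. The entry
    name is carried by the xpath, so only the value (and an optional
    description) goes into the element. ElementTree escapes the text.
    """
    if address_type not in ADDRESS_TYPES:
        raise ValueError(f"unsupported address_type: {address_type}")
    value = ET.Element(address_type)
    value.text = address
    parts = [ET.tostring(value, encoding="unicode")]
    if description:
        desc = ET.Element("description")
        desc.text = description
        parts.append(ET.tostring(desc, encoding="unicode"))
    return "".join(parts)


def build_set_request(hostname: str, api_key: str, name: str, address: str,
                      address_type: str = "ip-netmask",
                      description: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, form_fields) for a config/set call on the XML API.

    The key is sent as a POST field rather than in the query string so it
    stays out of proxy and web-server access logs. Quotes and brackets in
    the object name are rejected because they would alter the xpath.
    """
    if not name or any(ch in name for ch in "'\"[]"):
        raise ValueError(f"invalid object name: {name!r}")
    fields = {
        "type": "config",
        "action": "set",
        "xpath": ADDRESS_XPATH.format(name=name),
        "element": address_element(address, address_type, description),
        "key": api_key,
    }
    return f"https://{hostname}/api/", fields


def redacted(fields: Dict[str, str]) -> Dict[str, str]:
    """Copy of the form fields that is safe to log, mirroring the module's no_log."""
    return {k: (NO_LOG if k == "key" else v) for k, v in fields.items()}


def encoded_body(fields: Dict[str, str]) -> str:
    """application/x-www-form-urlencoded body as the SDK would send it."""
    return urlencode(fields)


if __name__ == "__main__":
    # Constructed values; "Cloudflare DNS" / 1.1.1.1 are the ones from the thread.
    url, fields = build_set_request("fw.example.invalid", "PLACEHOLDER_API_KEY",
                                    "Cloudflare DNS", "1.1.1.1")
    print("POST", url)
    print(encoded_body(redacted(fields)))
```

Run it as a script to see the redacted request; `redacted()` exists so that anything you log in a playbook or wrapper never carries the key, which is the same reason the module marks its password and api_key arguments no_log.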

Comments
by rkoenig
on ‎04-21-2017 02:56 PM

Can Ansible be used to communicate to Panorama and create objects, policies etc. ?

by bartoq
on ‎05-23-2017 03:20 AM

@rkoenig yes, you can use Ansible to create objects, security policies, etc. from Panorama. To find more info on this please go to http://panwansible.readthedocs.io/en/latest/

by hstsvn
on ‎12-05-2017 05:13 PM

Hi Ivan,

I have downloaded ansible-pan from GitHub without any issue. However, I have been trying to install the PaloAltoNetworks.paloaltonetworks role without any success. It produces an "IndexError: list index out of range" error.

[ansible-user@localhost roles]$ ansible-galaxy install PaloAltoNetworks.paloaltonetworks -vvv
ansible-galaxy 2.4.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ansible-user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-galaxy
python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]

Using /etc/ansible/ansible.cfg as config file
Opened /home/ansible-user/.ansible_galaxy
Processing role PaloAltoNetworks.paloaltonetworks
Opened /home/ansible-user/.ansible_galaxy
- downloading role 'paloaltonetworks', owned by PaloAltoNetworks
https://galaxy.ansible.com/api/v1/roles/?owner__username=PaloAltoNetworks&name=paloaltonetworks
https://galaxy.ansible.com/api/v1/roles/16926/versions/?page_size=50
- downloading role from https://github.com/PaloAltoNetworks/ansible-role-paloaltonetworks/archive/V1.0.4.4.tar.gz
- extracting PaloAltoNetworks.paloaltonetworks to /etc/ansible/roles/PaloAltoNetworks.paloaltonetworks
- extracting PaloAltoNetworks.paloaltonetworks to /usr/share/ansible/roles/PaloAltoNetworks.paloaltonetworks
ERROR! Unexpected Exception, this is probably a bug: list index out of range
the full traceback was:
Traceback (most recent call last):
File "/usr/bin/ansible-galaxy", line 106, in <module>
exit_code = cli.run()
File "/usr/lib/python2.7/site-packages/ansible/cli/galaxy.py", line 150, in run
self.execute()
File "/usr/lib/python2.7/site-packages/ansible/cli/__init__.py", line 154, in execute
fn()
File "/usr/lib/python2.7/site-packages/ansible/cli/galaxy.py", line 392, in execute_install
installed = role.install()
File "/usr/lib/python2.7/site-packages/ansible/galaxy/role.py", line 332, in install
self.path = self.paths[nextidx]
IndexError: list index out of range

Could you please shed some light on this issue? Thank you very much.

by ibojer
on ‎12-07-2017 08:02 AM

I suggest posting this question on the ansible-galaxy list. This is a Galaxy issue.

by hstsvn
on ‎12-07-2017 09:08 PM

Thanks, will do. Just another question: do you or your team provide custom Ansible solutions? Say we want to do a firewall cleanup task via automation development. Is it possible? If yes, how do we order this service?

by ibojer
on ‎12-13-2017 02:48 PM

@hstsvn We do not provide custom Ansible solutions. If there is a feature that is missing, please open an issue at our GitHub:

https://github.com/PaloAltoNetworks/ansible-pan

by edmichels
on ‎07-25-2018 07:53 PM

Hi @ibojer,

I have installed the PAN Ansible modules via Ansible Galaxy. I am trying to run a playbook that adds an address object to a firewall. It does not succeed. I ran the playbook again with the verbose option and the msg field says "Missing required libraries". Full error below:

The full traceback is:
  File "/var/folders/_q/p30qm43s72d92qxztqhtl_vc0000gn/T/ansible_RCZwOY/ansible_module_panos_object.py", line 167, in <module>
    from pan.xapi import PanXapiError

fatal: [lab-fw]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "address": "1.1.1.1",
            "address_type": "ip-netmask",
            "addressgroup": null,
            "addressobject": "Cloudflare DNS",
            "api_key": null,
            "color": null,
            "description": null,
            "destination_port": null,
            "devicegroup": null,
            "dynamic_value": null,
            "ip_address": "192.168.1.1",
            "operation": "add",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "protocol": null,
            "servicegroup": null,
            "serviceobject": null,
            "services": null,
            "source_port": null,
            "static_value": null,
            "tag_name": null,
            "username": "admin"
        }
    },
    "msg": "Missing required libraries."
}

I'm using Ansible 2.6 (installed via pip) and I'm running it inside a virtual environment.

Thanks!

by ibojer
on ‎07-26-2018 09:20 AM

Please look at this example:

https://github.com/PaloAltoNetworks/ansible-pan/blob/master/examples/fw_objects_add2.yml

I suggest you use the PaloAltoNetworks role like in the above example, as that will install any required libraries.

by edmichels
on ‎07-26-2018 12:00 PM

I did, I have that example copied exactly as shown with the tag line commented out. I watch it install the libraries via pip; those tasks complete with an ok.

by edmichels
on ‎07-26-2018 05:25 PM

With verbose debugging, I get this as well:

The full traceback is:
  File "/tmp/ansible_2KuSh1/ansible_module_panos_object.py", line 167, in <module>
    from pan.xapi import PanXapiError

by ibojer
on ‎07-29-2018 09:57 AM

That works for me just fine. The only thing I can think of is that your virtual environment does not play nice with Ansible. If you look online you will find a few solutions for that. One is to specify your interpreter in the inventory file like this:

https://github.com/PaloAltoNetworks/ansible-pan/blob/develop/examples/inventory-virt.ini

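The exchange above (the "Missing required libraries" failure and the suggestion to pin the interpreter in the inventory) lends itself to a small diagnostic. The following is an added example, not code from the thread or from the ansible-pan project: Ansible runs a module under whatever interpreter ansible_python_interpreter resolves to, so packages pip-installed into a virtualenv are invisible when the module executes under the system Python. The script probes a given interpreter for the imports the module needs and prints the inventory line that pins it. pan.xapi is the import from the traceback; pandevice is assumed to be the other SDK package the role installs, and the host name lab-fw is the one from the thread.

```python
"""
Added example, not from the thread or the ansible-pan project: a
diagnostic for the "Missing required libraries" failure. Ansible runs a
module under the interpreter that ansible_python_interpreter resolves to,
so libraries pip-installed into a virtualenv are invisible if the module
executes under the system Python. This probes a given interpreter for the
imports the module needs and produces the inventory line that pins it.
pan.xapi is the import from the traceback; pandevice is assumed to be the
other SDK package the role installs.
"""
import subprocess
import sys
from typing import Dict, List

REQUIRED_IMPORTS = ["pan.xapi", "pandevice"]
DEFAULT_INTERPRETER = sys.executable


def probe_imports(interpreter: str, modules: List[str]) -> Dict[str, bool]:
    """Try each import in a child process of `interpreter`; True means importable.

    A subprocess is used deliberately: importing into this process would
    only tell us about the interpreter running this script.
    """
    results: Dict[str, bool] = {}
    for mod in modules:
        proc = subprocess.run([interpreter, "-c", f"import {mod}"],
                              capture_output=True, text=True)
        results[mod] = proc.returncode == 0
    return results


def missing_modules(interpreter: str, modules: List[str] = REQUIRED_IMPORTS) -> List[str]:
    """Names from `modules` that `interpreter` cannot import, in order."""
    return [m for m, ok in probe_imports(interpreter, modules).items() if not ok]


def inventory_line(host: str, interpreter: str) -> str:
    """INI inventory entry pinning the interpreter for one host.

    The panos modules are typically run with connection: local, so this
    is the control node's interpreter, not anything on the firewall.
    """
    return f"{host} ansible_python_interpreter={interpreter}"


def diagnose(interpreter: str = DEFAULT_INTERPRETER) -> str:
    """Human-readable verdict for one interpreter."""
    missing = missing_modules(interpreter)
    if not missing:
        return f"ok: {interpreter} imports {', '.join(REQUIRED_IMPORTS)}"
    return (f"{interpreter} cannot import {', '.join(missing)}. Either run "
            f"'{interpreter} -m pip install pan-python pandevice' or point "
            f"Ansible at the interpreter that has them, e.g. in inventory:\n"
            f"  {inventory_line('lab-fw', '/path/to/venv/bin/python')}")


if __name__ == "__main__":
    # Check the interpreter named on the command line, else the current one.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INTERPRETER))
```

Run it once with the virtualenv's python and once with /usr/bin/python; if only the first reports ok, the inventory line it prints is the fix, because the module's pip tasks can succeed in the playbook while the module itself still runs elsewhere.
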
by edmichels
on ‎07-30-2018 09:21 AM

I just tried it on a fresh install and I can confirm it did work. My local environment must look like Swiss cheese.

Thanks for the response and your work on these modules! And good talk at Ignite!

Thanks again!