Ansible and Palo Alto Networks Firewall

L2 Linker

Palo Alto Networks modules for Ansible are distributed with every Ansible release and can be used to configure and provision the Next-Generation Firewall. The underlying protocol is the Palo Alto Networks open XML API. This API is exposed by both virtual and physical appliances, so the Palo Alto Networks Ansible modules can be used to configure either. The modules depend on the already available Python SDK tools.

The combination of Ansible and the Palo Alto Networks modules addresses the most common automation and orchestration use cases for the Palo Alto Networks VM-Series NGFW in both public and private cloud deployments.

Comments
L2 Linker

Can Ansible be used to communicate to Panorama and create objects, policies etc. ?

L3 Networker

@rkoenig yes, you can use Ansible to create objects, security policies, etc. from Panorama. To find more info on this, please go to http://panwansible.readthedocs.io/en/latest/

L1 Bithead

Hi Ivan,

I have downloaded ansible-pan from GitHub without any issue. However, I have been trying to install the PaloAltoNetworks.paloaltonetworks role without any success. It produces an "IndexError: list index out of range" error.

[ansible-user@localhost roles]$ ansible-galaxy install PaloAltoNetworks.paloaltonetworks -vvv
ansible-galaxy 2.4.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ansible-user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-galaxy
python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]

Could you please shed some light on this issue?

Using /etc/ansible/ansible.cfg as config file
Opened /home/ansible-user/.ansible_galaxy
Processing role PaloAltoNetworks.paloaltonetworks
Opened /home/ansible-user/.ansible_galaxy
- downloading role 'paloaltonetworks', owned by PaloAltoNetworks
https://galaxy.ansible.com/api/v1/roles/?owner__username=PaloAltoNetworks&name=paloaltonetworks
https://galaxy.ansible.com/api/v1/roles/16926/versions/?page_size=50
- downloading role from https://github.com/PaloAltoNetworks/ansible-role-paloaltonetworks/archive/V1.0.4.4.tar.gz
- extracting PaloAltoNetworks.paloaltonetworks to /etc/ansible/roles/PaloAltoNetworks.paloaltonetworks
- extracting PaloAltoNetworks.paloaltonetworks to /usr/share/ansible/roles/PaloAltoNetworks.paloaltonetworks
ERROR! Unexpected Exception, this is probably a bug: list index out of range
the full traceback was:
Traceback (most recent call last):
  File "/usr/bin/ansible-galaxy", line 106, in <module>
    exit_code = cli.run()
  File "/usr/lib/python2.7/site-packages/ansible/cli/galaxy.py", line 150, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ansible/cli/__init__.py", line 154, in execute
    fn()
  File "/usr/lib/python2.7/site-packages/ansible/cli/galaxy.py", line 392, in execute_install
    installed = role.install()
  File "/usr/lib/python2.7/site-packages/ansible/galaxy/role.py", line 332, in install
    self.path = self.paths[nextidx]
IndexError: list index out of range

Could you please shed some light on this issue? Thank you very much.

L2 Linker

I suggest posting this question on the ansible-galaxy list. This is a Galaxy issue.

L1 Bithead

Thanks, will do. Just another question: do you or your team provide custom Ansible solutions? Say we want to do a firewall cleanup task via automation development. Is that possible? If yes, how do we order this service?


L2 Linker

@hstsvn We do not provide custom Ansible solutions. If there is a feature that is missing, please open an issue on our GitHub:

https://github.com/PaloAltoNetworks/ansible-pan

L0 Member

Hi @ibojer,

I have installed the PAN Ansible modules via Ansible Galaxy. I am trying to run a playbook that adds an address object to a firewall. It does not succeed. I ran the playbook again with the verbose option and the "msg" field says "Missing required libraries." Full error below:

The full traceback is:
  File "/var/folders/_q/p30qm43s72d92qxztqhtl_vc0000gn/T/ansible_RCZwOY/ansible_module_panos_object.py", line 167, in <module>
    from pan.xapi import PanXapiError

fatal: [lab-fw]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "address": "1.1.1.1",
            "address_type": "ip-netmask",
            "addressgroup": null,
            "addressobject": "Cloudflare DNS",
            "api_key": null,
            "color": null,
            "description": null,
            "destination_port": null,
            "devicegroup": null,
            "dynamic_value": null,
            "ip_address": "192.168.1.1",
            "operation": "add",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "protocol": null,
            "servicegroup": null,
            "serviceobject": null,
            "services": null,
            "source_port": null,
            "static_value": null,
            "tag_name": null,
            "username": "admin"
        }
    },
    "msg": "Missing required libraries."
}

I'm using Ansible 2.6 (installed via pip) and I'm running it inside a virtual environment.

Thanks!

L2 Linker

Please look at this example:

https://github.com/PaloAltoNetworks/ansible-pan/blob/master/examples/fw_objects_add2.yml

I suggest you use the PaloAltoNetworks role as in the above example, as that will install any required libraries.

L0 Member

I did. I have that example copied exactly as shown, with the tag line commented out. I watch it install the libraries via pip; those tasks complete with an OK.

L0 Member

With verbose debugging, I get this as well:

The full traceback is:
  File "/tmp/ansible_2KuSh1/ansible_module_panos_object.py", line 167, in <module>
    from pan.xapi import PanXapiError
L2 Linker

That works for me just fine. The only thing I can think of is that your virtual environment does not play nicely with Ansible. If you look online you will find a few solutions for that. One is to specify your interpreter in the inventory file like this:

https://github.com/PaloAltoNetworks/ansible-pan/blob/develop/examples/inventory-virt.ini

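A playbook that puts the two suggestions from this thread together (apply the PaloAltoNetworks.paloaltonetworks role so the SDK libraries get installed, and pin the Python interpreter in the inventory so the panos_* modules import them from the right virtualenv), then adds the address object from the failed run above. This is an added example, not a file from the ansible-pan repository; the inventory contents, the interpreter path and the vault file name are assumptions.

```yaml
# Added example (not from ansible-pan). Assumed inventory file, inventory-virt.ini:
#   [fw]
#   lab-fw ip_address=192.168.1.1 ansible_python_interpreter=/path/to/venv/bin/python
# Run with:  ansible-playbook -i inventory-virt.ini --ask-vault-pass fw_add_address.yml
- name: Add an address object to a PAN-OS firewall
  hosts: fw
  connection: local        # the modules talk to the firewall's XML API from the control node
  gather_facts: false

  vars_files:
    - panos_creds.yml      # assumed, vault-encrypted: defines username and password

  roles:
    # Installs the Python SDK libraries the panos_* modules import (pan.xapi in the
    # traceback above). If the play still fails with "Missing required libraries",
    # confirm they landed in the interpreter pinned in the inventory, for example:
    #   /path/to/venv/bin/python -c 'import pan.xapi'
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Create address object "Cloudflare DNS"
      panos_object:
        ip_address: "{{ ip_address }}"   # from the inventory line above
        username: "{{ username }}"
        password: "{{ password }}"       # marked no_log by the module, so it never appears in -vvv output
        operation: add
        addressobject: "Cloudflare DNS"
        address: "1.1.1.1"
        address_type: ip-netmask
        description: "Cloudflare public resolver"
```
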
L0 Member

I just tried it on a fresh install and I can confirm it did work. My local environment must look like Swiss cheese.

Thanks for the response and your work on these modules! And good talk at Ignite!

Thanks again!
