PA - can we have an honest discussion about Ansible and PA?

Reply
L2 Linker

PA - can we have an honest discussion about Ansible and PA?

First of all - thanks for the API - it's mostly great.

 

But, let's talk about Ansible and PA.  Some of our folks went to Ansible Fest and talked to the PA folks there and they said that they were working on making it better - but requiring external modules if kind of untenable when trying to roll out enterprise automation, as well as the lack for functionality with the modules (no checkmode is a non-starter for us).  Also missing is like 75%? of the API functionality in the PA Ansible modules.

 

So, we're left to doing roll-your-own automation with the API and python.  That alone restricts a good enterprise integration and maintainability.

 

I guess what I'm asking is someone to step up and supply a feature roadmap so we can plan our enterprise automation solutions.

L4 Transporter

Re: PA - can we have an honest discussion about Ansible and PA?

 

Can I get some clarification, please?

 

What external modules are you referring to?

Is there some other Ansible functionality besides checkmode that you're referring to with the lack of functionality?

What other Ansible modules for the PAN-OS API did you want to make use of, but there is no module yet?

L3 Networker

Re: PA - can we have an honest discussion about Ansible and PA?

I dont think its that bad, however im not really a fan of using external modules hosted at github (having to rely on forum post on github to make bugreports on python modules is a not really enterprise). And yes im aware that other big vendor in the same field uses the same approach, so its not really a palo problem i guess.

 

 

As far as functions, we deploy new vlan to exisiting "l3" trunks on daliy basis. That is a function/playbook i really do miss.

L4 Transporter

Re: PA - can we have an honest discussion about Ansible and PA?

There is no reason to install any external modules hosted on any github with Ansible.  There is, however, an Ansible Galaxy role that is recommended to be installed, but that has nothing to do with github.

L3 Networker

Re: PA - can we have an honest discussion about Ansible and PA?

Yeah you can install the panpython/pandevice from other places then github. What i mean is if i run into a bug on any of this modules. The only way to get help is to post a anonumoys post on palos github place in the issue section. I know that they are normaly answerd quite soon. 

L2 Linker

Re: PA - can we have an honest discussion about Ansible and PA?

To follow up on some of the questions and comments.

 

I posted back in March:

"So, looking at the docs, it looks like I would not be able to create a tagged vlan sub interface (ae1.500 - vlan.500 - ip 10.2.2.2/24 -- for example) and also add a BGP peers to the VRouter with Ansible.  Looks like something I wold have to do directly through the API - but am I missing something?"

 

So, I don't see those functions.

 

About third party modules being needed, we see in the Ansible Module Index documentation.  From https://docs.ansible.com/ansible/latest/modules/panos_security_rule_module.html#panos-security-rule-... :

Requirements

The below requirements are needed on the host that executes this module.

"

 

Sure there is a catchall for running arbitrary commands on a PAN-OS device using XPath and element (new is 2.7) -

 

L3 Networker

Re: PA - can we have an honest discussion about Ansible and PA?

Yeah exact, i like the way the ansible part is going with palo. There are still some very key modules missing, but more and more are added.

 

My biggest problem in all this is the thing about modules. In my case managment and architects, perhaps being abit to much oldschool dont really like to idea of having everything built around external thirdparty modules.

L4 Transporter

Re: PA - can we have an honest discussion about Ansible and PA?

Hi everyone,

 

My name is Brian Torres-Gil and my team develops the Ansible modules.  First off, thanks so much for the candid discussion on this thread.  I'll try to collect and respond to the concerns I see.

 

1. Topic: Ansible modules don't cover all the API functionality we need

 

True, and we're aware there are several modules needed.  The 2.0 module release that came out recently delivered idempotency in the modules, meaning you can now declare the final configuration state in your playbook without worrying about the steps to get there or the current state of the device.  This is a significant enhancement and required an overhaul of almost every module, which didn't allow us time to add all the modules we'd like to.  Now that it's complete and released, we're considering the highest priority modules that customers have asked for, and we'd greatly value your feedback.  The timing is perfect, so share the modules you'd like to see here!  Try to be as clear as possible about the firewall configuration you need to modify and the use case for modifying it, so we can better prioritize your request.  Thanks!!

 

2. Topic: The only way to get help is to post anonymously on GitHub, though questions are normally answered quite soon

 

Since Ansible and our modules are open source, we've found GitHub to be a great way to keep connected with customers. The advantage of this approach is you have direct access to the developers and direct visibility to bugs and fixes. We understand that this can be different from the TAC-based support model you may be used to for paid products.  If there are specific suggestions that would get you the help you need more effectively, we are very interested.  Please let us know.

 

3. Topic: External 3rd party modules are not a good fit for enterprise customers

 

We've been overloading the term "module" since we've used the term for the Ansible modules and the python external modules. So I'll use the term "library" here instead of "module" to avoid confusion.  There are 3 python libraries that the Ansible modules depend on:

 

 - pandevice  (aka. Palo Alto Networks Device Framework for python)

 - pan-python

 - xmltodict

 

I don't completely understand the concern with these libraries, so I have a few question to clarify it.

 

I see these libraries being referred to as 'external' libraries.  Do you mean 'external' as in "not part of the python standard libraries"?  Or does external mean something else in this context?  Are libraries in the python standard library acceptable (such as the 'logging' module)?  I'm having trouble understanding what is different about a non-standard library pulled down by our Ansible modules and a non-standard library pulled down by Ansible itself, since Ansible relies on many libraries that are not part of the python standard library.

 

I also see these 3 libraries referred to as '3rd party', but to clarify, only xmltodict is 3rd party.  The pandevice and pan-python libraries are developed by the same team that develops the Ansible modules, here at Palo Alto Networks.

 

The 'xmltodict' library is the only 3rd party library, but it's used by thousands of projects in production, so we didn't anticipate a concern with it.  Let us know if this library is still a concern.

 

All three libraries should be installed with 'pip' (just like Ansible is installed with 'pip') so you shouldn't need to install them from GitHub or any website.  The install process is consistent with Ansible.

 

I hope that helps!  Very interested in your feedback on the above and continuing the discussion.  Thanks!

 -Brian

L3 Networker

Re: PA - can we have an honest discussion about Ansible and PA?

Thanks alot for the long and qualified response! 

 

It sounds good that there are alot of modules coming up, i have already posted what modules i see as most prioritize for me. Looking forward to it :-)

 

I can only speak for myself, but we install ansible from the rpm:s that are delivired by redhat (epel aswell, so xmltodict is fine), the serveradmins and so on are generally very strict about installing things in production from places like pip (i think they have been scared by paranoid security people with stories like https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-... ). For me, in a ideal situation it would be possible to download a signed rpm with the two library from palo but i understand that it would take quite alot of work.

L2 Linker

Re: PA - can we have an honest discussion about Ansible and PA?

Thanks Brian for this response.  This is all looking good and thanks to you and your team/contributors for the work.  I'm glad that PA has this on the radar and is working on improving the functionality of the Ansible modules.

 

My concern over 3rd party libraries was that with the Ansible modules being dependant on them, a change to either pandevice or pan-python could break the Ansible module and that would leave customers 'stuck' waiting on a fix.  If we decide to go the Ansible route for automation, there is a significant time and cost investment involved in it - we would not want to develop and deploy automation solutions that could work one day and then not another.  Remember, most of us are net-sec engineers and not developers - this is new ground for a lot of us and it has to work all the time to sell it to management and other engineers.

 

As for the support question - I understand that Github works and is best effort - but to reiterate my statement above - if significant time and cost is sunk into an automation solution, enterprise customers should be able to reach qualified support options other than best effort.  I guess the ask is to have a resource that TAC can reach if we have a problem with this.  What we're seeing on the customer side is a push from vendors to automate (we were at Ignite and Ansiblefest - automation was definitely a topic for PA) - but we're not seeing enterprise level support options (even if it was added paid for).

 

I'll work on developing my wish list for new modules as well.

 

Thanks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!