Getting Started Building Your Own Skillet


Skillets make it possible to share best-practice and use-case-specific configuration sets across PAN-OS and Panorama devices. However, getting started working with XML configuration can be tricky. Fortunately, there is a whole set of tools available, designed to make this as painless as possible.

 

Using Panhandler, you can import the Skillet Builders repository from GitHub and get started right away.

 

First, import the Skillet Builders repository into Panhandler.

Use the 'clone' link from GitHub as the URL to import the repository.

 

 

Once imported, you will find a new Collection called "Skillet Builder." Click into that collection to see the available tools:

Figure: Panhandler - Collections > Skillet Builder

 

 

Now that we have our tools installed, we can move on to the fun part: configuring an NGFW!

For best results, we recommend you start with a fresh NGFW with as few configuration options present as possible. If you only have access to a firewall that is already configured, that will work too, but may require a bit more work.

 

 

For this example, I'm going to configure a couple of address objects, but a configuration of any complexity will work the same way.

Figure: Web interface view of the popup to enter addresses

 

 

Here are a couple of address objects I've added.

Figure: Web interface view of the popup with a different address

 

 

Note that I have not yet committed these changes! Once I'm happy with my configuration, we can use a Skillet Generator tool to give us a starter Skillet.

 

In Panhandler, select the "Skillet Builder" Collection and choose the Generate a Skillet workflow:

Figure: Skillet Builder - Generate a Skillet

 

The first question is whether you want to generate a skillet from an uploaded config or from a running NGFW. Choose the "From Running NGFW" option and click Submit.

Figure: Skillet Builder workflow - Generate a Skillet, Submit

 

Enter the authentication information for the NGFW that you just configured. We also have the option to choose the Configuration Source. Since all our changes are still in the Candidate Configuration, we will choose that option. If you were to choose the "From Running Configuration" option, the tool would generate a skillet comprised of all changes ever made to this device!

Figure: Step 1: Generate a Skillet

 

Click Next to continue.

Figure: Execute Skillet

 

In this step, we will customize the actual Skillet template. These are things like the name and description of what your Skillet does and why someone would want to use it.

Figure: Step 2: Generate a Skillet - Customize Template

 

Click Next and you will receive the complete Skillet!

 

Generated Skillet

# skillet preamble information used by panhandler
# ---------------------------------------------------------------------
# unique snippet name
name: example_skillet_id
# label used for menu selection
label: Address Object Skillet
description: This skillet creates two address objects in the NGFW

# type of device configuration
# common types are panorama, panos, and template
# https://github.com/PaloAltoNetworks/panhandler/blob/develop/docs/metadata_configuration.rst
type: panos
# preload static or default-based templates
extends:

# grouping of like snippets for dynamic menu creation in panhandler
labels:
  collection:
    - Example Skillets

# ---------------------------------------------------------------------
# end of preamble section

# variables section
# ---------------------------------------------------------------------
# variables used in the configuration templates
# type_hint defines the form field used by panhandler
# type_hints can be text, ip_address, or dropdown
variables:
  - name: hostname
    description: Firewall hostname
    default: myFirewall
    type_hint: text
  - name: choices
    description: sample dropdown list
    default: choices
    type_hint: dropdown
    dd_list:
      - key: option1
        value: option1
      - key: option2
        value: option2
# ---------------------------------------------------------------------
# end of variables section

# snippets section
# ---------------------------------------------------------------------
# snippets used for api configuration including xpath and element as file name
# files will load in the order listed

# There is a variable called snippets that we can use to auto-generate this section for us
snippets:

  - name: address-860650
    xpath: ./devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"]
    element: |-
        <address>
          <entry name="some_address">
            <ip-netmask>10.10.10.0/24</ip-netmask>
            <description>This is my address object </description>
          </entry>
          <entry name="another_address">
            <ip-netmask>172.16.99.0/24</ip-netmask>
            <description>This is another address that I've decided to add as well</description>
          </entry>
        </address>


# ---------------------------------------------------------------------
# end of snippets section

 

This skillet now holds all the configuration options we configured in our firewall in a shareable format. This can be posted to GitHub, LIVEcommunity, or anywhere else for others to use.

 

Next Steps

This generated output needs a bit of customization before you can publish. It includes a few variables as an example, but you'll note that those variables do not actually appear in the "element" sections of the snippets. To make this example a bit better, let's customize the value of the addresses being added.

 

First, we'll find the portions of the configuration on which we will allow customization.

<entry name="some_address">
  <ip-netmask>10.10.10.0/24</ip-netmask>
  <description>This is my address object </description>
</entry>

 

We can make this more useful by allowing the user to enter their own values.

<entry name="{{ address_name }}">
  <ip-netmask>{{ address_cidr }}</ip-netmask>
  <description>{{ address_description }}</description>
</entry>

 

I've added three variables: 'address_name', 'address_cidr', and 'address_description'. Let's add these to the "variables" section of the Skillet as well. I'll use the 'type_hint' to give a hint to the tooling as to what type of data is allowed from the user. A complete list of type_hints can be found here.

variables:
  - name: address_name
    description: Address Name
    default: some_address
    type_hint: text
  - name: address_cidr
    description: Address CIDR
    default: 10.10.10.0/24
    type_hint: cidr
  - name: address_description
    description: Address Description
    default: Description of this Address Object
    type_hint: text_area

 

Now the user can enter their own information, or choose the defaults and create their own customized address objects.
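A pre-publish check for the customized skillet, as an added example (not code from the original post or from the Panhandler project): it reports variables used in an element but never declared, declared variables that no element uses (the situation noted above for the generated sample variables), cidr defaults that do not parse, and elements that stop being well-formed XML once the defaults are substituted. The function name, the constructed sample dictionary, and the regex substitution standing in for the template engine are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed sample mirroring the customized skillet above, plus the leftover
# 'hostname' variable from the generated output. In practice this dict would
# come from yaml.safe_load() on the .meta-cnc.yaml file (PyYAML).
SKILLET = {
    "variables": [
        {"name": "address_name", "default": "some_address", "type_hint": "text"},
        {"name": "address_cidr", "default": "10.10.10.0/24", "type_hint": "cidr"},
        {"name": "address_description",
         "default": "Description of this Address Object", "type_hint": "text_area"},
        {"name": "hostname", "default": "myFirewall", "type_hint": "text"},
    ],
    "snippets": [{
        "name": "address-860650",
        "element": '<entry name="{{ address_name }}">'
                   "<ip-netmask>{{ address_cidr }}</ip-netmask>"
                   "<description>{{ address_description }}</description></entry>",
    }],
}

def lint_skillet(skillet):
    """Return a list of findings; an empty list means the skillet passed."""
    findings = []
    declared = {v["name"]: v for v in skillet["variables"]}
    used = set()
    for snip in skillet["snippets"]:
        used |= set(VAR_RE.findall(snip["element"]))
    findings += [f"undeclared variable: {n}" for n in sorted(used - set(declared))]
    findings += [f"declared but unused: {n}" for n in sorted(set(declared) - used)]
    for name, var in declared.items():
        if var["type_hint"] == "cidr":
            try:
                ipaddress.ip_network(var["default"], strict=False)
            except ValueError:
                findings.append(f"default for {name} is not a valid CIDR")
    # Substitute XML-escaped defaults, then confirm each element still parses.
    values = {n: escape(str(v["default"]), {'"': "&quot;"}) for n, v in declared.items()}
    for snip in skillet["snippets"]:
        rendered = VAR_RE.sub(lambda m: values.get(m.group(1), ""), snip["element"])
        try:
            ET.fromstring(rendered)
        except ET.ParseError as exc:
            findings.append(f"snippet {snip['name']} is not well-formed XML: {exc}")
    return findings
```
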

 

Sharing your new Skillet

Now that you have a skillet in hand, let's upload it to GitHub so everyone else can benefit from your expertise and hard work.

 

Log in to your GitHub account and Create a new Repository. Ensure you make this repository public and check the "Initialize this repository with a README" option.

Figure: GitHub New Repository

 

Once created, click Create new file to add our Skillet.

Figure: Create new file

 

 

Currently, all Skillets are required to be named '.meta-cnc.yaml'. So enter the name, then paste in your completed skillet.

 

Figure: nembery / simple skillet

 

 

Once completed, your Skillet can be used by everyone. Congrats!
