02-23-2023 04:48 PM
Hello Everyone,
I have a bunch of Palos being centrally managed by Panorama. I am about to embark on an automation journey and am most interested in configuration management. I would like to know what the best practices are and how the community got started on their journey.
I presently use dynamic objects and tags in my configuration, and push all rules via my Panorama.
What are the best practices for the automation journey? How do I ingest all my present rulesets, objects, et al. into the configuration management tool?
Thanks.
03-01-2023 03:48 PM
Having successfully used the direct API, pandevice and pan-os Python modules for some years, I would in your case recommend the pan-ansible modules: https://ansible-pan.readthedocs.io/en/latest/
Ansible itself handles any workflow and the modules handle all the parsing etc. It does exactly what you need.
03-09-2023 01:33 PM
Thanks @SimonT. Any experience with it in terms of playbooks?
03-09-2023 01:39 PM
I'm sure you read the documentation (https://github.com/PaloAltoNetworks/pan-os-ansible), but in case not, there are links to sample playbooks: https://github.com/PaloAltoNetworks/ansible-playbooks
03-09-2023 01:49 PM
I sure did. But those look like basic implementations. I was hoping to see things around real-world complex scenarios and also integrations to accept inputs from users which get checked et al.
But it is a good start.
03-09-2023 02:26 PM
A lot of functionality is provided by ansible-pan, so it's just a case of mapping your requirements to your own playbook (which you can build by cribbing the examples). Start basic. Any data integrity checking can all be done using Ansible built-in modules. It's 100% real world. Perhaps start with a CLI-based tool and develop a front-end solution later. If you are focusing on configuration management, one option might be to store your "standard configuration" in YAML/Jinja2 format in a GitHub repository (you get free version control) and have your tool draw down from that to compare with your actual configurations. Then act on any deficiencies and email a status report. Having said that, check out AIOps: https://www.paloaltonetworks.com/network-security/aiops-for-ngfw. It might do some of what you need.
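The compare-against-a-baseline idea from the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks project: it reads address objects for one device group out of a Panorama XML config export and reports drift against a desired-state baseline. The device group name, the sample XML and the baseline schema are constructed assumptions; the baseline is shown as the dict a YAML file in the repository would load to.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of a Panorama config export (device group "DG-Prod").
RUNNING_XML = """
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG-Prod"><address>
    <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask>
      <tag><member>web</member></tag></entry>
    <entry name="db-01"><ip-netmask>10.1.2.99/32</ip-netmask>
      <tag><member>db</member></tag></entry>
    <entry name="tmp-test"><fqdn>test.example.com</fqdn></entry>
  </address></entry>
</device-group></entry></devices></config>
"""

# Constructed baseline (hypothetical schema), as loaded from the repo's YAML.
BASELINE = {
    "web-01": {"type": "ip-netmask", "value": "10.1.1.10/32", "tags": ["web"]},
    "db-01": {"type": "ip-netmask", "value": "10.1.2.20/32", "tags": ["db"]},
    "app-01": {"type": "ip-netmask", "value": "10.1.3.30/32", "tags": ["app"]},
}

ADDR_TYPES = ("ip-netmask", "ip-range", "ip-wildcard", "fqdn")

def load_addresses(xml_text, device_group):
    """Return {name: {type, value, tags}} for one device group's address objects."""
    root = ET.fromstring(xml_text)
    path = f".//device-group/entry[@name='{device_group}']/address/entry"
    found = {}
    for entry in root.findall(path):
        kind = next((t for t in ADDR_TYPES if entry.find(t) is not None), None)
        found[entry.get("name")] = {
            "type": kind,
            "value": entry.findtext(kind) if kind else None,
            "tags": sorted(m.text for m in entry.findall("tag/member")),
        }
    return found

def drift(baseline, running):
    """Compare desired and actual objects; report missing, unexpected, changed."""
    norm = {n: {**o, "tags": sorted(o.get("tags", []))} for n, o in baseline.items()}
    return {
        "missing": sorted(norm.keys() - running.keys()),
        "unexpected": sorted(running.keys() - norm.keys()),
        "changed": sorted(n for n in norm.keys() & running.keys() if norm[n] != running[n]),
    }

if __name__ == "__main__":
    print(drift(BASELINE, load_addresses(RUNNING_XML, "DG-Prod")))
```

Run in reverse, `load_addresses` is also a starting point for ingesting existing objects: dump its result to YAML once, review it, and commit that as the first baseline.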