Automating PANOS - the Ansible and Terraform "no question is too dumb" post

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Automating PANOS - the Ansible and Terraform "no question is too dumb" post

L1 Bithead

I'm currently in the process of teaching myself automation. Lots of things I end up beating my head against a wall over dumb stuff.


"How do I open the ~/.ssh directory so I can drop the private key in there for SSH?". Huh, who knew that it's not that it's a secret or a hidden directory, it just doesn't exist until you first create it. Yes, that kind of dumb answer.


I'm assuming I can edit this initial post to try and keep a master list as a crib sheet for the clueless. I'm also going to put my current headaches in here in the hope that somebody has mercy on me 🙂 In the long run I'm hoping this post becomes a collection that we can point real beginners at. The kind of thing you'd sticky as a readme in an old forum world.


I'm currently playing around on a CentOS box in AWS at the very early stages.

Terraform I'm getting comfy with. Ansible so far refuses to reboot my running firewall. That's probably because I'm trying to use a username/password (for a working account!) with a module that uses the API but if I was sure of that I wouldn't be stuck there still.


Lessons I have learned


You probably have an environment you want to learn how to automate. Start off by learning how to create and destroy a playpen environment rather than trying to change your existing test area. Also be REALLY careful about importing anything in to Terraform and then idly deleting the description for it as you modify your "code". The 1 odd thing it might be planning to destroy could be the VPC that contains your current test environment. Luckily for me I read the details before hitting apply but I assume otherwise it would've happily removed the VPC and left everything else homeless, cloudless, unrecoverable. If you import it in to Terraform you give Terraform life and death control over it.


Terraform has recently moved to version 0.12. Lots of examples are for older versions.

- In version 0.11 variables are surrounded by ${var.replaceme}

- in version 0.12 variables are simply included with their name var.replaceme

Use this to determine which version of Terraform an example was written in and to adjust for what you're using.


Ansible has recently moved to version 2.9. Even though when you look on GitHub the newest release was WAAAY older.

- The following snippet identifies an example written to use the old roles packaging



- The following snippet identifies an example written to use the new collections packaging 

    - paloaltonetworks.panos"

Converting from old to new is really straight forward as you just have to add the palo part to the collections section (creating that if needed) and remove it from the roles section. Presumably the reverse process also works for now if your ansible is pre 2.9.


Ansible wants to be version 2.9. Installing that doesn't follow the "normal" process you see in many places. If your example isn't talking about updating a repository such as EPEL then it'll probably try and load an older version. Cygwin seems to max out at 2.8 which is what drove me to finally starting to learn Linux. Actually read the version number it spits out at you!


If you want to auth to a firewall using the key-pair that you had AWS associate with the admin credentials then you need to import that in to your server. In your home directory create a .ssh folder. Change permissions on it to 700. Drop the private cert file in OpenSSH format in to that directory. Change permissions in it to 600. Make sure it has a unique name. Why would you do this? Because that way you at least know you've got working SSH credentials as that's what you used to log in to the Palo in the first place. You alternative is to create a new administrator on the palo, create a key pair on your control box and then import the public key (in the right format) in to the Palo.



Current Questions

Every example / tutorial I've found so far skips over the authentication setup on the firewall end. Lots of lovely guides about installing the automation software and writing playbooks etc. but it's all from the control machine end. It seems that depending on which module I use ansible will either use SSH or the Rest API. Is there a reliable way to tell which? Is there a programmatic way to determine it? Can I use providers or similar to foist the problem on to Ansible?

I've got a working SSH superuser account I can log in with from my control host. Is getting the API credentials really as simple as using the curl command and then pasting the right part of the output in to a suitable variables / password type file? Does anybody actually know of a tutorial that covers the dumb basic preparation on the firewall end? Text or video, I'm not picky.


Today we discover I can update this post (yes, I'm new to this area). Formatting improved for a few bits.

  • 0 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!