converting existing policies into ansible code

L0 Member


So, I'm just getting started with Ansible automation for my Palo Alto firewalls. I have some basic playbooks working, but now it's time to step it up. One of my main east/west segmentation firewalls has roughly 100 policies. Is there a way to ingest these rules into Ansible, or somehow turn them into code, so that future commits can become automation-based rather than manually building and pushing from Panorama?


I can't imagine that I'm going to have to build these rules manually in Ansible to reach the point where they are all deployed by automation.


Has anyone else already crossed this Rubicon and have some guidance to offer a newb?


Thanks!

L3 Networker

Do you plan to use Ansible instead of Panorama to create firewall rules? Any special reason?

I think there are a lot of other things that can be automated before that, which make a lot more sense than firewall policy, especially since you have Panorama (if I have understood it correctly?).


L0 Member

Fair question!

My org has been spending an awful lot of time chasing SOC 2 compliance, CIS Benchmarks, and now NIST. It's tedious work and I suspect it will never end.

Being a career "network guy", one thing that has always been a challenge is building an environment that can be easily audited. So, the reason we're moving forward with Ansible to automate some of our Palo Alto stuff is that our config is then in code: we have commit histories, change control, etc. It will be very handy to say "this is our baseline security config, here's our code, here's our proof we comply," etc.


So, to the question "Do you plan to use Ansible instead of Panorama to create firewall rules? Any special reason?"

I think that's the direction we're headed, only because Panorama is slow, lots of point and click, and fairly cumbersome.

Don't get me wrong, Panorama does a lot of good stuff, but it's also cumbersome, and still hand-built and manual.


Since I'm still pretty new to this, I'd love to hear your thoughts on what other low-hanging fruit you think is better to pursue first.

L3 Networker

I'm fairly sure there's no way to convert the old configs to Ansible playbooks. I don't really know what your policies look like or how many policies you are creating each day, but the thought of creating individual policies in a playbook doesn't really sound like something you would do in the long run. Look at this example of a policy: https://github.com/PaloAltoNetworks/ansible-playbooks/blob/master/fw_rules.yml

Imagine just sorting out the application/service/hostname/host group/tag without being able to browse the ones that are already defined?


I guess Panorama has its problems, but rebuilding one sounds messy.

I don't know what your environment looks like, but I use Ansible to create, for example, network interfaces; there you can also sync it so it does the config for switches, DNS, etc. at the same time.

I have also done playbooks that load a list of policies from a report (exported from Panorama, of rules unused for X amount of time) and disable them, and I also have a playbook for software upgrades.


Here is some inspiration:

https://github.com/PaloAltoNetworks/ansible-playbooks
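The question in this thread is whether an existing rulebase can be pulled into code rather than retyped into playbooks. The reply above says there is no converter, so here is a small one as an added example; it is not code from the thread, from the linked repository, or from Palo Alto Networks. It parses the XML that "Export named configuration snapshot" produces (the sample embedded below is constructed and trimmed to one vsys rulebase), maps each security rule onto the parameter names of the `panos_security_rule` module from the `paloaltonetworks.panos` collection as I know them (verify them against the docs for your collection version), writes a vars file, and lints for the enabled any/any allow rules an auditor asks about first. It goes a little beyond the firewall case in the question by also walking Panorama device-group pre- and post-rulebases.

```python
"""Turn a PAN-OS/Panorama XML config export into Ansible vars for panos_security_rule.
Added example, not code from the thread or Palo Alto Networks. Parameter names are
those of the paloaltonetworks.panos panos_security_rule module as I know them;
verify against the docs of the collection version you run."""
import json
import xml.etree.ElementTree as ET

# Constructed sample of an "Export named configuration snapshot", trimmed to one rulebase.
SAMPLE_XML = """<config version="10.1.0">
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="app-to-db">
    <from><member>app</member></from><to><member>db</member></to>
    <source><member>app-servers</member></source>
    <destination><member>db-servers</member></destination>
    <application><member>mysql</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><description>App tier to DB tier</description>
    <tag><member>east-west</member><member>pci</member></tag><log-end>yes</log-end>
    <profile-setting><group><member>strict</member></group></profile-setting>
   </entry>
   <entry name="legacy-telnet">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>telnet</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><disabled>yes</disabled>
   </entry>
   <entry name="temp-troubleshoot">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

def _members(entry, path, default=()):
    """<member> values under path ("from", "profile-setting/group", ...), or default."""
    found = [m.text.strip() for m in entry.findall(f"{path}/member") if m.text]
    return found or list(default)

def rule_to_vars(entry):
    """Map one security <entry> onto panos_security_rule parameters (assumed names)."""
    name, any_ = entry.get("name"), ("any",)
    action = entry.findtext("action")
    if action is None:
        raise ValueError(f"rule {name!r} has no <action>; refusing to guess")
    rule = {"rule_name": name, "action": action.strip(),
            "source_zone": _members(entry, "from", any_),
            "destination_zone": _members(entry, "to", any_),
            "source_ip": _members(entry, "source", any_),
            "destination_ip": _members(entry, "destination", any_),
            "source_user": _members(entry, "source-user", any_),  # absent means any
            "application": _members(entry, "application", any_),
            "service": _members(entry, "service", any_),
            "disabled": entry.findtext("disabled", "no").strip() == "yes"}
    if entry.findtext("description"):
        rule["description"] = entry.findtext("description").strip()
    if _members(entry, "tag"):
        rule["tag_name"] = _members(entry, "tag")
    if entry.findtext("log-end") is not None:  # leave it out when the export is silent
        rule["log_end"] = entry.findtext("log-end").strip() == "yes"
    if _members(entry, "profile-setting/group"):
        rule["group_profile"] = _members(entry, "profile-setting/group")[0]
    return rule

def parse_config(xml_text):
    """Collect rules from firewall vsys rulebases and Panorama device-group
    pre-/post-rulebases, keeping on-box order (first match wins)."""
    root, rules = ET.fromstring(xml_text), []
    for vsys in root.iter("vsys"):
        for v in vsys.findall("entry"):
            for e in v.findall("rulebase/security/rules/entry"):
                rules.append(dict(rule_to_vars(e), vsys=v.get("name")))
    for dgs in root.iter("device-group"):
        for dg in dgs.findall("entry"):
            for rb in ("pre-rulebase", "post-rulebase"):
                for e in dg.findall(f"{rb}/security/rules/entry"):
                    rules.append(dict(rule_to_vars(e), device_group=dg.get("name"), rulebase=rb))
    return rules

def find_overly_permissive(rules):
    """Enabled allow rules that are any-source/any-destination or any-application:
    the rules an auditor asks about first, so lint them before they become code."""
    return [r["rule_name"] for r in rules
            if r["action"] == "allow" and not r["disabled"]
            and (r["application"] == ["any"]
                 or r["source_ip"] == ["any"] and r["destination_ip"] == ["any"])]

def to_vars_yaml(rules, var_name="security_rules"):
    """Emit a vars file without PyYAML: JSON scalars and flow sequences are valid YAML."""
    lines = [f"{var_name}:"]
    for r in rules:
        for i, (key, value) in enumerate(r.items()):
            text = str(value).lower() if isinstance(value, bool) else json.dumps(value)
            lines.append(f"{'  - ' if i == 0 else '    '}{key}: {text}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_XML)
    print(to_vars_yaml(parsed))
    for name in find_overly_permissive(parsed):
        print(f"# WARNING: {name} is an enabled allow rule with any/any or any-app")
```

The emitted list is meant to drive a `loop` over `panos_security_rule` with `state: present`, applied in the emitted order, since the firewall evaluates the rulebase top-down. Two caveats for the first migration: declaring rules this way creates or updates them but does not by itself remove rules the code no longer lists, so compare the result against the running rulebase (Panorama's config audit) before committing; and the address objects, groups, and tags the rules reference have to exist already or be declared by earlier tasks, which is the object-browsing problem the reply above points at. The lint is deliberately crude: it catches the obvious any/any allow, not everything a reviewer will want to know.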
