
Firewall policy update based on conditions


L1 Bithead

Dear All,

I have a situation to automate Palo Alto Firewall policy requests based on user input. Once I obtain the user input in a certain format, I will have to check certain conditions before creating the rule on the firewalls.

1. Whether the objects mentioned in the input file already exist or not. Only if any of the objects are not available, then create them.

2. Whether the rule asked for exists already or not. If not, only then create it.

3. What if the rule order is important? How to deal with it.

While going through Ansible modules, I see there are separate modules for checking the above. But I want to use the modules in sequence, obtain an output from a module execution and use that to decide the action on the next module.

 

I want some advice on how to go about with the above requirement.  

 


Accepted Solutions

L5 Sessionator

Ansible will work for this workflow.  Generally speaking, you'll need to use the panos_object_facts module to get the list of Address Objects first, then register the output so you can make decisions on it.  That will allow you to conditionally execute panos_address_object to create the address object when it's not already present.  As for the security rule, create or update is already how "state: present" works, so you don't have anything special to do there.

 

All the Palo Alto Networks modules and fact modules you'll need to implement this are there; you just need to learn Ansible so you can make it do what you want.


3 replies


Thank you very much !

Hi,

Your suggestion earlier was of great help and I am progressing in my Ansible knowledge. I have performed various testing using Ansible PAN-OS modules. I've come across a situation and it would be great if you can guide me here.

 

Below is the simplified scenario: There is an existing rule created by someone several months back. There is another team that requests the same policy rule on the firewall. Using the PAN-OS module, the new rule is also created, as the rule name and object names are different. Is there a way to check whether a rule already exists and stop the new one from being created?

 

 

Already existing rule:

Rule Name : Rule_A
SRC: Host_10.1.1.1
DST: Host_20.1.1.1
Port: service-https

 

New Rule request:

Rule Name: Rule_B
SRC: IP_10.1.1.1
DST: IP_20.1.1.1
Port: service-https
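
The decision logic the accepted answer describes (query facts first, then create only what is missing) together with the duplicate-rule check the follow-up asks about, as an added Python example that is not code from this thread or from the PAN-OS Ansible collection. It runs over constructed sample data shaped like the facts modules' output (key names such as `rule_name` and `source_ip` are an assumption) and compares rules by their resolved object values rather than by name, which is why Rule_B is recognised as a duplicate of Rule_A.

```python
from typing import Dict, List, Optional
# Constructed sample data shaped like the facts modules' output (key names are
# an assumption): address objects on the firewall and the thread's Rule_A.
EXISTING_ADDRESSES = {"Host_10.1.1.1": "10.1.1.1/32", "Host_20.1.1.1": "20.1.1.1/32"}
EXISTING_RULES = [{"rule_name": "Rule_A", "source_ip": ["Host_10.1.1.1"],
                   "destination_ip": ["Host_20.1.1.1"],
                   "service": ["service-https"], "action": "allow"}]

def missing_objects(requested: Dict[str, str], existing: Dict[str, str]) -> Dict[str, str]:
    """Condition 1: only the requested objects not yet present. A name that
    exists with a different value is an error, never a silent reuse."""
    missing = {}
    for name, value in requested.items():
        if name not in existing:
            missing[name] = value
        elif existing[name] != value:
            raise ValueError(f"{name} exists as {existing[name]}, request says {value}")
    return missing

def rule_signature(rule: dict, addresses: Dict[str, str]) -> tuple:
    """Resolve object names to values so rules that differ only in rule or
    object naming (Rule_A vs Rule_B in the thread) get the same signature."""
    def resolve(names):
        return frozenset(addresses.get(n, n) for n in names)
    return (resolve(rule["source_ip"]), resolve(rule["destination_ip"]),
            frozenset(rule["service"]), rule.get("action", "allow"))

def find_equivalent_rule(new_rule: dict, existing_rules: List[dict],
                         addresses: Dict[str, str]) -> Optional[str]:
    """Condition 2: name of an existing rule with the same effective match, or None."""
    target = rule_signature(new_rule, addresses)
    for rule in existing_rules:
        if rule_signature(rule, addresses) == target:
            return rule["rule_name"]
    return None

def plan_request(objects: Dict[str, str], rule: dict,
                 existing_addresses: Dict[str, str], existing_rules: List[dict]) -> dict:
    """Decide the playbook's actions for one request: objects to create, and whether
    the rule is new or duplicates an existing one (request objects merged in)."""
    to_create = missing_objects(objects, existing_addresses)
    duplicate_of = find_equivalent_rule(rule, existing_rules, {**existing_addresses, **objects})
    return {"create_objects": to_create, "create_rule": duplicate_of is None,
            "duplicate_of": duplicate_of}

if __name__ == "__main__":  # the follow-up's Rule_B request: new names, same policy
    request = {"IP_10.1.1.1": "10.1.1.1/32", "IP_20.1.1.1": "20.1.1.1/32"}
    rule_b = {"rule_name": "Rule_B", "source_ip": ["IP_10.1.1.1"],
              "destination_ip": ["IP_20.1.1.1"], "service": ["service-https"], "action": "allow"}
    print(plan_request(request, rule_b, EXISTING_ADDRESSES, EXISTING_RULES))
```

In a playbook, register the facts module output and pass it to this logic (for example from a pre-task script) before the create tasks run; rule order (condition 3) is not covered here.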
