04-04-2022 05:21 PM
Today, we are doing every change manually through Panorama and pushing out to Firewalls. We currently only have 2 sets of Physical HA Pairs. At the end of the day the approved changes are manually entered and submitted. For example, say we had to add a new address object to an existing rule. How is it more efficient to use Ansible to do this work vs doing it manually. I'd still need to know the FW rule name exactly to use ansible so i'd likely be logging into Panorama to get that detail. I want to start doing infrastructure as code but having some difficulty getting to the decision that tools like ansible will help in our current environment.
Looking forward to reading how others are using the tool.
04-07-2022 01:23 AM - edited 04-07-2022 01:25 AM
This is quite a subjective topic. My personal opinion, is that to automate (using tools like Ansible) one needs a consistent and reliable source of truth for the data required to describe your configuration. With a good data source and data model, tools like Ansible can read the data and make the changes, hopefully only making the changes of the 'diff', and making them idempotently. This means the target is to have your address objects, groups etc defined somewhere in a data source, such that Ansible can convert these into PAN-OS objects. The same with rules. Ansible pushes all the relevant config into Device Groups and Templates, to be consumed by your PAN-OS NGFWs. The steps required to retrofit into a non-greenfield scenario are not trivial though, so tread carefully.
That's just summary level detail of course, this is a much bigger topic. Folks like NetworkToCode have some great longer-form content, and there is plenty of other content around the Internet on configuration-as-code, policy-as-code, etc.
04-07-2022 04:17 AM
Agreed it was a wide casted questions. Ansible yes can do the job however the Palo modules that can be used with ansible at this time are lacking. The videos and docs you find in blogs and YouTube are very greenfield (stand up some FW, give it a config, and that's about it). There isn't much documentation on operate and maintain.
Here's a use case we're trying to automate with ansible and the palo modules for ansible. Very often we're asked to see if a given IP is used in any FW rule. Today we log into panorama and do a global find. How would you do that programmatically and if that address object is used anywhere in a rule report what that rule is and the various settings of that rule back to the requester?
Does anyone know what Splunk Soar (formerly phantom) brings to operate and maintain for palo FW's?
04-07-2022 07:39 AM
Hi @RyanBess, thanks for the reply. The PAN-OS GUI does a few steps in the background to achieve Global Find functionality, and these steps could be replicated in Ansible if that's your organisation's chosen tool. Whilst I have not tried to create this myself, I could foresee that a combination of rule facts and object facts could be used, with parsing in between, to take a given IP and search for its use in objects and rules. This would require some logic code inside the Ansible playbook, our the logic lives outside of multiple Ansible playbooks if your organisation has other tools/programming in-place which could do the logic via smaller single-purpose playbooks.
Unfortunately I have no experience of the SOAR product.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!