New Firewall Build Process

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New Firewall Build Process

L1 Bithead

Hopefully I am putting this post in the right place.   Please feel free to let me know if I should place it elsewhere. 

 

I work at a place where we deploy a lot firewalls.  At the moment, it is a bunch of the PA-220r devices, but we work with the PA-850s and soon to be, some virtual firewalls.  I am looking for some advice as to how other companies automate their firewall builds.

 

Most all of our config is stored in a template, so once it gets to Panorama, we push down as much as we can.  So, here is the issue.   I need to automate the build process for all those things that are not part of a template, but are local to each specific firewall. 

 

Here are some examples of the types of configs I am talking about:

  • Bring up the OS to the company standard
  • Config the SMTP policy, so the return address of emails is the host name + @domain.com
  • Register the device on PA site
  • Config the host name for device
  • Install the SSL Cert and create the TLS profile

The config is not really all that difficult, but it is time consuming.   When you are setting up 20 or 30 firewalls, mistakes can be made.  So, I want to see how other companies are doing their build process and what types of automation is leveraged.

 

Thanks for all the help,

 

Michael

3 REPLIES 3

L5 Sessionator

Hi @MichaelPrensky, I'd say you are in the right place 🙂
There are various options, but if you can define the steps and config items with placeholder variables for the values that change per firewall, you should then be able to to deploy something consistent to each firewall. You own choice of programming language could do that, Ansible could do that, Terraform -could- do it but is not the best choice given how it likes to manage via state. Ansible is becoming very popular with PAN-OS users, you can do OS upgrades, perform configuration, install certs, etc, and use the variables feature within Ansible to give each firewall the unique values but with a consistent state. The choice between Ansible, bash scripts, Python, PHP, etc is likely something that primarily depends upon what you and/or your team have skills in, and want to operationalise. And keep an eye on the market too in case you need to hire someone; Python skills are more abundant in NetOps than, say, Java! And also the choice can be down to the features of each approach; Ansible may potentially have a lower barrier to entry on learning versus learning Python from scratch, but will likely execute slower than Python, there are trade-offs.
Hope that helps, hopefully some other users will chip in with their experiences...

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

At previus work i build a ugly excel sheet where you entered some info basic info (ip/hostname/serialnumber) then it generated both panorama conf and some basic conf for the devices (we did alot with templates also) that we could paste into the cli. Worked ok. Would have done alot of stuff different today (more ansible and j2 for example)

 

 

L2 Linker

As previously mentioned there are lots of options. I used Palo API calls with Postman as a simple way to build a “new build” collection.  Has been a great help. So once the device is physically on the network I can get it updated and ready for import into Panorama to use a standard template. After Postman, I moved into utilizing Python to help standardize the input variables collected for each firewall build.  

  • 1619 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!