PA - can we have an honest discussion about Ansible and PA?


L2 Linker

First of all - thanks for the API - it's mostly great.


But, let's talk about Ansible and PA.  Some of our folks went to Ansible Fest and talked to the PA folks there and they said that they were working on making it better - but requiring external modules is kind of untenable when trying to roll out enterprise automation, as well as the lack of functionality with the modules (no checkmode is a non-starter for us).  Also missing is like 75%? of the API functionality in the PA Ansible modules.


So, we're left to doing roll-your-own automation with the API and python.  That alone restricts a good enterprise integration and maintainability.


I guess what I'm asking is someone to step up and supply a feature roadmap so we can plan our enterprise automation solutions.


Accepted Solutions

L4 Transporter

Hi everyone,


My name is Brian Torres-Gil and my team develops the Ansible modules.  First off, thanks so much for the candid discussion on this thread.  I'll try to collect and respond to the concerns I see.


1. Topic: Ansible modules don't cover all the API functionality we need


True, and we're aware there are several modules needed.  The 2.0 module release that came out recently delivered idempotency in the modules, meaning you can now declare the final configuration state in your playbook without worrying about the steps to get there or the current state of the device.  This is a significant enhancement and required an overhaul of almost every module, which didn't allow us time to add all the modules we'd like to.  Now that it's complete and released, we're considering the highest priority modules that customers have asked for, and we'd greatly value your feedback.  The timing is perfect, so share the modules you'd like to see here!  Try to be as clear as possible about the firewall configuration you need to modify and the use case for modifying it, so we can better prioritize your request.  Thanks!!


2. Topic: The only way to get help is to post anonymously on GitHub, though questions are normally answered quite soon


Since Ansible and our modules are open source, we've found GitHub to be a great way to keep connected with customers. The advantage of this approach is you have direct access to the developers and direct visibility to bugs and fixes. We understand that this can be different from the TAC-based support model you may be used to for paid products.  If there are specific suggestions that would get you the help you need more effectively, we are very interested.  Please let us know.


3. Topic: External 3rd party modules are not a good fit for enterprise customers


We've been overloading the term "module" since we've used the term for the Ansible modules and the python external modules. So I'll use the term "library" here instead of "module" to avoid confusion.  There are 3 python libraries that the Ansible modules depend on:


 - pandevice  (aka. Palo Alto Networks Device Framework for python)

 - pan-python

 - xmltodict


I don't completely understand the concern with these libraries, so I have a few questions to clarify it.


I see these libraries being referred to as 'external' libraries.  Do you mean 'external' as in "not part of the python standard libraries"?  Or does external mean something else in this context?  Are libraries in the python standard library acceptable (such as the 'logging' module)?  I'm having trouble understanding what is different about a non-standard library pulled down by our Ansible modules and a non-standard library pulled down by Ansible itself, since Ansible relies on many libraries that are not part of the python standard library.


I also see these 3 libraries referred to as '3rd party', but to clarify, only xmltodict is 3rd party.  The pandevice and pan-python libraries are developed by the same team that develops the Ansible modules, here at Palo Alto Networks.


The 'xmltodict' library is the only 3rd party library, but it's used by thousands of projects in production, so we didn't anticipate a concern with it.  Let us know if this library is still a concern.


All three libraries should be installed with 'pip' (just like Ansible is installed with 'pip') so you shouldn't need to install them from GitHub or any website.  The install process is consistent with Ansible.


I hope that helps!  Very interested in your feedback on the above and continuing the discussion.  Thanks!


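To make the two points in this thread concrete (idempotent modules that declare a final state, and check mode that reports what would change without touching the device), here is an added illustration that is not part of the original post and not the Palo Alto Networks Ansible modules or the pandevice library. It uses an in-memory stand-in for a firewall's address-object table; `FakeFirewall` and `ensure_address_object` are constructed for this example.

```python
# Added illustration (not the PAN-OS Ansible modules or pandevice): an in-memory
# stand-in for a firewall's address-object table, used to show what "idempotent"
# and "check mode" mean for a declarative playbook task.
from dataclasses import dataclass, field


@dataclass
class FakeFirewall:
    """Constructed stand-in for a device; address objects as name -> {type, value}."""
    address_objects: dict = field(default_factory=dict)


def ensure_address_object(fw, name, value, obj_type="ip-netmask",
                          state="present", check_mode=False):
    """Converge one address object to the desired state.

    Returns (changed, action). Idempotent: a second run with the same
    arguments returns changed=False. In check_mode the intended action is
    reported but nothing on the (fake) device is modified.
    """
    desired = {"type": obj_type, "value": value}
    current = fw.address_objects.get(name)

    if state == "present":
        if current == desired:
            return False, "unchanged"
        action = "update" if current else "create"
    elif state == "absent":
        if current is None:
            return False, "unchanged"
        action = "delete"
    else:
        raise ValueError(f"unknown state {state!r}")

    if not check_mode:  # check mode: report only, never write
        if action == "delete":
            del fw.address_objects[name]
        else:
            fw.address_objects[name] = desired
    return True, action


if __name__ == "__main__":
    fw = FakeFirewall()
    # first run creates, second run is a no-op, check mode only reports
    print(ensure_address_object(fw, "web-srv", "10.0.0.10/32"))
    print(ensure_address_object(fw, "web-srv", "10.0.0.10/32"))
    print(ensure_address_object(fw, "web-srv", "10.0.0.11/32", check_mode=True))
    print(fw.address_objects)
```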


L5 Sessionator


Can I get some clarification, please?


What external modules are you referring to?

Is there some other Ansible functionality besides checkmode that you're referring to with the lack of functionality?

What other Ansible modules for the PAN-OS API did you want to make use of, but there is no module yet?

I don't think it's that bad, however I'm not really a fan of using external modules hosted at GitHub (having to rely on forum posts on GitHub to make bug reports on Python modules is not really enterprise). And yes, I'm aware that other big vendors in the same field use the same approach, so it's not really a Palo problem I guess.



As far as functions, we deploy new VLANs to existing "l3" trunks on a daily basis. That is a function/playbook I really do miss.

There is no reason to install any external modules hosted on any github with Ansible.  There is, however, an Ansible Galaxy role that is recommended to be installed, but that has nothing to do with github.

Yeah, you can install pan-python/pandevice from other places than GitHub. What I mean is if I run into a bug on any of these modules, the only way to get help is to post an anonymous post on Palo's GitHub page in the issue section. I know that they are normally answered quite soon.
