Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
04-04-2023 01:58 AM - edited 04-04-2023 02:00 AM
I have a use case for being able to apply set objects (address, service, etc. ) across multiple Panorama device groups in 3 Panorama appliances. How can I do that by defining each of object only once?
The object only allows a single device group reference:
resource "panos_address_object" "addr1" {
device_group = panos_device_group.DG1.name
name = "addr1"
value = "192.168.255.1/32"
}
04-05-2023 03:32 AM
Hi @batd2,
Creating the same object, defined once, in multiple Device Groups can be achieved with Terraform using their looping mechanism. Research Terraform's for_each feature to get more details, but something like this would work, and use the DG resource names instead of hardcoded strings as required:
resource "panos_address_object" "addr1" {
for_each = toset( ["DG1", "DG2", "DG3"] )
device_group = each.key
name = "addr1"
value = "192.168.255.1/32"
}
The PAN-OS provider has to manage state, so it talks to a single PAN-OS, which would be Panorama in this instance. Multiple states (achievable through separate folders or workspaces, again research Terraform's features around this) would be needed for multiple Panorama, assuming you are not using Panorama Interconnect. In order to avoid defining objects multiple times, I would look to use a SSoT or CMDB, and have the multiple Panoramas configured by Terraform, where Terraform uses the information from the SSoT (such as the object definitions) in order to create objects.
Hope that helps
04-04-2023 02:10 AM
Hi @batd2, defining an object once and having it be shared across multiple Device Groups is what Device Group hierarchies are designed for within Panorama. They are used for this purpose whether you are using Terraform, the GUI, the CLI, etc. Once you have a parent Device Group for DG1 and DG2, you can define addr1 once, in the parent Device Group and it will be inherited by DG1 and DG2.
Hope that helps
04-04-2023 03:13 AM - edited 04-04-2023 08:26 AM
@JimmyHolland are we saying that we will not be able to sync multiple objects across different device groups using Terraform?
I am aware of the device group structure, but it is a use case in a production environment, which arguably was created wrong to start with, but we can't just re-design device group structure. In addition the set object will need to be applied to 3 Panorama appliances.
Can you think of another Terraform-based solution, which which will not require defining each of the objects multiple times? Or if we resolve the Device Group and we have a single DG parent, how can we apply the same change over multiple Panoramas?
04-05-2023 03:32 AM
Hi @batd2,
Creating the same object, defined once, in multiple Device Groups can be achieved with Terraform using their looping mechanism. Research Terraform's for_each feature to get more details, but something like this would work, and use the DG resource names instead of hardcoded strings as required:
resource "panos_address_object" "addr1" {
for_each = toset( ["DG1", "DG2", "DG3"] )
device_group = each.key
name = "addr1"
value = "192.168.255.1/32"
}
The PAN-OS provider has to manage state, so it talks to a single PAN-OS, which would be Panorama in this instance. Multiple states (achievable through separate folders or workspaces, again research Terraform's features around this) would be needed for multiple Panorama, assuming you are not using Panorama Interconnect. In order to avoid defining objects multiple times, I would look to use a SSoT or CMDB, and have the multiple Panoramas configured by Terraform, where Terraform uses the information from the SSoT (such as the object definitions) in order to create objects.
Hope that helps
04-13-2023 08:02 AM - edited 04-13-2023 08:07 AM
@JimmyHolland Thank you again for responding. Apply the same object to multiple device groups works well with for_each and list of target groups.
Can you collaborate a bit more on how to do the same for multiple Panoramas/Multiple states. How can I avoid duplicating configuration between each state?
Btw without going into too much detail, we have genuine need to split the management into multiple Panorama appliances and there is no currently alternative solution form Palo Alto.
04-14-2023 04:57 AM
@JimmyHolland I got it work by configuring all required objects in a local terraform module. I have a folder for each of the Panorama appliances and then import the modules to each one of the configuration. Device Groups are passed as a variable for each Panorama state and then iterated using for_each. This way every object is configured only once. The structure looks like:
.
├── modules
│ └── standard_objects
│ ├── address_objects.tf
│ ├── security_profiles.tf
│ ├── security_policies.tf
│ ├── main.tf
│ └── variables.tf
├── panorama001
│ ├── main.tf
│ └── variables.tf
└── panorama002
├── main.tf
└── variables.tf
Thank you for your help
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
