This quickplay solution provides an Ansible playbook that licenses a VM-series NGFW using an activated auth code, installs content updates, and upgrades or downgrades the device to a user-supplied PAN-OS software version.
Video coming soon...
Playing this solution requires:
An active and unused VM-series auth code
API access to the NGFW
Optional: panhandler 4.3 or later and docker to play skillets
Booting an NGFW can be done in a variety of ways: manual bootstrapping, public cloud UIs or Terraform templates, private cloud management systems, workflow and device management utilities, etc. In all cases, baselining the device (e.g. licensing, updating, upgrading) tends to become tightly coupled to each boot model, requiring model-specific UI interactions, custom templating, or manual instructions.
Instead of creating new workflows for each boot model, this playbook is boot type agnostic and can be run against any network-accessible NGFW in any deployed location. The playbook baselines the newly instantiated NGFW in three ways:
Licensing using an active Auth Code
Add the auth code as a playbook variable to interact with the entitlement system to license the NGFW. The NGFW will perform a soft reboot with the newly active licenses.
NOTE: the playbook will continue to poll the NGFW until the management interface is ready for new commands.
Newly deployed NGFWs do not have the latest content/threat and anti-virus updates. Users often skip this step and wait for the next scheduled update, assuming the device has been configured with an update schedule at all. This leaves a security gap: the device runs without the latest signatures loaded and is likely to miss active threats traversing the network.
The playbook will download and install the latest content/threat and anti-virus updates to ensure the NGFW is fully armed with the latest signatures.
The user can input the desired software version and the playbook will work through all of the necessary base images, major/minor release stages, and land on the desired version.
The playbook will download and install each required stage while waiting for the device to come online after required reboots.
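The three baselining steps above (license, poll until ready, content updates, staged software upgrade), written out as an added Ansible example; this is not the quickplay's own playbook. It assumes the paloaltonetworks.panos collection's panos_lic, panos_check, panos_dynamic_updates and panos_software modules, and the host, credentials, auth code and target version are placeholders passed in with -e.

```yaml
---
# Added example, not the quickplay's playbook. Module names/parameters are
# those of the paloaltonetworks.panos collection as the editor knows them;
# host, credentials, auth code and version are run-time placeholders.
- name: Baseline a freshly booted VM-series NGFW
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: "{{ ngfw_ip }}"        # placeholder
      username: "{{ ngfw_user }}"        # placeholder
      password: "{{ ngfw_password }}"    # placeholder
    auth_code: "{{ vm_auth_code }}"      # placeholder: active, unused code
    target_version: "{{ panos_version }}"  # placeholder target release
  tasks:
    - name: Apply the auth code (the NGFW soft-reboots once licensed)
      panos_lic:
        provider: "{{ provider }}"
        auth_code: "{{ auth_code }}"
    - name: Poll until the management interface accepts commands again
      panos_check:
        provider: "{{ provider }}"
        timeout: 900      # seconds to keep polling before failing
        interval: 30      # seconds between polls
    - name: Close the signature gap before the device carries traffic
      panos_dynamic_updates:
        provider: "{{ provider }}"
        category: "{{ item }}"
        version: latest
      loop:
        - content
        - anti-virus
    # For a path that crosses base images, repeat this pair once per stage
    # (for example via include_tasks over an ordered list of stage versions).
    - name: Download, install and reboot into the requested PAN-OS version
      panos_software:
        provider: "{{ provider }}"
        version: "{{ target_version }}"
        download: true
        install: true
        restart: true
    - name: Wait for the device to come back after the upgrade reboot
      panos_check:
        provider: "{{ provider }}"
        timeout: 1200
        interval: 30
```

Run with ansible-playbook -e "ngfw_ip=... ngfw_user=... ngfw_password=... vm_auth_code=... panos_version=..." against any network-reachable NGFW, regardless of how it was booted.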