Ansible Playbook to Baseline the NGFW


Brief Description

This quickplay solution provides an Ansible playbook that licenses a VM-Series NGFW with an activated auth code, installs the latest content and anti-virus updates, and upgrades or downgrades the device to a user-supplied PAN-OS software version.


Prerequisites

Playing this solution requires:

  • An activated, not-yet-used VM-Series auth code (treat it as a secret; it is consumed on first use)
  • API access to the NGFW management interface (an admin credential or API key)
  • Optional: panhandler 4.3 or later and Docker to play skillets

 

Solution Details

Documentation: https://github.com/PaloAltoNetworks/panos-query-scripts/blob/main/README.md

Github Location: https://github.com/PaloAltoNetworks/panos-ansible-upgrade-downgrade.git

Github Branches: main

Product Versions Supported: PAN-OS 9.0 and later

 

Full Description

An NGFW can be booted in a variety of ways: manual bootstrapping, public cloud consoles or Terraform templates, private cloud management systems, workflow and device management utilities, and so on. In every case, baselining the device (licensing it, updating content, upgrading software) tends to become tightly coupled to the boot model, with each model requiring its own UI interactions, custom templating, or manual instructions.

 

Instead of creating a new workflow for each boot model, this playbook is boot-type agnostic and can be run against any network-accessible NGFW wherever it is deployed. It baselines the newly instantiated NGFW in three steps:

 

Licensing using an active Auth Code

Supply the auth code as a playbook variable; the playbook uses it to contact the entitlement system and license the NGFW. The NGFW then performs a soft reboot to activate the new licenses. Because the auth code is single-use and grants the entitlement, pass it in as an extra-var or from Ansible Vault rather than committing it to the repository.

 

NOTE: after the reboot the playbook polls the NGFW until the management interface accepts commands again before it continues.

 

Content Updates

A newly deployed NGFW does not have the latest content (application/threat) and anti-virus updates. Users often skip this step and wait for the next scheduled update, assuming a schedule has even been configured. Until that update runs, the device has stale signatures loaded and is likely to miss active threats traversing the network.

 

The playbook downloads and installs the latest content and anti-virus updates so that the NGFW is running current signatures before it takes traffic.

 

Software Upgrades/Downgrades

The user supplies the desired software version, and the playbook works through every required base image and major/minor release stage on the way to that version, in either direction.

 

The playbook downloads and installs each required stage, waiting for the device to come back online after every reboot before starting the next stage.
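The three steps above, as one added Ansible playbook (example code written for this article, not the playbook in the repository linked above). It assumes the `paloaltonetworks.panos` collection is installed, an inventory group named `ngfw` whose hosts define `ip_address`, `username` and `password`, an auth code supplied through the `PANOS_AUTH_CODE` environment variable, and an explicit, ordered `upgrade_stages` list (the repository's playbook derives the stage list from the target version; this example takes it as input). The variable names, the `<feature>` substring check on the license reply, the `response.result.*` paths into panos_op's JSON rendering of the XML reply, and the retry counts are this example's own choices.

```yaml
# Added example, not the article's playbook. Assumes the paloaltonetworks.panos
# collection, inventory group "ngfw" with ip_address/username/password per host,
# PANOS_AUTH_CODE in the environment, and an explicit ordered upgrade_stages list.
- name: Baseline a freshly booted VM-Series NGFW
  hosts: ngfw
  connection: local
  gather_facts: false
  vars:
    provider: {ip_address: "{{ ip_address }}", username: "{{ username }}", password: "{{ password }}"}
    vm_auth_code: "{{ lookup('env', 'PANOS_AUTH_CODE') }}"
    target_version: "10.2.3"
    upgrade_stages: ["10.1.0", "10.2.0", "10.2.3"]   # base images on the way, then the target
  tasks:
    # 1. Licensing. VM-Series restarts its management plane once the licenses
    #    apply, so this call may drop; verify the outcome afterwards instead.
    - name: Fetch licenses from the entitlement server with the auth code
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: 'request license fetch auth-code "{{ vm_auth_code }}"'
      no_log: true            # keep the auth code out of logs and output
      ignore_errors: true

    - name: Poll until the management plane answers API calls again
      paloaltonetworks.panos.panos_op: {provider: "{{ provider }}", cmd: show system info}
      register: sysinfo
      until: sysinfo is succeeded
      retries: 60
      delay: 15
      changed_when: false

    - name: Fail unless at least one license feature is now installed
      paloaltonetworks.panos.panos_op: {provider: "{{ provider }}", cmd: request license info}
      register: lic_info
      changed_when: false
      failed_when: "'<feature>' not in lic_info.stdout_xml"

    # 2. Content and anti-virus. Each request returns a job id; poll that job
    #    until it is FIN with result OK before moving on.
    - name: Enqueue downloads of the latest content and anti-virus packages
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: "{{ item }}"
      loop:
        - request content upgrade download latest
        - request anti-virus upgrade download latest
      register: jobs

    # YAML anchor so the same wait task can be reused for the install jobs.
    - &wait_for_jobs
      name: Wait for the download jobs
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: 'show jobs id "{{ (item.stdout | from_json).response.result.job }}"'
      loop: "{{ jobs.results }}"
      register: job
      until: >-
        (job.stdout | from_json).response.result.job.status == "FIN" and
        (job.stdout | from_json).response.result.job.result == "OK"
      retries: 40
      delay: 15
      changed_when: false

    - name: Install the downloaded packages
      paloaltonetworks.panos.panos_op:
        provider: "{{ provider }}"
        cmd: "{{ item }}"
      loop:
        - request content upgrade install version "latest"
        - request anti-virus upgrade install version "latest"
      register: jobs

    - <<: *wait_for_jobs
      name: Wait for the install jobs

    # 3. Software upgrade/downgrade, one stage per iteration. While the box
    #    reboots into the previous stage the API is unreachable, so retrying
    #    the whole stage doubles as the "wait for it to come back" step.
    - name: Download, install and reboot into each stage of the path
      paloaltonetworks.panos.panos_software:
        provider: "{{ provider }}"
        version: "{{ item }}"
        restart: true
      loop: "{{ upgrade_stages }}"
      register: stage
      until: stage is succeeded
      retries: 60
      delay: 15

    - name: Wait for the last reboot and verify the running version
      paloaltonetworks.panos.panos_op: {provider: "{{ provider }}", cmd: show system info}
      register: final
      until: >-
        final is succeeded and
        (final.stdout | from_json).response.result.system['sw-version'] == target_version
      retries: 60
      delay: 15
      changed_when: false
```

Run it with `ansible-playbook -i inventory baseline.yml`; for a downgrade, list the stages in descending order. Two design points worth knowing: the license task tolerates a dropped connection but the `request license info` check afterwards is what actually fails the play if no license landed (with `no_log` set, the fetch task's own error text is redacted), and the upgrade loop relies on PAN-OS rejecting an install against a version that is not yet running, so that a stage attempted before the reboot has taken effect simply fails and is retried. Add an explicit pause after each stage if you would rather not depend on that behaviour. Confirm the `response.result.job` and `response.result.system['sw-version']` paths against a `show jobs id` and `show system info` reply from your own device before relying on the loops.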

Last Updated: 04-27-2022 01:59 PM