Skillets make it possible to share best-practice and use-case-specific configuration sets across PAN-OS and Panorama devices. However, getting started with XML configuration can be tricky. Fortunately, there is a whole set of tools available, designed to make this as painless as possible.
Using Panhandler, you can import the Skillet Builders repository from GitHub and get started right away.
First, import the Skillet Builders repository into Panhandler.
Once imported, you will find a new Collection called "Skillet Builder." Click into that collection to see the available tools:
Now that we have our tools installed, we can move on to the fun part: configuring an NGFW!
For best results, we recommend you start with a fresh NGFW with as few configuration options present as possible. If you only have access to a firewall that is already configured, that will work too, but may require a bit more work.
For this example, I'm going to configure a couple of address objects, but any configuration of arbitrary complexity will work just as well.
Here are a couple of address objects I've added:
Note that I have not yet committed these changes! Once I'm happy with my configuration, we can use a Skillet Generator tool to give us a starter Skillet.
In Panhandler, select the "Skillet Builder" Collection and choose the Generate a Skillet workflow:
The first question is whether you want to generate a skillet from an uploaded config or from a running NGFW. Choose the "From Running NGFW" option and click Submit.
Enter the authentication information for the NGFW that you just configured. We also have the option to choose the Configuration Source. Since all our changes are still in the Candidate Configuration, we will choose that option. If you were to choose the "From Running Configuration" option, the tool would generate a skillet comprising all changes ever made to this device!
Click Next to continue.
In this step, we will customize the actual Skillet template. These are things like the name and description of what your Skillet does and why someone would want to use it.
Click Next and you will receive the complete Skillet!
# skillet preamble information used by panhandler
# ---------------------------------------------------------------------
# unique snippet name
name: example_skillet_id
# label used for menu selection
label: Address Object Skillet
description: This skillet creates two address objects in the NGFW
# type of device configuration
# common types are panorama, panos, and template
# https://github.com/PaloAltoNetworks/panhandler/blob/develop/docs/metadata_configuration.rst
type: panos
# preload static or default-based templates
extends:
# grouping of like snippets for dynamic menu creation in panhandler
labels:
  collection:
    - Example Skillets
# ---------------------------------------------------------------------
# end of preamble section

# variables section
# ---------------------------------------------------------------------
# variables used in the configuration templates
# type_hint defines the form field used by panhandler
# type_hints can be text, ip_address, or dropdown
variables:
  - name: hostname
    description: Firewall hostname
    default: myFirewall
    type_hint: text
  - name: choices
    description: sample dropdown list
    default: choices
    type_hint: dropdown
    dd_list:
      - key: option1
        value: option1
      - key: option2
        value: option2
# ---------------------------------------------------------------------
# end of variables section

# snippets section
# ---------------------------------------------------------------------
# snippets used for api configuration including xpath and element as file name
# files will load in the order listed
# There is a variable called snippets that we can use to auto-generate this section for us
snippets:
  - name: address-860650
    xpath: ./devices/entry[@name="localhost.localdomain"]/vsys/entry[@name="vsys1"]
    element: |-
      <address>
        <entry name="some_address">
          <ip-netmask>10.10.10.0/24</ip-netmask>
          <description>This is my address object </description>
        </entry>
        <entry name="another_address">
          <ip-netmask>172.16.99.0/24</ip-netmask>
          <description>This is another address that I've decided to add as well</description>
        </entry>
      </address>
# ---------------------------------------------------------------------
# end of snippets section
This skillet now holds all the configuration options we configured in our firewall in a shareable format. This can be posted to GitHub, LIVEcommunity, or anywhere else for others to use.
This generated output needs a bit of customization before you can publish. It includes a few variables as an example, but you'll note that those variables do not actually appear in the "element" sections of the snippets. To make this example a bit better, let's customize the value of the addresses being added.
First, we'll find the portions of the configuration on which we will allow customization.
<entry name="some_address">
  <ip-netmask>10.10.10.0/24</ip-netmask>
  <description>This is my address object </description>
</entry>
We can make this more useful by allowing the user to enter their own values.
<entry name="{{ address_name }}">
  <ip-netmask>{{ address_cidr }}</ip-netmask>
  <description>{{ address_description }}</description>
</entry>
I've added three variables: 'address_name', 'address_cidr' and 'address_description'. Let's add these to the "variables" section of the Skillet as well. I'll use the 'type_hint' to tell the tooling what type of data is allowed from the user. A complete list of type_hints can be found here.
variables:
  - name: address_name
    description: Address Name
    default: some_address
    type_hint: text
  - name: address_cidr
    description: Address CIDR
    default: 10.10.10.0/24
    type_hint: cidr
  - name: address_description
    description: Address Description
    default: Description of this Address Object
    type_hint: text_area
Now the user can enter their own information, or choose the defaults and create their own customized address objects.
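Because these values end up inside XML that is pushed to a firewall, it is worth checking a skillet before sharing it. The following is an added example, not part of the original article or of Panhandler: it checks that the placeholders in the customized snippet match the declared variables, then validates and XML-escapes user input before substitution. The helper names (`lint`, `render`) and the regex-based substitution are assumptions that stand in for the real template rendering.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Matches simple "{{ name }}" placeholders only (no filters or expressions).
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed from the tutorial's customized snippet and variables section.
ELEMENT = """<address>
  <entry name="{{ address_name }}">
    <ip-netmask>{{ address_cidr }}</ip-netmask>
    <description>{{ address_description }}</description>
  </entry>
</address>"""
TYPE_HINTS = {"address_name": "text", "address_cidr": "cidr",
              "address_description": "text_area"}


def lint(element, declared):
    """Return (used but undeclared, declared but unused) variable names."""
    used = set(PLACEHOLDER.findall(element))
    return sorted(used - set(declared)), sorted(set(declared) - used)


def render(element, type_hints, values):
    """Validate values, XML-escape them, substitute, and parse the result."""
    safe = {}
    for name, hint in type_hints.items():
        value = values[name]
        if hint == "cidr":
            # Raises ValueError unless the value is an IP address with a valid prefix.
            ipaddress.ip_interface(value)
        # Escape &, <, > and quotes so a value cannot open or close XML nodes.
        safe[name] = escape(value, {'"': "&quot;", "'": "&apos;"})
    xml_text = PLACEHOLDER.sub(lambda m: safe[m.group(1)], element)
    return ET.fromstring(xml_text)  # raises ParseError if not well formed


if __name__ == "__main__":
    # The generator's starter variables never appear in the element.
    print(lint(ELEMENT, ["hostname", "choices"]))
    root = render(ELEMENT, TYPE_HINTS, {"address_name": "web-servers",
                                        "address_cidr": "10.10.10.0/24",
                                        "address_description": "Web & API tier"})
    print(ET.tostring(root, encoding="unicode"))
```

Running `lint` against the generator's original `hostname` and `choices` variables reports both as unused, which is the mismatch the article points out in the generated starter skillet.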
Now that you have a skillet in hand, let's upload it to GitHub so everyone else can benefit from your expertise and hard work.
Log in to your GitHub account and Create a new Repository. Ensure you make this repository public and check the "Initialize this repository with a README" option.
Once created, click Create new file to add our Skillet.
Currently, all Skillets are required to be named '.meta-cnc.yaml', so enter that name, then paste in your completed skillet.
Once completed, your Skillet can be used by everyone. Congrats!