This is quite a subjective topic. My personal opinion is that to automate (using tools like Ansible) one needs a consistent and reliable source of truth for the data required to describe your configuration. With a good data source and data model, tools like Ansible can read the data and make the changes, hopefully only making the changes of the 'diff', and making them idempotently. This means the target is to have your address objects, groups, etc. defined somewhere in a data source, such that Ansible can convert these into PAN-OS objects. The same with rules. Ansible pushes all the relevant config into Device Groups and Templates, to be consumed by your PAN-OS NGFWs. The steps required to retrofit into a non-greenfield scenario are not trivial though, so tread carefully. That's just summary-level detail of course; this is a much bigger topic. Folks like NetworkToCode have some great longer-form content, and there is plenty of other content around the Internet on configuration-as-code, policy-as-code, etc.
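As an added illustration of the data-driven approach described in the post above (example playbook written here, not the poster's own and not from any vendor), the address objects, a group and a rule live in a YAML data model and Ansible renders them into a Panorama Device Group using the paloaltonetworks.panos collection. The Panorama address, credentials, device group name, zones and object values are placeholders.

```yaml
---
# Added example: data model in, PAN-OS objects out, pushed idempotently to a Device Group.
- name: Render address objects, groups and rules from a data model into Panorama
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:                      # placeholders: supply via vault / env in practice
      ip_address: "panorama.example.internal"
      username: "{{ panorama_user }}"
      password: "{{ panorama_pass }}"
    device_group: "DG-Branch"     # placeholder Device Group name
    # Constructed source-of-truth data; in practice loaded from a NSoT/IPAM export.
    address_objects:
      - { name: "srv-web-01", value: "10.10.1.10/32" }
      - { name: "srv-web-02", value: "10.10.1.11/32" }
    address_groups:
      - { name: "grp-web", members: ["srv-web-01", "srv-web-02"] }
    security_rules:
      - name: "allow-inbound-web"
        from_zone: ["untrust"]
        to_zone: ["dmz"]
        source: ["any"]
        destination: ["grp-web"]
        application: ["web-browsing", "ssl"]
        action: "allow"
  tasks:
    - name: Ensure address objects exist (idempotent, only diffs are applied)
      panos_address_object:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        address_type: "ip-netmask"
        state: present
      loop: "{{ address_objects }}"

    - name: Ensure static address groups reference the objects above
      panos_address_group:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        name: "{{ item.name }}"
        static_value: "{{ item.members }}"
        state: present
      loop: "{{ address_groups }}"

    - name: Ensure security rules match the data model
      panos_security_rule:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        rule_name: "{{ item.name }}"
        source_zone: "{{ item.from_zone }}"
        destination_zone: "{{ item.to_zone }}"
        source_ip: "{{ item.source }}"
        destination_ip: "{{ item.destination }}"
        application: "{{ item.application }}"
        action: "{{ item.action }}"
        state: present
      loop: "{{ security_rules }}"
```

Run with `--check --diff` first to see exactly what would change before committing and pushing the Device Group to the firewalls.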