About RyanBess

hi @gfreeman good to see you here.  Can you please take a look at https://github.com/PaloAltoNetworks/pan-os-ansible/issues/348     ... View more

For us, we are trying to build this dynamically through ServiceNow and get FW IT Staff out of the day to day grind of operating FWs and let code do what it does best.  Thus some requestor who today puts in a ticket would go into a SNOW workflow, request a rule, some approval process happens and out the backend is a json file of all our rules in consumable via an API call.  From there we run our code on a task every x minutes hours and our code needs to iterate through each rule and do it's magic.  Fortunately we are starting with a new zone on the Firewall so all other existing rules wont have that new zone as a source or a destination, thus we can start with explicit denies in each direction.  For each new rule they would go "before" the explicit denies for that direction.  Lets say we have 10 rules that would go before the explicit deny.  With the ansible module can you specify "location" and "existing rule" https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_security_rule_module.html.  The problem i'm running into is if you say that all 10 rules be BEFORE the deny rule, the module is literal.  It will check the first rule of the 10 and ask the question "is this rule DIRECTLY before the deny rule".  The answer will be NO.  Ansible will then move rule 1 DIRECTLY before the deny rule.  Then it goes to the next rule and asks the same question.  The answer is still NO, and now it moves it.  This continues until all rules are back exactly how they started EVEN IF NOTHING IN THE RULE CHANGES.  Thus every time we run a KCC to ensure the rules are correct, there is always a pending commit because from the FW perspective, a MOVE command was issued.  I've requested help here https://github.com/PaloAltoNetworks/pan-os-ansible/issues/348   so if anyone sees this from the ansible module team, lets please work together.  I'm happy to beta new versions of the modules.       ... View more

Thanks for your response.  Several follow-ups and looking forward to seeing yours and other responses.  We're also tasked with not having humans manually go into the github IAC file and manually updating the IAC file for new rules.  We want to enable users to request things (in this case a FW rule modification) > have infosec approve it > and then ansible just does it so no FW engineer needs to be involved.     1. In the previous comment i stated "I still don't know of a good way to rename a rule via code as you can't simply go into your text based rule base (stored somewhere likely github) and just rename the rule.  Ansible will just create a new rule."  and you stated "yep - that's the point!".  After the new one is created, how are you removing the old rule + auditing that deletion?  Say I had a rule that was named "Access to TCP 443 from Internet for DMZ Web Servers", but then you realized you actually meant HTTPS and wanted to update the rule name to now say "Access to HTTPS from Internet for DMZ Web Servers".  What is your process from doing this as the moment you change the rule name, you will now have 2 rules that IAC created.   2. How are you modifying your rules.  Example, you find you need to move a rule up or down in the rule base for whatever reason say you have a rule that allows HTTPS from the internet to 100 address objects.  Then one of those address objects is being retired, how are you removing only that 1 address object from both the rule and from Panorama as to keep the rule clean and panorama clean of stale objects?     3. Just because your rules are in IAC, doesn't mean a human couldn't log into panorama and create a rule (think like when ansible is down or something, or a human just not doing things they are supposed to do) and thus negate your IAC and auditing.  How are you accounting for this?    4. How are you creating/maintaining all the things  (Objects, security profiles, custom apps, administrators access configs, EDLs, UserID configs, ldap/kerb configs... etc).  Without these objects and configs the firewall and it's rules wont work properly.   5. How are you accounting for commit errors?  Are you still going into Panorama and validate the commit happened?     6. If you need to back out of a change how do you quickly revert to the last config?  Within Panorama it's easy, via IAC, i can't wrap my head around it as you can't just delete the rule (should you need to remove the rule) in IAC and say push.  Ansible in this case wont remove the rule.   7. You mention you have an HA pair of Panorama.  How are you checking which Panorama is the active Panorama with IAC before pushing the code?   8. As for your rebuilding everything from zero, why would you not just use the panorama backups as it has EVERYTHING where as your IAC only has the stuff that you've put into IAC.     Looking forward to yours or others comments on the above as i try and decide if going through this IAC for palo automation is an appropriate use when going through panorama seems to have a lot of upside vs trying to turn every little config into code.      Thank you for your time.    ... View more

@paul.dinapoli how did your migration from using Panorama to using IAC go?  I've been tasked with this for a number of reasons including the auditability by having your configs in code.  This all gets really complicated when you start using application based rules vs port based rules, ssl decryption...etc.  I still don't know of a good way to rename a rule via code as you can't simply go into your text based rule base (stored somewhere likely github) and just rename the rule.  Ansible will just create a new rule.  On the topic of new rules looking at the text file isn't' as easy to see your rule base and thus hard to know where to place a new rule...lots to think about.  Hoping you have some advise on how you accomplished this task.    ... View more

Thanks JimmyHolland, Agreed it was a wide casted questions.  Ansible yes can do the job however the Palo modules that can be used with ansible at this time are lacking.  The videos and docs you find in blogs and YouTube are very greenfield (stand up some FW, give it a config, and that's about it).  There isn't much documentation on operate and maintain.     Here's a use case we're trying to automate with ansible and the palo modules for ansible.  Very often we're asked to see if a given IP is used in any FW rule.  Today we log into panorama and do a global find.  How would you do that programmatically and if that address object is used anywhere in a rule report what that rule is and the various settings of that rule back to the requester?   Does anyone know what Splunk Soar (formerly phantom) brings to operate and maintain for palo FW's? ... View more

just my two cents here.  The audit comment feature is very buggy and there are / have been a number of issues with it.  If you are looking to use it as an a way for auditing change, you may be better suited to look to something outside of this feature.  We're told things are fixed in some newer releases but we've hit a number of issues. ... View more

how would you do this through appID? ... View more