Thanks for your response. Several follow-ups, and I'm looking forward to seeing your and others' responses. We're also tasked with not having humans manually go into the GitHub IaC file and update it for new rules. We want to enable users to request things (in this case a FW rule modification) > have infosec approve it > and then Ansible just does it, so no FW engineer needs to be involved.

1. In the previous comment I stated "I still don't know of a good way to rename a rule via code as you can't simply go into your text based rule base (stored somewhere likely github) and just rename the rule. Ansible will just create a new rule." and you stated "yep - that's the point!". After the new one is created, how are you removing the old rule and auditing that deletion? Say I had a rule named "Access to TCP 443 from Internet for DMZ Web Servers", but then you realized you actually meant HTTPS and wanted to update the rule name to say "Access to HTTPS from Internet for DMZ Web Servers". What is your process for doing this? The moment you change the rule name, you will have 2 rules that IaC created.

2. How are you modifying your rules? For example, you find you need to move a rule up or down in the rule base for whatever reason. Or say you have a rule that allows HTTPS from the internet to 100 address objects, and then one of those address objects is being retired. How are you removing only that 1 address object from both the rule and from Panorama, so as to keep the rule clean and Panorama clean of stale objects?

3. Just because your rules are in IaC doesn't mean a human couldn't log into Panorama and create a rule (think of when Ansible is down or something, or a human just not doing things they are supposed to do) and thus negate your IaC and auditing. How are you accounting for this?

4. How are you creating/maintaining all the other things (objects, security profiles, custom apps, administrator access configs, EDLs, User-ID configs, LDAP/Kerberos configs, etc.)? Without these objects and configs the firewall and its rules won't work properly.

5. How are you accounting for commit errors? Are you still going into Panorama to validate that the commit happened?

6. If you need to back out of a change, how do you quickly revert to the last config? Within Panorama it's easy; via IaC, I can't wrap my head around it, as you can't just delete the rule (should you need to remove the rule) in IaC and say push. Ansible in this case won't remove the rule.

7. You mention you have an HA pair of Panorama. How are you checking which Panorama is the active one with IaC before pushing the code?

8. As for rebuilding everything from zero, why would you not just use the Panorama backups, as they have EVERYTHING, whereas your IaC only has the stuff that you've put into IaC?

Looking forward to your or others' comments on the above as I try to decide if going through IaC for Palo automation is an appropriate use, when going through Panorama seems to have a lot of upside vs. trying to turn every little config into code. Thank you for your time.
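Questions 1 to 3 above come down to one mechanical gap: a tool that only creates what the repo declares cannot notice a leftover rule from a rename, an address object nothing references any more, or a rule a human added by hand. The script below is an added example, not code from the thread or from any Palo Alto or Ansible project. It reconciles a desired rulebase (what the IaC repo declares) against a live rulebase and produces a report plus an explicit cleanup plan that an approval workflow can act on. Both snapshots are constructed in-memory data; pulling the real ones from Panorama is assumed to happen elsewhere and is not shown.

```python
"""Reconcile a desired (IaC) firewall rulebase against the live one.

Added example. The desired and live snapshots below are constructed by
hand to stand in for the repo's rule file and an export from Panorama.
Deletions are never applied here; the cleanup plan is returned so a
human (infosec) can approve it before any push runs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security rule; tuples keep the record hashable and comparable."""
    name: str
    source: tuple
    destination: tuple
    application: tuple
    service: tuple
    action: str

    def body(self):
        """Everything except the name, used to recognise a renamed rule."""
        return (self.source, self.destination, self.application,
                self.service, self.action)


# Constructed desired state: the repo already carries the renamed rule.
DESIRED_RULES = [
    Rule("Access to HTTPS from Internet for DMZ Web Servers",
         ("any",), ("dmz-web-01", "dmz-web-02"),
         ("ssl", "web-browsing"), ("application-default",), "allow"),
    Rule("Allow DNS to resolvers",
         ("any",), ("dns-resolvers",), ("dns",),
         ("application-default",), "allow"),
]
DESIRED_OBJECTS = {
    "dmz-web-01": "10.1.1.10/32",
    "dmz-web-02": "10.1.1.11/32",
    "dns-resolvers": "10.1.2.0/24",
}

# Constructed live state: old rule name still present, a hand-made rule,
# a drifted DNS rule, and a retired host object nothing references.
LIVE_RULES = [
    Rule("Access to TCP 443 from Internet for DMZ Web Servers",
         ("any",), ("dmz-web-01", "dmz-web-02"),
         ("ssl", "web-browsing"), ("application-default",), "allow"),
    Rule("Allow DNS to resolvers",
         ("any",), ("dns-resolvers",), ("dns", "ntp"),
         ("application-default",), "allow"),
    Rule("temp-troubleshooting",
         ("any",), ("any",), ("any",), ("any",), "allow"),
]
LIVE_OBJECTS = dict(DESIRED_OBJECTS, **{"dmz-web-03": "10.1.1.12/32"})


def reconcile(desired_rules, live_rules, desired_objects, live_objects):
    """Compare repo and device; return what differs and why."""
    desired = {r.name: r for r in desired_rules}
    live = {r.name: r for r in live_rules}
    missing = sorted(set(desired) - set(live))
    unmanaged = sorted(set(live) - set(desired))
    drifted = sorted(n for n in desired.keys() & live.keys()
                     if desired[n] != live[n])

    # A rename shows up as one missing name plus one unmanaged name with an
    # identical body; pair them so the old copy can be removed deliberately.
    by_body = {desired[n].body(): n for n in missing}
    renamed = sorted((old, by_body[live[old].body()])
                     for old in unmanaged if live[old].body() in by_body)
    renamed_old = {old for old, _ in renamed}

    # Address objects that no live rule references any more.
    referenced = set()
    for r in live_rules:
        referenced.update(r.source)
        referenced.update(r.destination)
    orphaned = sorted(o for o in live_objects if o not in referenced)

    return {
        "missing_on_device": missing,
        "unmanaged_on_device": [n for n in unmanaged if n not in renamed_old],
        "drifted": drifted,
        "likely_renamed": renamed,
        "orphaned_objects": orphaned,
        "objects_missing_on_device": sorted(set(desired_objects) - set(live_objects)),
    }


def cleanup_plan(report):
    """Explicit actions the pipeline must issue itself: creating the new
    rule never removes the old one. Unmanaged rules that are not a rename
    and drifted rules go to review rather than being deleted or overwritten."""
    actions = [("delete_rule", old) for old, _ in report["likely_renamed"]]
    actions += [("delete_object", o) for o in report["orphaned_objects"]]
    actions += [("review_rule", n) for n in report["unmanaged_on_device"]]
    actions += [("review_drift", n) for n in report["drifted"]]
    return actions


if __name__ == "__main__":
    rep = reconcile(DESIRED_RULES, LIVE_RULES, DESIRED_OBJECTS, LIVE_OBJECTS)
    for key, value in rep.items():
        print(f"{key}: {value}")
    for action in cleanup_plan(rep):
        print("plan:", *action)
```

Running this on a schedule (not only before a push) is what catches question 3: a rule created by hand while the pipeline was down appears under `unmanaged_on_device` on the next run, with an audit trail of when it was first seen. The `body()` match is deliberately exact; a near-match (same rule with one extra application, as in the DNS rule above) is reported as drift for a human to resolve rather than guessed at.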