Yep - you bring up good questions - same issues/pain we've had - so rest assured you're not alone!

1. After the new one is created, how are you removing the old rule + auditing that deletion?

Me: for us - still keeping this manual. Once the new IaC rule is live I just use the Panorama UI to disable the existing hand-built rule. We hang onto it for 30 days - then finally just delete/commit/push.

Say I had a rule that was named "Access to TCP 443 from Internet for DMZ Web Servers", but then you realized you actually meant HTTPS and wanted to update the rule name to now say "Access to HTTPS from Internet for DMZ Web Servers". What is your process for doing this, as the moment you change the rule name, you will now have 2 rules that IaC created?

Me: this is the beauty of running the playbook targeting your device group in Panorama first. If you notice something you don't like - delete the rule from Panorama via the UI (quickest/easiest). Tweak the playbook and rerun it. You sort of have to iterate over that a few times until you get it right - then finally you do the push to the firewall.

2. How are you modifying your rules? Example: you find you need to move a rule up or down in the rule base for whatever reason. Say you have a rule that allows HTTPS from the internet to 100 address objects. Then one of those address objects is being retired. How are you removing only that 1 address object from both the rule and from Panorama, so as to keep the rule clean and Panorama clean of stale objects?

Me: pretty straightforward - if you are talking about a rule you have already codified and later you need to tweak it - Ansible won't create the rule that already exists...it will only change the value that you tweaked. Add a source or dest address...it doesn't recreate another duplicate rule - it just adds the diff.

3. Just because your rules are in IaC doesn't mean a human couldn't log into Panorama and create a rule (think like when Ansible is down or something, or a human just not doing things they are supposed to do) and thus negate your IaC and auditing. How are you accounting for this?

True, in my organization - for better or worse it's just me and my partner; there are only 2 of us that have full god-rights to the network and firewall infrastructure...so we are 100% in sync as partners in this journey. No exceptions...all firewall rule work goes through this Jira/Git/PR approval workflow. (think like when Ansible is down or something) - this isn't really a thing...Ansible runs from your laptop - or a jump host. Unless it was a true emergency and you need to do something "RIGHT NOW", I would say - once you start your journey to all-rules-are-Ansible - don't deviate. It will be a mess. If you have folks on your team that won't play nice...demote their account to read-only.

4. How are you creating/maintaining all the things (objects, security profiles, custom apps, administrator access configs, EDLs, User-ID configs, LDAP/kerb configs...etc.)? Without these objects and configs the firewall and its rules won't work properly.

True, there are a lot of dependencies. We made the decision to only focus on the access rules and associated objects...but address objects / tags / etc...you can build a playbook with tasks - and you just create the dependencies first - then finally the firewall rule that uses those objects.

5. How are you accounting for commit errors? Are you still going into Panorama to validate the commit happened?

Correct - we run the playbooks against Panorama - then we use the validate tools for a sanity check. There aren't really that many commit errors honestly - if the playbook has syntax issues it won't run...so by the time you have your playbook built correctly - it will execute against Panorama without any issues.

Are you still going into Panorama to validate the commit happened? <--- most definitely!

6. If you need to back out of a change, how do you quickly revert to the last config? Within Panorama it's easy; via IaC, I can't wrap my head around it, as you can't just delete the rule (should you need to remove the rule) in IaC and say push. Ansible in this case won't remove the rule.

(might be easier to show you this via Zoom - too much typing!)

7. You mention you have an HA pair of Panorama. How are you checking which Panorama is the active Panorama with IaC before pushing the code?

We only have 1 instance of Panorama so this is not an issue for us. We have HA firewalls...but for us Panorama is just a single VM.

8. As for your rebuilding everything from zero, why would you not just use the Panorama backups, as it has EVERYTHING, whereas your IaC only has the stuff that you've put into IaC?

Yep - fair point. Many ways to skin the cat. We bought into Panorama after we'd already deployed several firewalls. I would say this was a general PITA disaster. Some stuff Panorama managed - other stuff it didn't. The general concept of Panorama is pretty good...but in day-to-day use it has a lot of very confusing layers / hard to navigate. It's an operational mistake to have feet in both worlds where some stuff is configured locally vs. some stuff from Panorama.
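The workflow the reply describes (dependencies first, then the rule, run against Panorama, review, then push) as an added example playbook. This is editor-written illustration, not the poster's playbook. It assumes the `paloaltonetworks.panos` Ansible collection, a Panorama reachable as `panorama.example.net`, an API key in a `PANOS_API_KEY` environment variable, a device group `dmz-dg`, zones `untrust`/`dmz`, an existing rule named `Default Deny` to position against, and the two rule names from the thread; all of those are assumed names. Two caveats a practitioner will want that the reply only touches on: the collection's modules only remove something when a task says `state: absent` (deleting a task from the playbook leaves the rule on Panorama), so the renamed rule's old copy and a retired address object each need an explicit absent task; and the object must be dropped from the rule's address list before the object itself is deleted, otherwise Panorama rejects the deletion because the object is still referenced.

```yaml
---
# Added example (not from the original post). Assumes the paloaltonetworks.panos
# collection, API key in $PANOS_API_KEY, device group "dmz-dg", zones untrust/dmz,
# and an existing rule "Default Deny" used only for positioning.
- name: DMZ HTTPS access via Panorama - dependencies first, then the rule
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: panorama.example.net
      api_key: "{{ lookup('env', 'PANOS_API_KEY') }}"
    device_group: dmz-dg
    # Retiring a server: delete it from this list and rerun. The rule task below
    # sets the full destination list, so the object drops out of the rule first.
    dmz_web_servers:
      - { name: dmz-web-01, value: 10.10.20.11/32 }
      - { name: dmz-web-02, value: 10.10.20.12/32 }
  tasks:
    - name: Tag that marks every IaC-managed object and rule
      panos_tag_object:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        name: iac-managed
        color: green
        state: present

    - name: Address objects the rule depends on (created before the rule)
      panos_address_object:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        address_type: ip-netmask
        tag: [iac-managed]
        state: present
      loop: "{{ dmz_web_servers }}"

    - name: The rule itself - rerunning only applies the diff, never a duplicate
      panos_security_rule:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        rulebase: pre-rulebase
        rule_name: Access to HTTPS from Internet for DMZ Web Servers
        source_zone: [untrust]
        destination_zone: [dmz]
        source_ip: [any]
        destination_ip: "{{ dmz_web_servers | map(attribute='name') | list }}"
        application: [ssl, web-browsing]
        service: [service-https]
        action: allow
        tag_name: [iac-managed]
        # Positioning: place above an existing rule instead of at the bottom.
        location: before
        existing_rule: Default Deny
        state: present

    - name: A rename is a new rule; the old name must be removed explicitly
      panos_security_rule:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        rulebase: pre-rulebase
        rule_name: Access to TCP 443 from Internet for DMZ Web Servers
        state: absent

    - name: Delete a retired address object (only after no rule references it)
      panos_address_object:
        provider: "{{ provider }}"
        device_group: "{{ device_group }}"
        name: dmz-web-03
        state: absent

    - name: Commit to Panorama - review the device group in the UI before pushing
      panos_commit_panorama:
        provider: "{{ provider }}"
        description: "IaC: DMZ HTTPS rule"

    - name: Push the device group to the firewalls (run after the Panorama-side review)
      panos_commit_push:
        provider: "{{ provider }}"
        style: device group
        name: "{{ device_group }}"
        description: "IaC: DMZ HTTPS rule"
```

Run it with the commit-push task commented out or gated behind a `--tags push` tag to get the "iterate on Panorama first" loop the reply describes, and add `--check --diff` on a dry run to see which task would change what before anything is committed.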