About paul.dinapoli

I too would love to know how to get help when all avenues of troubleshooting and documentation scouring has failed.  It kinda feels like Palo Alto doesn't give much care & feeding to their ansible support...when something doesnt work as advertised - we're on our own. https://github.com/PaloAltoNetworks/pan-os-ansible/blob/develop/SUPPORT.md ... View more

Hi Ivan, I went through your video - https://www.youtube.com/watch?v=0OnKIcUCKJg    I'm actively working on converting existing firewall rules into ansible code - and I have a feature/functionality inquiry.   Seems like all the documentation talks about how to start building security policies with ansible...and they all seem to be overly simplified and only apply to a basic new install.  What if you want to insert a new rule somewhere into the list...I have a hard time believing I'm the first person to see this - or need this functionality.   I have 130 existing firewall rules - I'd like to turn them into ansible code and manage them with git.  The only documentation I can find talks about "location"   location : 'before/after' existing_rule : 'xyz'   so this would mean you'd have to know the existing firewall rule list - and every code block for new policy - has to reference another rule/name.   example: - name : add SSH inbound rule to Panorama device group panos_security_rule : provider : '{{ provider }}' device_group : 'lab-pan01' rule_name : 'SSH permit' description : 'SSH rule test' source_zone : [ 'any' ] source_ip : [ 'any' ] destination_zone : [ 'any' ] destination_ip : [ '1.1.1.1' ] application : [ 'ssh' ] action : 'allow' - name : add a 2nd rule to Panorama device group panos_security_rule : provider : '{{ provider }}' device_group : 'lab-pan01' rule_name : 'SSH permit01' description : 'rule indexing test' source_zone : [ 'any' ] source_ip : [ 'any' ] destination_zone : [ 'any' ] destination_ip : [ '1.1.1.1' ] application : [ 'ssh' ] action : 'allow' location: 'before' existing_rule: 'SSH permit' the palo cli has the concept of "index" which is the position of the rule in the list...seems like if we could pass that into ansible - and ansible could index the new rule - the code would be a lot simpler.  having to know the name of the rule for before/after insertion makes for lots of useless extra text in the code. being able to index the rule right into the place you want it seems more efficient.  show running security-policy | match index <<-- gives nice output of all your firewall rules in their current ordering maybe this exists somewhere - but I can't find it in any palo/ansible documentation.   ... View more

fair question! My org has been spending an awful lot of time chasing soc2 compliance, CIS benchmarks, now NIST.  it's tedious work and I suspect will never end. Being a career "network guy" one thing that has always been a challenge is building an environment that can be easily audited.  So, the reason we're moving forward with ansible to automate some of our palo stuff is because then our config is in code..we have commit histories, change control, etc... it will be very handy to say "this is our baseline security config - here's our code - here's our proof we comply," etc..   so - to the question " Do you plan to use ansible instead of panorama to create firewall rules? Any special reason?" I think that's the direction we're headed...only because panorama is slow, lots of point & click, fairly cumbersome.  Don't get me wrong...Panorama does a lot of good stuff...but it's also cumbersome, and still hand built manual.   Since I'm still pretty new to this I'd love to hear your thoughts on what other low hanging fruit you think is better to pursue first. ... View more