About hbalzac

hbalzac · ‎01-09-2021

Im fairly sure its no way to convert the old configs to ansible playbooks. I dont really know how your policys look like and how many policys you are creating each day, but the thought of creating individuals policy in a playbook dont really sounds like something you would do in a the long run. Look at this example for a policy, https://github.com/PaloAltoNetworks/ansible-playbooks/blob/master/fw_rules.yml Imagine just sorting out the application/service/hostname/hostgroup/tag without being able to browse the one that are already defined? I guess panorama has its problem but i rebuilding one sounds messy. I dont know how your enviorment looks like, but i use ansible to create for example network interface, there you can also sync so it does config for switches, dns etc at the same time. I have also done playbooks that load a list of policy from a report in (exported from panorama of unused rules for x amount of time) and disable them, i also have a playbook for software upgrades. Here are some inspiration https://github.com/PaloAltoNetworks/ansible-playbooks

hbalzac · ‎01-08-2021

Do you plan to use ansible insted of panorama to create firewall rules? Any special reason? I think there are alot of other things that can be automated before that makes alot more sense then firewall policy, specialy since you have panorama (if i have understood it correct?)

hbalzac · ‎10-31-2020

So, say i have a multiple firewalls of many zones. If i want to create a rule between two servers in different firewall i need to create one rule in each firewall. For example trust to utrust and in the other firewall untrust to trust. (in some cases we allow it in one of the firewalls by default). If I need to type in this manualy in the automation job (no matter if its ansible or powershell or other) it feels like i almost can use the gui anyway. But if i can get this info via a script it would get alot easier. So if you had a enviorment consisting of many firewall and need to find out the routing between two servers. How would you build that logic?

hbalzac · ‎10-29-2020

The rbac functionality for api users are quite limited, so its not possible. I have heard that 10.0 will be better but not to what extent. Other vendors have had the possibility to just allow certain commands for users but palo lacks here imo. Not sure on how you enviorment is setup, there is always the issue with the client modify the script and run other commands that you dont want. Perhaps just having a simple webportal where they can click one button?

hbalzac · ‎10-29-2020

So do you want to limit so this api users to only be able to run just a few commands? In this case reseting the vpn?

hbalzac · ‎10-15-2020

As have been stated 1000 times here. Creating a feature requst is done to your se. This is a place to share the id. Since you can also ask your SE to vote for other requests.

hbalzac · ‎06-28-2020

https://access.redhat.com/articles/3642632 Can someone with insight answer if palo plan to have their collection "certified" ?

hbalzac · ‎05-10-2020

Hi, can we share some script in this thread? I can post some when i have the computer infront of me.

hbalzac · ‎05-05-2020

Feels abit lazy to ask here, but i cant find how to query for hitcount using pandevice. How do i do that?

hbalzac · ‎05-03-2020

Why are not this hosted at palo altos own site? Yes im abit paranoid but i have never understod why this kind of packages are hosted at pip? At least if they are hosted at external site. Would it not be possible to implement something like this https://media.djangoproject.com/pgp/Django-2.2.12.checksum.txt ?

hbalzac · ‎05-02-2020

Is this still the behavior? It will install the mentioned modules evrytime i run a playbook? (I dont have access to a ansible installation to test with atm)

hbalzac · ‎05-02-2020

Is there any reason to use this insted of the built in backup function with scp?

hbalzac · ‎05-02-2020

Any news on this?

hbalzac · ‎09-09-2019

Im trying to setup a syslog forward from a loggcollector with tls, i get this error in the syslog log on the collector. Certificate subject does not match configured hostname; hostname='scrubbed', certificate='blah.blah.com' However the certificate has the correct hostname as a san name (aswell as blah.blah.com), however it has lots of san names (10+), blah.blah.com is the last one in the list of san name if i check the certificate with openssl from a other host. Has anyone run into issue with lots of san names on a palo while using client certificate?

hbalzac · ‎08-03-2019

Not an answer, but how do you avoid disabling rules that just was added?

Member Since	‎05-30-2018 10:12 PM
Date Last Visited	‎03-12-2021 11:14 AM
Posts	52

Online Status	Offline
Date Last Visited	‎03-12-2021 11:14 AM

About hbalzac

Re: converting existing policies into ansible code

Re: converting existing policies into ansible code

Get zones info for two ip (multiple firewalls)

Re: Client want to reset vpn tunnel though API tools

Re: Client want to reset vpn tunnel though API tools

Re: converting existing policies into ansible code

Re: Same task over and over, automate?

Re: Expedition root directory keeps growing

Re: PA - can we have an honest discussion about Ansible and PA?

Re: PA - can we have an honest discussion about Ansible and PA?

Re: converting existing policies into ansible code

Re: converting existing policies into ansible code

Get zones info for two ip (multiple firewalls)

Re: Client want to reset vpn tunnel though API tools

Re: Client want to reset vpn tunnel though API tools

Re: Feature Request List

Ansible collection

Share scripts/ansible playbooks

Query hitcount with pandevice

Pandevice/panpython, checksum?

Re: Ansible-pan with Ansible Tower and Git

Re: Use Ansible to backup config

Re: Same task over and over, automate?

Client certificate for syslog is failing

Re: Policy Optimizer API calls

Network Security

Cloud Security

Security Operations

About hbalzac