Ansible for Palo Alto firewalls

I have done scripting before, and I have used Expect and shell scripts for tasks that allowed me to do so. Ansible has been on my radar for some time, so today I thought I should start getting Ansible set up on my home laptop, just to do some simple tasks on my Palo Alto firewall at home.

I'm a long-time Debian user, but for some reason I now use Ubuntu on my laptop. Anyway, apt is apt, so I did:

apt install ansible python-pip

I need pip to get the missing Python libs installed with:

pip install appdirs asn1crypto boto3 botocore cffi cryptography docutils enum34 futures idna ipaddress Jinja2 jmespath MarkupSafe packaging pan-python pandevice paramiko pyasn1 pycparser pycrypto pydevd pyparsing python-dateutil PyYAML s3transfer six xmltodict

Now I can create a playbook where I aim to just create an address object on the Palo Alto.

My playbook file: create_address_object.yml

Yes, it is simple, and I got most of it from the Palo Alto guide. But again, it is just a POC. Here goes:

# Minimal POC playbook: runs locally and talks to the firewall's management
# interface through the panos_object module (needs pan-python and pandevice).
- name: create_address_object
  hosts: localhost
  connection: local

  tasks:
    - name: create an address object
      panos_object:
        ip_address: "172.30.9.1"          # firewall management address
        username: "admin"
        # Hard-coded for the POC only; keep real credentials out of the
        # playbook (ansible-vault or an encrypted vars file) before reuse.
        password: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        operation: "add"                  # "add" is not idempotent: a second run fails
        address: "192.192.192.192"        # no mask given, so PAN-OS treats it as a /32 host
        address_type: "ip-netmask"
        addressobject: "TESTOBJ"

 

In the end, after some debugging, I could run it with the command below:

ansible-playbook create_address_object.yml

Below is the terminal output:

PLAY [create_address_object] ************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [localhost]

TASK [create an address object] ************************************************************************************************
changed: [localhost]

PLAY RECAP ************************************************************************************************
localhost                  : ok=1   changed=1    unreachable=0    failed=0

As indicated by changed=1, I did add the address object.

If the same playbook is run again it will fail, because operation "add" is not idempotent and the object is already present in the firewall.
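The same object created idempotently and without the password sitting in the playbook, as an added example that is not from the original post or the Palo Alto guide. It assumes the newer panos_address_object module from the paloaltonetworks.panos collection is installed, and that the firewall password lives in a vault-encrypted file named vault.yml under the variable panos_password; the file and variable names are placeholders, and the firewall IP and object are the ones used above.

```yaml
# Added example: idempotent, vault-backed version of the POC playbook.
# Assumes the paloaltonetworks.panos collection is installed
# (ansible-galaxy collection install paloaltonetworks.panos) and that
# vault.yml was created with "ansible-vault create vault.yml" and contains
#   panos_password: "the real password"
- name: create_address_object_idempotent
  hosts: localhost
  connection: local
  gather_facts: false          # nothing here needs facts about localhost

  vars_files:
    - vault.yml                # encrypted; run with --ask-vault-pass or --vault-password-file

  vars:
    panos_provider:
      ip_address: "172.30.9.1"
      username: "admin"
      password: "{{ panos_password }}"   # resolved from the vault, never a literal here

  tasks:
    - name: ensure address object TESTOBJ exists
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ panos_provider }}"
        name: "TESTOBJ"
        value: "192.192.192.192/32"      # explicit /32 instead of relying on the default
        address_type: "ip-netmask"
        state: present                   # reports changed only when the object differs
      no_log: true                       # keep the provider credentials out of verbose output
```

Run it with ansible-playbook --ask-vault-pass create_address_object.yml. The first run reports changed=1 just like the POC; a second run reports changed=0 instead of failing, because state: present compares the existing object with the requested one rather than blindly adding it.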

I'm excited about what I can do with this, both for customers and internally, to offload the operations team, etc.

One great use case is integrating ServiceNow, Ansible and Palo Alto firewalls to automate a lot of the simple stuff.