Roger Perkin

Palo Alto Ansible Playbook Example

If you are looking for a Palo Alto Ansible Playbook you are in the right place!
In this post I am going to take you through all the steps you need to start getting into Palo Alto Ansible automation.

I will be doing all of this from an Ubuntu 20.04 desktop using Ansible 2.11.4.

There are a few dependencies that you need to install and then I will explain the core concepts.

You will need:

  • Palo Alto Ansible Galaxy collection (paloaltonetworks.panos)
  • pan-os-python SDK

Ansible Palo Alto Collection

The first step is to install the Palo Alto Ansible collection.

From your terminal type: ansible-galaxy collection install paloaltonetworks.panos

I already have the collection installed – yours will say Installing paloaltonetworks.panos: <current version> to /home/ubuntu…

[Screenshot: ansible-galaxy collection install output]

You will also have to install the Python PAN-OS SDK:

pip3 install pan-os-python

[Screenshot: pip3 install pan-os-python output]

I already have this installed too; yours will show the package being downloaded and installed.

If you do not already have Ansible installed, it can be installed with pip3 install ansible.

Now that you have all the requirements in place, let's look at the topology I am going to be automating.

[Screenshot: Palo Alto Ansible lab topology]

I have 2 Palo Alto firewalls running in EVE-NG. They have obtained a management address via DHCP and have no other configuration on them. For the purpose of this tutorial I am going to use an API key for authentication. This is a unique key generated from your username and password. To generate the API key you POST to the firewall's API, so you will need the IP address of the firewall and a username and password.

Palo Alto default password

The default username and password for a Palo Alto firewall is admin / admin.

If you are using the virtual devices and you cannot log in, leave them for a couple of minutes: they will boot and show a login prompt before they are ready to accept the login.

Ansible Palo Alto API Key

From your terminal type this command. In my example the IP of my firewall is 192.168.1.128; change this value to your management IP.

curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'

Note this is a lab environment just for testing; in production you will need to change the default admin password.

This API call should return a “success” and give you an API key.

➜  PA git:(master) ✗ curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'
<response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response>%                                           
➜  PA git:(master) ✗ 

You now need to copy everything between the <key> and </key> tags. Save that, as you will need it later.
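The same keygen call as an added Ansible play (example code, not from the original post or the PAN-OS collection). It sends the username and password in the POST body rather than in the URL query string, so they stay out of shell history and proxy logs, checks that the reply actually carries a key, and builds the palo_provider dictionary from it so the key never has to be stored. It assumes the palo inventory group with ansible_host set per device (described further down) and two assumed variables, panos_username and panos_password, loaded from a vault-encrypted vars file.

```yaml
# Added example: generate the PAN-OS API key on the fly instead of storing it.
# Assumes: inventory group "palo" with ansible_host per device, and the
# variables panos_username / panos_password from an Ansible Vault file.
---
- name: Generate a PAN-OS API key per firewall
  hosts: palo
  connection: local
  gather_facts: false

  tasks:
    - name: Request the key (credentials go in the POST body, not the URL)
      ansible.builtin.uri:
        url: "https://{{ ansible_host }}/api/?type=keygen"
        method: POST
        body_format: form-urlencoded
        body:
          user: "{{ panos_username }}"
          password: "{{ panos_password }}"
        validate_certs: false      # lab firewall with a self-signed certificate
        return_content: true
      register: keygen
      no_log: true                 # keep the password and key out of the run output

    - name: Stop if the reply does not contain a key
      ansible.builtin.assert:
        that:
          - keygen.status == 200
          - keygen.content is search('<key>')
        fail_msg: "keygen returned no key for {{ inventory_hostname }}"

    - name: Build the provider dictionary the panos modules expect
      ansible.builtin.set_fact:
        palo_provider:
          ip_address: "{{ ansible_host }}"
          api_key: "{{ keygen.content | regex_findall('<key>([^<]+)</key>') | first }}"
      no_log: true

    - name: Report only that a key was obtained, never the key itself
      ansible.builtin.debug:
        msg: "API key obtained for {{ inventory_hostname }}"
```

Because set_fact values persist for the host across plays in the same run, the panos_* tasks from the provisioning playbook can follow this play and use palo_provider unchanged.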

Ansible Palo Alto provider details

When using Ansible to automate Palo Alto devices, the panos modules use a concept called a provider. For each playbook task you specify the provider, which at a minimum needs the IP address and either an API key or a username/password combination. This can be coded directly into the playbook, but your API key would then be stored in clear text, so best practice is to put it in a vars file that you encrypt with Ansible Vault.

Check out my Ansible Vault Tutorial

As I am using Ansible, I will use the group_vars and host_vars folders to pull data from.

Within group_vars I have a file called palo.yml. This contains all the information relevant to all my Palo devices: the provider details, using the {{ ansible_host }} variable to pull the IP from the hosts file.

[Screenshot: group_vars/palo.yml provider information]

Here you can see that in the palo.yml file I have created an entry for palo_provider: (this will be referenced in the playbook later). Under the provider I have api_key:, which is where you paste your API key, and ip_address:, the management IP of the firewall; the {{ ansible_host }} variable pulls the IP from the hosts file.

Check out my post on the Ansible Inventory File if you are unsure how to add hosts.

Let's take a look at the hosts file now.

Here you can see I have created a group called palo, denoted by the square brackets, and in that group I have 2 devices, PA-1 and PA-2. I have used the ansible_host entry to specify the IP address. If the name were resolvable in DNS you could just put the name, or you can just put the IP, but then when your playbook runs you will see the IP instead of the name PA-1 or PA-2.

For more information on the hosts file you can read my post on the Ansible Hosts File.
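The variable files the provisioning playbook reads, written out as an added example (not the post's own files; the palo.yml layout follows the description above). The inventory is the YAML form of the [palo] group with an ansible_host per device; PA-2's address, the DNS, Panorama and interface addresses and the backup account name are constructed placeholders, and api_key is a placeholder for the value from the keygen call.

```yaml
# Added example of the files the post's playbook reads (not the post's own
# files); values marked "constructed" are placeholders for your own.
# Each "file:" comment below starts a separate file.
---
# file: hosts.yml  (YAML form of the [palo] group with PA-1 and PA-2)
all:
  children:
    palo:
      hosts:
        PA-1:
          ansible_host: 192.168.1.128   # the post's lab firewall
        PA-2:
          ansible_host: 192.168.1.129   # constructed
---
# file: group_vars/palo.yml  (shared by every host in [palo];
# encrypt it with: ansible-vault encrypt group_vars/palo.yml)
palo_provider:
  ip_address: "{{ ansible_host }}"     # filled per host from the inventory
  api_key: "PASTE-KEY-FROM-KEYGEN-HERE"   # placeholder for the <key> value
dns_primary_ip: 192.168.1.53           # constructed
dns_secondary_ip: 192.168.1.54         # constructed
panorama_primary_ip: 192.168.1.10      # constructed
panorama_secondary_ip: 192.168.1.11    # constructed
adminusername: backupadmin             # constructed
adminpassword: "CHANGE-ME"             # placeholder; lives only inside the vaulted file
---
# file: host_vars/PA-1.yml  (per-device values; create one file per host)
ip:
  ethernet1: 10.1.1.1/24               # constructed address for ethernet1/1
```

With these in place the playbook runs as ansible-playbook -i hosts.yml --ask-vault-pass palo-prov.yml, with Ansible decrypting group_vars/palo.yml at run time.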

Now that we have the basics set up, let's look at the Ansible playbook.

Ansible Palo Alto Playbook Example

This simple playbook will connect to the two Palo Alto firewalls, set the DNS and Panorama addresses, create a backup admin account, and configure Ethernet1/1 as a Layer 3 interface with an IP address in the Outside zone.

# Pre Provision Playbook to get base config on a Palo Alto Firewall 
---

- name: Palo Alto Provision 
  hosts: palo
  connection: local

  collections:
    - paloaltonetworks.panos

  tasks: 
    - name: Set DNS and Panorama
      panos_mgtconfig: 
        provider: '{{ palo_provider }}'
        dns_server_primary: '{{ dns_primary_ip }}'
        dns_server_secondary: '{{ dns_secondary_ip }}'
        panorama_primary: '{{ panorama_primary_ip }}'
        panorama_secondary: '{{ panorama_secondary_ip }}'
        commit: false
    
    - name: Set backup user account 
      panos_administrator:
        provider: '{{ palo_provider }}'
        admin_username: '{{ adminusername }}'
        admin_password: '{{ adminpassword }}'
        superuser: true
        commit: false 

    - name: Set Ethernet1/1 as static in zone Outside
      panos_interface: 
        provider: '{{ palo_provider }}'
        if_name: "ethernet1/1"
        mode: "layer3"
        ip: "{{ ip.ethernet1 }}"
        enable_dhcp: false
        zone_name: "Outside"

    - name: Commit 
      panos_commit_firewall:
        provider: '{{ palo_provider }}'

You should be able to make sense of what is going on here: each task has a provider: entry pointing to my palo_provider variable.

The final task will commit the changes.

➜  Ansible git:(master) ✗ cd PA 
➜  PA git:(master) ✗ ansible-playbook palo-prov.yml

PLAY [Palo Alto Playbook] ********************************************************************

TASK [Set DNS and Panorama] ******************************************************************
changed: [PA-1]
changed: [PA-2]

TASK [Set backup user account] ***************************************************************
changed: [PA-1]
changed: [PA-2]

TASK [Set Ethernet1/1 as static in zone Outside] *********************************************
ok: [PA-1]
ok: [PA-2]

TASK [Commit] ********************************************************************************
changed: [PA-2]
changed: [PA-1]

PLAY RECAP ***********************************************************************************
PA-1                       : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
PA-2                       : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

➜  PA git:(master) ✗ 

For more information on what you can do with Ansible and Palo Alto for network automation, there is much more in the official documentation:

https://ansible-pan.readthedocs.io/en/latest

You can also clone the git repo for what I used above here:

https://github.com/rogerperkin/network-programmability/tree/master/SCRIPTS/Ansible/PA

If you want to dig deeper into this I also have an Ansible Network Automation course which will take you from zero to hero with Ansible.


Reader Interactions

Comments

  1. Ran

    January 8, 2022 at 11:21 pm

    Great article. Quick question, I can only see one Palo’s API key in the palo.yml file so, how can Ansible reach both firewalls? I presume the API_KEY will be different to each firewall?

    Reply
    • Roger Perkin

      January 11, 2022 at 9:12 am

      There is only one API key because the username and password are the same on both devices.

      I have another script which I will add to the post that generates the API key on the fly. If things are different, you just put them under the specific host file for each device as opposed to the group level file.

      Reply

Copyright © 2022 · Roger Perkin · All Rights Reserved · Powered by Mai Theme