Palo Alto Ansible Playbook Example
If you are looking for a Palo Alto Ansible Playbook you are in the right place!
In this post I am going to take you through all the steps you need to start getting into Palo Alto Ansible automation.
I will be doing all of this from an Ubuntu 20.04 desktop using Ansible 2.11.4.
There are a few dependencies that you need to install, and then I will explain the core concepts.
You will need:
- Palo Alto Ansible Galaxy collection (paloaltonetworks.panos)
- PAN-OS Python SDK (pan-os-python)
Ansible Palo Alto Collection
First step is to install the Palo Alto Ansible collection.
From your terminal type: ansible-galaxy collection install paloaltonetworks.panos
I already have the collection installed; yours will say Installing paloaltonetworks.panos: <current version> to /home/ubuntu…
You will also have to install the Python PAN-OS SDK:
pip3 install pan-os-python
I also have this installed; yours will show the package downloading and installing.
If you do not already have Ansible installed, this can be done with pip3 install ansible.
Now you have all the requirements in place, let's look at the topology I am going to be automating.
I have 2 Palo Alto firewalls running in EVE-NG. They have obtained a management address via DHCP and have no other config on them. For the purpose of this tutorial, I am going to be using the API key for authentication. This is a unique key generated from your username and password. To generate the API key you send a POST request to the firewall's API, so you will need the IP address of the firewall and a username and password.
Palo Alto default password
The default username and password for a Palo Alto firewall is admin / admin.
If you are using the virtual devices and you cannot log in, give them a couple of minutes: they show a login prompt before boot has finished and will not accept the login until then.
Ansible Palo Alto API Key
From your terminal type this command. In my example the IP of my firewall is 192.168.1.128; change this value to your management IP.
curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'
Note this is a lab environment just for testing; in production you will need to change the default admin password.
This API call should return a status of “success” and give you an API key.
➜ PA git:(master) ✗ curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'
<response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response>%
➜ PA git:(master) ✗
You now need to copy the string between the <key></key> tags. Save it, as you will need it later.
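The keygen call above in Python, as an added example that is not part of the original post. It builds the same request the curl one-liner sends, but URL-encodes the credentials (a password containing & or # breaks the raw curl URL), and it parses the XML reply so the key is checked rather than copied by eye. The sample replies are constructed, the key value is a placeholder, and the error-reply layout (<result><msg>) is an assumption; fetch_api_key is the live call and is not exercised offline. Note that with either tool the username, password and returned key all pass through the URL and your shell history.

```python
# Added example (not from the original post): build the keygen request the
# curl one-liner above makes, and extract the key from the XML reply.
# Assumptions: the endpoint is /api/?type=keygen&user=..&password=.. as shown
# above, and error replies carry the reason in <result><msg>. Sample replies
# below are constructed; the key value is a placeholder, not a real key.
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_keygen_url(host: str, user: str, password: str) -> str:
    """Keygen URL with the credentials URL-encoded.

    The curl command pastes the password straight into the URL, so a password
    containing '&', '#' or '%' would silently break the request; urlencode
    escapes it. The credentials still travel in the URL, which is why the
    curl line ends up in shell history and possibly in proxy logs.
    """
    query = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password}
    )
    return f"https://{host}/api/?{query}"


def parse_keygen_response(body: str) -> str:
    """Return the API key from a keygen reply; raise on an error reply."""
    root = ET.fromstring(body)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response")
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise ValueError("success reply without a <key> element")
    return key.strip()


def fetch_api_key(host, user, password, ca_bundle=None, timeout=10):
    """Live call against a firewall (not exercised offline).

    ca_bundle=None reproduces curl -k, i.e. no certificate check; pass the
    firewall's CA bundle outside the lab so the key is not handed to whoever
    answers on that IP.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if ca_bundle is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(build_keygen_url(host, user, password), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_keygen_response(resp.read().decode())


# Constructed sample replies in the format the curl output above shows.
SAMPLE_OK = ("<response status = 'success'><result>"
             "<key>EXAMPLE-KEY-PLACEHOLDER</key></result></response>")
SAMPLE_ERR = ("<response status = 'error' code = '403'><result>"
              "<msg>Invalid Credential</msg></result></response>")

if __name__ == "__main__":
    print(parse_keygen_response(SAMPLE_OK))
```

Run it as a script to see the parsed placeholder key; swap in fetch_api_key("192.168.1.128", "admin", "admin") against a lab firewall to get a real one.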
Ansible Palo Alto provider details
When using Ansible to automate Palo Alto devices, the modules use a concept called a provider. For each playbook task you specify the provider, which at a minimum needs the IP address and either an API key or a username / password combination. This can be coded directly into the playbook, but then your API key sits in clear text, so best practice is to put it in a vars file that you can encrypt with Ansible Vault.
Check out my Ansible Vault Tutorial
As I am using Ansible, I will use the group_vars and host_vars folders to pull data from.
Within group_vars I have a file called palo.yml. This contains all the information relevant to all my Palo devices, including the provider details, and it uses the {{ ansible_host }} variable to pull each device's IP from the hosts file.
In the palo.yml file I have created an entry called palo_provider: (this will be referenced in the playbook later). Under the provider there is api_key: which is where you paste your API key, and ip_address: which is the management IP of the firewall; the {{ ansible_host }} value will pull that IP from the hosts file.
Check out my post on the Ansible Inventory File if you are unsure how to add hosts.
Let's take a look at the hosts file now.
Here you can see I have created a group called palo, denoted by the square brackets, and in that group I have 2 devices, PA-1 and PA-2. I have used the ansible_host entry to specify the IP address. If the names were resolvable in DNS you could just put the names, or you could put just the IPs, but then when your playbook runs you will see the IP instead of the name PA-1 or PA-2.
For more information on the hosts file you can read my post on the Ansible Hosts File
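The group_vars and hosts layout just described, written out as an added example that is not part of the original post (the actual files are in the author's repo linked at the end). The file contents are constructed: only PA-1's address comes from the post, PA-2's address, the DNS, Panorama and interface values and the credentials are placeholders, and the variable names are taken from the playbook further down. render_ansible_host shows the {{ ansible_host }} substitution Ansible performs per host, and plaintext_secrets is a small check you can run over group_vars/ and host_vars/ before committing, flagging any api_key or password that is neither in a vault-encrypted file nor a !vault-tagged value.

```python
# Added example (not from the original post): the group_vars / hosts layout the
# post describes, with the {{ ansible_host }} substitution shown explicitly, and
# a small check that flags secrets kept in unencrypted vars files. File contents
# and IP/credential values are constructed placeholders.
import re

# Constructed: hosts file. Only PA-1's address (192.168.1.128) comes from the post.
HOSTS_INI = """\
[palo]
PA-1 ansible_host=192.168.1.128
PA-2 ansible_host=192.168.1.129
"""

# Constructed: group_vars/palo.yml. Variable names match the playbook further
# down the post; values are placeholders.
GROUP_VARS_PALO = """\
---
palo_provider:
  ip_address: '{{ ansible_host }}'
  api_key: 'EXAMPLE-KEY-PLACEHOLDER'
dns_primary_ip: 192.0.2.53
dns_secondary_ip: 192.0.2.54
panorama_primary_ip: 192.0.2.10
panorama_secondary_ip: 192.0.2.11
adminusername: backupadmin
adminpassword: 'CHANGE-ME-PLACEHOLDER'
"""

SECRET_KEY = re.compile(r"^[ \t]*(api_key|[a-z_]*password)[ \t]*:[ \t]*(.*)$", re.M)
VAULT_HEADER = "$ANSIBLE_VAULT;"


def parse_inventory(text: str) -> dict:
    """INI-style hosts file -> {group: {host: {var: value}}}."""
    groups, current = {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            groups.setdefault(current, {})
            continue
        name, *pairs = line.split()
        groups.setdefault(current, {})[name] = dict(p.split("=", 1) for p in pairs)
    return groups


def render_ansible_host(vars_text: str, host_vars: dict) -> str:
    """Substitute {{ ansible_host }} the way Ansible does for each host."""
    return re.sub(r"\{\{\s*ansible_host\s*\}\}", host_vars["ansible_host"], vars_text)


def plaintext_secrets(path: str, text: str) -> list:
    """[(path, key)] for secret-looking keys that are not vault-protected.

    A whole-file vault starts with $ANSIBLE_VAULT;, and a single value
    encrypted with `ansible-vault encrypt_string` carries a !vault tag.
    Anything else under api_key: or *password: is sitting in clear.
    """
    if text.lstrip().startswith(VAULT_HEADER):
        return []
    return [(path, m.group(1)) for m in SECRET_KEY.finditer(text)
            if not m.group(2).strip().startswith("!vault")]


if __name__ == "__main__":
    inv = parse_inventory(HOSTS_INI)
    for host, hv in inv["palo"].items():
        print(host, render_ansible_host(GROUP_VARS_PALO, hv).splitlines()[2])
    print(plaintext_secrets("group_vars/palo.yml", GROUP_VARS_PALO))
```

Run against the constructed palo.yml it reports both api_key and adminpassword as plaintext; after ansible-vault encrypt group_vars/palo.yml (or encrypt_string for the individual values) it reports nothing.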
Now we have the basics set up, let's look at the Ansible playbook.
Ansible Palo Alto Playbook Example
This simple playbook will connect to the two Palo Alto firewalls, set the DNS and Panorama addresses, create a backup admin account, put a static IP address on ethernet1/1 in Layer 3 mode and place it in the Outside zone, then commit.
# Pre Provision Playbook to get base config on a Palo Alto Firewall
---
- name: Palo Alto Provision
  hosts: palo
  connection: local
  collections:
    - paloaltonetworks.panos
  tasks:
    - name: Set DNS and Panorama
      panos_mgtconfig:
        provider: '{{ palo_provider }}'
        dns_server_primary: '{{ dns_primary_ip }}'
        dns_server_secondary: '{{ dns_secondary_ip }}'
        panorama_primary: '{{ panorama_primary_ip }}'
        panorama_secondary: '{{ panorama_secondary_ip }}'
        commit: false
    - name: Set backup user account
      panos_administrator:
        provider: '{{ palo_provider }}'
        admin_username: '{{ adminusername }}'
        admin_password: '{{ adminpassword }}'
        superuser: true
        commit: false
    - name: Set Ethernet1/1 as static in zone Outside
      panos_interface:
        provider: '{{ palo_provider }}'
        if_name: "ethernet1/1"
        mode: "layer3"
        ip: "{{ ip.ethernet1 }}"
        enable_dhcp: false
        zone_name: "Outside"
    - name: Commit
      panos_commit_firewall:
        provider: '{{ palo_provider }}'
You should be able to make sense of what is going on here; note the provider: line in each task, which points to my palo_provider variable.
The final task will commit the changes.
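A pre-flight check over the playbook, as an added example that is not part of the original post. It splits the tasks: list on the "- name:" lines (assuming the two-space layout shown above, so no YAML library is needed) and applies three rules that are this example's own policy rather than anything the collection enforces: every panos_ task must carry a provider, no api_key or password may be pasted inline instead of templated from a vars file, and a task that passes a password argument should set no_log: true so the value stays out of -v output and failure messages. The first sample is a copy of the playbook above; the second is a constructed bad task.

```python
# Added example (not from the original post): a line-based pre-flight check over
# the playbook above. Assumes the two-space layout shown there (each task starts
# with "- name:" under "tasks:"). The rules are this example's own policy.
import re

# Copy of the post's playbook, used as sample input.
PLAYBOOK = """\
- name: Palo Alto Provision
  hosts: palo
  connection: local
  collections:
    - paloaltonetworks.panos
  tasks:
    - name: Set DNS and Panorama
      panos_mgtconfig:
        provider: '{{ palo_provider }}'
        dns_server_primary: '{{ dns_primary_ip }}'
        dns_server_secondary: '{{ dns_secondary_ip }}'
        panorama_primary: '{{ panorama_primary_ip }}'
        panorama_secondary: '{{ panorama_secondary_ip }}'
        commit: false
    - name: Set backup user account
      panos_administrator:
        provider: '{{ palo_provider }}'
        admin_username: '{{ adminusername }}'
        admin_password: '{{ adminpassword }}'
        superuser: true
        commit: false
    - name: Set Ethernet1/1 as static in zone Outside
      panos_interface:
        provider: '{{ palo_provider }}'
        if_name: "ethernet1/1"
        mode: "layer3"
        ip: "{{ ip.ethernet1 }}"
        enable_dhcp: false
        zone_name: "Outside"
    - name: Commit
      panos_commit_firewall:
        provider: '{{ palo_provider }}'
"""

# Constructed bad task: provider details pasted straight into the playbook.
BAD_PLAYBOOK = """\
- name: Constructed bad example
  hosts: palo
  tasks:
    - name: Show system info with an inline key
      paloaltonetworks.panos.panos_op:
        provider:
          ip_address: 192.168.1.128
          api_key: 'EXAMPLE-KEY-PLACEHOLDER'
        cmd: show system info
"""

SECRET_ARG = re.compile(r"^[ \t]+(api_key|\w*password\w*)[ \t]*:[ \t]*(.*)$", re.M)


def split_tasks(text: str) -> list:
    """Return one string per task under tasks:, found by their '- name:' lines."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "tasks:") + 1
    except StopIteration:
        return []
    tasks, current = [], None
    for line in lines[start:]:
        if re.match(r"^\s*- name:", line):
            if current:
                tasks.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        tasks.append("\n".join(current))
    return tasks


def task_module(task: str) -> str:
    """The module key is the first indented key with no value, e.g. panos_interface."""
    m = re.search(r"^[ \t]+([\w.]+):[ \t]*$", task, re.M)
    return m.group(1) if m else ""


def lint_task(task: str) -> list:
    name = re.search(r"- name:[ \t]*(.*)", task).group(1).strip()
    module = task_module(task)
    findings = []
    if module.split(".")[-1].startswith("panos_") and not re.search(r"^[ \t]+provider:", task, re.M):
        findings.append(f"{name}: panos module without a provider")
    for m in SECRET_ARG.finditer(task):
        key, value = m.group(1), m.group(2).strip()
        if "{{" not in value:
            findings.append(f"{name}: {key} is hard-coded; move it to a vaulted vars file")
        if "password" in key and not re.search(r"^[ \t]+no_log:[ \t]*true", task, re.M):
            findings.append(f"{name}: passes {key} without no_log: true")
    return findings


def lint_playbook(text: str) -> list:
    return [f for task in split_tasks(text) for f in lint_task(task)]


if __name__ == "__main__":
    print(lint_playbook(PLAYBOOK))
    print(lint_playbook(BAD_PLAYBOOK))
```

On the post's playbook the only finding is the backup-account task, which passes admin_password without no_log: true; the constructed task is caught for its inline api_key.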
➜ Ansible git:(master) ✗ cd PA
➜ PA git:(master) ✗ ansible-playbook palo-prov.yml
PLAY [Palo Alto Playbook] ********************************************************************
TASK [Set DNS and Panorama] ******************************************************************
changed: [PA-1]
changed: [PA-2]
TASK [Set backup user account] ***************************************************************
changed: [PA-1]
changed: [PA-2]
TASK [Set Ethernet1/1 as static in zone Outside] *********************************************
ok: [PA-1]
ok: [PA-2]
TASK [Commit] ********************************************************************************
changed: [PA-2]
changed: [PA-1]
PLAY RECAP ***********************************************************************************
PA-1 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
PA-2 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
➜ PA git:(master) ✗
For more information on what you can do with Ansible and Palo Alto for network automation, there is a lot more in the official documentation:
https://ansible-pan.readthedocs.io/en/latest
You can also clone the git repo containing the files I used above:
https://github.com/rogerperkin/network-programmability/tree/master/SCRIPTS/Ansible/PA
If you want to dig deeper into this I also have an Ansible Network Automation course which will take you from zero to hero with Ansible.
Ran
Great article. Quick question, I can only see one Palo’s API key in the palo.yml file so, how can Ansible reach both firewalls? I presume the API_KEY will be different to each firewall?
Roger Perkin
There is only one API key because the username and password are the same on both devices.
I have another script, which I will add to the post, that generates the API key on the fly. If things are different, you just put them under the specific host file for each device as opposed to the group-level file.