Roger Perkin

Learn Network Automation

You are here: Home / Network Automation / Ansible Network Automation / Palo Alto Ansible

Palo Alto Ansible Playbook Example

If you are looking for a Palo Alto Ansible Playbook you are in the right place!
In this post I am going to take you through all the steps you need to start getting into Palo Alto Ansible automation.

I will be doing all of this from an Ubuntu 20.04 desktop using Ansible 2.11.4

There are a few dependencies that you need to install and then I will explain the core concepts.

You will need:

  • Palo Alto Ansible Galaxy Role
  • pan-os SDK

Ansible Palo Alto Collection

First step is to install the Palo Alto Ansible collection.

From your terminal type: ansible-galaxy collection install paloaltonetworks.panos

I already have the collection installed – yours will say Installing paloaltonetworks.panos: <current version> to /home/ubuntu…

palo alto ansible galaxy connection install

You will also have to install the Python PAN-OS SDK

pip3 install pan-os-python

install pan os sdk for python

I also have this installed, yours will show downloading the installation.

If you do not already have ansible installed, this can be done with pip3 install ansible

Now you have all the requirements in place, lets look at the topology I am going top be automating

palo alto ansible lab

I have 2 Palo Alto firewalls running in EVE-NG they have obtained a management address via DHCP and have no other config on them. For the purpose of this tutorial, I am going to be using the API key for authentication. This is a unique key generated from your username and password. To generate the API key you need to do a post to the firewall and you will need the ip address of the firewall and a username and password.

Palo Alto default password

The default username and password for a Palo Alto firewall is admin / admin.

If you are using the virtual devices and you cannot log in, leave them for a couple minutes, as they will boot and give you a login prompt but will not accept the login.

Ansible Palo Alto API Key

From your terminal type this command – in my example the IP of my firewall is 192.168.1.128 – change this value to your management IP.

curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'

Note this is a lab environment just for testing, in production you will need to change the default admin password.

This API call should return a “success” and give you an API key. 

➜  PA git:(master) ✗ curl -k -X POST 'https://192.168.1.128/api/?type=keygen&user=admin&password=admin'
<response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response>%                                           
➜  PA git:(master) ✗

You now need to copy all the code between the <key></key> tags. Save that as you will need it later.

Ansible Palo Alto provider details

When using Ansible to automate Palo Alto devices they use a concept called provider, for each playbook task you specify the provider, this needs to have at a minimum the ip address and api key or username / password combination. This can be coded directly into the playbook but your API key will be in clear so best practice is to put it in a vars file so you can use Ansible Vault to encrypt the data.

Check out my Ansible Vault Tutorial

As I am using Ansible I will use the group_vars and host_vars folders to pull data from.

Within group_vars I have a file called palo.yml This will contain all the information relevant to all my Palo devices. It will contain the provider details and I am using the {{ ansible_host }} variable that will pull the IP from the hosts file

ansible palo alto group vars provider information

Here you can see in the palo.yml file I have created an entry for palo_provider: (This will be referenced in the playbook later) under the provider I have the api_key: This is where you copy your API to. The ip_address is the management IP of the firewall. the {{ ansible_host }} will pull the ip from the hosts file.

Lets take a look at the hosts file now.

Here you can see I have created a group called palo denoted by the square brackets and in that group I have 2 devices PA-1 and PA-2. I have used the ansible_host entry to specify the IP address. If the IP was resolvable in DNS you could just put the name or you can just put the IP, but when your playbook runs you will just see the IP instead of the name PA-1 or PA-2.

For more information on the hosts file you can read my post on the Ansible Hosts File

Now we have the basics setup let’s look at the Ansible playbook

Ansible Palo Alto Playbook Example

This simple playbook will connect to the two Palo Alto firewalls and create a backup admin account and put an IP address on Ethernet1/1 and set it to mode Layer 3 and put it in the Outside zone. 

# Pre Provision Playbook to get base config on a Palo Alto Firewall 
---

- name: Palo Alto Provision 
  hosts: palo
  connection: local

  collections:
    - paloaltonetworks.panos

  tasks: 
    - name: Set DNS and Panorama
      panos_mgtconfig: 
        provider: '{{ palo_provider }}'
        dns_server_primary: '{{ dns_primary_ip }}'
        dns_server_secondary: '{{ dns_secondary_ip }}'
        panorama_primary: '{{ panorama_primary_ip }}'
        panorama_secondary: '{{ panorama_secondary_ip }}'
        commit: false
    
    - name: Set backup user account 
      panos_administrator:
        provider: '{{ palo_provider }}'
        admin_username: '{{ adminusername }}'
        admin_password: '{{ adminpassword }}'
        superuser: true
        commit: false 

    - name: Set Ethernet1/1 as static in zone Outside
      panos_interface: 
        provider: '{{ palo_provider }}'
        if_name: "ethernet1/1"
        mode: "layer3"
        ip: "{{ ip.ethernet1 }}"
        enable_dhcp: false
        zone_name: "Outside"

    - name: Commit 
      panos_commit_firewall:
        provider: '{{ palo_provider }}'

You should be able to make sense of what is going on here and you can see the provider: for each task which is pointing to my palo_provider.

The final task will commit the changes. 

➜  Ansible git:(master) ✗ cd PA 
➜  PA git:(master) ✗ ansible-playbook palo-prov.yml

PLAY [Palo Alto Playbook] ********************************************************************

TASK [Set DNS and Panorama] ******************************************************************
changed: [PA-1]
changed: [PA-2]

TASK [Set backup user account] ***************************************************************
changed: [PA-1]
changed: [PA-2]

TASK [Set Ethernet1/1 as static in zone Outside] *********************************************
ok: [PA-1]
ok: [PA-2]

TASK [Commit] ********************************************************************************
changed: [PA-2]
changed: [PA-1]

PLAY RECAP ***********************************************************************************
PA-1                       : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
PA-2                       : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

➜  PA git:(master) ✗

For more information on what you can do with Ansible and Palo Alto for Network Automation there is so much more information here from the official documentation.

https://ansible-pan.readthedocs.io/en/latest

You can also clone the git repo for what I used above here

https://github.com/rogerperkin/network-programmability/tree/master/SCRIPTS/Ansible/PA

If you want to dig deeper into this I also have an Ansible Network Automation course which will take you from zero to hero with Ansible.

ansible network automation course
Category:

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *