Ansible at Palo Alto Networks
The PAN-OS Collection - Certified and Supported
The collection of content for PAN-OS has been officially certified by the Red Hat Ansible team (list of Ansible certified content) since version 2.12.2, December 2022. This includes the Ansible modules for configuration and operations tasks, as well as the extension plugins for Event-Driven Ansible.
If you are an Ansible Automation Platform subscriber, you will be able to see the collection in Automation Hub, (also viewable through Ecosystem Catalog) and the collection will be supported as part of your ongoing support agreement/offering. Red Had and Palo Alto Networks have collaborated extensively in order to bring the collection into Automation Hub, and to provide you with a supported solution for automating your PAN-OS operations and configuration tasks, with Ansible.
If you are a user of the free and open-source Ansible offerings, you will still be able to use the collection of Ansible modules for PAN-OS as you always have done previously; the PAN-OS collection will continue to be published to Ansible Galaxy, as well as to Automation Hub.
All users of the PAN-OS collection will also benefit from the revised and updated set of getting started tutorials, how-to guides, and background information, which is now published here on pan.dev.
Event-Driven Ansible - Respond to Events with Flexible Actions
Event-Driven Ansible (EDA) provides event-handling capabilities to automate time-consuming tasks and respond to changing conditions in any IT domain. It can process events, determine the appropriate response, then execute automated actions to address or remediate the event.
Palo Alto Networks has expanded the certified PAN-OS Collection to include an event source for EDA, such that logs from PAN-OS NGFWs and Panorama can be used to trigger events in the EDA controller. Rules within the EDA-triggered rulebooks are then able to respond to the trigger sent by PAN-OS, and one of many potential actions would be to use the existing PAN-OS modules to perform configuration or operational commands on PAN-OS NGFWs or Panorama.
The first use case developed for Event-Driven Ansible is for remediation of forward proxy decryption issues; there is a full guide to deploying this use case in the documentation.
The PAN-OS Collection - Common Use Cases
Looking for inspiration, or just not sure where to start? Here are some common use cases where organizations have used Ansible to configure and maintain their security stack:
-
Configuration - adds, removals or edits
- Address objects
- Security/firewall rules
- Address translation (NAT) rules
- Security services (Antivirus, IPS, URL Filtering, WildFire)
- Decryption rules
- Network interfaces
- Static and dynamic routing
- IPSEC VPNs
- And many more...
-
Operations
- Validating new configuration
- Pulling information about device state
- Performing software upgrades
- Certificate management
- Backing up configurations
- Reporting on statistics, metrics, rule hit counts
- License management
- And many more...