Configure Anything Using XPath
In this guide, you will make configuration changes to a firewall using a generic module, `panos_config_element`, that can configure anything in PAN-OS that is addressable by an XPath. This is especially useful for features that have no dedicated module in the PAN-OS Ansible Collection.
Assumptions
This tutorial/guide assumes:
- you have a working installation of Ansible with the PAN-OS collection installed (see the collection's installation instructions)
- you have working connectivity to the firewall and/or Panorama
- you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama
Important - Work in a Lab Environment First
With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.
Create playbook files and define connectivity to the firewall
Create a new Ansible YAML file named `configure-with-xpath.yml`, establish a variable block called `device` for the firewall, and reference the PAN-OS collection. The `device` block accepts either a username and password or an API key; whichever you leave undefined is dropped by `default(omit)`. Prefer the API key, and supply credentials from Ansible Vault or an environment variable rather than as `--extra-vars` on the command line, where they are visible in shell history and process listings:
```yaml
---
- name: Configuration with Xpath
  hosts: '{{ target | default("firewall") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  collections:
    - paloaltonetworks.panos
```
Identify the XPath and element required
Use the PAN-OS API browser found at `https://your-device/api`, or an XML configuration exported from your device, to ascertain:
- the XPath required
- the element required to be inserted at the XPath
This XML configuration file, shortened for brevity, highlights the XPath and element required to define a VSYS:
```xml
<config version="10.1.0" urldb="paloaltonetworks">
  <mgt-config>
    ...
  </mgt-config>
  <shared>
    ...
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        ...
      </network>
      <deviceconfig>
        ...
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <display-name>First-VSYS</display-name>
          ...
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
```
By following the nested elements in the XML configuration, you can see that the XPath of the container that holds every VSYS is:

```
/config/devices/entry[@name="localhost.localdomain"]/vsys
```

Beneath the `vsys` element sits one `entry` per VSYS. When creating a VSYS, the only required part is the entry name, which is the VSYS ID (for example `vsys1`); you can also include a display name for human readability within the configuration later on:

```xml
<entry name="vsys1">
  <display-name>First-VSYS</display-name>
</entry>
```
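Before sending an XPath and element to a device, it is worth checking them offline against an exported configuration: that the XPath actually resolves, that the element is well-formed XML, and whether an entry with the same name already exists. The script below is an added example and is not part of the PAN-OS Ansible Collection; it uses only the Python standard library, a constructed sample of an exported configuration, and the VSYS XPath and element from this guide. It rewrites the absolute PAN-OS XPath into the relative form that `xml.etree.ElementTree` can evaluate (ElementTree has no absolute paths) and then previews the parent node as it would look after the module's `set`. The preview is a local approximation of the API `set` action, not the device's own merge logic.

```python
"""Offline preview of a panos_config_element change against an exported config.

Added example, not code from the PAN-OS Ansible Collection. It assumes the
exported configuration is rooted at <config> and that the XPath is written in
the absolute /config/... form shown on the device's API browser.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration, trimmed to the parts used here.
SAMPLE_CONFIG = """<config version="10.1.0" urldb="paloaltonetworks">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <display-name>First-VSYS</display-name>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

# The XPath and element from the guide.
XPATH = '/config/devices/entry[@name="localhost.localdomain"]/vsys'
ELEMENT = '<entry name="vsys2"><display-name>Second-VSYS</display-name></entry>'


def to_relative_xpath(xpath):
    """Turn "/config/a/b[...]" into "./a/b[...]", evaluated from the <config> root.

    ElementTree's limited XPath dialect supports child steps and [@attr="value"]
    predicates but not absolute paths, so the leading /config/ is stripped.
    """
    prefix = "/config/"
    if not xpath.startswith(prefix):
        raise ValueError("expected an XPath rooted at /config, got %r" % xpath)
    return "./" + xpath[len(prefix):]


def element_is_wellformed(element):
    """True if the element fragment parses as XML, False otherwise."""
    try:
        ET.fromstring(element)
        return True
    except ET.ParseError:
        return False


def preview_set(config_xml, xpath, element):
    """Report what setting `element` at `xpath` would do to `config_xml`.

    Returns a dict with:
      xpath_found      - whether the XPath resolves in the exported config
      entry_name       - the name attribute of the element being added
      already_present  - whether a same-tag, same-name child already exists
      children_after   - entry names under the XPath after the (local) set
    """
    root = ET.fromstring(config_xml)
    new = ET.fromstring(element)  # raises ET.ParseError if malformed
    name = new.get("name")
    parent = root.find(to_relative_xpath(xpath))
    if parent is None:
        return {"xpath_found": False, "entry_name": name,
                "already_present": False, "children_after": []}
    existing = None
    if name is not None:
        existing = parent.find('./%s[@name="%s"]' % (new.tag, name))
    already_present = existing is not None
    if not already_present:
        parent.append(new)  # local preview only; the device performs a merge
    return {
        "xpath_found": True,
        "entry_name": name,
        "already_present": already_present,
        "children_after": [e.get("name") for e in parent.findall("./entry")],
    }


if __name__ == "__main__":
    print("element well-formed:", element_is_wellformed(ELEMENT))
    print(preview_set(SAMPLE_CONFIG, XPATH, ELEMENT))
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; a result with `xpath_found` false usually means a typo in an `@name` predicate, and `already_present` true means the task will modify an existing object rather than create one.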
Define the VSYS creation task
With the XPath and element identified, you can define a task that creates a new VSYS by passing both to `panos_config_element`:

```yaml
  tasks:
    - name: Create VSYS
      paloaltonetworks.panos.panos_config_element:
        provider: "{{ device }}"
        xpath: '/config/devices/entry[@name="localhost.localdomain"]/vsys'
        element: '<entry name="vsys2"><display-name>Second-VSYS</display-name></entry>'
```
Final playbook
Putting all the sections together, the playbook in its entirety looks like this. Note that `panos_config_element` writes to the candidate configuration only; it does not commit. Add a `panos_commit_firewall` (or `panos_commit_panorama`) task, or commit manually, to make the change active. To remove the element later, run the same task with `state: absent`.

```yaml
---
- name: Configuration with Xpath
  hosts: '{{ target | default("firewall") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  collections:
    - paloaltonetworks.panos

  tasks:
    - name: Create VSYS
      paloaltonetworks.panos.panos_config_element:
        provider: "{{ device }}"
        xpath: '/config/devices/entry[@name="localhost.localdomain"]/vsys'
        element: '<entry name="vsys2"><display-name>Second-VSYS</display-name></entry>'
```