
Configure Anything Using XPath

In this guide, you will make configuration changes to a firewall using the generic panos_config_element module, which can configure anything in PAN-OS that is addressable by an XPath and an XML element. This is especially useful for configuring features for which there is no predefined module in the PAN-OS Ansible Collection.

Assumptions

This tutorial/guide assumes:

  • you have a working installation of Ansible with the PAN-OS collection installed (see example instructions here)
  • you have working connectivity to the firewall and/or Panorama
  • you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama

Important - Work in a Lab Environment First

With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.

Create playbook files and define connectivity to the firewall

Create a new Ansible YAML file named configure-with-xpath.yml, define a variable block called device that holds the firewall connection details, and reference the PAN-OS collection. Either a username and password or an API key is supplied; the default(omit) filters drop whichever you do not provide. Prefer an API key, and pass it in from Ansible Vault or an environment variable rather than writing credentials into the playbook:

---
- name: Configuration with Xpath
  hosts: '{{ target | default("firewall") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  collections:
    - paloaltonetworks.panos

Identify the XPath and element required

Use the PAN-OS API browser found at https://your-device/api, or an exported XML configuration from your device, to ascertain:

  • the XPath required
  • the element required to be inserted at the XPath

This XML configuration file, shortened for brevity, highlights the XPath and element required to define a VSYS:

<config version="10.1.0" urldb="paloaltonetworks">
  <mgt-config>
    ...
  </mgt-config>
  <shared>
    ...
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        ...
      </network>
      <deviceconfig>
        ...
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <display-name>First-VSYS</display-name>
          ...
        </entry>
      </vsys>
    </entry>
  </devices>
</config>

By following the (indented) elements in the XML configuration, you can see that the XPath required for a VSYS is:

/config/devices/entry[@name="localhost.localdomain"]/vsys

Beneath the vsys element sits the VSYS entry itself. When creating a VSYS you only need the entry name, which is the VSYS ID (vsys1, vsys2 and so on); a display name is optional, but makes the configuration easier to read later on:

<entry name="vsys1">
  <display-name>First-VSYS</display-name>
</entry>
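Reading the XPath off a short snippet by eye is easy; in a full export it is easy to drop a predicate or pick the wrong ancestor. The script below, added here as an example and not part of the PAN-OS Ansible Collection, performs the same walk mechanically with only the Python standard library: it parses a constructed, shortened configuration, derives the absolute XPath of a node (adding the [@name="..."] predicate for every <entry>), serialises the node as the element string, and resolves the XPath back to confirm it points at exactly one node. SAMPLE_CONFIG and all function names are this example's own.

```python
"""Derive the panos_config_element xpath/element pair from an exported PAN-OS
configuration. Added example for this guide using only the standard library;
it is not part of the PAN-OS Ansible Collection."""
import copy
import xml.etree.ElementTree as ET

# Constructed sample: a shortened running-config export like the one above.
SAMPLE_CONFIG = """\
<config version="10.1.0" urldb="paloaltonetworks">
  <mgt-config/>
  <shared/>
  <devices>
    <entry name="localhost.localdomain">
      <network/>
      <deviceconfig/>
      <vsys>
        <entry name="vsys1">
          <display-name>First-VSYS</display-name>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def _parent_map(root):
    # ElementTree elements carry no parent pointer, so build the map once.
    return {child: parent for parent in root.iter() for child in parent}


def _step(node):
    """One XPath step: the tag, with an [@name="..."] predicate for named entries."""
    name = node.get("name")
    return node.tag if name is None else f'{node.tag}[@name="{name}"]'


def xpath_of(root, node, parents=None):
    """Absolute XPath of `node`, built by walking up from the node to `root`."""
    parents = parents if parents is not None else _parent_map(root)
    steps = []
    while node is not root:
        if node not in parents:
            raise ValueError("node is not part of this configuration tree")
        steps.append(_step(node))
        node = parents[node]
    steps.append(_step(root))
    return "/" + "/".join(reversed(steps))


def element_xml(node):
    """Serialise `node` the way the `element` parameter wants it: one line,
    no XML declaration, no indentation whitespace and no trailing tail text."""
    node = copy.deepcopy(node)
    node.tail = None
    for el in node.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(node, encoding="unicode")


def module_args(root, node):
    """The pair the guide's task uses: the XPath of the node's parent as `xpath`
    and the node itself, serialised, as the `element` to set beneath it."""
    parents = _parent_map(root)
    return {"xpath": xpath_of(root, parents[node], parents),
            "element": element_xml(node)}


def resolve(root, xpath):
    """Resolve an absolute XPath with ElementTree's limited XPath support, which
    needs a path relative to the root element, and return the matching nodes."""
    root_step = "/" + _step(root)
    if not xpath.startswith(root_step):
        raise ValueError("XPath does not start at the document root")
    return root.findall("." + xpath[len(root_step):])


def sample_tree():
    """Parse the constructed sample and return (root, the vsys1 entry)."""
    root = ET.fromstring(SAMPLE_CONFIG)
    return root, root.find('./devices/entry/vsys/entry[@name="vsys1"]')


if __name__ == "__main__":
    root, vsys1 = sample_tree()
    args = module_args(root, vsys1)
    print("xpath:  ", args["xpath"])
    print("element:", args["element"])
    # The parent XPath should resolve to exactly one node, the <vsys> container.
    print("resolves to:", [n.tag for n in resolve(root, args["xpath"])])
```

To use it on a real export, replace SAMPLE_CONFIG with the file contents (or ET.parse(path).getroot()) and point sample_tree's find() at the node you want; module_args() then returns the parent XPath and the entry element in exactly the shape the task below consumes.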

Define the VSYS creation task

With the XPath and element known, define a task that creates the new VSYS by passing both to panos_config_element. The module applies the element with the PAN-OS API's set action, which merges it into whatever already exists at the XPath, so the existing vsys1 entry is left in place; set edit: true if you want to replace the node at the XPath outright instead. The change lands in the candidate configuration only: nothing takes effect until a commit (for example with the paloaltonetworks.panos.panos_commit_firewall module), and on a firewall the multi virtual system capability must be supported and enabled before a second VSYS can be created:

  tasks:
    - name: Create VSYS
      paloaltonetworks.panos.panos_config_element:
        provider: "{{ device }}"
        xpath: '/config/devices/entry[@name="localhost.localdomain"]/vsys'
        element: '<entry name="vsys2"><display-name>Second-VSYS</display-name></entry>'
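Because element is raw XML, anything templated into it becomes configuration. If the VSYS ID or display name comes from outside the playbook (extra-vars, a ticket, a CMDB), a plain string template lets a crafted value close the tag and add nodes of its own. The following, added here as an example and not code from the PAN-OS Ansible Collection or this playbook, shows the naive template beside a hardened builder that validates the ID and lets ElementTree escape the text. The VSYS_ID pattern is an assumed naming rule for the example and HOSTILE_NAME is constructed input.

```python
"""Build the `element` string for panos_config_element from values that may
come from elsewhere, without letting them inject extra XML. Added example for
this guide; not part of the PAN-OS Ansible Collection."""
import re
import xml.etree.ElementTree as ET

# Assumed naming rule for this example: "vsys" followed by a small integer.
VSYS_ID = re.compile(r"^vsys[1-9]\d{0,2}$")


def naive_vsys_element(vsys_id, display_name):
    """The obvious string template (what a Jinja-templated `element` amounts to).
    Shown only to demonstrate the problem: nothing is validated or escaped."""
    return f'<entry name="{vsys_id}"><display-name>{display_name}</display-name></entry>'


def vsys_element(vsys_id, display_name):
    """Hardened form: the ID must match the expected pattern, and the display
    name is set as element text, so ElementTree escapes < > & on output."""
    if not VSYS_ID.match(vsys_id):
        raise ValueError(f"not a valid VSYS ID: {vsys_id!r}")
    entry = ET.Element("entry", name=vsys_id)
    ET.SubElement(entry, "display-name").text = display_name
    return ET.tostring(entry, encoding="unicode")


def display_names(element):
    """Parse an element string and list the <display-name> texts it carries,
    i.e. what the firewall would actually receive beneath the XPath."""
    return [d.text for d in ET.fromstring(element).findall("display-name")]


# Constructed hostile input: closes the tag and smuggles a sibling node in.
HOSTILE_NAME = "Second-VSYS</display-name><display-name>Injected"

if __name__ == "__main__":
    print(display_names(naive_vsys_element("vsys2", HOSTILE_NAME)))  # two nodes
    print(display_names(vsys_element("vsys2", HOSTILE_NAME)))        # one node, literal text
    print(vsys_element("vsys2", "Second-VSYS"))
```

In a playbook the equivalent guard is an ansible.builtin.assert on the variables before the panos_config_element task, or building the element in a small filter plugin rather than by string templating; either way, validate what goes into element as carefully as you would a command line.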

Final playbook

Putting all the sections together, the playbook in entirety looks like this:

---
- name: Configuration with Xpath
  hosts: '{{ target | default("firewall") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  collections:
    - paloaltonetworks.panos

  tasks:
    - name: Create VSYS
      paloaltonetworks.panos.panos_config_element:
        provider: "{{ device }}"
        xpath: '/config/devices/entry[@name="localhost.localdomain"]/vsys'
        element: '<entry name="vsys2"><display-name>Second-VSYS</display-name></entry>'