Use a Configuration Lock
In this guide, you will use a configuration lock whilst you make changes. This ensures the integrity of the configuration changes by not allowing any other administrators or tools to make changes while the lock is active.
Assumptions
This tutorial/guide assumes:
- you have a working installation of Ansible with the PAN-OS collection installed (see example instructions here)
- you have working connectivity to the firewall and/or Panorama
- you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama
Important - Work in a Lab Environment First
With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.
Create playbook files and define connectivity to the firewall
Create a new Ansible YAML file named changes-with-config-lock.yml, establish a variable block called device for the firewall, and reference the PAN-OS collection:
---
- name: Make Changes with Config Lock
  hosts: '{{ target | default("firewall") }}'
  connection: local
  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"
  collections:
    - paloaltonetworks.panos
Check if there is a lock in place
Start the playbook by using panos_op to check whether a configuration lock is already held. If there is a lock in place, the task retries until the lock is released (the vsys variable, like ip_address, is supplied when the playbook is run):
  tasks:
    - name: Wait for config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<show><config-locks><vsys>{{ vsys }}</vsys></config-locks></show>"
        cmd_is_xml: true
      retries: 30
      delay: 10
      register: result
      until: result.stdout_xml == '<response status="success"><result><config-locks /></result></response>'
Acquire the configuration lock
Continue the tasks by taking the configuration lock:
    - name: Acquire config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><config-lock><add><comment>Ansible config lock</comment></add></config-lock></request>"
        cmd_is_xml: true
Make configuration changes
With the lock acquired, it is now safe to make changes knowing other administrators and tools will not be able to interfere.
    # Variable names use underscores: a hyphenated name such as
    # address-object-name would be evaluated by Jinja2 as a subtraction.
    - name: Create address object
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ device }}"
        name: "{{ address_object_name }}"
        value: "{{ address_object_ip_address }}"
        description: "Created with Ansible"
As many changes as required can be inserted at this stage of the playbook, whilst the configuration lock is held.
Release the configuration lock
Now that the changes are made, the configuration lock can be released.
    - name: Release config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><config-lock><remove></remove></config-lock></request>"
        cmd_is_xml: true
Final playbook
Putting all the sections together, the playbook in entirety looks like this:
---
- name: Make Changes with Config Lock
  hosts: '{{ target | default("firewall") }}'
  connection: local
  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"
  collections:
    - paloaltonetworks.panos
  tasks:
    - name: Wait for config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<show><config-locks><vsys>{{ vsys }}</vsys></config-locks></show>"
        cmd_is_xml: true
      retries: 30
      delay: 10
      register: result
      until: result.stdout_xml == '<response status="success"><result><config-locks /></result></response>'
    - name: Acquire config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><config-lock><add><comment>Ansible config lock</comment></add></config-lock></request>"
        cmd_is_xml: true
    - name: Create address object
      paloaltonetworks.panos.panos_address_object:
        provider: "{{ device }}"
        name: "{{ address_object_name }}"
        value: "{{ address_object_ip_address }}"
        description: "Created with Ansible"
    - name: Release config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><config-lock><remove></remove></config-lock></request>"
        cmd_is_xml: true
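In the playbook above, the release task only runs if every task before it succeeds; if the change task fails, the lock stays held until an administrator removes it by hand, which also blocks other automation. The following variant is an added example (not from the original guide or the collection's own documentation) that wraps the changes in a block with an always section, so the lock is released on failure as well; it assumes the same extra vars as above (ip_address, credentials, vsys, address_object_name, address_object_ip_address).

```yaml
---
- name: Make Changes with Config Lock (lock always released)
  hosts: '{{ target | default("firewall") }}'
  connection: local
  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"
  collections:
    - paloaltonetworks.panos
  tasks:
    # Same wait-and-acquire sequence as the guide; vsys is an extra var.
    - name: Wait for config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<show><config-locks><vsys>{{ vsys }}</vsys></config-locks></show>"
        cmd_is_xml: true
      retries: 30
      delay: 10
      register: result
      until: result.stdout_xml == '<response status="success"><result><config-locks /></result></response>'

    - name: Acquire config lock
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: "<request><config-lock><add><comment>Ansible config lock</comment></add></config-lock></request>"
        cmd_is_xml: true

    # Every change made while the lock is held goes inside this block.
    # The always section runs whether the block succeeds or fails, so a
    # failed change no longer leaves a stale lock on the device.
    - name: Change configuration while holding the lock
      block:
        - name: Create address object
          paloaltonetworks.panos.panos_address_object:
            provider: "{{ device }}"
            name: "{{ address_object_name }}"
            value: "{{ address_object_ip_address }}"
            description: "Created with Ansible"
      always:
        - name: Release config lock
          paloaltonetworks.panos.panos_op:
            provider: "{{ device }}"
            cmd: "<request><config-lock><remove></remove></config-lock></request>"
            cmd_is_xml: true
```

If a change inside the block fails, the play still reports the failure after the always section has run, so the error is not hidden by the cleanup.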