
Information Gathering Tasks

With this playbook, you will gather information from a PAN-OS next-generation firewall. The tasks in this playbook are useful on their own, to collect data, and also as a source of data to feed into other tasks or other playbooks.

Assumptions

This tutorial/guide assumes:

  • you have a working installation of Ansible with the PAN-OS collection installed (see example instructions here)
  • you have working connectivity to the firewall and/or Panorama
  • you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama

Important - Work in a Lab Environment First

With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.

The "gather firewall rules" playbook

This playbook gathers all the security (firewall) rules from a PAN-OS next-generation firewall.

  1. Create a file called get-security-rules.yml and paste in the following content (indentation is significant in YAML; the `device` dictionary and the tasks must be nested exactly as shown):
---
- name: Gather security rules
  hosts: "firewall"
  connection: local

  vars:
    # Connection details come from the inventory / vault variables
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username }}"
      password: "{{ password }}"

  collections:
    - paloaltonetworks.panos

  tasks:
    - name: Get all security rules
      paloaltonetworks.panos.panos_security_rule:
        provider: "{{ device }}"
        gathered_filter: "*"
        state: gathered
      register: sec_rules

    - name: Output
      ansible.builtin.debug:
        msg: "{{ sec_rules }}"
  2. Execute the playbook with the following command:
ansible-playbook -i inventory.txt --ask-vault-pass get-security-rules.yml
  3. The output should be something similar to this:
PLAY [Gather rules] ****************************************************************************************

TASK [Gathering Facts] *************************************************************************************
ok: [firewall]

TASK [Get all security rules] ******************************************************************************
ok: [firewall]

TASK [Output] **********************************************************************************************
ok: [firewall] => {
    "msg": {
        "changed": false,
        "failed": false,
        "gathered": [
            {
                "action": "drop",
                "antivirus": null,
                "application": [
                    "any"
                ],
                "category": [
                    "any"
                ],
                "data_filtering": null,
                "description": null,
                "destination_devices": [
                    "any"
                ],
                "destination_ip": [
                    "sinkhole.paloaltonetworks.com"
                ],
                "destination_zone": [
                    "consumer",
                    "internet"
                ],
                "disable_server_response_inspection": null,
                "disabled": null,
                "file_blocking": null,
                "group_profile": null,
                "group_tag": "drop",
                "hip_profiles": null,
                "icmp_unreachable": null,
                "log_end": null,
                "log_setting": "default",
                "log_start": false,
                "negate_destination": null,
                "negate_source": null,
                "negate_target": null,
                "rule_name": "catch-sinkhole",
                "rule_type": null,
                "schedule": null,
                "service": [
                    "any"
                ],
                "source_devices": [
                    "any"
                ],
                "source_ip": [
                    "any"
                ],
                "source_user": [
                    "any"
                ],
                "source_zone": [
                    "any"
                ],
                "spyware": null,
                "tag_name": [
                    "drop"
                ],
                "target": null,
                "url_filtering": null,
                "uuid": "54f0729b-814c-44fb-b5f8-506563259924",
                "vulnerability": null,
                "wildfire_analysis": null
            },
            {
                "action": "drop",
                "antivirus": null,
                "application": [
                    "any"
                ],
                "category": [
                    "any"
                ],
                "data_filtering": null,
                "description": null,
                "destination_devices": [
                    "any"
                ],
                "destination_ip": [
                    "blocked-hosts",
                    "dshield",
                    "panw-known-ip-list"
                ],
                "destination_zone": [
                    "consumer",
                    "internet"
                ],
                "disable_server_response_inspection": null,
                "disabled": null,
                "file_blocking": null,
                "group_profile": null,
                "group_tag": "drop",
                "hip_profiles": null,
                "icmp_unreachable": null,
                "log_end": null,
                "log_setting": "default",
                "log_start": false,
                "negate_destination": null,
                "negate_source": null,
                "negate_target": null,
                "rule_name": "block-malicious",
                "rule_type": null,
                "schedule": null,
                "service": [
                    "any"
                ],
                "source_devices": [
                    "any"
                ],
                "source_ip": [
                    "any"
                ],
                "source_user": [
                    "any"
                ],
                "source_zone": [
                    "any"
                ],
                "spyware": null,
                "tag_name": [
                    "drop"
                ],
                "target": null,
                "url_filtering": null,
                "uuid": "6dd3c511-a618-4aad-94fa-c28bd9c5a2d8",
                "vulnerability": null,
                "wildfire_analysis": null
            }
        ],
        "gathered_xml": [
            "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<entry name=\"catch-sinkhole\" uuid=\"54f0729b-814c-44fb-b5f8-506563259924\">\n\t<from>\n\t\t<member>any</member>\n\t</from>\n\t<to>\n\t\t<member>consumer</member>\n\t\t<member>internet</member>\n\t</to>\n\t<source>\n\t\t<member>any</member>\n\t</source>\n\t<source-user>\n\t\t<member>any</member>\n\t</source-user>\n\t<destination>\n\t\t<member>sinkhole.paloaltonetworks.com</member>\n\t</destination>\n\t<application>\n\t\t<member>any</member>\n\t</application>\n\t<service>\n\t\t<member>any</member>\n\t</service>\n\t<category>\n\t\t<member>any</member>\n\t</category>\n\t<action>drop</action>\n\t<log-setting>default</log-setting>\n\t<log-start>no</log-start>\n\t<tag>\n\t\t<member>drop</member>\n\t</tag>\n\t<source-hip>\n\t\t<member>any</member>\n\t</source-hip>\n\t<destination-hip>\n\t\t<member>any</member>\n\t</destination-hip>\n\t<group-tag>drop</group-tag>\n</entry>\n",
            "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<entry name=\"block-malicious\" uuid=\"6dd3c511-a618-4aad-94fa-c28bd9c5a2d8\">\n\t<from>\n\t\t<member>any</member>\n\t</from>\n\t<to>\n\t\t<member>consumer</member>\n\t\t<member>internet</member>\n\t</to>\n\t<source>\n\t\t<member>any</member>\n\t</source>\n\t<source-user>\n\t\t<member>any</member>\n\t</source-user>\n\t<destination>\n\t\t<member>blocked-hosts</member>\n\t\t<member>dshield</member>\n\t\t<member>panw-known-ip-list</member>\n\t</destination>\n\t<application>\n\t\t<member>any</member>\n\t</application>\n\t<service>\n\t\t<member>any</member>\n\t</service>\n\t<category>\n\t\t<member>any</member>\n\t</category>\n\t<action>drop</action>\n\t<log-setting>default</log-setting>\n\t<log-start>no</log-start>\n\t<tag>\n\t\t<member>drop</member>\n\t</tag>\n\t<source-hip>\n\t\t<member>any</member>\n\t</source-hip>\n\t<destination-hip>\n\t\t<member>any</member>\n\t</destination-hip>\n\t<group-tag>drop</group-tag>\n</entry>\n"
        ]
    }
}

PLAY RECAP *************************************************************************************************
firewall : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
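The `gathered` list above is the part worth feeding into other tasks. The following script, added here as an example and not code from the tutorial or the paloaltonetworks.panos collection, audits such a list for the things a reviewer checks first: allow rules whose match fields are all "any", rules that explicitly turn off session-end logging, rules with no log forwarding profile, and disabled rules still sitting in the rulebase. It assumes the registered `sec_rules` variable has been written to a JSON file by an extra task (for example `ansible.builtin.copy` with `content: "{{ sec_rules | to_nice_json }}"`), that the field names match the output shown above, and uses a constructed sample made of the two drop rules from the output plus a hypothetical `temp-allow-all` rule to exercise the checks.

```python
"""Audit security rules returned by panos_security_rule with state: gathered.

Added example for this tutorial; not code from the original page or from the
paloaltonetworks.panos collection. Assumes the registered `sec_rules` value
was dumped to JSON and that field names match the `gathered` output above.
"""
import json
import sys
from typing import Dict, List, Optional

# Match fields of a rule. ["any"] (or unset) in all of them means the rule
# matches every session that reaches it.
MATCH_FIELDS = ("source_zone", "destination_zone", "source_ip",
                "destination_ip", "application", "service")

# Constructed sample: the two drop rules from the tutorial output, trimmed to
# the fields used here, plus one hypothetical over-permissive allow rule.
SAMPLE_OUTPUT = {
    "changed": False,
    "failed": False,
    "gathered": [
        {"rule_name": "catch-sinkhole", "action": "drop", "disabled": None,
         "source_zone": ["any"], "destination_zone": ["consumer", "internet"],
         "source_ip": ["any"], "destination_ip": ["sinkhole.paloaltonetworks.com"],
         "application": ["any"], "service": ["any"],
         "log_end": None, "log_setting": "default"},
        {"rule_name": "block-malicious", "action": "drop", "disabled": None,
         "source_zone": ["any"], "destination_zone": ["consumer", "internet"],
         "source_ip": ["any"],
         "destination_ip": ["blocked-hosts", "dshield", "panw-known-ip-list"],
         "application": ["any"], "service": ["any"],
         "log_end": None, "log_setting": "default"},
        # Hypothetical rule, constructed for this example only.
        {"rule_name": "temp-allow-all", "action": "allow", "disabled": None,
         "source_zone": ["any"], "destination_zone": ["any"],
         "source_ip": ["any"], "destination_ip": ["any"],
         "application": ["any"], "service": ["any"],
         "log_end": False, "log_setting": None},
    ],
}


def is_any(value: Optional[List[str]]) -> bool:
    """A match field that is unset or exactly ["any"] imposes no restriction."""
    return value is None or value == ["any"]


def audit_rule(rule: Dict) -> List[str]:
    """Return the list of findings for one gathered rule (empty list = clean)."""
    findings: List[str] = []
    action = rule.get("action")
    if action == "allow":
        if all(is_any(rule.get(f)) for f in MATCH_FIELDS):
            findings.append("allow-any: allow rule with every match field set to any")
        elif is_any(rule.get("application")) and is_any(rule.get("service")):
            findings.append("allow-any-app-service: allow rule with no application or service restriction")
    # log_end is null in the gathered output when it was never set explicitly, so
    # the firewall default (log at session end) applies; only an explicit false
    # switches end-of-session logging off.
    if rule.get("log_end") is False:
        findings.append("no-log-end: session-end logging explicitly disabled")
    # log_setting is the log forwarding profile; null means logs stay on the box only.
    if rule.get("log_setting") is None:
        findings.append("no-log-forwarding: no log forwarding profile attached")
    if rule.get("disabled"):
        findings.append("disabled: rule is disabled but still present in the rulebase")
    return findings


def audit(register_output: Dict) -> Dict[str, List[str]]:
    """Map rule name -> findings for every rule in the registered result."""
    return {r["rule_name"]: audit_rule(r) for r in register_output.get("gathered", [])}


def count_by_action(register_output: Dict) -> Dict[str, int]:
    """Per-action rule counts, a summary a follow-on playbook or report can consume."""
    counts: Dict[str, int] = {}
    for r in register_output.get("gathered", []):
        key = r.get("action") or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


def load_register_output(path: str) -> Dict:
    """Load the JSON dump of the registered variable written by the playbook."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python audit_rules.py sec_rules.json   (falls back to the sample)
    data = load_register_output(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(json.dumps({"summary": count_by_action(data), "findings": audit(data)}, indent=2))
```

Run without arguments it audits the embedded sample; with a path it audits a real dump. The findings dictionary is deliberately keyed by rule name so a later play can loop over it with `with_dict` or `loop` and, for instance, tag or disable the flagged rules using the same `panos_security_rule` module.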

Closing notes

  • Tasks do not have to be divided into playbook files as has been described in this tutorial. All the tasks could have been placed in a single playbook, or equally the tasks could have been divided into more playbooks than those used in the tutorial. The structure of your playbooks is something to consider as you operationalize Ansible within your organization.
  • If you used the setup instructions listed here, you were using a static inventory file, and local PAN-OS credentials encrypted on disk with ansible-vault. This is very suitable for a learning tutorial, but these approaches may not be suitable for production, and are also something to consider as you operationalize Ansible within your organization.
  • Almost all values for tasks were defined within the playbooks: names of configuration items, IP addresses, and more. This is very suitable for a learning tutorial, but this approach does not scale well in production, and using variables instead is something to consider as you operationalize Ansible within your organization.