Operations Tasks
With this playbook, you will perform operations on a PAN-OS next-generation firewall. These are common operational tasks that would otherwise need to be performed manually.
Assumptions
This tutorial/guide assumes:
- you have a working installation of Ansible with the PAN-OS collection installed (see example instructions here)
- you have working connectivity to the firewall and/or Panorama
- you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama
Important - Work in a Lab Environment First
With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.
The "check ready" playbook
This playbook checks if the PAN-OS next-generation firewall is ready. If the firewall is not ready, the check will retry multiple times until the firewall is ready. This can be useful when waiting for a firewall reboot to complete.
- Create a file called `check-ready.yml` and paste in the following content:
  ```yaml
  ---
  - name: Check the firewall is ready
    hosts: "firewall"
    connection: local
    gather_facts: false

    vars:
      device:
        ip_address: "{{ ip_address }}"
        username: "{{ username }}"
        password: "{{ password }}"

    collections:
      - paloaltonetworks.panos

    tasks:
      - name: Check if PAN-OS appliance is ready and wait until it is
        paloaltonetworks.panos.panos_check:
          provider: "{{ device }}"
        changed_when: false
        register: result
        until: result is not failed and result.msg == 'Device is ready.'
        retries: 100
        delay: 15

      - name: Display output
        ansible.builtin.debug:
          msg: "{{ result.msg }}"
  ```
- Execute the playbook with the following command:

  ```bash
  ansible-playbook -i inventory.txt --ask-vault-pass check-ready.yml
  ```
- If the firewall is ready, the output should be something similar to this:

  ```
  PLAY [Palo Alto Playbook] **********************************************************************************

  TASK [Check if PAN-OS appliance is ready] ******************************************************************
  ok: [firewall]

  TASK [Display output] **************************************************************************************
  ok: [firewall] => {
      "msg": "Device is ready."
  }

  PLAY RECAP *************************************************************************************************
  firewall                   : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
  ```
- If the firewall is not ready when the playbook execution starts, the output should be something similar to this:

  ```
  PLAY [Palo Alto Playbook] **********************************************************************************

  TASK [Check if PAN-OS appliance is ready] ******************************************************************
  FAILED - RETRYING: [host_labfw]: Check if PAN-OS appliance is ready (100 retries left).
  FAILED - RETRYING: [host_labfw]: Check if PAN-OS appliance is ready (99 retries left).
  FAILED - RETRYING: [host_labfw]: Check if PAN-OS appliance is ready (98 retries left).
  ok: [firewall]

  TASK [Display output] **************************************************************************************
  ok: [firewall] => {
      "msg": "Device is ready."
  }

  PLAY RECAP *************************************************************************************************
  firewall                   : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
  ```
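The same wait-for-ready loop outside Ansible, as an added example that is not code from the PAN-OS collection or from this tutorial: it reproduces the `until`/`retries`/`delay` semantics of the task above (one run plus `retries` further attempts, `delay` seconds apart, where an error or a not-ready answer both count as a failed attempt). It assumes the XML API op command `show chassis-ready` as the readiness probe and the `PANOS_HOST`/`PANOS_API_KEY` environment variables for the target and API key; neither comes from the page.

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed probe (not taken from the page): the XML API op command
# `show chassis-ready`, answering <response status="success"><result>yes</result></response>.
READY_CMD = "<show><chassis-ready/></show>"


def chassis_ready(xml_text: str) -> bool:
    """True only for a successful API response whose <result> is 'yes'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False  # during boot the HTTP service may answer with non-XML
    result = root.find("result")
    return (root.get("status") == "success" and result is not None
            and (result.text or "").strip() == "yes")


def probe_firewall(host: str, api_key: str, timeout: int = 10) -> str:
    """One XML API call; network and TLS errors propagate to the caller."""
    query = urllib.parse.urlencode({"type": "op", "cmd": READY_CMD, "key": api_key})
    # urlopen verifies the server certificate by default; trust the firewall's
    # CA rather than disabling verification if it uses a self-signed certificate.
    with urllib.request.urlopen(f"https://{host}/api/?{query}", timeout=timeout) as resp:
        return resp.read().decode()


def wait_until_ready(probe, retries: int = 100, delay: int = 15, sleep=time.sleep):
    """Mirror Ansible's until/retries/delay: the task runs once plus `retries`
    more times, an exception or a non-ready answer counts as a failed attempt,
    and `delay` seconds pass between attempts. Returns (ready, attempts_used)."""
    for attempt in range(1, retries + 2):
        try:
            if chassis_ready(probe()):
                return True, attempt
        except Exception:
            pass  # e.g. connection refused while the management plane restarts
        if attempt <= retries:
            sleep(delay)
    return False, retries + 1


if __name__ == "__main__":
    import os
    host, key = os.environ["PANOS_HOST"], os.environ["PANOS_API_KEY"]  # assumed variables
    ok, n = wait_until_ready(lambda: probe_firewall(host, key))
    print("Device is ready." if ok else f"Device not ready after {n} attempts")
```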
Closing notes
- Tasks do not have to be divided into playbook files as has been described in this tutorial. All the tasks could have been placed in a single playbook, or equally the tasks could have been divided into more playbooks than those used in the tutorial. The structure of your playbooks is something to consider as you operationalize Ansible within your organization.
- If you used the setup instructions listed here, you were using a static inventory file, and local PAN-OS credentials encrypted on disk with `ansible-vault`. This is very suitable for a learning tutorial, but these approaches may not be suitable for production, and are also something to consider as you operationalize Ansible within your organization.
- Almost all values for tasks were defined within the playbooks; names of configuration items, IP addresses, and more. This is very suitable for a learning tutorial, but this approach does not scale well in production, and using variables instead is something to consider as you operationalize Ansible within your organization.