Skip to main content

Operations Tasks

With this playbook, you will perform operations on a PAN-OS next-generation firewall. These are common operational tasks that would otherwise need to be performed manually.

Assumptions

This tutorial/guide assumes:

  • you have a working installation of Ansible with the PAN-OS collection installed (see example instructions here)
  • you have working connectivity to the firewall and/or Panorama
  • you have administrative credentials capable of performing the relevant operations on the firewall and/or Panorama

Important - Work in a Lab Environment First

With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.

The "upgrade firewall" playbook

This playbook upgrades the software on a PAN-OS next-generation firewall. The playbook initiates a download of the new version of software, installs it, reboots the NGFW to make the new version live, and checks to ensure the reboot is complete and the firewall is ready again.

  1. Create a file called upgrade-firewall.yml and paste in the following content:
---
- name: Upgrade firewall
hosts: "firewall"
connection: local

vars:
device:
ip_address: "{{ ip_address }}"
username: "{{ username }}"
password: "{{ password }}"

collections:
- paloaltonetworks.panos

tasks:
- name: Install target PAN-OS version
paloaltonetworks.panos.panos_software:
provider: "{{ device }}"
version: "{{ version }}"
download: true
install: true
restart: true

- name: Pause for restart
pause:
seconds: 30

- name: Check if PAN-OS appliance is ready
paloaltonetworks.panos.panos_check:
provider: "{{ device }}"
changed_when: false
register: result
until: result is not failed and result.msg == 'Device is ready.'
retries: 100
delay: 15

- name: Display output
debug:
msg: "{{ result.msg }}"
  1. Decide on the target version of PAN-OS you are going to upgrade to. To keep this tutorial simple, we suggest you choose the next maintenance release above the currently operating version, by incrementing the final digit of the current version by one. For example, if you are running 10.1.5, choose 10.1.6; if you are running 10.2.1, choose 10.2.2. Ensure that the target version exists by checking the release notes for the major version you are currently running, for example check here for 10.1 and check here for 10.2.

  2. Execute the playbook with the following command, including the target version of PAN-OS:

ansible-playbook -i inventory.txt --ask-vault-pass upgrade-firewall.yml -e "version=10.2.2"
  1. The playbook will upgrade the firewall. Note that the entire execution time for this playbook will be several minutes, and will vary depending upon the speed of Internet connection for the firewall to download the new version, and the speed at which the firewall installs the new version and reboots. You can observe the progress of the download and installation by logging in to the PAN-OS GUI using the Tasks button in the bottom right, it should look something like this:

image of PAN-OS GUI showing download and installation progress

  1. The playbook output should be something similar to this:
PLAY [Upgrade firewall] *******************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************
ok: [firewall]

TASK [Install target PAN-OS version] ******************************************************************************************************
changed: [firewall]

TASK [Pause for restart] ******************************************************************************************************************
Pausing for 30 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [firewall]

TASK [Check if PAN-OS appliance is ready] *************************************************************************************************
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (100 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (99 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (98 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (97 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (96 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (95 retries left).
FAILED - RETRYING: [firewall]: Check if PAN-OS appliance is ready (94 retries left).
ok: [firewall]

TASK [Display output] *********************************************************************************************************************
ok: [firewall] => {
"msg": "Device is ready."
}

PLAY RECAP ********************************************************************************************************************************
firewall : ok=5 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
  1. Login to the PAN-OS GUI and confirm that the firewall is now running the target version of PAN-OS

Closing notes

  • Tasks do not have to be divided into playbook files as has been described in this tutorial. All the tasks could have been placed in a single playbook, or equally the tasks could have been divided into more playbooks than those used in the tutorial. The structure of your playbooks is something to consider as you operationalize Ansible within your organization.
  • If you used the setup instructions listed here, you were using a static inventory file, and local PAN-OS credentials encrypted on disk with ansible-vault. This is very suitable for a learning tutorial, but these approaches may not be suitable for production, and are also something to consider as you operationalize Ansible within your organization.
  • Almost all values for tasks were defined within the playbooks; names of configuration items, IP addresses, and more. This is very suitable for a learning tutorial, but this approach does not scale well in production, and using variables instead is something to consider as you operationalize Ansible within your organization.