Setting up
In this tutorial we will get set up to execute Ansible playbooks for PAN-OS.
Assumptions
This tutorial/guide assumes:
- you have access to a Linux-based machine, with administrative credentials
- the machine has working connectivity and access to the Internet to download content
- the machine has working connectivity and access to either a PAN-OS next-generation firewall or Panorama
Important - Work in a Lab Environment First
With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.
Install Ansible
- Install Ansible. The exact steps will differ based on your operating system and environment. The Ansible documentation describes the steps required.
- Test Ansible installed correctly. Execute this command:
ansible --version
- You should see an output like this (exact version numbers will differ):
ansible [core 2.12.6]
config file = None
configured module search path = ['/Users/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/username/.pyenv/versions/3.10.4/lib/python3.10/site-packages/ansible
ansible collection location = /Users/username/.ansible/collections:/usr/share/ansible/collections
executable location = /Users/username/.pyenv/versions/3.10.4/bin/ansible
python version = 3.10.4 (main, May 24 2022, 14:08:56) [Clang 13.1.6 (clang-1316.0.21.2.5)]
jinja version = 3.1.2
libyaml = True
Install PAN-OS Python packages
- Install the required Python packages. Execute this command:
pip install -r https://raw.githubusercontent.com/PaloAltoNetworks/pan-os-ansible/develop/requirements.txt
- Test the packages installed correctly. Execute this command:
pip list | grep pan
- You should see an output like this (exact version numbers will differ):
pan-os-python 1.7.3
pan-python 0.17.0
Install the PAN-OS collection of Ansible modules
- Install the modules from Ansible's Galaxy repository. Execute this command:
ansible-galaxy collection install paloaltonetworks.panos
- Test the collection installed correctly. Execute this command:
ansible-galaxy collection list | grep panos
- You should see an output like this (exact version numbers will differ):
paloaltonetworks.panos 2.11.0
Set up the Ansible inventory
- In the directory where you will store your Ansible playbook files, create a file called inventory.txt with the following content:
firewall
panorama
- Create a sub-directory called host_vars
- Within the host_vars directory, create a file called firewall.yml (and likewise panorama.yml if you are managing Panorama) with the following content, changing the values for ip_address, username and password as appropriate:
---
ip_address: "192.168.1.1"
username: "admin"
password: "admin"
Note that for these learning examples, we are storing PAN-OS credentials in a file on disk. This is not a production-level solution, and other solutions for managing secrets should be considered for real-world deployments. Ansible (Red Hat) and many others have solutions for this.
- Use the following command to have ansible-vault encrypt the files with credentials:
ansible-vault encrypt firewall.yml
ansible-vault encrypt panorama.yml
Using this command, ansible-vault will request a password to be used for accessing the encrypted file at a later date:
New Vault password:
Confirm New Vault password:
Encryption successful
Confirm access to PAN-OS
- Ensure the host machine can reach the NGFW or Panorama. Execute the following command, replacing HOSTNAME with the IP address or hostname of your NGFW or Panorama:
http-ping https://HOSTNAME -c 1
- You should see an output like this:
HTTP-PING https://HOSTNAME GET
1: 192.168.1.1:443, code=302, size=0 bytes, time=24.7 ms
--- https://HOSTNAME ping statistics ---
1 requests sent, 1 answers received, 0.0% loss
round-trip min/avg/max/stddev = 24.672/24.672/24.672/0.000 ms
- An error like this suggests you may have an incorrect hostname:
1: Error: Get "https://HOSTNAME": lookup HOSTNAME 192.168.1.254:53: no such host
- An error like this suggests you may not have working connectivity to the firewall/Panorama on HTTPS (TCP 443):
1: Error: Get "https://192.168.1.1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
- If http-ping is not available on your host machine, you may be able to use other tools like curl to confirm the host machine can reach the NGFW or Panorama using HTTPS. If your machine has a web browser, you can browse to https://HOSTNAME
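As an added example (not part of this guide or the pan-os-ansible project), the vault step and the connectivity step above folded into one POSIX shell preflight script: it refuses to proceed if any credentials file in host_vars is still plaintext, then checks HTTPS reachability with curl. The host_vars location, the script name and the curl flags are my assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the setup above (added example, not from the guide).
# Assumes credentials live in host_vars/*.yml, as this guide lays them out.

# Return 0 if a file was produced by `ansible-vault encrypt`, 1 if it is plaintext.
# Vault output always begins with the header "$ANSIBLE_VAULT;<version>;<cipher>".
vault_encrypted() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Scan a host_vars directory; list plaintext credential files and return 1
# if any were found, so a wrapper can refuse to run ansible-playbook.
check_host_vars() {
    rc=0
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -e "$f" ] || continue
        if vault_encrypted "$f"; then
            echo "encrypted $f"
        else
            echo "PLAINTEXT $f"
            rc=1
        fi
    done
    return $rc
}

# curl equivalent of the http-ping step: any HTTP answer on TCP 443 counts.
# -k tolerates the self-signed certificate a lab NGFW usually presents;
# the curl exit codes map onto the two errors shown in the guide.
check_https_reach() {
    if curl -sS -k -o /dev/null -m 10 "https://$1/"; then rc=0; else rc=$?; fi
    case $rc in
        0)  echo "reachable: $1" ;;
        6)  echo "lookup failed for $1 (check the hostname)" ;;
        28) echo "timeout: no HTTPS (TCP 443) connectivity to $1" ;;
        *)  echo "curl exit $rc for $1" ;;
    esac
    return $rc
}

# Usage: ./preflight.sh HOSTNAME [host_vars_dir]
if [ $# -gt 0 ]; then
    check_host_vars "${2:-host_vars}" && check_https_reach "$1"
fi
```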