Skip to main content

Setting up

In this tutorial we will get setup ready to execute Ansible playbooks for PAN-OS.

Assumptions

This tutorial/guide assumes:

  • you have access to a Linux-based machine, with administrative credentials
  • the machine has working connectivity and access to the Internet to download content
  • the machine has working connectivity and access to either a PAN-OS next-generation firewall or Panorama

Important - Work in a Lab Environment First

With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.

Install Ansible

  1. Install Ansible. The exact steps will differ based on your operating system and environment. The Ansible documentation describes the steps required here

  2. Test Ansible installed correctly. Execute this command:

ansible --version
  1. You should see an output like this (exact version numbers will differ):
ansible [core 2.12.6]
  config file = None
  configured module search path = ['/Users/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/username/.pyenv/versions/3.10.4/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/username/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/username/.pyenv/versions/3.10.4/bin/ansible
  python version = 3.10.4 (main, May 24 2022, 14:08:56) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True

Install PAN-OS Python packages

  1. Install the required Python packages. Execute this command:
pip install -r https://raw.githubusercontent.com/PaloAltoNetworks/pan-os-ansible/develop/requirements.txt
  1. Test the packages installed correctly. Execute this command:
pip list | grep pan
  1. You should see an output like this (exact version numbers will differ):
pan-os-python                 1.7.3
pan-python                    0.17.0

Install the PAN-OS collection of Ansible modules

  1. Install the modules from Ansible's Galaxy repository. Execute this command:
ansible-galaxy collection install paloaltonetworks.panos
  1. Test the collection installed correctly. Execute this command:
ansible-galaxy collection list | grep panos
  1. You should see an output like this (exact version numbers will differ):
paloaltonetworks.panos 2.11.0

Setup the Ansible inventory

  1. In the directory where you will store your Ansible playbook files, create a file called inventory.txt with the following content:
firewall
panorama
  1. Create a sub-directory called host_vars
  2. Within the host_vars directory, create a file call firewall.yml with the following content, changing the values for ip_address, username and password as appropriate:
---
ip_address: "192.168.1.1"
username: "admin"
password: "admin"
caution

Note that for these learning examples, we are storing PAN-OS credentials in a file on disk. This is not a production-level solution, and other solutions for managing secrets should be considered for real-world deployments. Ansible (Red Hat) and many others have solutions for this.

ansible-vault encrypt firewall.yml
ansible-vault encrypt panorama.yml

Using this command, ansible-vault will request a password to be used for accessing the encrypted file at a later date:

New Vault password:
Confirm New Vault password:
Encryption successful

Confirm access to PAN-0S

  1. Ensure the host machine can reach the NGFW or Panorama. Execute the following command, replacing HOSTNAME with the IP address or hostname of your NGFW or Panorama:
http-ping https://HOSTNAME -c 1
  1. You should see an output like this:
HTTP-PING https://HOSTNAME GET

       1: 192.168.1.1:443, code=302, size=0 bytes, time=24.7 ms

--- https://HOSTNAME ping statistics ---
1 requests sent, 1 answers received, 0.0% loss
round-trip min/avg/max/stddev = 24.672/24.672/24.672/0.000 ms
  • An error like this suggests you may have an incorret hostname:
   1: Error: Get "https://HOSTNAME": lookup HOSTNAME 192.168.1.254:53: no such host
  • An error like this suggests you may not have working connectivity to the firewall/Panorama on HTTPS (TCP 443):
   1: Error: Get "https://192.168.1.1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  • If http-ping is not available on your host machine, you may be able to use other tools like curl to confirm the host machine can reach the NGFW or Panorama using HTTPS. If your machine has a web browser, you can browse to https://HOSTNAME