Ansible Introduction - Palo Alto Networks NGFW

Captions
Hi, I'm Michael Richardson, Americas automation CE, and this is Automating PAN-OS with Ansible. The official Ansible collection is paloaltonetworks.panos, and as of February 2021 the current release is 2.5.0. This is an open source project at Palo Alto Networks that's maintained by our developer relations team. The Ansible collection consists of 90-plus modules for PAN-OS firewalls and Panorama, and they all operate on the device's XML API, which is something we've had since PAN-OS 3.0. They all utilize the pan-os-python library, which is a general library for manipulating PAN-OS devices using the Python language.

For your capabilities, you have configuration, which is the majority of the modules: they let you add, edit and delete config elements, and these are most of the high-level objects that you would think of in PAN-OS. Address objects, rules, network interfaces and VPN tunnels are some examples. And then you have operational commands, which is most everything that isn't configuration related, so you can pull info back from a running device, you can validate config, you can reboot a device, you can upgrade the software, upgrade the content, and this is an important distinction between what you can accomplish using Ansible and what you can accomplish using Terraform.

So here's an example of just creating objects using the PAN-OS Ansible modules. The first thing you'll notice is the connection: local up there at the top of the playbook, and it's important to note that these modules are run on the control node, which is the machine that's running the Ansible playbook, not on the PAN-OS device itself. Typically the way that Ansible modules work is they copy Python code to the individual device and execute it there, which is not something we let you do with PAN-OS, so these modules run on the control node and talk to that device's XML API. You'll also see the provider dictionary, which contains all of your connection details for the PAN-OS device; this is where you specify the IP address, username and password, or API key if you want. I'm using a dictionary called device in this playbook to feed to the provider option for this module.

Here's an example of a full policy. I've had to collapse sections of this to be able to fit it all on this slide. This shows interface configuration as well as zone creation, a service object and a security rule. All of the Ansible modules will also let you create config elements in a Panorama device group or a template, depending on what type of object you're using for that module.

Here's another example showing VPN tunnel creation, which is a great example of something that maps well onto an Ansible playbook. VPN tunnel creation consists of a lot of individual components in PAN-OS, and it has easy-to-forget parts or checkboxes that you don't want to think about every single time. Creating VPN tunnels is something that is very prescriptive, and you can reduce the amount of time that it'll take troubleshooting if you don't miss one of these steps. This is also something that would be very nice to hand off to another engineer on your team and be able to execute the same way every single time.

Here's an example of operational commands using the panos_facts module, and generally speaking you can get a lot of good data out of this particular module. You can gather information about the running system, sessions, interfaces, HA status, routing, virtual routers, virtual system configuration, and then the config itself out of this module.

So another one of my favorite examples of what you can do with an Ansible playbook is upgrading PAN-OS devices. This is another really administrative time sink that works really well as a playbook. You don't want to have to remember during your late-night outage windows if you made a config backup first, or if you checked failover correctly, or other things like that. Again, this is something that is very nice to be able to hand off to another member on your team, whoever happens to be upgrading that particular firewall, and make sure that you do it in the same exact way. This is a single-node upgrade playbook here, but I've got an HA upgrade example linked to here in a repository of example playbooks that I'll share at the end.

So two modules that are really nice to have, if you need something that is not supported in the Ansible collection right now, are panos_op and panos_type_cmd. panos_op will let you execute any operational command that you want and get back the result as both XML and a JSON format, and then if you use panos_type_cmd you can send any raw XML API command to the device. So if it's a config element that we don't have a module for, or if it's something like creating a backup here, which is just one command that you can run using the op command, both of these are really good to have in your toolbox.

So for some additional resources, we've got the official GitHub repository for the Ansible collection, and then a repository of Ansible playbooks that I maintain for examples. Now I'm going to show you two examples of running particular playbooks: a VPN tunnel creation to an AWS private VPC, and then upgrading the software on a PAN-OS device.

I wanted to demonstrate two playbooks from the Ansible playbook repository I mentioned in the presentation. The first one is awsvpn.yaml, which configures a VPN with an AWS private VPC. I really like this as an example because it's a non-trivial bit of configuration: it's got two IPsec tunnels for redundancy and has BGP running inside to exchange routing information between the VPC and the firewall here. So I've already built out a firewall in AWS in a private VPC with a Linux instance inside it. I'm going to go into the firewall here. I've set this firewall up with a basic policy, but we don't have any sort of dynamic routing configured, and we don't have any sort of IPsec tunnels configured. So I'm going to go back and I'm going to run this playbook, and all I'm really feeding it is a YAML file with credentials for the PAN-OS device that I'm going to log into and the AWS VPN ID. It's going to go ahead and run, and this is going to parse out all of the details about this VPN using the ec2_vpc_vpn_info module, set that as a fact, parsing it out with a parse_xml filter, and then do all the configuration for the PAN-OS device. That's going to take a little bit.

All right, so it's done, and if I go into the firewall GUI here and refresh, it's created the IPsec tunnels and they're up and running. And if I look, I've configured BGP on my default router here, and I am exchanging route information with the VPC, which is this 172.16.0.0/16 netblock, through BGP and through my tunnel interface here. I can go to the BGP tab and see that I'm forwarding routes, and I'm also transmitting routes out to that private VPC. So I've got a Linux box here behind the firewall, so what I can do is I can actually ping a host that's running in that private VPC, and I can ping it, I can actually SSH to it and we can connect, and if I go in here you can see that the traffic is going through the tunnel.

So the next thing I wanted to do is run the upgrade_single.yaml playbook. This is a very simple playbook that's going to just run a backup of the config on the device and install a new version of PAN-OS. This is a very simple playbook, but it can take a little while to run, so I'm going to cut out a section here so that we can speed up this demo. I'm going to upgrade this: the firewall's running 9.1.3, and we're going to upgrade it just a point release to 9.1.4. OK, so that took about 15 minutes to run. I'm going to go back in and refresh the page because this has timed out, and after logging back in, the firewall has been upgraded to 9.1.4, and you can see here in the system logs that our tunnels have come back up, so we've rebooted and everything's good. Thanks.
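The control-node pattern the talk describes (connection: local, a provider dictionary, a config module beside panos_op for a pre-change backup, then a commit) as an added example playbook; this is not code from the video or from the linked playbook repository. The management address, credential variable, zone names and object names are constructed placeholders, and the backup uses the save-config operational command sent through panos_op as raw XML.

```yaml
- name: Create a PAN-OS object, back up the config, and commit (added example)
  hosts: localhost
  connection: local        # modules run on the control node, not on the firewall
  gather_facts: false
  collections:
    - paloaltonetworks.panos

  vars:
    # Constructed connection details for the provider dictionary.
    # Keep the secret in ansible-vault, or supply api_key instead of a password.
    device:
      ip_address: "192.0.2.10"          # placeholder management address
      username: "admin"
      password: "{{ panos_admin_password }}"

  tasks:
    - name: Take a config backup on the device before making changes (op command)
      panos_op:
        provider: "{{ device }}"
        cmd: "<save><config><to>pre-change-backup.xml</to></config></save>"
        cmd_is_xml: true

    - name: Create an address object for the AWS VPC netblock
      panos_address_object:
        provider: "{{ device }}"
        name: "aws-vpc-net"
        value: "172.16.0.0/16"
        description: "AWS private VPC reached over the IPsec tunnels"
        state: present

    - name: Allow trust-to-vpn traffic to that netblock only
      panos_security_rule:
        provider: "{{ device }}"
        rule_name: "allow-to-aws-vpc"
        source_zone: ["trust"]            # assumed zone names
        destination_zone: ["vpn"]
        source_ip: ["any"]
        destination_ip: ["aws-vpc-net"]   # the object created above
        application: ["any"]
        service: ["application-default"]
        action: "allow"
        state: present

    - name: Commit the candidate configuration
      panos_commit_firewall:
        provider: "{{ device }}"
```

Run it with the credential passed as an extra var or from a vault file (for example `ansible-playbook example.yaml -e @vault.yaml`); if the commit step fails, the backup saved in the first task is still on the device for a rollback.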
Info
Channel: Ansible video
Views: 834
Id: ODPChBwx11k
Length: 12min 34sec (754 seconds)
Published: Wed Mar 10 2021