# Spatula
This Ansible role helps apply security best practice templates to Palo Alto Networks devices.
## Purpose

This role uses the Iron Skillet templates to ensure that PAN-OS firewalls are set up according to Palo Alto Networks' best practice guidelines. When you run the playbook, it downloads these templates from the Iron Skillet GitHub repository and applies them to each firewall or to a Panorama management server.

After applying these templates, you can run a Best Practices Assessment to check how closely the resulting configuration follows those guidelines.
## Requirements

This role uses the Python libraries listed below. You can get them from PyPI and install them using pip. It's advisable to install them into a virtualenv to prevent conflicts with system libraries.
- pandevice - Interact with Palo Alto Networks devices through API
- pan-python - Toolkit for PAN-OS, Panorama, WildFire, and AutoFocus
- xmltodict - Convert XML strings to Python dictionaries
- passlib - A framework for secure password hashing with many supported schemes
## Role Variables

Below are the variables used in this role with their default values (see defaults/main.yml). Variables in lowercase are consumed by the playbook tasks, while UPPERCASE variables are substituted into the Jinja2 configuration templates. Some variables apply to Panorama only, while others apply to both Panorama and firewalls; the Panorama and PAN-OS columns show which.
| Variable | Type | Default | Panorama | PAN-OS | Description |
|---|---|---|---|---|---|
| device_type | panorama, panos | panorama | x | x | Type of configuration (Panorama or firewall) |
| template_version | panos_v9.0, panos_v8.1, panos_v8.0 | panos_v9.0 | x | x | Template version |
| CONFIG_PANORAMA_IP | yes, no | yes | x | | Panorama management interface configuration |
| PANORAMA_TYPE | static, cloud | static | x | | Type of Panorama management IP |
| PANORAMA_NAME | string | panorama01 | x | | Hostname for Panorama |
| PANORAMA_IP | string | 192.168.55.7 | x | | IP address for Panorama |
| PANORAMA_MASK | string | 255.255.255.0 | x | | Netmask for Panorama |
| PANORAMA_DG | string | 192.168.55.2 | x | | Default gateway for Panorama |
| CONFIG_EXPORT_IP | string | 192.0.2.3 | x | | IP for scheduled config exports |
| STACK | string | sample_stack | x | | Template stack for Panorama |
| DEVICE_GROUP | string | sample_devicegroup | x | | Device group name for Panorama |
| FW_NAME | string | panos-01 | x | x | Hostname for the firewall |
| MGMT_TYPE | dhcp-client, static | dhcp-client | x | x | Management IP type for the firewall |
| MGMT_IP | string | 192.0.2.6 | x | x | Management IP for the firewall |
| MGMT_MASK | string | 255.255.255.0 | x | x | Management netmask for the firewall |
| MGMT_DG | string | 192.0.2.7 | x | x | Management default gateway for the firewall |
| NTP_1 | string | 0.pool.ntp.org | x | x | Primary NTP server |
| NTP_2 | string | 1.pool.ntp.org | x | x | Secondary NTP server |
| ADMINISTRATOR_USERNAME | string | admin | x | x | Admin username |
| ADMINISTRATOR_PASSWORD | password | admin | x | x | Admin password |
| DNS_1 | string | 8.8.8.8 | x | x | Primary DNS server |
| DNS_2 | string | 8.8.4.4 | x | x | Secondary DNS server |
| SINKHOLE_IPV4 | string | 72.5.65.111 | x | x | IPv4 address for sinkhole |
| SINKHOLE_IPV6 | string | 2600:5200::1 | x | x | IPv6 address for sinkhole |
| INTERNET_ZONE | string | untrust | x | x | Zone to exclude in reports |
| EMAIL_PROFILE_GATEWAY | string | 192.0.2.1 | x | x | Email gateway for alerts |
| EMAIL_PROFILE_FROM | string | sentfrom@yourdomain.com | x | x | From address in alert emails |
| EMAIL_PROFILE_TO | string | sendto@yourdomain.com | x | x | To address in alert emails |
| SYSLOG_SERVER | string | 192.0.2.2 | x | x | Syslog server IP address |
| API_KEY_LIFETIME | string | 525600 | x | x | API key validity period in minutes |
| INCLUDE_PAN_EDL | yes, no | yes | x | x | Include predefined external lists in security rules |
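The table above is easy to get wrong in a vars file: a Panorama-only variable set for a firewall is silently ignored, a mistyped IP fails only once the template is pushed, and the default `ADMINISTRATOR_PASSWORD` of `admin` must never reach a real device. The following pre-flight check is an added example, not part of the paloaltonetworks.spatula role or of Iron Skillet: it validates a variable mapping (for instance the contents of `fw_vars.yml`) against the table before the playbook runs. Variable names, allowed values and defaults are taken from the table; the checks and their messages are this example's own design.

```python
"""Pre-flight validation of Spatula role variables.

Added example, not part of the paloaltonetworks.spatula role: it checks a
variable mapping against the variable table in this README before the
playbook runs. Variable names, allowed values and defaults come from the
table; the checks themselves are this example's own design.
"""
import ipaddress

DEVICE_TYPES = {"panorama", "panos"}
TEMPLATE_VERSIONS = {"panos_v9.0", "panos_v8.1", "panos_v8.0"}
# Enumerated variables and the values the table allows for them.
ENUMS = {
    "PANORAMA_TYPE": {"static", "cloud"},
    "MGMT_TYPE": {"dhcp-client", "static"},
    "CONFIG_PANORAMA_IP": {"yes", "no"},
    "INCLUDE_PAN_EDL": {"yes", "no"},
}
# Variables that only apply when device_type is 'panorama'.
PANORAMA_ONLY = {
    "CONFIG_PANORAMA_IP", "PANORAMA_TYPE", "PANORAMA_NAME", "PANORAMA_IP",
    "PANORAMA_MASK", "PANORAMA_DG", "CONFIG_EXPORT_IP", "STACK", "DEVICE_GROUP",
}
IPV4_VARS = {
    "PANORAMA_IP", "PANORAMA_DG", "CONFIG_EXPORT_IP", "MGMT_IP", "MGMT_DG",
    "DNS_1", "DNS_2", "SINKHOLE_IPV4", "EMAIL_PROFILE_GATEWAY", "SYSLOG_SERVER",
}
NETMASK_VARS = {"PANORAMA_MASK", "MGMT_MASK"}
DEFAULT_ADMIN_PASSWORD = "admin"  # table default; a placeholder, not a credential


def _norm(value):
    """YAML turns bare yes/no into booleans; map them back to the table's strings."""
    if value is True:
        return "yes"
    if value is False:
        return "no"
    return str(value)


def check_vars(variables):
    """Return (errors, warnings) for a mapping of role variables.

    Errors are values the role cannot use; warnings are settings that are
    legal but almost certainly not what an operator wants on a real device.
    """
    errors, warnings = [], []
    v = {k: _norm(val) for k, val in variables.items()}

    device_type = v.get("device_type", "panorama")
    if device_type not in DEVICE_TYPES:
        errors.append(f"device_type must be one of {sorted(DEVICE_TYPES)}, got {device_type!r}")
    template_version = v.get("template_version", "panos_v9.0")
    if template_version not in TEMPLATE_VERSIONS:
        errors.append(f"template_version must be one of {sorted(TEMPLATE_VERSIONS)}, got {template_version!r}")

    for name, allowed in ENUMS.items():
        if name in v and v[name] not in allowed:
            errors.append(f"{name} must be one of {sorted(allowed)}, got {v[name]!r}")

    for name in sorted(IPV4_VARS & set(v)):
        try:
            ipaddress.IPv4Address(v[name])
        except ValueError:
            errors.append(f"{name} is not a valid IPv4 address: {v[name]!r}")
    for name in sorted(NETMASK_VARS & set(v)):
        try:
            # (address, mask) form rejects non-contiguous or malformed masks.
            ipaddress.IPv4Network(("0.0.0.0", v[name]))
        except ValueError:
            errors.append(f"{name} is not a valid IPv4 netmask: {v[name]!r}")
    if "SINKHOLE_IPV6" in v:
        try:
            ipaddress.IPv6Address(v["SINKHOLE_IPV6"])
        except ValueError:
            errors.append(f"SINKHOLE_IPV6 is not a valid IPv6 address: {v['SINKHOLE_IPV6']!r}")

    lifetime = v.get("API_KEY_LIFETIME", "525600")
    if not lifetime.isdigit() or int(lifetime) <= 0:
        errors.append(f"API_KEY_LIFETIME must be a positive number of minutes, got {lifetime!r}")

    # Panorama-only settings are ignored on a firewall; say so rather than stay silent.
    if device_type == "panos":
        for name in sorted(PANORAMA_ONLY & set(v)):
            warnings.append(f"{name} is Panorama-only and is ignored when device_type is 'panos'")

    if v.get("ADMINISTRATOR_PASSWORD", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD:
        warnings.append("ADMINISTRATOR_PASSWORD is still the default 'admin'; set a strong password")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample resembling a fw_vars.yml, not taken from the role.
    sample = {
        "device_type": "panos",
        "template_version": "panos_v8.1",
        "MGMT_TYPE": "static",
        "MGMT_IP": "10.0.0.5",
        "MGMT_MASK": "255.255.255.0",
        "PANORAMA_IP": "192.168.55.7",  # Panorama-only, so it will be flagged
    }
    errs, warns = check_vars(sample)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run it against the loaded vars file before `ansible-playbook`; any error should stop the run, and the password warning is worth treating as one in CI.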
## Dependencies

This role relies on the official Palo Alto Networks Ansible modules, which are distributed as a separate Galaxy role.

The Palo Alto Networks Ansible modules take a dict for passing inventory and authentication details. This dict can be set up once in the playbook like this:

```yaml
vars:
  credentials:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
```
## Example Playbooks

Here are examples of Ansible playbooks that use this role to apply security best practice templates to Panorama and to a firewall.

Panorama:

```yaml
---
- name: Setup Panorama with best practice templates for PAN-OS 9.0
  hosts: all
  connection: local
  gather_facts: False

  vars:
    credentials:
      ip_address: '{{ ip_address }}'
      username: '{{ username }}'
      password: '{{ password }}'
    device_type: 'panorama'
    template_version: 'panos_v9.0'

  vars_files:
    - panorama_vars.yml

  roles:
    - role: PaloAltoNetworks.spatula
```
Firewall:

```yaml
---
- name: Setup firewall with best practice templates for PAN-OS 8.1
  hosts: all
  connection: local
  gather_facts: False

  vars:
    credentials:
      ip_address: '{{ ip_address }}'
      username: '{{ username }}'
      password: '{{ password }}'
    device_type: 'panos'
    template_version: 'panos_v8.1'

  vars_files:
    - fw_vars.yml

  roles:
    - role: PaloAltoNetworks.spatula
```
## License

Apache 2.0

## Author Information

This role was created by Robert Hagen (@stealthllama).
Install the role from Ansible Galaxy with:

```shell
ansible-galaxy install paloaltonetworks.spatula
```