Published on 7 June 2019 by

As part of our increasing focus on network automation, we have been working on a module for automating Palo Alto Next Generation Firewalls. The module was built using the latest Puppet tooling for modules, including Puppet Development Kit and the Resource API. It works without an agent installed on the firewall under management, communicating with the firewall via the PAN-OS XML API. It is also the first network device module from Puppet that supports Bolt’s remote transports, which means that it works with both Bolt and puppet device. It’s worth noting that we’re working on building a new Agentless Catalog Executor service into Puppet Enterprise - details will be announced in due course on that development.

Using the module with Bolt

Ensure that Bolt is installed, then install the module on the same machine and configure the Palo Alto firewall in Bolt’s inventory.yaml file. You will then be able to run tasks against the Palo Alto firewall, or use the providers in the module to apply Puppet manifests. A tutorial detailing how to use the module with Bolt is available. Note that Bolt supports noop, so it’s possible to simulate manifest application with Bolt before it’s applied.

Using the module with Puppet Enterprise

The module also works with Puppet Enterprise, using the puppet device functionality. It is recommended that puppet device is configured using the Device Manager module. A tutorial detailing how to use the module with puppet device is available.

Resources supported

The module supports many resources on Palo Alto devices, as outlined in the module’s ReadMe. If a resource you need is missing, you can use the arbitrary command provider, which allows you to send an arbitrary command to the XML API, and Puppet will parse the response. The module also has some pre-built tasks that work with Bolt and Puppet Enterprise.

Want to contribute?

We love to get contributions to our modules, either code or just suggestions on how to improve the module. To help contributors we’ve created a section in the ReadMe which outlines best practices for contributing to the module.

Get started

The quickest and easiest way to get started with the module is to use Bolt. Follow the tutorial for instructions.

Davin Hanlon is a product manager at Puppet.

Learn more

  • The Device Manager module for configuring puppet device to work with Puppet Enterprise.
  • The Puppet Palo Alto firewall module on the Forge
  • Palo Alto Next Generation Firewall (NGFW) XML API