As part of our increasing focus on network automation we have been working on a module for automating Palo Alto Networks Next-Generation Firewalls. The module was built using the latest Puppet tooling for modules, including Puppet Development Kit and the Resource API. The module works without having to install an agent on the firewall under management. The module communicates with the firewall via the PAN-OS XML API. The module is also the first network device module from Puppet that supports Bolt’s remote transports. This means that the module works with both Bolt and
puppet device. It’s worth noting that we’re working on building a new Agentless Catalog Executor service into Puppet Enterprise - details will be announced in due course on that development.
Using the module with Bolt
Ensure that Bolt is installed, then install the module on the same machine, configure the Palo Alto Networks Next-Generation firewall in Bolt’s
inventory.yaml file and you will be able to run tasks against the firewall, or use the providers in the module to apply Puppet manifests. A tutorial detailing how to use the module with Bolt is available. Note that Bolt supports
noop so it’s possible to simulate manifest application with Bolt before it’s applied.
Using the module with Puppet Enterprise
The module also works with Puppet Enterprise, using the
puppet device functionality. It is recommended that
puppet device is configured using the Device Manager module. A tutorial detailing how to use the module with
puppet device is available.
The module supports many resources on Palo Alto Networks offerings, as outlined in the module’s ReadMe. If there are any missing you can use the arbitrary command provider, which allows you to send an arbitrary command the XML API and Puppet will parse the response. The module also has some pre-built tasks that work with Bolt and Puppet Enterprise.
Want to contribute?
We love to get contributions to our modules, either code or just suggestions on how to improve the module. To help contributors we’ve created a section in the ReadMe which outlines best practices for contributing to the module.
Davin Hanlon is a product manager at Puppet.