
Puppet Increases Network Automation with new module for Palo Alto Networks Next-Generation Firewalls

As part of our increasing focus on network automation, we have been working on a module for automating Palo Alto Networks Next-Generation Firewalls. The module was built using the latest Puppet tooling for modules, including Puppet Development Kit and the Resource API. It works without having to install an agent on the firewall under management, and communicates with the firewall via the PAN-OS XML API. It is also the first network device module from Puppet that supports Bolt’s remote transports, which means that it works with both Bolt and puppet device. It’s worth noting that we’re working on building a new Agentless Catalog Executor service into Puppet Enterprise; details will be announced in due course on that development.

Using the module with Bolt

Ensure that Bolt is installed, then install the module on the same machine and configure the Palo Alto Networks Next-Generation firewall in Bolt’s inventory.yaml file. You will then be able to run tasks against the firewall, or use the providers in the module to apply Puppet manifests. A tutorial detailing how to use the module with Bolt is available. Note that Bolt supports noop, so it’s possible to simulate manifest application with Bolt before it’s applied.

Using the module with Puppet Enterprise

The module also works with Puppet Enterprise, using the puppet device functionality. It is recommended that puppet device is configured using the Device Manager module. A tutorial detailing how to use the module with puppet device is available.

Resources supported

The module supports many resources on Palo Alto Networks offerings, as outlined in the module’s ReadMe. If any are missing, you can use the arbitrary command provider, which allows you to send an arbitrary command to the XML API; Puppet will parse the response. The module also has some pre-built tasks that work with Bolt and Puppet Enterprise.

Want to contribute?

We love to get contributions to our modules, either code or just suggestions on how to improve the module. To help contributors we’ve created a section in the ReadMe which outlines best practices for contributing to the module.

Get started

The quickest and easiest way to get started with the module is to use Bolt. Follow the tutorial for instructions.

Davin Hanlon is a product manager at Puppet.

Learn more

  • The Device Manager module for configuring puppet device to work with Puppet Enterprise.
  • The Puppet Palo Alto Networks Next-Generation (NGFW) firewall module on the Forge
  • Palo Alto Networks NGFW XML API