Palo Alto Networks and Red Hat Automate NGFW Config and Management

Jun 27, 2023
5 minutes

The varied tasks it takes to keep complex IT environments secure have moved far beyond the scope of customized, siloed processes and manual tasks. SecOps, network and DevOps teams are straining to do more than ever with fewer team members. In today’s hyperautomation world, it makes sense to standardize and automate whatever you can to reduce workloads and remove bottlenecks. This is especially important when enforcing security policies across complex environments (on-prem, cloud, OT/IoT), pushing out config changes or new rules across hundreds of Next-Gen Firewalls (NGFW) or provisioning a new firewall.

With these challenges in mind, we’re proud to announce the new Palo Alto Networks Ansible Content Collection, a certified integrated solution for Palo Alto Networks ML-Powered Next-Gen Firewalls(NGFW), which works with the physical PA-Series, the virtual VM-Series, the container CN-Series, and also the Panorama central management platform. Built by Palo Alto Networks and certified by Red Hat, this collection helps teams leverage their Ansible expertise to configure, deploy and manage all aspects of enterprise network security.

While community collections have their strengths and have helped many Palo Alto Networks customers with Ansible integrations in the past, a certified collection is a step up that many have been seeking. As a certified collection, it has undergone rigorous testing by both Palo Alto Networks and Red Hat. Its software chain of custody is certified and signed with a Red Hat key. And should you need help with the integration, you can raise a ticket to benefit from our support team’s expertise instead of being on your own to solve the issue.

How it works

With the certified Palo Alto Networks NGFW Ansible Content Collection, network and security teams can join forces to work from one familiar automation platform, defining and managing NGFW-related components, configurations and policies while creating highly automated, predictable and repeatable processes. This collection works across all form factors, including physical, virtual, container and cloud.

With the Ansible Content Collection, network security policies and configurations become easy-to-use code modules that speed up work, enforce consistency and minimize human error. This unified framework helps create more efficient operations and stronger security across all environments.

What can be automated?

A whole lot. You can standardize and automate the configuration of everything from security policies (a.k.a., firewall rules) and Network Address Translation (NAT) rules to decryption policies and all the objects used within those rules and policies. Additionally, you can standardize and automate the change control workflows that put these policies into place in the right NGFW groups.

The Content Collection can also help you automate security services (Advanced Threat Prevention, antivirus, WildFire, Advanced URL filtering/web filtering, etc.) and device administration, like admin users and certificate management. Additionally, operational tasks like firmware updates, signature updates, configuration backup/restore and more can all be automated and scheduled using Ansible operations.

The Content Collection also allows you to take actionable tasks from firewalls to update other infrastructure and enterprise applications.

What other benefits come with the Ansible Content Collection?

Additional benefits of this partnership and the Content Collection include:

  • A system of record: By implementing NGFW management operations and security policies into our Panorama management system with Ansible modules, you'll always have a system of record to inspect configs for change management and audit purposes.
  • Minimizing variability and loss of knowledge: Manual configurations can cause great variability — and potential security gaps — across teams. Standardized configs replicated in an automated “as code” fashion minimizes variance and improves continuity, even as staffing levels and priorities shift.
  • Self-service provisioning: Repeatable, easy-to-use NGFW provisioning processes empower teams outside of network and security ops, reducing bottlenecks and empowering DevOps, fusion teams and lines of business working on digital products to move quickly, securely and with proper governance and oversight.
  • Scalability without worry: For companies already using the Ansible Automation Platform, the Certified Content Collection enables Palo Alto Networks NGFWs to be integrated into larger, multi-domain workflows. This allows cross-functional use cases of higher value while maintaining the separation of duties and the appropriate level of governance. Companies can use this collection across all form factors.
  • Collaborative, automated changes: Playbooks can be checked into a source code repository, enabling teams to audit and approve changes, such as security policy additions, deletions or modifications. Once approved, they can trigger a CI/CD pipeline job that commits the changes to the appropriate NGFWs.

The use cases for NGFW management with Ansible Automation Platform

Let’s look at a few use cases for automating NGFW management:

  • Reduce complexity by automating common configurations to improve efficiency, lower IT costs and ensure consistency of applied security across your organization. Even small organizations may have firewalls across hundreds of form factors, from on-premise machines and user devices to VMs and container environments. This complexity multiplies for enterprises with thousands of employees.
  • Simplify tasks, review and approve policy updates and then automate changes across the network and to the NGFW. This allows the engineer to focus on the outcome — the new security policy and where it should be applied — rather than the API mechanics.
  • Automation and the ability to provide repeatable provisioning for applications and services can remove bottlenecks and create smoother processes for all. Many security teams aren’t just short-staffed; they’re far outnumbered by their ops and dev teams. The Ansible-Palo Alto Networks Content Collection enables SecOps to build security natively into their daily workflows.

How to get started

The Palo Alto Networks Ansible Content Collection is available to Palo Alto Networks customers who are also Ansible subscribers. You can find the collection in the Red Hat Automation Hub and view how-tos and tutorials. If you are new to Ansible or not a subscriber, you can try it out with a 30-day free trial.

Additionally stay tuned for more information on our upcoming Event-Driven Ansible plugin for PAN-OS, elevating the security operations of Palo Alto Networks products.

Subscribe to Network Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.