PAY = deployment of Palo Alto from YAML = Palo Alto from YAML
PAY is the name of an approach rather than the name of a software product.
The idea is to manage the Palo Alto (PA) configuration via text files in YAML format. It allows you to:
- use a simple interface for PA configuration
- think only about the configuration parameters and not about command syntax or GUI navigation
- use version control systems (for example, based on git) and follow development best practices for controlling changes to network infrastructure
It is mostly useful in two cases:
- you have repetitive operations with the same or similar command syntax, but with different parameters. In this case, the syntax can be defined using templates (Jinja2), and the parameters are described in configuration files (YAML)
- during the implementation stage of a project. This approach lets you use development best practices for change management based on git and git-like applications
This project should be considered only as a set of examples. Perhaps it will meet your expectations and design, but most likely you will want something else, more or less. That only means you need to change the Jinja templates (not just the YAML files), and once you understand this method, that is easy to do.
- clone this project to your local folder
- install Python3 with YAML and Jinja2 packages
Devices: Panorama and Palo Alto Firewall. In these examples we always configure firewalls with Panorama templates or device groups, except in the case of initial configuration.
- Panorama configuration
- Firewall configuration:
- initial configuration: folder initial_fw
- log forwarding: folder shared
- templates (template1):
The procedure is simple and mainly consists of three steps:
- fill in the YAML file
- generate the TXT configuration file
- upload it to Panorama.
You never change the Python rendering file render.py and generally you don't need to change Jinja2 templates.
All steps described here have already been completed. So you don't actually have to do anything, and you can just click the links and view the configuration files.
Let's consider, for example, that we want to configure BGP sessions.
- Go to the corresponding folder. In this case it is bgp
There are 2 files already there: template.j2 and bgp_tmpl.yml.
- template.j2 is the Jinja2 template. You usually don't need to change it.
- bgp_tmpl.yml is the YAML file we are going to use as the starting point for our own YAML file (if it has not been done before)
- Create a new folder (if it has not been done before). Actually you may use any folder, but it looks reasonable to create a new folder in the current one. Let's create a folder example1
mkdir example1
- Copy file bgp_tmpl.yml (if it has not been done before) to this folder and rename it:
cp bgp_tmpl.yml ./example1/bgp.yml
cd ./example1/
python3 ../../render.py ../template.j2 bgp.yml > bgp.txt
- Upload this file to Panorama (cut and paste for example).
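
The fill-in, render and upload procedure above, sketched as an added example (not the project's render.py): it validates the YAML values before rendering, so a typo or a stray newline fails the run instead of ending up in the text pasted into Panorama. The template text, the YAML key names and the generated set lines are constructed for illustration and are not the project's template.j2 or bgp_tmpl.yml.

```python
import ipaddress
import re
import jinja2
import yaml

# Constructed template for illustration; not the project's template.j2.
TEMPLATE = """\
{% set base = "set template " ~ template ~ " config network virtual-router " ~ vr ~ " protocol bgp" %}
{% for p in peers %}
{{ base }} peer-group {{ p.group }} peer {{ p.name }} peer-as {{ p.peer_as }}
{{ base }} peer-group {{ p.group }} peer {{ p.name }} peer-address ip {{ p.ip }}
{% endfor %}
"""

# Constructed parameters; the key names are assumptions, not bgp_tmpl.yml.
PARAMS = """\
template: template1
vr: default
peers:
  - {name: isp1, group: upstream, peer_as: 65010, ip: 192.0.2.1}
  - {name: isp2, group: upstream, peer_as: 65020, ip: 192.0.2.5}
"""

NAME = re.compile(r"[A-Za-z0-9_.-]+")

def check_name(value):
    # A name with a space or newline would split into extra CLI words or lines.
    if not isinstance(value, str) or not NAME.fullmatch(value):
        raise ValueError(f"unsafe name: {value!r}")

def validate(params):
    check_name(params["template"])
    check_name(params["vr"])
    for p in params["peers"]:
        check_name(p["name"])
        check_name(p["group"])
        ipaddress.ip_address(str(p["ip"]))  # raises ValueError if malformed
        if not 1 <= int(p["peer_as"]) <= 4294967295:
            raise ValueError(f"peer_as out of range: {p['peer_as']}")

def render(template_text, yaml_text):
    params = yaml.safe_load(yaml_text)  # safe_load: no arbitrary object tags
    validate(params)
    # StrictUndefined: a variable missing from the YAML is an error, not "".
    env = jinja2.Environment(undefined=jinja2.StrictUndefined, trim_blocks=True)
    return env.from_string(template_text).render(**params)

if __name__ == "__main__":
    print(render(TEMPLATE, PARAMS), end="")
```

Running the same checks in CI on every commit to the YAML files gives the git-based review described earlier a machine-checked gate before anything is uploaded.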