From 1516ba1ed60c6d40705b13d4b06c3aceb726c71f Mon Sep 17 00:00:00 2001
From: Pedro Maidana
Date: Thu, 5 Feb 2026 13:54:41 -0300
Subject: [PATCH 1/5] Create requirements.yml

---
collections/requirements.yml | 70 ++++++++++++++++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 collections/requirements.yml

diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..0877b6f
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,70 @@
+---
+# Collections Requirements File for AWX/Ansible Automation Platform
+#
+# AWX will automatically install these collections when the project is synced
+# if "Collections" is enabled in the project settings.
+#
+# For AWX Configuration:
+# 1. In your AWX Project settings, ensure the following are set:
+# - Source Control URL:
+# - Source Control Branch/Tag/Commit: master (or your branch)
+# - Options: ✓ Update Revision on Launch
+# 2. In your Job Template settings:
+# - Check "Enable Collection(s) Download"
+# - This tells AWX to run: ansible-galaxy collection install -r collections/requirements.yml
+
+collections:
+ # PAN-OS Collection - Required dependency
+ # This provides all the panos_* modules (panos_address_object, panos_security_rule, etc.)
+ - name: paloaltonetworks.panos
+ version: ">=3.1.1"
+ source: https://galaxy.ansible.com
+
+ # Ansible Utils Collection - Required for network_in_network filter
+ # Used in policy matching logic
+ - name: ansible.utils
+ version: ">=6.0.0"
+ source: https://galaxy.ansible.com
+
+ # Ansible Netcommon Collection - Required by paloaltonetworks.panos
+ - name: ansible.netcommon
+ version: ">=8.0.0"
+ source: https://galaxy.ansible.com
+
+ # THIS Collection - PAN-OS Policy Automation
+ # Option 1: Install from Ansible Galaxy (if published)
+ - name: paloaltonetworks.panos_policy_automation
+ # Uncomment this line if the collection is published to Galaxy:
+ # source: https://galaxy.ansible.com
+
+ # Option 2: Install from Git repository (for development/private repos)
+ # Uncomment and configure this section if using Git:
+ # - name: https://github.com/PaloAltoNetworks/ansible_panos_policy_orchestration.git
+ # type: git
+ # version: master
+
+ # Option 3: Install from a local tarball or HTTP URL
+ # If you've built the collection and hosted it somewhere:
+ # - name: https://your-server.com/path/to/paloaltonetworks-panos_policy_automation-1.4.4.tar.gz
+ # type: file
+
+# IMPORTANT NOTES FOR AWX:
+#
+# 1. Collections Path in AWX:
+# AWX installs collections to: /runner/requirements_collections/
+# This is automatically in the collection search path.
+#
+# 2. If using a private Git repo for this collection:
+# - Add SCM credentials to AWX
+# - Use the git URL format above
+# - Ensure the repo is accessible from AWX
+#
+# 3. If hosting the built collection tarball:
+# - Build: ansible-galaxy collection build
+# - Host the .tar.gz file on a web server or Artifactory
+# - Use the file URL format above
+#
+# 4. Environment Variables in AWX:
+# Define these in AWX Credentials (Custom Credential Type) or Job Template extra vars:
+# - PAN_USERNAME
+# - PAN_PASSWORD

From 0055bf196115a9ad78370d5070cd1d0de10c0920 Mon Sep 17 00:00:00 2001
From: Pedro Maidana
Date: Thu, 5 Feb 2026 13:55:20 -0300
Subject: [PATCH 2/5] Rename lookup_policy.yml to lookup_policy.yml.bkp

---
playbooks/examples/{lookup_policy.yml => lookup_policy.yml.bkp} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename playbooks/examples/{lookup_policy.yml => lookup_policy.yml.bkp} (100%)

diff --git a/playbooks/examples/lookup_policy.yml b/playbooks/examples/lookup_policy.yml.bkp
similarity index 100%
rename from playbooks/examples/lookup_policy.yml
rename to playbooks/examples/lookup_policy.yml.bkp

From 3b76c6a947ecf0504ebc732e3a659dc1a01450ec Mon Sep 17 00:00:00 2001
From: Pedro Maidana
Date: Thu, 5 Feb 2026 13:58:46 -0300
Subject: [PATCH 3/5] Rename lookup_policy.yml.bkp to lookup_policy.yml

---
playbooks/examples/{lookup_policy.yml.bkp => lookup_policy.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename playbooks/examples/{lookup_policy.yml.bkp => lookup_policy.yml} (100%)

diff --git a/playbooks/examples/lookup_policy.yml.bkp b/playbooks/examples/lookup_policy.yml
similarity index 100%
rename from playbooks/examples/lookup_policy.yml.bkp
rename to playbooks/examples/lookup_policy.yml

From 0171378d55aa571093123294f77b4214c4f014d2 Mon Sep 17 00:00:00 2001
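Review bot: The three dependency constraints are open-ended (`version: ">=3.1.1"`, `">=6.0.0"`, `">=8.0.0"`) and the project's own entry `- name: paloaltonetworks.panos_policy_automation` carries no version or source at all, so with "Update Revision on Launch" enabled each project sync may resolve a different set of collections and a newly published major release reaches production jobs without review. Pin each dependency to a tested release, or at least bound it, e.g. `version: ">=3.1.1,<4.0.0"`, and give the project collection an explicit version; the commented Git option should likewise point at a tag or commit rather than `version: master`. Note 4 at the end also suggests supplying PAN_PASSWORD as Job Template extra vars; extra vars are stored with every job record and shown to anyone who can view the job, so the comment should recommend only a Custom Credential Type with the password field marked secret, `# Define these only in an AWX Custom Credential Type (secret field); do not pass them as extra vars`.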
From: Pedro Maidana
Date: Thu, 5 Feb 2026 13:59:21 -0300
Subject: [PATCH 4/5] Create lookup_policy.yml

---
playbooks/awx/lookup_policy.yml | 101 ++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 playbooks/awx/lookup_policy.yml

diff --git a/playbooks/awx/lookup_policy.yml b/playbooks/awx/lookup_policy.yml
new file mode 100644
index 0000000..292b691
--- /dev/null
+++ b/playbooks/awx/lookup_policy.yml
@@ -0,0 +1,101 @@
+---
+# AWX-Compatible Policy Lookup Playbook
+#
+# This playbook tests if the given traffic is already allowed by an existing security policy.
+#
+# AWX Setup Required:
+# 1. Project must have collections/requirements.yml configured
+# 2. Job Template must have "Enable Collection(s) Download" checked
+# 3. Credentials must provide PAN_USERNAME and PAN_PASSWORD (see below)
+#
+# Required Extra Variables (set in AWX Survey or Job Template):
+# - policy_creation_source_ip: Source IP address (e.g., "10.10.12.11")
+# - policy_creation_destination_ip: Destination IP address (e.g., "8.8.8.8")
+# - policy_creation_application: Application name (e.g., "web-browsing", "ssh")
+#
+# Optional Variables:
+# - policy_creation_destination_port: Destination port (default: "443")
+# - policy_creation_protocol: IP protocol number (default: "6" for TCP)
+#
+# Inventory Requirements:
+# - Host or group with ansible_host pointing to Panorama
+# - Variables: ansible_connection: local
+
+- name: Lookup Security Policy Match
+ hosts: all
+ connection: local
+ gather_facts: true
+
+ vars:
+ # Provider configuration for PAN-OS modules
+ # In AWX, PAN_USERNAME and PAN_PASSWORD should come from a Custom Credential
+ provider:
+ ip_address: "{{ ansible_host }}"
+ username: "{{ pan_username | default(lookup('env', 'PAN_USERNAME')) }}"
+ password: "{{ pan_password | default(lookup('env', 'PAN_PASSWORD')) }}"
+
+ # Pre-flight checks
+ pre_tasks:
+ - name: Validate required variables are provided
+ ansible.builtin.assert:
+ that:
+ - policy_creation_source_ip is defined
+ - policy_creation_source_ip | length > 0
+ - policy_creation_destination_ip is defined
+ - policy_creation_destination_ip | length > 0
+ - policy_creation_application is defined
+ - policy_creation_application | length > 0
+ - ansible_host is defined
+ fail_msg: |
+ Missing required variables. Please ensure the following are set:
+ - policy_creation_source_ip
+ - policy_creation_destination_ip
+ - policy_creation_application
+ - ansible_host (in inventory)
+ success_msg: "All required variables present"
+
+ - name: Validate credentials are available
+ ansible.builtin.assert:
+ that:
+ - provider.username is defined
+ - provider.username | length > 0
+ - provider.password is defined
+ - provider.password | length > 0
+ fail_msg: |
+ PAN-OS credentials not found. In AWX, ensure:
+ 1. Custom Credential Type is created for PAN-OS
+ 2. Credential is associated with the Job Template
+ Or set PAN_USERNAME and PAN_PASSWORD environment variables
+ success_msg: "PAN-OS credentials validated"
+
+ - name: Display lookup parameters
+ ansible.builtin.debug:
+ msg:
+ - "Testing policy for:"
+ - " Source IP: {{ policy_creation_source_ip }}"
+ - " Destination IP: {{ policy_creation_destination_ip }}"
+ - " Application: {{ policy_creation_application }}"
+ - " Panorama: {{ provider.ip_address }}"
+
+ # Execute the lookup_policy role
+ roles:
+ - role: paloaltonetworks.panos_policy_automation.lookup_policy
+
+ # Post-execution tasks
+ tasks:
+ - name: Display policy match results
+ ansible.builtin.debug:
+ msg:
+ - "=== Policy Lookup Results ==="
+ - "Policy Match Found: {{ policy_creation_security_matches_existing_policy | default('Unknown') }}"
+ - "{% if policy_creation_security_matches_existing_policy is defined %}{% if policy_creation_security_matches_existing_policy %}Traffic is ALLOWED by existing policy{% else %}Traffic is BLOCKED - no matching policy{% endif %}{% endif %}"
+
+ - name: Create artifact for AWX
+ ansible.builtin.set_stats:
+ data:
+ policy_match: "{{ policy_creation_security_matches_existing_policy | default(false) }}"
+ source_ip: "{{ policy_creation_source_ip }}"
+ destination_ip: "{{ policy_creation_destination_ip }}"
+ application: "{{ policy_creation_application }}"
+ status: "{{ 'ALLOWED' if policy_creation_security_matches_existing_policy | default(false) else 'BLOCKED' }}"
+ per_host: false

From 2aa8f62dc2b99c01fd3637adecfe6e4b3f56cad6 Mon Sep 17 00:00:00 2001
From: Pedro Maidana
Date: Thu, 5 Feb 2026 14:58:37 -0300
Subject: [PATCH 5/5] Create example_lookup_policy.yml

---
example_lookup_policy.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 example_lookup_policy.yml

diff --git a/example_lookup_policy.yml b/example_lookup_policy.yml
new file mode 100644
index 0000000..4080626
--- /dev/null
+++ b/example_lookup_policy.yml
@@ -0,0 +1,19 @@
+---
+- hosts: all
+ connection: local
+ gather_facts: true
+ name: Example Policy Lookup Playbook
+
+ vars:
+ provider:
+ ip_address: "{{ ansible_host }}"
+ username: "{{ lookup('env', 'ANSIBLE_NET_USERNAME') }}"
+ password: "{{ lookup('env', 'ANSIBLE_NET_PASSWORD') }}"
+
+ roles:
+ - lookup_policy
+
+ tasks:
+ - name: Print the results
+ ansible.builtin.debug:
+ msg: "{{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }}"
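Review bot: The two results tasks at the end of the play read `policy_creation_security_matches_existing_policy`, but nothing in this series shows the role setting that fact; the example playbook added in the last patch consumes `lookup_policy_security_policy_match_result` instead, so if the role exposes only that name, the `| default(false)` on the `policy_match` and `status` lines turns an absent result into `status: "BLOCKED"` on every run. Whatever the fact is called, a missing value should not be reported as a verdict: insert `- ansible.builtin.assert: {that: policy_creation_security_matches_existing_policy is defined, fail_msg: "lookup_policy role did not return a match result"}` before the debug task, or emit `UNKNOWN` when it is undefined. The debug text "Traffic is BLOCKED - no matching policy" also overstates what a lookup establishes — no matching allow rule is not evidence of a deny, so the wording should stay at "no matching policy". Separately, `hosts: all` with `connection: local` runs the Panorama query once per inventory host, so either target the Panorama group or document that the inventory is expected to hold a single host; `gather_facts: true` only collects facts about the execution node here and can be `false`.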
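Review bot: The role is referenced by its short name, `- lookup_policy`, whereas playbooks/awx/lookup_policy.yml in this same series uses `- role: paloaltonetworks.panos_policy_automation.lookup_policy`; the short form resolves only when a `roles/lookup_policy` directory sits next to this playbook or is on the roles path, so the example will likely fail for a user who installed the collection from collections/requirements.yml rather than cloning the repo, and the FQCN should be used here too. The provider credentials come from `lookup('env', ...)` with no check that the variables are set, so an unset ANSIBLE_NET_PASSWORD silently becomes an empty password; the credential-validation pre_task from the AWX playbook would catch that here as well. As a style point, `hosts:` precedes `name:` on the play, which reads oddly next to the other playbook — putting `name` first keeps the two consistent.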