PaloAltoNetworks · pedromaidana · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -0,0 +1,70 @@
+---
+# Collections Requirements File for AWX/Ansible Automation Platform
+#
+# AWX will automatically install these collections when the project is synced
+# if "Collections" is enabled in the project settings.
+#
+# For AWX Configuration:
+# 1. In your AWX Project settings, ensure the following are set:
+#    - Source Control URL: <your-git-repo-url>
+#    - Source Control Branch/Tag/Commit: master (or your branch)
+#    - Options: ✓ Update Revision on Launch
+# 2. In your Job Template settings:
+#    - Check "Enable Collection(s) Download"
+#    - This tells AWX to run: ansible-galaxy collection install -r collections/requirements.yml
+
+collections:
+  # PAN-OS Collection - Required dependency
+  # This provides all the panos_* modules (panos_address_object, panos_security_rule, etc.)
+  - name: paloaltonetworks.panos
+    version: ">=3.1.1"
+    source: https://galaxy.ansible.com
+
+  # Ansible Utils Collection - Required for network_in_network filter
+  # Used in policy matching logic
+  - name: ansible.utils
+    version: ">=6.0.0"
+    source: https://galaxy.ansible.com
+
+  # Ansible Netcommon Collection - Required by paloaltonetworks.panos
+  - name: ansible.netcommon
+    version: ">=8.0.0"
+    source: https://galaxy.ansible.com
+
+  # THIS Collection - PAN-OS Policy Automation
+  # Option 1: Install from Ansible Galaxy (if published)
+  - name: paloaltonetworks.panos_policy_automation
+    # Uncomment this line if the collection is published to Galaxy:
+    # source: https://galaxy.ansible.com
+
+  # Option 2: Install from Git repository (for development/private repos)
+  # Uncomment and configure this section if using Git:
+  # - name: https://github.com/PaloAltoNetworks/ansible_panos_policy_orchestration.git
+  #   type: git
+  #   version: master
+
+  # Option 3: Install from a local tarball or HTTP URL
+  # If you've built the collection and hosted it somewhere:
+  # - name: https://your-server.com/path/to/paloaltonetworks-panos_policy_automation-1.4.4.tar.gz
+  #   type: file
+
+# IMPORTANT NOTES FOR AWX:
+#
+# 1. Collections Path in AWX:
+#    AWX installs collections to: /runner/requirements_collections/
+#    This is automatically in the collection search path.
+#
+# 2. If using a private Git repo for this collection:
+#    - Add SCM credentials to AWX
+#    - Use the git URL format above
+#    - Ensure the repo is accessible from AWX
+#
+# 3. If hosting the built collection tarball:
+#    - Build: ansible-galaxy collection build
+#    - Host the .tar.gz file on a web server or Artifactory
+#    - Use the file URL format above
+#
+# 4. Environment Variables in AWX:
+#    Define these in AWX Credentials (Custom Credential Type) or Job Template extra vars:
+#    - PAN_USERNAME
+#    - PAN_PASSWORD
diff --git a/example_lookup_policy.yml b/example_lookup_policy.yml
@@ -0,0 +1,19 @@
+---
+- hosts: all
+  connection: local
+  gather_facts: true
+  name: Example Policy Lookup Playbook
+
+  vars:
+    provider:
+      ip_address: "{{ ansible_host }}"
+      username: "{{ lookup('env', 'ANSIBLE_NET_USERNAME') }}"
+      password: "{{ lookup('env', 'ANSIBLE_NET_PASSWORD') }}"
+
+  roles:
+    - lookup_policy
+
+  tasks:
+    - name: Print the results
+      ansible.builtin.debug:
+        msg: "{{ lookup_policy_security_policy_match_result | paloaltonetworks.panos_policy_automation.panos_op_stdout_to_dict }}"
diff --git a/playbooks/awx/lookup_policy.yml b/playbooks/awx/lookup_policy.yml
@@ -0,0 +1,101 @@
+---
+# AWX-Compatible Policy Lookup Playbook
+#
+# This playbook tests if the given traffic is already allowed by an existing security policy.
+#
+# AWX Setup Required:
+# 1. Project must have collections/requirements.yml configured
+# 2. Job Template must have "Enable Collection(s) Download" checked
+# 3. Credentials must provide PAN_USERNAME and PAN_PASSWORD (see below)
+#
+# Required Extra Variables (set in AWX Survey or Job Template):
+#   - policy_creation_source_ip: Source IP address (e.g., "10.10.12.11")
+#   - policy_creation_destination_ip: Destination IP address (e.g., "8.8.8.8")
+#   - policy_creation_application: Application name (e.g., "web-browsing", "ssh")
+#
+# Optional Variables:
+#   - policy_creation_destination_port: Destination port (default: "443")
+#   - policy_creation_protocol: IP protocol number (default: "6" for TCP)
+#
+# Inventory Requirements:
+#   - Host or group with ansible_host pointing to Panorama
+#   - Variables: ansible_connection: local
+
+- name: Lookup Security Policy Match
+  hosts: all
+  connection: local
+  gather_facts: true
+
+  vars:
+    # Provider configuration for PAN-OS modules
+    # In AWX, PAN_USERNAME and PAN_PASSWORD should come from a Custom Credential
+    provider:
+      ip_address: "{{ ansible_host }}"
+      username: "{{ pan_username | default(lookup('env', 'PAN_USERNAME')) }}"
+      password: "{{ pan_password | default(lookup('env', 'PAN_PASSWORD')) }}"
+
+  # Pre-flight checks
+  pre_tasks:
+    - name: Validate required variables are provided
+      ansible.builtin.assert:
+        that:
+          - policy_creation_source_ip is defined
+          - policy_creation_source_ip | length > 0
+          - policy_creation_destination_ip is defined
+          - policy_creation_destination_ip | length > 0
+          - policy_creation_application is defined
+          - policy_creation_application | length > 0
+          - ansible_host is defined
+        fail_msg: |
+          Missing required variables. Please ensure the following are set:
+          - policy_creation_source_ip
+          - policy_creation_destination_ip
+          - policy_creation_application
+          - ansible_host (in inventory)
+        success_msg: "All required variables present"
+
+    - name: Validate credentials are available
+      ansible.builtin.assert:
+        that:
+          - provider.username is defined
+          - provider.username | length > 0
+          - provider.password is defined
+          - provider.password | length > 0
+        fail_msg: |
+          PAN-OS credentials not found. In AWX, ensure:
+          1. Custom Credential Type is created for PAN-OS
+          2. Credential is associated with the Job Template
+          Or set PAN_USERNAME and PAN_PASSWORD environment variables
+        success_msg: "PAN-OS credentials validated"
+
+    - name: Display lookup parameters
+      ansible.builtin.debug:
+        msg:
+          - "Testing policy for:"
+          - "  Source IP: {{ policy_creation_source_ip }}"
+          - "  Destination IP: {{ policy_creation_destination_ip }}"
+          - "  Application: {{ policy_creation_application }}"
+          - "  Panorama: {{ provider.ip_address }}"
+
+  # Execute the lookup_policy role
+  roles:
+    - role: paloaltonetworks.panos_policy_automation.lookup_policy
+
+  # Post-execution tasks
+  tasks:
+    - name: Display policy match results
+      ansible.builtin.debug:
+        msg:
+          - "=== Policy Lookup Results ==="
+          - "Policy Match Found: {{ policy_creation_security_matches_existing_policy | default('Unknown') }}"
+          - "{% if policy_creation_security_matches_existing_policy is defined %}{% if policy_creation_security_matches_existing_policy %}Traffic is ALLOWED by existing policy{% else %}Traffic is BLOCKED - no matching policy{% endif %}{% endif %}"
+
+    - name: Create artifact for AWX
+      ansible.builtin.set_stats:
+        data:
+          policy_match: "{{ policy_creation_security_matches_existing_policy | default(false) }}"
+          source_ip: "{{ policy_creation_source_ip }}"
+          destination_ip: "{{ policy_creation_destination_ip }}"
+          application: "{{ policy_creation_application }}"
+          status: "{{ 'ALLOWED' if policy_creation_security_matches_existing_policy | default(false) else 'BLOCKED' }}"
+        per_host: false