Terraform Provider for PAN-OS Now Supports Panorama


Earlier this year, Palo Alto Networks became the first security vendor to release a Terraform Provider, which allows customers to fully automate the configuration and policy creation of an in-place appliance-based or virtualized Palo Alto Networks next-generation firewall.

With our Provider for PAN-OS 1.1, 1.2 and 1.4 releases, we have added a wide range of configuration tasks including support for IPSec VPN configuration. In addition to IPSec VPN support, the Terraform Provider for PAN-OS can be used to automate firewall configuration through Panorama. Device Groups, Templates, Template Stacks, Address Objects and NAT Policies are just a few of the items you can now automate within Panorama via the Provider for PAN-OS.


Terraform and Panorama?

We’ve heard the question: doesn’t Terraform obviate the need for Panorama? The short answer is no; in fact, Panorama and Terraform address two distinct roles and are complementary. Here’s a handy summary:

| Task                          | Terraform | Panorama |
|-------------------------------|-----------|----------|
| Device configuration & update | X         | X        |
| Policy deployment/updates     | X         | X        |
| Visibility                    |           | X        |
| Reporting                     |           | X        |
| Forensics                     |           | X        |
| Log storage/aggregation       |           | X        |


As a reminder, Panorama provides centralized management of our next-generation firewalls. It can be deployed as a dedicated appliance, or as a virtualized instance in AWS, Azure and Google Cloud. The Panorama distributed architecture allows you to separate management functionality from logging, deploying each where it makes the most sense. For example, you might run a management-only appliance on-prem and deploy Log Collectors in the cloud regions where your firewalls are located, thereby minimizing log transfers (and bandwidth charges). Logging Service can also be used as an alternative to Log Collectors.

Customers can use the existing Terraform Provider for AWS, Azure or Google Cloud to automate the creation of a VPC on AWS or Google Cloud, or a Resource Group in Azure, complete with a VM-Series firewall. Using bootstrapping, the VM-Series is deployed with a minimal configuration that establishes connectivity and registers itself with Panorama. The benefit of this minimal-configuration approach is that a single image can be used across a wide range of deployment scenarios, with the variances between them addressed by Terraform and Panorama.

Once the firewall is deployed, the expanded Panorama support in the Terraform Provider for PAN-OS can be used to automate additional configuration changes. Templates and Template Stacks can be applied to address configuration variances for firewalls deployed in different regions (US, EMEA, APAC cloud regions) or different form factors (cloud vs. physical on-premises). Device Groups (based on location or form factor) are then applied for policy creation and updates. Note that Templates, Template Stacks and Device Groups can all be automated through Panorama with the Terraform Provider.
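The workflow above, written out as an added Terraform example (not configuration from the original post): a Template and Template Stack for one cloud region, a Device Group the bootstrapped firewall joins, an address object scoped to that group, and a pre-rulebase rule built from it. Resource and attribute names follow the terraform-provider-panos documentation; their availability in a specific provider release, the Panorama hostname, the device serial and the subnet are assumptions or placeholders.

```hcl
# Added example: resource names follow terraform-provider-panos docs; availability per release is assumed.
provider "panos" {
  hostname = "panorama.example.com"  # placeholder Panorama address
  username = var.panorama_user
  password = var.panorama_password
}
variable "panorama_user" {}
variable "panorama_password" {}
# Template: region-specific network and device settings
resource "panos_panorama_template" "us_cloud" {
  name = "tmpl-us-cloud"
}
# Template Stack the bootstrapped VM-Series attach to (serial is a placeholder)
resource "panos_panorama_template_stack" "us_cloud" {
  name      = "stack-us-cloud"
  templates = [panos_panorama_template.us_cloud.name]
  devices   = ["PLACEHOLDER_SERIAL"]
}
# Device Group by location/form factor; policy is pushed through it
resource "panos_panorama_device_group" "us_cloud" {
  name = "dg-us-cloud"
  device {
    serial = "PLACEHOLDER_SERIAL"
  }
}
# Address object scoped to the Device Group (constructed sample subnet)
resource "panos_panorama_address_object" "mgmt_net" {
  name         = "mgmt-net"
  device_group = panos_panorama_device_group.us_cloud.name
  value        = "10.10.0.0/24"
}
# Pre-rulebase rule: block untrusted access to the management subnet
resource "panos_panorama_security_rule_group" "baseline" {
  device_group = panos_panorama_device_group.us_cloud.name
  rulebase     = "pre-rulebase"
  rule {
    name                  = "deny-mgmt-from-untrust"
    source_zones          = ["untrust"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["trust"]
    destination_addresses = [panos_panorama_address_object.mgmt_net.name]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "deny"
  }
}
```

After `terraform apply`, the objects exist as candidate configuration on Panorama; a separate commit and push to the Device Group and Template Stack is still required before the firewalls receive them.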

Once the firewalls are in production, the role of Panorama increases as it becomes the central location for visibility, reporting and forensics across the entire firewall estate. Put differently, for security teams, Panorama becomes the “source of truth” for all security-related tasks, with Terraform acting as a complementary mechanism to automate large-scale, repetitive tasks.

Additional resources:

  • Terraform Providers for the cloud providers and for PAN-OS
  • Review a summary of the new features added to Terraform Provider for PAN-OS 1.1, 1.2 and 1.4.
  • Additional automation tools and resources

The post Terraform Provider for PAN-OS Now Supports Panorama appeared first on Palo Alto Networks Blog.
