How to change firewall rules on 100+ devices?

There are 100+ devices running VyOS.
Interfaces, firewall rulesets, and rules might have different names/numbers.

My goal: remove port restrictions on all firewall rules on all devices.
Any ideas?

Currently all configs get dumped onto a control server, so they can be parsed there.
Installing any agents on the devices is not possible.

Use Ansible.
Here is an example playbook I use:

- name: VyOS deploy syslog settings
  connection: network_cli
  gather_facts: False
  hosts: vyos

  tasks:
  - name: Include syslog vars
    include_vars:
      file: files/syslog.yml

  - name: Deploy syslog on VyOS routers
    cli_config:
      config: "{{ lookup('template', 'vyos-syslog.j2') }}"
      commit_comment: Updated syslog from Ansible.

And the syslog.yml variables are defined like this:

---
syslog_hosts:
  - 172.18.42.12:1521
  - 172.23.253.22:1521

And this Jinja2 template uses those variables and pushes the configuration to the device:

delete system syslog
set system syslog global facility all level 'debug'
{% for host in syslog_hosts %}
set system syslog host {{host}} facility all level 'debug'
set system syslog host {{host}} facility all protocol 'udp'
{% endfor %}

So at the end of the day this is how I solved it:

  1. Ansible pulls the config file from the device (nothing fashionable here, because the nodes don't have Python);
  2. The controller node uses the command module to launch a Python script that parses and edits the pulled config file on the controller;
  3. Ansible pushes the config file back to the node and applies it there.
