How to change firewall rules on 100+ devices?

There are 100+ devices running VyOS.
Interfaces, firewall rulesets, rules might have different names/numbers.

My goal: remove port restrictions on all firewall rules on all devices.
Any ideas?

Currently all configs get dumped onto control server, so they can be parsed there.
Installing any agents on the devices is not possible.

Use Ansible.
Here is an example playbook I use:

- name: VyOS deploy syslog settings
  connection: network_cli
  gather_facts: False
  hosts: vyos

  - name:                  Include syslog vars
      file:                files/syslog.yml

  - name: Deploy SNMP on VyOS routers
      config: "{{ lookup('template', 'vyos-syslog.j2') }}"
      commit_comment: Updated syslog from Ansible.

And the syslog.yml variables are defined


And this Jinja2 template will use those variables and push configuration to device.

delete system syslog
set system syslog global facility all level 'debug'
{% for host in syslog_hosts %}
set system syslog host {{host}} facility all level 'debug'
set system syslog host {{host}} facility all protocol 'udp'
{% endfor %}

So in the end of the day this is how I solved it:

  1. Ansible pulls the config file from the device (nothing fashionable here, because nodes don’t have python);
  2. Controller node uses command module to launch a python script that parses and edits the pulled config file on the controller;
  3. Ansible pushes the config file back to the node and applies it there.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.