Automating F5 Firewall Configuration with NetBox and Ansible

Automating the configuration of F5 firewalls using NetBox and Ansible can streamline your network management processes, reduce errors, and enhance security. In this article, we'll guide you through the steps to automate F5 firewall configuration with NetBox and Ansible.

Firewalls play a crucial role in network security by protecting your infrastructure from unauthorized access and potential threats. F5 firewalls, powered by BIG-IP, are highly capable devices for managing traffic and security policies.

Prerequisites

Before we begin, make sure you have the following in place:

  1. F5 BIG-IP Firewall: An F5 BIG-IP firewall device is required for this setup. Ensure it's properly configured and accessible on your network.
  2. NetBox: NetBox is an open-source IP address management (IPAM) and data center infrastructure management (DCIM) tool. Install and configure NetBox on a server in your network.
  3. Ansible: Ansible is an automation tool that will be used to interact with the F5 firewall and NetBox. Install Ansible on a control machine that will run the automation scripts.
  4. Python Libraries: You'll need specific Python libraries to interact with F5 devices and NetBox. Install f5-sdk, bigrest, and pynetbox using pip:
pip install f5-sdk bigrest pynetbox

Automation Workflow

We'll automate the process in the following steps:

  1. Retrieve Configuration Data from NetBox: Use Ansible and the NetBox API to fetch configuration data, such as IP addresses, subnets, and other network-related information.
  2. Generate F5 Configuration Templates: Create Jinja2 templates that represent the desired F5 firewall configuration based on the data retrieved from NetBox.
  3. Deploy Configuration to F5 Firewall: Use Ansible to push the generated configurations to the F5 firewall, ensuring consistency and accuracy.

Step 1: Retrieve Configuration Data from NetBox

Create an Ansible playbook that fetches the required data from NetBox. Here's an example playbook (fetch_netbox_data.yml):

---
- name: Fetch data from NetBox
  hosts: localhost
  gather_facts: no
  vars:
    netbox_url: "https://your-netbox-url"
    # keep the real token in an Ansible Vault-encrypted vars file, never in plain text
    netbox_token: "your-netbox-api-token"
  tasks:
    - name: Fetch subnets from NetBox
      ansible.builtin.uri:
        url: "{{ netbox_url }}/api/ipam/prefixes/?limit=0"
        method: GET
        headers:
          Authorization: "Token {{ netbox_token }}"
        status_code: 200
      # the parsed JSON body is available as subnets.json
      register: subnets

    # Add more tasks to fetch other data as needed

Replace your-netbox-url and your-netbox-api-token with your NetBox URL and API token. Keep the token in an Ansible Vault-encrypted variables file rather than in the playbook itself, and use a NetBox token with read-only permissions for this fetch.

Step 2: Generate F5 Configuration Templates

Create Jinja2 templates that represent the F5 firewall configuration based on the data retrieved from NetBox.

For example, you can create a template (f5_config.j2) to configure VLANs and self-IPs:

{# One self-IP per NetBox prefix that has a VLAN assigned, written in bigip.conf
   format so the file can be merged into the running configuration.
   The NetBox VLAN name is assumed to match the VLAN name configured on the BIG-IP. #}
{% for subnet in subnets.json.results if subnet.vlan %}
net self {{ subnet.prefix | replace('/', '_') }} {
    address {{ subnet.prefix }}
    vlan {{ subnet.vlan.name }}
    traffic-group traffic-group-1
}
{% endfor %}

This template uses the data fetched from NetBox to generate self-IP configurations for F5 firewalls.
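As an added example (not code from the article), the same Step 1 and Step 2 logic in plain Python, so you can check the NetBox data before anything reaches the firewall: it follows NetBox's next links (a limit=0 request can still be capped by the server's MAX_PAGE_SIZE setting, which would silently produce a partial configuration), rejects prefixes that would render a broken or duplicate self-IP stanza, and emits the same bigip.conf stanzas as the template above. The NetBox URL, the sample payload and the netbox_get helper are constructed; only fake_get is used in the sample run.

```python
"""Fetch NetBox prefixes page by page, validate them, and render the
bigip.conf self-IP stanzas that the f5_config.j2 template produces.
Added example, standard library only; the NetBox payloads are constructed."""
import ipaddress
import json
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed responses in the shape NetBox returns for /api/ipam/prefixes/:
# two pages, as happens when the result set exceeds the server's page cap.
FIRST_URL = "https://netbox.example/api/ipam/prefixes/?limit=2"
NEXT_URL = "https://netbox.example/api/ipam/prefixes/?limit=2&offset=2"
PAGES = {
    FIRST_URL: {
        "count": 4,
        "next": NEXT_URL,
        "results": [
            {"id": 1, "prefix": "10.10.1.0/24", "vlan": {"id": 7, "vid": 101, "name": "internal"}},
            {"id": 2, "prefix": "10.10.2.0/24", "vlan": None},  # no VLAN assigned
        ],
    },
    NEXT_URL: {
        "count": 4,
        "next": None,
        "results": [
            {"id": 3, "prefix": "10.10.1.0/24", "vlan": {"id": 8, "vid": 102, "name": "external"}},  # duplicate
            {"id": 4, "prefix": "10.10.3.0/24", "vlan": {"id": 9, "vid": 103, "name": "dmz vlan"}},  # bad name
        ],
    },
}


def fake_get(url: str) -> Dict:
    """Stand-in for an HTTP GET against the constructed pages above."""
    return PAGES[url]


def netbox_get(token: str, url: str) -> Dict:
    """Real GET using the same Token header as the playbook (not called in the sample run)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Token {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_prefixes(first_url: str, get_json: Callable[[str], Dict]) -> List[Dict]:
    """Follow 'next' links so a capped page never yields a partial firewall config."""
    results: List[Dict] = []
    url = first_url
    while url:
        page = get_json(url)
        results.extend(page["results"])
        url = page.get("next")
    return results


# Characters accepted for a BIG-IP object name; deliberately stricter than the device.
F5_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_prefixes(prefixes: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Keep prefixes that can become a well-formed self-IP stanza; report the rest."""
    valid: List[Dict] = []
    problems: List[str] = []
    seen = set()
    for p in prefixes:
        try:
            iface = ipaddress.ip_interface(p["prefix"])
        except ValueError:
            problems.append(f"prefix id {p['id']}: {p['prefix']!r} is not a valid prefix")
            continue
        name = (p.get("vlan") or {}).get("name", "")
        if not name:
            problems.append(f"{p['prefix']}: no VLAN assigned in NetBox")
            continue
        if not F5_NAME.match(name):
            problems.append(f"{p['prefix']}: VLAN name {name!r} is not a usable BIG-IP VLAN name")
            continue
        if iface.network in seen:
            problems.append(f"{p['prefix']}: duplicate prefix would create a second self-IP")
            continue
        seen.add(iface.network)
        valid.append(p)
    return valid, problems


def render_self_ips(prefixes: List[Dict]) -> str:
    """Same stanza the f5_config.j2 template emits, in bigip.conf format.
    The address is the NetBox prefix, as in the template; confirm it is the
    host address you want on the BIG-IP before merging."""
    out = []
    for p in prefixes:
        out.append(
            f"net self {p['prefix'].replace('/', '_')} {{\n"
            f"    address {p['prefix']}\n"
            f"    vlan {p['vlan']['name']}\n"
            "    traffic-group traffic-group-1\n"
            "}\n"
        )
    return "".join(out)


if __name__ == "__main__":
    ok, issues = validate_prefixes(fetch_all_prefixes(FIRST_URL, fake_get))
    for issue in issues:
        print("SKIPPED:", issue)
    print(render_self_ips(ok), end="")
```

To run it against a real NetBox, pass `functools.partial(netbox_get, token)` instead of `fake_get`; the skipped-prefix report is what you want to see in CI before the deploy playbook runs, since a prefix without a VLAN or a duplicate would otherwise fail (or worse, partially apply) during the merge on the BIG-IP.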

Step 3: Deploy Configuration to F5 Firewall

Create an Ansible playbook (deploy_f5_config.yml) to push the generated configuration to the F5 firewall:

---
# Run the NetBox fetch first; a registered variable stays available for the host
# (localhost here) for the rest of the run, so subnets can be used in the play below.
- import_playbook: fetch_netbox_data.yml

- name: Deploy F5 configuration
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Render F5 configuration template
      ansible.builtin.template:
        src: f5_config.j2
        dest: f5_config.txt
      # the template reads subnets.json.results from the registered variable

    - name: Merge the rendered configuration into the F5 running configuration
      f5networks.f5_modules.bigip_config:
        # equivalent to "load sys config merge" with the file contents
        merge_content: "{{ lookup('file', 'f5_config.txt') }}"
        save: yes
        provider:
          server: "{{ f5_host }}"
          user: "{{ f5_user }}"
          password: "{{ f5_password }}"
          # keep certificate validation on; disable it only for a lab unit still on its self-signed certificate
          validate_certs: yes

This playbook renders the Jinja2 template and merges the resulting configuration into the F5 firewall's running configuration. Replace the connection variables (f5_host, f5_user, f5_password) with your F5 device's details, keeping the password in an Ansible Vault-encrypted file, and use a BIG-IP account limited to the partitions this playbook manages.

You can find the full documentation of the F5 Ansible modules in the f5networks.f5_modules collection documentation.

Yalla! Let's run the automation

To execute the automation, run the following commands:

Fetch data from NetBox:

ansible-playbook fetch_netbox_data.yml

Generate and deploy the F5 configuration:

ansible-playbook deploy_f5_config.yml

The playbook will upload the generated configuration to the F5 firewall.

With this automation workflow, you can consistently and accurately configure your F5 firewall based on data stored in NetBox.

This not only saves time and reduces errors but also enhances your network's security and manageability by keeping configurations in sync with your network infrastructure.