community.network.panos_security_rule – Create security rule policy on PAN-OS devices or Panorama management console.

From Get docs
Ansible/docs/2.10/collections/community/network/panos security rule module


community.network.panos_security_rule – Create security rule policy on PAN-OS devices or Panorama management console.

Note

This plugin is part of the community.network collection (version 1.3.0).

To install it use: ansible-galaxy collection install community.network.

To use it in a playbook, specify: community.network.panos_security_rule.


DEPRECATED

Removed in
version 2.0.0
Why
Consolidating code base.
Alternative
Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments

action

string

Default:

"allow"

Action to apply once rules maches.

antivirus

string

Name of the already defined antivirus profile.

api_key

string

API key that can be used instead of username/password credentials.

application

string

Default:

"any"

List of applications.

category

list / elements=string

Default:

["any"]

The category.

commit

boolean

  • no
  • yes

Commit configuration if changed.

data_filtering

string

Name of the already defined data_filtering profile.

description

string

Description for the security rule.

destination_ip

string

Default:

"any"

List of destination addresses.

destination_zone

string

Default:

"any"

List of destination zones.

devicegroup

string

- Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.

file_blocking

string

Name of the already defined file_blocking profile.

group_profile

string

- Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.

hip_profiles

string

Default:

"any"

- If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.

ip_address

string / required

IP address (or hostname) of PAN-OS device being configured.

log_end

boolean

  • no
  • yes

Whether to log at session end.

log_start

boolean

  • no

  • yes

Whether to log at session start.

operation

string

  • add

  • update
  • delete
  • find

The action to be taken. Supported values are add/update/find/delete.

password

string / required

Password credentials to use for auth unless api_key is set.

rule_name

string / required

Name of the security rule.

rule_type

string

Default:

"universal"

Type of security rule (version 6.1 of PanOS and above).

service

string

Default:

"application-default"

List of services.

source_ip

string

Default:

"any"

List of source addresses.

source_user

string

Default:

"any"

Use users to enforce policy for individual users or a group of users.

source_zone

string

Default:

"any"

List of source zones.

spyware

string

Name of the already defined spyware profile.

tag_name

string

Administrative tags that can be added to the rule. Note, tags must be already defined.

url_filtering

string

Name of the already defined url_filtering profile.

username

string

Default:

"admin"

Username credentials to use for auth unless api_key is set.

vulnerability

string

Name of the already defined vulnerability profile.

wildfire_analysis

string

Name of the already defined wildfire_analysis profile.



Notes

Note

  • Checkmode is not supported.
  • Panorama is supported.


Examples

- name: Add an SSH inbound rule to devicegroup
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['ProjectX']
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'Cloud Edge'

- name: Add a rule to allow HTTP multimedia only from CDNs
  community.network.panos_security_rule:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    operation: 'add'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'

- name: Add a more complex rule that uses security profiles
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'

- name: Delete a devicegroup security rule
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    rule_name: 'Allow telnet'
    devicegroup: 'DC Firewalls'

- name: Find a specific security rule
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    password: '{{ password }}'
    operation: 'find'
    rule_name: 'Allow RDP to DCs'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

Status

  • This module will be removed in version 2.0.0. [deprecated]
  • For more information see DEPRECATED.

Authors

  • Ivan Bojer (@ivanbojer), Robert Hagen (@rnh556)

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/network/panos_security_rule_module.html