bigip_firewall_rule – Manage AFM Firewall rules


New in version 2.7.


Synopsis

  • Manages firewall rules in an AFM firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.

Parameters

Each parameter below is listed as its name, its type, any choices or default, and then its comments. Sub-options (for example the items accepted inside source, destination, icmp_message and provider) follow their parent parameter.

action

string

  • accept
  • drop
  • reject
  • accept-decisively

Specifies the action for the firewall rule.

When accept, allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.

When drop, drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached.

When reject, rejects packets with the specified source, destination, and protocol. When a packet is rejected the firewall sends a destination unreachable message to the sender.

When accept-decisively, allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present. If the Rule List is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept.

When creating a new rule, if this parameter is not provided, the default is reject.

description

string

The rule description.

destination

list

Specifies packet destinations to which the rule applies.

Leaving this field blank applies the rule to all addresses and all ports.

You can specify the following destination items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, VLAN, address list, port, port range, port list or address list.

You can specify a mix of different types of items for the destination address.

address

string

Specifies a specific IP address.

address_list

string

Specifies an existing address list.

address_range

string

Specifies an address range.

country

string

Specifies a country code.

port

integer

Specifies a single numeric port.

This option is only valid when protocol is tcp(6) or udp(17).

port_list

string

Specifies an existing port list.

This option is only valid when protocol is tcp(6) or udp(17).

port_range

string

Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen should be less than the port to the right.

This option is only valid when protocol is tcp(6) or udp(17).

icmp_message

list

Specifies the Internet Control Message Protocol (ICMP) or ICMPv6 message type and code that the rule uses.

This parameter is only relevant when protocol is either icmp(1) or icmpv6(58).

code

string

Specifies the code returned in response to the specified ICMP message type.

You can specify codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can specify any to indicate that the system applies the rule for all codes in response to that specific ICMP message.

You can also specify an arbitrary code.

The ICMP protocol contains definitions for the existing message code and number pairs.

type

string

Specifies the type of ICMP message.

You can specify control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can specify any to indicate that the system applies the rule for all ICMP messages.

You can also specify an arbitrary ICMP message.

The ICMP protocol contains definitions for the existing message type and number pairs.

irule

string

Specifies an iRule that is applied to the firewall rule.

An iRule can be started when the firewall rule matches traffic.

logging

boolean

  • no
  • yes

Specifies whether logging is enabled or disabled for the firewall rule.

When creating a new rule, if this parameter is not specified, the default is no.

name

string / required

Specifies the name of the rule.

parent_policy

string

The policy which contains the rule to be managed.

One of either parent_policy or parent_rule_list is required.

parent_rule_list

string

The rule list which contains the rule to be managed.

One of either parent_policy or parent_rule_list is required.

partition

string

Default:

"Common"

Device partition to manage resources on.

password

string / required

The password for the user account used to connect to the BIG-IP.

You may omit this option by setting the environment variable F5_PASSWORD.


aliases: pass, pwd

protocol

string

Specifies the protocol to which the rule applies.

Protocols may be specified by either their name or numeric value.

A special protocol value any can be specified to match any protocol. The numeric equivalent of this protocol is 255.

provider

dictionary

added in 2.5

A dict object containing connection details.

password

string / required

The password for the user account used to connect to the BIG-IP.

You may omit this option by setting the environment variable F5_PASSWORD.


aliases: pass, pwd

server

string / required

The BIG-IP host.

You may omit this option by setting the environment variable F5_SERVER.

server_port

integer

Default:

443

The BIG-IP server port.

You may omit this option by setting the environment variable F5_SERVER_PORT.

ssh_keyfile

path

Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports.

You may omit this option by setting the environment variable ANSIBLE_NET_SSH_KEYFILE.

timeout

integer

Default:

10

Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.

transport

string

  • cli
  • rest

Configures the transport connection to use when connecting to the remote device.

user

string / required

The username to connect to the BIG-IP with. This user must have administrative privileges on the device.

You may omit this option by setting the environment variable F5_USER.

validate_certs

boolean

  • no
  • yes

If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.

You may omit this option by setting the environment variable F5_VALIDATE_CERTS.

rule_list

string

Specifies an existing rule list to use in the rule.

This parameter is mutually exclusive with many of the other individual-rule specific settings. This includes logging, action, source, destination, irule and protocol.

schedule

string

Specifies a schedule for the firewall rule.

You configure schedules to define days and times when the firewall rule is made active.

server

string / required

The BIG-IP host.

You may omit this option by setting the environment variable F5_SERVER.

server_port

integer

added in 2.2

Default:

443

The BIG-IP server port.

You may omit this option by setting the environment variable F5_SERVER_PORT.

source

list

Specifies packet sources to which the rule applies.

Leaving this field blank applies the rule to all addresses and all ports.

You can specify the following source items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, VLAN, address list, port, port range, port list or address list.

You can specify a mix of different types of items for the source address.

address

string

Specifies a specific IP address.

address_list

string

Specifies an existing address list.

address_range

string

Specifies an address range.

country

string

Specifies a country code.

port

integer

Specifies a single numeric port.

This option is only valid when protocol is tcp(6) or udp(17).

port_list

string

Specifies an existing port list.

This option is only valid when protocol is tcp(6) or udp(17).

port_range

string

Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen should be less than the port to the right.

This option is only valid when protocol is tcp(6) or udp(17).

vlan

string

Specifies VLANs to which the rule applies.

The VLAN source refers to the packet's source.

state

string

  • present
  • absent

When state is present, ensures that the rule exists.

When state is absent, ensures that the rule is removed.

status

string

  • enabled
  • disabled
  • scheduled

Indicates the activity state of the rule or rule list.

When disabled, specifies that the rule or rule list does not apply at all.

When enabled, specifies that the system applies the firewall rule or rule list to the given context and addresses.

When scheduled, specifies that the system applies the rule or rule list according to the specified schedule.

When creating a new rule, if this parameter is not provided, the default is enabled.

user

string / required

The username to connect to the BIG-IP with. This user must have administrative privileges on the device.

You may omit this option by setting the environment variable F5_USER.

validate_certs

boolean

added in 2.0

  • no
  • yes

If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.

You may omit this option by setting the environment variable F5_VALIDATE_CERTS.



Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
  • Requires BIG-IP software version >= 12.
  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.


Examples

- name: Create a new rule in the foo firewall policy
  bigip_firewall_rule:
    name: foo
    parent_policy: policy1
    protocol: tcp
    source:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - vlan: vlan1
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    destination:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    irule: irule1
    action: accept
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create an ICMP specific rule
  bigip_firewall_rule:
    name: foo
    protocol: icmp
    icmp_message:
      type: 0
    source:
      - country: US
    action: drop
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Add a new rule that uses an existing rule list
  bigip_firewall_rule:
    name: foo
    rule_list: rule-list1
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
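The parameter descriptions above carry several constraints that the playbook author has to respect by hand: one of parent_policy or parent_rule_list is required, rule_list cannot be combined with the per-rule settings, port, port_list and port_range are only valid with tcp(6) or udp(17), icmp_message is only relevant with icmp(1) or icmpv6(58), port_range must run low-high, and a new rule that omits action, logging or status gets reject, no and enabled respectively. The following Python lint is an added example, not code from the Ansible module or from F5; it checks a task's argument dict against those documented rules before anything is sent to a BIG-IP, and reports the effective defaults so that an unintended reject-with-no-logging rule is visible at review time. The sample argument dicts are constructed for the example (the first two mirror the playbook examples above, and the ICMP one omits both parent options, as the page's own example does); all function and constant names are this example's own.

```python
"""Pre-flight lint for bigip_firewall_rule task arguments.

Added example, not part of the Ansible module or of F5's code. It checks
a rule's argument dict against the constraints stated in the module
documentation and reports the defaults the module applies to a new rule.
All names below are this example's own.
"""

PORT_PROTOCOLS = {"tcp", "6", "udp", "17"}
ICMP_PROTOCOLS = {"icmp", "1", "icmpv6", "58"}
PORT_KEYS = {"port", "port_list", "port_range"}
# Per-rule settings the docs list as mutually exclusive with rule_list.
RULE_LIST_CONFLICTS = {"action", "destination", "irule", "logging", "protocol", "source"}
ACTIONS = {"accept", "drop", "reject", "accept-decisively"}
STATUSES = {"enabled", "disabled", "scheduled"}


def _port_range_ok(value):
    """True for 'low-high' with both ports numeric and low < high."""
    try:
        low, high = (int(part) for part in str(value).split("-", 1))
    except ValueError:
        return False
    return 0 <= low < high <= 65535


def _as_bool(value):
    """Accept YAML-style yes/no strings as well as real booleans."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"yes", "true", "on", "1"}


def lint_rule(args):
    """Return the list of documented constraints that the argument dict violates."""
    problems = []
    if "name" not in args:
        problems.append("name is required")
    if "parent_policy" not in args and "parent_rule_list" not in args:
        problems.append("one of parent_policy or parent_rule_list is required")
    if "rule_list" in args:
        clash = sorted(RULE_LIST_CONFLICTS & set(args))
        if clash:
            problems.append("rule_list is mutually exclusive with: " + ", ".join(clash))
    proto = str(args.get("protocol", "")).lower()
    for side in ("source", "destination"):
        for item in args.get(side) or []:
            for key, value in item.items():
                if key in PORT_KEYS and proto not in PORT_PROTOCOLS:
                    problems.append(
                        f"{side}.{key} is only valid when protocol is tcp(6) or udp(17), "
                        f"got {proto or 'unset'}"
                    )
                if key == "port_range" and not _port_range_ok(value):
                    problems.append(f"{side}.port_range {value!r} must be 'low-high' with low < high")
    if "icmp_message" in args and proto not in ICMP_PROTOCOLS:
        problems.append("icmp_message is only relevant when protocol is icmp(1) or icmpv6(58)")
    if "action" in args and args["action"] not in ACTIONS:
        problems.append(f"unknown action {args['action']!r}")
    if "status" in args and args["status"] not in STATUSES:
        problems.append(f"unknown status {args['status']!r}")
    return problems


def effective_rule(args):
    """The action/logging/status a new rule ends up with once the documented defaults apply."""
    return {
        "action": args.get("action", "reject"),
        "logging": _as_bool(args.get("logging", False)),
        "status": args.get("status", "enabled"),
    }


# Constructed sample task arguments (the first two mirror the playbook examples above).
TCP_RULE = {
    "name": "foo",
    "parent_policy": "policy1",
    "protocol": "tcp",
    "source": [{"address": "1.2.3.4"}, {"port_range": "80-443"}, {"vlan": "vlan1"}],
    "destination": [{"address_list": "foo-list1"}, {"port": 22}],
    "action": "accept",
    "logging": "yes",
}
ICMP_RULE = {  # omits parent_policy/parent_rule_list, as the page's ICMP example does
    "name": "foo",
    "protocol": "icmp",
    "icmp_message": {"type": 0},
    "source": [{"country": "US"}],
    "action": "drop",
    "logging": "yes",
}
BAD_RULE = {  # several violations at once
    "name": "bar",
    "parent_rule_list": "rl1",
    "rule_list": "rule-list1",
    "protocol": "icmp",
    "action": "accept",
    "source": [{"port_range": "443-80"}],
}

if __name__ == "__main__":
    for label, rule in (("tcp", TCP_RULE), ("icmp", ICMP_RULE), ("bad", BAD_RULE)):
        print(label, lint_rule(rule) or "ok", effective_rule(rule))
```

Run it over the task arguments of a playbook before the play executes; the module itself rejects some of these combinations, but a lint that runs offline catches them without opening a session to the device, and effective_rule() makes the silent defaults (reject, logging off) explicit in the review output.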

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description

action

string

changed

The action for the firewall rule.


Sample:

drop

description

string

changed

The rule description.


Sample:

MyRule

destination

complex

changed

The packet destinations to which the rule applies.


Sample:

hash/dictionary of values

address

string

changed

A specific IP address.


Sample:

192.168.1.1

address_list

string

changed

An existing address list.


Sample:

foo-list1

address_range

string

changed

The address range.


Sample:

1.1.1.1-2.2.2.2

country

string

changed

A country code.


Sample:

US

port

integer

changed

Single numeric port.


Sample:

8080

port_list

string

changed

An existing port list.


Sample:

port-list1

port_range

string

changed

The port range.


Sample:

80-443

icmp_message

complex

changed

The ICMP or ICMPv6 message type and code that the rule uses.


Sample:

hash/dictionary of values

code

string

changed

The code returned in response to the specified ICMP message type.


Sample:

1

type

string

changed

The type of ICMP message.


irule

string

changed

The iRule that is applied to the firewall rule.


Sample:

_sys_auth_radius

logging

boolean

changed

Enable or Disable logging for the firewall rule.


Sample:

True

name

string

changed

Name of the rule.


Sample:

FooRule

parent_policy

string

changed

The policy which contains the rule to be managed.


Sample:

FooPolicy

parent_rule_list

string

changed

The rule list which contains the rule to be managed.


Sample:

FooRuleList

protocol

string

changed

The protocol to which the rule applies.


Sample:

any

rule_list

string

changed

An existing rule list to use in the rule.


Sample:

rule-list-1

schedule

string

changed

The schedule for the firewall rule.


Sample:

Foo_schedule

source

complex

changed

The packet sources to which the rule applies.


Sample:

hash/dictionary of values

address

string

changed

A specific IP address.


Sample:

192.168.1.1

address_list

string

changed

An existing address list.


Sample:

foo-list1

address_range

string

changed

The address range.


Sample:

1.1.1.1-2.2.2.2

country

string

changed

A country code.


Sample:

US

port

integer

changed

Single numeric port.


Sample:

8080

port_list

string

changed

An existing port list.


Sample:

port-list1

port_range

string

changed

The port range.


Sample:

80-443

vlan

string

changed

Source VLANs for the packets.


Sample:

vlan1

status

string

changed

The activity state of the rule or rule list.


Sample:

scheduled




Status

Authors

  • Tim Rupp (@caphrim007)
  • Wojciech Wypior (@wojtek0806)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/bigip_firewall_rule_module.html