paloaltonetworks.panos.panos_bgp_policy_rule module – Manage a BGP Policy Import/Export Rule

Note

This module is part of the paloaltonetworks.panos collection (version 3.1.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_bgp_policy_rule.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

Rule action.

Choices:

  • "allow"

  • "deny"

action_as_path_limit

integer

Add AS path limit attribute if it does not exist.

action_as_path_prepend_times

integer

Prepend local AS for specified number of times.

action_as_path_type

string

AS path update options.

Choices:

  • "none"

  • "remove"

  • "prepend"

  • "remove-and-prepend"

action_community_argument

string

Argument to the action community value if needed.

action_community_modifier

string

Modifier for the community action. Required if ‘action_community_type’ is set to ‘append’ or ‘overwrite’.

action_community_type

string

Community update options.

Choices:

  • "none"

  • "remove-all"

  • "remove-regex"

  • "append"

  • "overwrite"

action_dampening

string

Route flap dampening profile; only with “import” type.

action_extended_community_argument

string

Argument to the action extended community value if needed.

action_extended_community_type

string

Extended community update options.

action_local_preference

integer

New local preference value.

action_med

integer

New MED value.

action_nexthop

string

Nexthop address.

action_origin

string

New route origin.

Choices:

  • "igp"

  • "egp"

  • "incomplete"

action_weight

integer

New weight value; only with “import” type.

address_prefix

list / elements=dictionary

List of address prefix dicts with "name"/"exact" keys.

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

  • false

  • true

enable

boolean

Enable rule.

Choices:

  • false

  • true ← (default)

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

match_afi

string

Address Family Identifier.

Choices:

  • "ip"

  • "ipv6"

match_as_path_regex

string

AS-path regular expression.

match_community_regex

string

Community AS-path regular expression.

match_extended_community_regex

string

Extended Community AS-path regular expression.

match_from_peer

list / elements=string

Filter by peer that sent this route.

match_med

integer

Multi-Exit Discriminator.

match_nexthop

list / elements=string

Next-hop attributes.

match_route_table

string

Route table to match rule.

Choices:

  • "unicast"

  • "multicast"

  • "both"

match_safi

string

Subsequent Address Family Identifier.

Choices:

  • "ip"

  • "ipv6"

name

string / required

Name of filter.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

    api_key

    string

    The API key to use instead of generating it using username / password.

    ip_address

    string

    The IP address or hostname of the PAN-OS device being configured.

    password

    string

    The password to use for authentication. This is ignored if api_key is specified.

    port

    integer

    The port number to connect to the PAN-OS device on.

    Default: 443

    serial_number

    string

    The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

    username

    string

    The username to use for authentication. This is ignored if api_key is specified.

    Default: "admin"

state

string

The state.

Choices:

  • "present" ← (default)

  • "absent"

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

type

string / required

The type of rule.

Choices:

  • "import"

  • "export"

used_by

list / elements=string

Peer-groups that use this rule.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

vr_name

string

Name of the virtual router; it must already exist; see paloaltonetworks.panos.panos_virtual_router.

Default: "default"

Notes

Note

  • Check mode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

# Add a BGP Policy
- name: Create Policy Import Rule
  paloaltonetworks.panos.panos_bgp_policy_rule:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'import-rule-001'
    type: 'import'
    enable: true
    action: 'allow'
    address_prefix:
      - name: '10.1.1.0/24'
      - name: '10.1.2.0/24'
        exact: false
      - name: '10.1.3.0/24'
        exact: true
    action_dampening: 'dampening-profile'

- name: Create Policy Export Rule
  paloaltonetworks.panos.panos_bgp_policy_rule:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'export-rule-001'
    type: 'export'
    enable: true
    action: 'allow'

- name: Remove Export Rule
  paloaltonetworks.panos.panos_bgp_policy_rule:
    provider: '{{ provider }}'
    state: 'absent'
    vr_name: 'default'
    name: 'export-rule-001'
    type: 'export'
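
The following playbook is an added example, not part of the module's documentation: it ties import rules to a peer group with used_by, sets action_local_preference, passes an API key from Ansible Vault through provider, and commits with panos_commit_firewall rather than the deprecated commit parameter. The host group, vault variable, peer group, rule names and prefixes are constructed, and exact: false matching more-specific prefixes is an assumption about PAN-OS behaviour.

```yaml
# Added example; constructed names: group "edge_firewalls", vault_panos_api_key,
# peer group "transit-peers", rule names, and the RFC 5737 documentation prefix.
- name: Filter routes accepted from the transit peer group
  hosts: edge_firewalls
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: '{{ inventory_hostname }}'
      api_key: '{{ vault_panos_api_key }}'  # stored in Ansible Vault, not in the play
  tasks:
    - name: Deny RFC 1918 space from transit
      paloaltonetworks.panos.panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        name: 'import-deny-rfc1918'
        type: 'import'
        action: 'deny'
        used_by:
          - 'transit-peers'
        address_prefix:
          # exact: false is assumed to match the prefix and its more-specifics
          - name: '10.0.0.0/8'
            exact: false
          - name: '172.16.0.0/12'
            exact: false
          - name: '192.168.0.0/16'
            exact: false
      register: deny_rule

    - name: Allow the one prefix expected from transit and prefer it
      paloaltonetworks.panos.panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        name: 'import-allow-expected'
        type: 'import'
        action: 'allow'
        used_by:
          - 'transit-peers'
        address_prefix:
          - name: '203.0.113.0/24'
            exact: true
        action_local_preference: 200
      register: allow_rule

    - name: Commit only when a rule changed (the commit parameter is deprecated)
      paloaltonetworks.panos.panos_commit_firewall:
        provider: '{{ provider }}'
      when: deny_rule is changed or allow_rule is changed
```

Because the module supports check mode, running the play with --check first previews whether either rule would change before anything is written to the device.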

Authors

  • Joshua Colson (@freakinhippie)

  • Garfield Lee Freeman (@shinmog)