paloaltonetworks.panos.panos_decryption_rule module – Manage a decryption rule on PAN-OS.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_decryption_rule.

New in paloaltonetworks.panos 2.10.0

Synopsis

  • This module works for PAN-OS 7.0 and above.

  • Allows for the management of decryption rules on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python >= 0.17

  • pan-os-python >= 1.7.3

Parameters

Parameter

Comments

action

string

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

decryption_profile

string

The decryption profile.

decryption_type

string

description

string

The rule description.

destination_addresses

list / elements=string

List of destination addresses.

This can be an IP address, an address object/group, etc.

When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI command request system external-list show type predefined-ip name <tab>, which lists:

  • panw-bulletproof-ip-list

  • panw-highrisk-ip-list

  • panw-known-ip-list

  • panw-torexit-ip-list

destination_hip

list / elements=string

The destination HIP info.

destination_zones

list / elements=string

List of destination zones.

device_group

string

(Panorama only) The device group the operation should target.

Default: "shared"

disabled

boolean

existing_rule

string

If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

Required if location=before or location=after.

forwarding_profile

string

The forwarding profile.

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

group_tag

string

PAN-OS 9.0 and above.

The group tag.

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

location

string

log_failed_tls_handshakes

boolean

PAN-OS 10.0 and above.

Log failed TLS handshakes.


log_setting

string

PAN-OS 10.0 and above.

The log setting.

log_successful_tls_handshakes

boolean

PAN-OS 10.0 and above.

Log successful TLS handshakes.


name

string

Name of the rule.

negate_destination

boolean

negate_source

boolean

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.


password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.


services

list / elements=string

List of services.

source_addresses

list / elements=string

List of source addresses.

This can be an IP address, an address object/group, etc.

When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI command request system external-list show type predefined-ip name <tab>, which lists:

  • panw-bulletproof-ip-list

  • panw-highrisk-ip-list

  • panw-known-ip-list

  • panw-torexit-ip-list

source_hip

list / elements=string

The source HIP info.

source_users

list / elements=string

The source users.

source_zones

list / elements=string

List of source zones.

ssl_certificate

string

The SSL certificate.

state

string

tags

list / elements=string

The administrative tags.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

url_categories

list / elements=string

List of URL categories.

When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI command request system external-list show type predefined-url name <tab>, which lists:

  • panw-auth-portal-exclude-list

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: "vsys1"

Notes

Note

  • Check mode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add SSH inbound rule to Panorama device group
  paloaltonetworks.panos.panos_decryption_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    name: 'sampleRule'
    description: 'Made by Ansible'
    source_zones: ['any']
    source_addresses: ['192.168.10.15']
    source_users: ['any']
    source_hip: ['any']
    destination_zones: ['any']
    destination_addresses: ['10.20.30.40']
    destination_hip: ['any']
    negate_destination: true
    services: ['application-default']
    url_categories: ['adult', 'dating']
    action: 'decrypt'
    decryption_type: 'ssl-forward-proxy'
    log_successful_tls_handshakes: true
    log_failed_tls_handshakes: true
    audit_comment: 'Initial config'
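As an added example that is not part of the module's own documentation, the following play places a no-decrypt exclusion for privacy-sensitive URL categories ahead of the sampleRule above using location and existing_rule, then reads the pre-rulebase back with state=gathered and checks the ordering. It assumes the action value no-decrypt, the state values present and gathered, that the gathered result is a list of rule dicts with a name key, and the inventory variables panorama_host and panorama_api_key; the rule name, device group and the two category names are constructed for illustration.

```yaml
- name: Exclude regulated categories from decryption and verify rule ordering
  hosts: panorama
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: '{{ panorama_host }}'     # constructed inventory variable
      api_key: '{{ panorama_api_key }}'     # constructed inventory variable
  tasks:
    - name: No-decrypt rule for privacy-sensitive categories, ordered before sampleRule
      paloaltonetworks.panos.panos_decryption_rule:
        provider: '{{ provider }}'
        device_group: 'Cloud Edge'
        rulebase: 'pre-rulebase'
        name: 'noDecrypt-regulated'
        description: 'Privacy exclusion; must match before sampleRule'
        source_zones: ['any']
        source_addresses: ['any']
        source_users: ['any']
        source_hip: ['any']
        destination_zones: ['any']
        destination_addresses: ['any']
        destination_hip: ['any']
        services: ['any']
        url_categories: ['financial-services', 'health-and-medicine']  # assumed category names
        action: 'no-decrypt'                  # assumed valid action value
        decryption_type: 'ssl-forward-proxy'
        log_failed_tls_handshakes: true       # still log handshake failures on excluded traffic
        location: 'before'
        existing_rule: 'sampleRule'
        audit_comment: 'Regulated-category decryption exclusion'
        state: present

    - name: Read back the pre-rulebase decryption rules for review
      paloaltonetworks.panos.panos_decryption_rule:
        provider: '{{ provider }}'
        device_group: 'Cloud Edge'
        rulebase: 'pre-rulebase'
        state: gathered
      register: decrypt_rules

    - name: Fail the play if the exclusion does not precede the decrypt rule
      ansible.builtin.assert:
        that:
          - names.index('noDecrypt-regulated') < names.index('sampleRule')
        fail_msg: 'noDecrypt-regulated must be evaluated before sampleRule'
      vars:
        names: "{{ decrypt_rules.gathered | map(attribute='name') | list }}"
```

Because rules are evaluated top-down, the final assertion catches a re-run that lands the exclusion after the decrypt rule, which would silently decrypt the excluded categories.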

Authors

  • Garfield Lee Freeman (@shinmog)