paloaltonetworks.panos.panos_ipsec_profile module – Manage IPSec Crypto profile on the firewall with subset of settings.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_ipsec_profile.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • IPSec Crypto profiles specify protocols and algorithms for authentication and encryption in VPN tunnels based on IPSec SA negotiation (Phase 2).

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

ah_authentication

list / elements=string

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

dh_group

aliases: dhgroup

string

esp_authentication

aliases: authentication

list / elements=string

esp_encryption

aliases: encryption

list / elements=string

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

lifesize_gb

integer

IPSec SA lifetime in gigabytes.

lifesize_kb

integer

IPSec SA lifetime in kilobytes.

lifesize_mb

integer

IPSec SA lifetime in megabytes.

lifesize_tb

integer

IPSec SA lifetime in terabytes.

lifetime_days

integer

IPSec SA lifetime in days.

lifetime_hours

aliases: lifetime_hrs

integer

IPSec SA lifetime in hours. If no other key lifetimes are specified, default to 1 hour.

lifetime_minutes

integer

IPSec SA lifetime in minutes.

lifetime_seconds

integer

IPSec SA lifetime in seconds.

name

string

Name for the profile.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

state

string

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

- name: Add IPSec crypto config to the firewall
  paloaltonetworks.panos.panos_ipsec_profile:
    provider: '{{ provider }}'
    state: 'present'
    name: 'ipsec-vpn-0cc61dd8c06f95cfd-0'
    esp_authentication: ['sha1']
    esp_encryption: ['aes-128-cbc']
    lifetime_seconds: '3600'
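
An added example, not taken from the module's own documentation: a play that targets Panorama through provider, sets template as the Notes require, selects stronger algorithms than the sha1 / aes-128-cbc pair above together with an explicit DH group, and commits with the dedicated commit module instead of the deprecated commit parameter. The variable, template and profile names are hypothetical, and the algorithm and DH group values are assumed to be among the module's accepted choices, which this page does not list.

```yaml
---
- name: Manage a Phase 2 IPSec Crypto profile in a Panorama template
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    # Hypothetical variable names. Keep the API key in Ansible Vault,
    # not in the playbook or inventory in clear text.
    provider:
      ip_address: '{{ panorama_host }}'
      api_key: '{{ vault_panorama_api_key }}'

  tasks:
    - name: Create or update the IPSec Crypto profile
      paloaltonetworks.panos.panos_ipsec_profile:
        # Only provider is given; the classic connectivity params
        # (ip_address, username, password, api_key, port) are deprecated.
        provider: '{{ provider }}'
        # Panorama target: set template or template_stack, never both.
        template: 'branch-vpn-template'      # hypothetical template name
        state: 'present'
        name: 'ipsec-crypto-aes256-sha256'   # hypothetical profile name
        # Assumed to be accepted choices for these parameters.
        esp_encryption: ['aes-256-cbc']
        esp_authentication: ['sha256']
        dh_group: 'group14'                  # enables PFS for Phase 2 keys
        # Matches the documented fallback of 1 hour, stated explicitly.
        lifetime_hours: 1

    # The commit parameter is deprecated, so the commit is its own task.
    - name: Commit the candidate configuration on Panorama
      paloaltonetworks.panos.panos_commit_panorama:
        provider: '{{ provider }}'
```

Because the module supports check mode, running the play with `ansible-playbook --check` first shows whether the profile would change. Pushing the template to managed firewalls is a separate step handled by paloaltonetworks.panos.panos_commit_push.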

Authors

  • Ivan Bojer (@ivanbojer)