paloaltonetworks.panos.panos_match_rule module – Test for match against a security rule on PAN-OS devices.

Note

This module is part of the paloaltonetworks.panos collection (version 3.1.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_match_rule.

New in paloaltonetworks.panos 1.0.0

Synopsis 

Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Aliases: panos_query_rules

Requirements 

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
xmltodict

Parameters 

Parameter	Comments
api_key string	Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
application string	The application.
category string	URL category
destination_ip string / required	The destination IP address.
destination_port integer / required	The destination port.
destination_zone string	The destination zone.
ip_address string	Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
password string	Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: `443`
protocol integer / required	The IP protocol number from 1 to 255.
provider dictionary added in paloaltonetworks.panos 1.0.0	A dict object containing connection details.
api_key string	The API key to use instead of generating it using username / password.
ip_address string	The IP address or hostname of the PAN-OS device being configured.
password string	The password to use for authentication. This is ignored if api_key is specified.
port integer	The port number to connect to the PAN-OS device on. Default: `443`
serial_number string	The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username string	The username to use for authentication. This is ignored if api_key is specified. Default: `"admin"`
rule_type string	Type of rule. Choices: `"security"` ← (default) `"nat"`
rulebase string	DEPRECATED This is no longer used and may safely be removed from your playbook.
source_ip string / required	The source IP address.
source_port integer	The source port.
source_user string	The source user or group.
source_zone string	The source zone.
to_interface string	The inbound interface in a NAT rule.
username string	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: `"admin"`
vsys string	The vsys this object belongs to. Default: `"vsys1"`
vsys_id string	Removed Use vsys instead.

Notes 

Note

Checkmode is not supported.
Panorama NOT is supported. However, specifying Panorama provider info with a target serial number is.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples 

- name: check security rules for Google DNS
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    vsys_id: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
rule dictionary	The rule definition, either security rule or NAT rule Returned: always
rulebase string	Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase Returned: always
stdout_lines string	DEPRECATED; use “rule” instead Returned: always

Authors

Robert Hagen (@stealthllama)

paloaltonetworks.panos.panos_match_rule module – Test for match against a security rule on PAN-OS devices.

Synopsis

Requirements

Parameters

Notes

Examples

Return Values