paloaltonetworks.panos.panos_match_rule module – Test for match against a security rule on PAN-OS devices.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_match_rule.

New in paloaltonetworks.panos 1.0.0

Synopsis

• Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

• pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python

• pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice

• xmltodict

Parameters

Parameter	Comments
api_key string	Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
application string	The application.
category string	URL category
destination_ip string / required	The destination IP address.
destination_port integer / required	The destination port.
destination_zone string	The destination zone.
ip_address string	Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
password string	Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443`
protocol integer / required	The IP protocol number from 1 to 255.
provider dictionary added in paloaltonetworks.panos 1.0.0	A dict object containing connection details.
api_key string	The API key to use instead of generating it using username / password.
ip_address string	The IP address or hostname of the PAN-OS device being configured.
password string	The password to use for authentication. This is ignored if api_key is specified.
port integer	The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443`
serial_number string	The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username string	The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"`
rule_type string	Type of rule. Choices: :ansible-option-choices-entry-default:`"security"` ← (default) :ansible-option-choices-entry:`"nat"`
rulebase string	DEPRECATED This is no longer used and may safely be removed from your playbook.
source_ip string / required	The source IP address.
source_port integer	The source port.
source_user string	The source user or group.
source_zone string	The source zone.
to_interface string	The inbound interface in a NAT rule.
username string	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"`
vsys string	The vsys this object belongs to. Default: :ansible-option-default:`"vsys1"`
vsys_id string	Removed Use vsys instead.

Notes

Note

• Checkmode is not supported.

• Panorama NOT is supported. However, specifying Panorama provider info with a target serial number is.

• PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: check security rules for Google DNS
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    vsys_id: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
rule dictionary	The rule definition, either security rule or NAT rule Returned: always
rulebase string	Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase Returned: always
stdout_lines string	DEPRECATED; use “rule” instead Returned: always

Authors

• Robert Hagen (@stealthllama)

Collection links

Issue Tracker Homepage Repository (Sources)