paloaltonetworks.panos.panos_nat_rule2 module – Manage a NAT rule

Note

This module is part of the paloaltonetworks.panos collection (version 2.21.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_nat_rule2.

New in paloaltonetworks.panos 2.10.0

Synopsis

    • Manage a policy NAT rule. - NOTE: Even though this module supports state=merged, due to the complexity of the XML schema for NAT rules, changing a NAT rule’s types using state=merged will likely result in an error. Using state=mergedwill work as normal for simple operations, such as adding additional IP addresses to any of the listings or changing simple variable types.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python >= 0.16

  • pan-os-python >= 1.7.3

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

description

string

The description.

destination_addresses

list / elements=string

Destination addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

destination_dynamic_translated_address

string

For PAN-OS 8.1 and above.

Dynamic destination translated address.

destination_dynamic_translated_distribution

string

For PAN-OS 8.1 and above.

Dynamic destination translated distribution.

destination_dynamic_translated_port

integer

For PAN-OS 8.1 and above.

Dynamic destination translated port.

destination_translated_address

string

Static translated destination IP address.

destination_translated_port

integer

Static translated destination port number.

device_group

string

(Panorama only) The device group the operation should target.

Default: :ansible-option-default:`"shared"`

disabled

boolean

Rule is disabled or not.

Choices:

existing_rule

string
  • If location=before or location=after, this option specifies

    an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

    • Required if location=before or location=after.

from_zones

list / elements=string

From zones.

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

group_tag

string

For PAN-OS 9.0 and above.

The group tag.

ha_binding

string

Device binding configuration in HA Active-Active mode.

Choices:

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

location

string

Position to place the rule in.

Choices:

name

string

Name of the rule.

nat_type

string

Type of NAT.

Choices:

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.

Choices:

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.

Choices:

service

string

The service.

source_addresses

list / elements=string

Source addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

source_translation_address_type

string

For source_translation_type=dynamic-ip-and-port or or source_translation_type=dynamic-ip.

Address type.

Choices:

source_translation_fallback_interface

string

For source_translation_fallback_type=interface-address.

The interface for the fallback source translation.

source_translation_fallback_ip_address

string

For source_translation_fallback_type=interface-address.

The IP address of the fallback source translation.

source_translation_fallback_ip_type

string

For source_translation_fallback_type=interface-address.

The type of the IP address for the fallback source translation IP address.

Choices:

source_translation_fallback_translated_addresses

list / elements=string

For source_translation_fallback_type=translated-address.

Addresses for translated address types of fallback source translation.

source_translation_fallback_type

string

For source_translation_type=dynamic-ip.

Type of fallback for dynamic IP source translation.

Choices:

source_translation_interface

string

For source_translation_address_type=interface-address.

Interface of the source address.

source_translation_ip_address

string

For source_translation_address_type=interface-address.

IP address of the source address translation.

source_translation_static_bi_directional

boolean

For source_translation_type=static-ip.

Allow reverse translation from translated address to original address.

Choices:

source_translation_static_translated_address

string

For source_translation_type=static-ip.

The IP address for the static source translation.

source_translation_translated_addresses

list / elements=string

For source_translation_address_type=translated-address.

Translated addresses of the source address translation.

source_translation_type

string

Type of source address translation.

Choices:

state

string

The state.

Choices:

tags

list / elements=string

Administrative tags.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

to_interface

string

Egress interface from route lookup.

to_zones

list / elements=string

To zones.

Note that there should only be one element in this list.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: :ansible-option-default:`"vsys1"`

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add a nat rule
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'myRule'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Trust-L3']
    to_zones: ['Untrusted-L3']
    to_interface: 'ethernet1/1'
    service: 'any'
    source_addresses: ['any']
    destination_addresses: ['any']
    source_translation_type: 'dynamic-ip-and-port'
    source_translation_address_type: 'interface-address'
    source_translation_interface: 'ethernet1/1'

Authors

  • Garfield Lee Freeman (@shinmog)