paloaltonetworks.panos.panos_nat_rule2 module – Manage a NAT rule
Note
This module is part of the paloaltonetworks.panos collection (version 3.1.1). It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install paloaltonetworks.panos.
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: paloaltonetworks.panos.panos_nat_rule2.
New in paloaltonetworks.panos 2.10.0
Synopsis
Manage a policy NAT rule.
NOTE: Even though this module supports state=merged, the XML schema for NAT rules is complex enough that changing a NAT rule's type using state=merged will likely result in an error. state=merged works as normal for simple operations, such as adding IP addresses to any of the address listings or changing simple scalar parameters.
Aliases: panos_nat_rule
Requirements
The following requirements are needed on the host that executes this module.
pan-python >= 0.16
pan-os-python >= 1.7.3
Parameters
| Parameter | Comments |
|---|---|
| api_key | Deprecated: use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
|  | Add an audit comment to the rule being defined. This is only applied if there was a change to the rule. |
| description | The description. |
| destination_addresses | Destination addresses. When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI: `request system external-list show type predefined-ip name <tab>` (panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list). |
|  | For PAN-OS 8.1 and above. Dynamic destination translated address. |
|  | For PAN-OS 8.1 and above. Dynamic destination translated distribution. |
|  | For PAN-OS 8.1 and above. Dynamic destination translated port. |
|  | Static translated destination IP address. |
|  | Static translated destination port number. |
|  | (Panorama only) The device group the operation should target. Default: |
|  | Whether the rule is disabled. Choices: |
|  | If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter. Required if location=before or location=after. |
| from_zones | From zones. |
| gathered_filter | When state=gathered: an advanced filtering option to filter results returned from PAN-OS. Refer to the guide discussing gathered_filter for more information. |
|  | For PAN-OS 9.0 and above. The group tag. |
|  | Device binding configuration in HA Active-Active mode. Choices: |
| ip_address | Deprecated: use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
| location | Position to place the rule in. Choices: |
| name | Name of the rule. |
| nat_type | Type of NAT. Choices: |
|  | Applicable for Panorama only. Negate the value for target. Choices: |
| password | Deprecated: use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
| port | Deprecated: use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: |
| provider | A dict object containing connection details. |
| provider sub-option api_key | The API key to use instead of generating it using username / password. |
| provider sub-option ip_address | The IP address or hostname of the PAN-OS device being configured. |
| provider sub-option password | The password to use for authentication. This is ignored if api_key is specified. |
| provider sub-option port | The port number to connect to the PAN-OS device on. Default: |
| provider sub-option | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
| provider sub-option username | The username to use for authentication. This is ignored if api_key is specified. Default: |
| rulebase | The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to rulebase=rulebase. Choices: |
| service | The service. |
| source_addresses | Source addresses. When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI: `request system external-list show type predefined-ip name <tab>` (panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list). |
| source_translation_address_type | For source_translation_type=dynamic-ip-and-port or source_translation_type=dynamic-ip. Address type. Choices: |
|  | For source_translation_fallback_type=interface-address. The interface for the fallback source translation. |
|  | For source_translation_fallback_type=interface-address. The IP address of the fallback source translation. |
|  | For source_translation_fallback_type=interface-address. The type of the IP address for the fallback source translation IP address. Choices: |
|  | For source_translation_fallback_type=translated-address. Addresses for translated-address types of fallback source translation. |
| source_translation_fallback_type | For source_translation_type=dynamic-ip. Type of fallback for dynamic IP source translation. Choices: |
| source_translation_interface | For source_translation_address_type=interface-address. Interface of the source address. |
|  | For source_translation_address_type=interface-address. IP address of the source address translation. |
|  | For source_translation_type=static-ip. Allow reverse translation from translated address to original address. Choices: |
|  | For source_translation_type=static-ip. The IP address for the static source translation. |
|  | For source_translation_address_type=translated-address. Translated addresses of the source address translation. |
| source_translation_type | Type of source address translation. Choices: |
| state | The state. Choices: |
|  | Administrative tags. |
| target | Applicable for Panorama only. Apply this rule exclusively to the listed firewall serial numbers. |
| to_interface | Egress interface from route lookup. |
| to_zones | To zones. Note that there should only be one element in this list. |
| username | Deprecated: use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: |
|  | The rule UUID. Note that this is currently more of a read-only field. Usage of the UUID cannot currently take the place of using the rule name as the primary identifier. |
|  | The vsys this object belongs to. Default: |
Notes
Check mode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, the classic params are ignored.
Examples
```yaml
- name: add a nat rule
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'myRule'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Trust-L3']
    to_zones: ['Untrusted-L3']
    to_interface: 'ethernet1/1'
    service: 'any'
    source_addresses: ['any']
    destination_addresses: ['any']
    source_translation_type: 'dynamic-ip-and-port'
    source_translation_address_type: 'interface-address'
    source_translation_interface: 'ethernet1/1'
```
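The following play is an added example, not part of the collection's own documentation. It ties together three points from this page: the provider dict (which takes precedence over the classic connectivity params, per the Notes), check mode for a dry run, and the state=merged caveat from the Synopsis, where merged is used only for the "simple operation" of adding an address to an existing listing rather than changing the rule's type. The inventory group `firewalls`, the address objects `internal-net` and `guest-net`, and the `PANOS_API_KEY` environment variable are assumed names for this example; all module parameters used are ones named on this page.

```yaml
# Added example (not from the collection docs). Assumes an inventory
# group "firewalls" and an API key in the PANOS_API_KEY env variable.
- name: Manage outbound source NAT with panos_nat_rule2
  hosts: firewalls
  connection: local
  gather_facts: false
  vars:
    # provider takes precedence over the classic ip_address/username/
    # password/api_key/port parameters when both are given.
    # Using api_key avoids placing a password in the play.
    provider:
      ip_address: "{{ inventory_hostname }}"
      api_key: "{{ lookup('env', 'PANOS_API_KEY') }}"
  tasks:
    - name: Dry run - report what would change, commit nothing
      paloaltonetworks.panos.panos_nat_rule2:
        provider: "{{ provider }}"
        name: outbound-pat
        description: Managed by Ansible
        nat_type: ipv4
        from_zones: [Trust-L3]
        to_zones: [Untrusted-L3]        # exactly one egress zone
        to_interface: ethernet1/1
        service: any
        source_addresses: [internal-net]  # assumed address object
        destination_addresses: [any]
        source_translation_type: dynamic-ip-and-port
        source_translation_address_type: interface-address
        source_translation_interface: ethernet1/1
      check_mode: true
      register: nat_dry_run

    - name: Show the dry-run result before applying
      ansible.builtin.debug:
        var: nat_dry_run.changed

    - name: Ensure the outbound PAT rule exists (full definition)
      paloaltonetworks.panos.panos_nat_rule2:
        provider: "{{ provider }}"
        name: outbound-pat
        description: Managed by Ansible
        nat_type: ipv4
        from_zones: [Trust-L3]
        to_zones: [Untrusted-L3]
        to_interface: ethernet1/1
        service: any
        source_addresses: [internal-net]
        destination_addresses: [any]
        source_translation_type: dynamic-ip-and-port
        source_translation_address_type: interface-address
        source_translation_interface: ethernet1/1

    # state=merged is safe for adding to a listing; it is NOT used here to
    # change nat_type or source_translation_type, which the Synopsis warns
    # will likely error under merged. Type changes go through the full
    # definition task above. Assumption: merged accepts just name plus the
    # listing being extended.
    - name: Add a second source address to the existing rule (merge-safe)
      paloaltonetworks.panos.panos_nat_rule2:
        provider: "{{ provider }}"
        name: outbound-pat
        source_addresses: [guest-net]   # assumed address object
        state: merged
```

Run it with `ansible-playbook -i inventory nat.yml`; the first task never modifies the device because of `check_mode: true`, so the registered `changed` flag tells you whether the full-definition task that follows would actually alter the rulebase.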