paloaltonetworks.panos.panos_nat_rule2 module – Manage a NAT rule

Note

This module is part of the paloaltonetworks.panos collection (version 3.1.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_nat_rule2.

New in paloaltonetworks.panos 2.10.0

Synopsis

  • Manage a policy NAT rule.

  • NOTE Even though this module supports state=merged, due to the complexity of the XML schema for NAT rules, changing a NAT rule’s types using state=merged will likely result in an error. Using state=merged will work as normal for simple operations, such as adding additional IP addresses to any of the listings or changing simple variable types.

Aliases: panos_nat_rule

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python >= 0.16

  • pan-os-python >= 1.7.3

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

description

string

The description.

destination_addresses

list / elements=string

Destination addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

destination_dynamic_translated_address

string

For PAN-OS 8.1 and above.

Dynamic destination translated address.

destination_dynamic_translated_distribution

string

For PAN-OS 8.1 and above.

Dynamic destination translated distribution.

destination_dynamic_translated_port

integer

For PAN-OS 8.1 and above.

Dynamic destination translated port.

destination_translated_address

string

Static translated destination IP address.

destination_translated_port

integer

Static translated destination port number.

device_group

string

(Panorama only) The device group the operation should target.

Default: "shared"

disabled

boolean

Rule is disabled or not.

Choices:

  • false

  • true

existing_rule

string

If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

Required if location=before or location=after.

from_zones

list / elements=string

From zones.

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

group_tag

string

For PAN-OS 9.0 and above.

The group tag.

ha_binding

string

Device binding configuration in HA Active-Active mode.

Choices:

  • "primary"

  • "both"

  • "0"

  • "1"

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

location

string

Position to place the rule in.

Choices:

  • "top"

  • "bottom"

  • "before"

  • "after"

name

string

Name of the rule.

nat_type

string

Type of NAT.

Choices:

  • "ipv4" ← (default)

  • "nat64"

  • "nptv6"

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.

Choices:

  • false

  • true

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.

Choices:

  • "pre-rulebase"

  • "rulebase"

  • "post-rulebase"

service

string

The service.

source_addresses

list / elements=string

Source addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

source_translation_address_type

string

For source_translation_type=dynamic-ip-and-port or or source_translation_type=dynamic-ip.

Address type.

Choices:

  • "interface-address"

  • "translated-address"

source_translation_fallback_interface

string

For source_translation_fallback_type=interface-address.

The interface for the fallback source translation.

source_translation_fallback_ip_address

string

For source_translation_fallback_type=interface-address.

The IP address of the fallback source translation.

source_translation_fallback_ip_type

string

For source_translation_fallback_type=interface-address.

The type of the IP address for the fallback source translation IP address.

Choices:

  • "ip"

  • "floating-ip"

source_translation_fallback_translated_addresses

list / elements=string

For source_translation_fallback_type=translated-address.

Addresses for translated address types of fallback source translation.

source_translation_fallback_type

string

For source_translation_type=dynamic-ip.

Type of fallback for dynamic IP source translation.

Choices:

  • "translated-address"

  • "interface-address"

source_translation_interface

string

For source_translation_address_type=interface-address.

Interface of the source address.

source_translation_ip_address

string

For source_translation_address_type=interface-address.

IP address of the source address translation.

source_translation_static_bi_directional

boolean

For source_translation_type=static-ip.

Allow reverse translation from translated address to original address.

Choices:

  • false

  • true

source_translation_static_translated_address

string

For source_translation_type=static-ip.

The IP address for the static source translation.

source_translation_translated_addresses

list / elements=string

For source_translation_address_type=translated-address.

Translated addresses of the source address translation.

source_translation_type

string

Type of source address translation.

Choices:

  • "dynamic-ip-and-port"

  • "dynamic-ip"

  • "static-ip"

state

string

The state.

Choices:

  • "present" ← (default)

  • "absent"

  • "replaced"

  • "merged"

  • "deleted"

  • "gathered"

tags

list / elements=string

Administrative tags.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

to_interface

string

Egress interface from route lookup.

to_zones

list / elements=string

To zones.

Note that there should only be one element in this list.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: "vsys1"

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add a nat rule
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'myRule'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Trust-L3']
    to_zones: ['Untrusted-L3']
    to_interface: 'ethernet1/1'
    service: 'any'
    source_addresses: ['any']
    destination_addresses: ['any']
    source_translation_type: 'dynamic-ip-and-port'
    source_translation_address_type: 'interface-address'
    source_translation_interface: 'ethernet1/1'

Authors

  • Garfield Lee Freeman (@shinmog)