paloaltonetworks.panos.panos_nat_rule module – Manage a policy NAT rule
Note
This module is part of the paloaltonetworks.panos collection (version 2.13.2).
To install it, use: ansible-galaxy collection install paloaltonetworks.panos
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: paloaltonetworks.panos.panos_nat_rule
New in paloaltonetworks.panos 1.0.0
DEPRECATED
- Removed in: version 3.0.0
- Why: The design of this module is not consistent with current design.
- Alternative: Use paloaltonetworks.panos.panos_nat_rule2 instead.
Synopsis
Manage a policy NAT rule. Keep in mind that a single rule can end up configuring source NAT, destination NAT, or both.
Instead of splitting the module into two, it makes a fair attempt to determine which one the user wants from the options given.
Requirements
The following requirements are needed on the host that executes this module.
pan-python >= 0.16
pan-os-python >= 1.7.3
Parameters
- Deprecated: use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
- Add an audit comment to the rule being defined. This is only applied if there was a change to the rule.
- Deprecated: please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama or paloaltonetworks.panos.panos_commit_push instead. Commit changes after creating the object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template. Choices:
- NAT rule description.
- List of destination addresses. Default: ["any"]
- Destination zone.
- (Panorama only) The device group the operation should target. Default: "shared"
- Deprecated: use device_group instead. The device group to place the NAT rule into. Panorama only; ignored for firewalls.
- Static DNAT translated address. Mutually exclusive with dnat_dynamic_address, dnat_dynamic_port, and dnat_dynamic_distribution.
- Dynamic destination translated address. Mutually exclusive with dnat_address and dnat_port.
- Dynamic destination translated distribution. Mutually exclusive with dnat_address and dnat_port.
- Dynamic destination translated port. Mutually exclusive with dnat_address and dnat_port.
- Static DNAT translated port. Mutually exclusive with dnat_dynamic_address, dnat_dynamic_port, and dnat_dynamic_distribution.
- The group tag.
- Deprecated: use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
- Position to place the rule in. Choices:
- Type of NAT. Choices:
- Applicable for Panorama only. Negate the value for target. Choices:
- Removed: use state instead.
- Deprecated: use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
- Deprecated: use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: 443
- A dict object containing connection details, with the following sub-options:
  - The API key to use instead of generating it using username / password.
  - The IP address or hostname of the PAN-OS device being configured.
  - The password to use for authentication. This is ignored if api_key is specified.
  - The port number to connect to the PAN-OS device on. Default: 443
  - The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
  - The username to use for authentication. This is ignored if api_key is specified. Default: "admin"
- Name of the SNAT rule.
- The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to rulebase=rulebase. Choices:
- Service. Default: "any"
- Type of source translation. Choices:
- Bidirectional flag. Choices:
- Source NAT translated address. Used when snat_type=dynamic-ip or snat_type=dynamic-ip-and-port.
- SNAT interface.
- SNAT interface address.
- Source NAT translated address. Used with static-ip translation.
- Type of source translation. Choices:
- List of source addresses. Default: ["any"]
- List of source zones.
- The state of this object. Choices:
- Administrative tags.
- Deprecated: use tag instead. Administrative tag.
- Applicable for Panorama only. Apply this rule exclusively to the listed firewall serial numbers.
- Original packet's destination interface. Default: "any"
- Deprecated: use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: "admin"
- The rule UUID. Note that this is currently more of a read-only field. Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.
- The vsys this object belongs to. Default: "vsys1"
Notes
Note
Check mode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples
# Create a source and destination NAT rule
- name: Create NAT SSH rule for 10.0.1.101
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "Web SSH"
    source_zone: ["external"]
    destination_zone: "external"
    source_ip: ["any"]
    destination_ip: ["10.0.0.100"]
    service: "service-tcp-221"
    snat_type: "dynamic-ip-and-port"
    snat_interface: "ethernet1/2"
    dnat_address: "10.0.1.101"
    dnat_port: "22"

# Disable a specific NAT rule
- name: Disable a specific NAT rule
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: 'Prod-Legacy 1'
    state: 'disable'
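A further playbook example, added here and not part of the collection's own documentation: a static, bidirectional source NAT for a DMZ host, followed by a dynamic destination NAT that uses only the dnat_dynamic_* options and never mixes them with dnat_address or dnat_port, as the option descriptions above require. The option names not spelled out by name in the parameter list (nat_type, to_interface, snat_static_address, snat_bidirectional, audit_comment, location) are this module's options; zones, addresses, the interface and the object names are constructed placeholders.

```yaml
# Added example, not from the module documentation. Zones, addresses,
# interface and object names are constructed placeholders.
- name: Static bidirectional NAT for a DMZ web host (run with --check first)
  paloaltonetworks.panos.panos_nat_rule:
    provider: '{{ provider }}'             # connection dict; preferred over the classic params
    rule_name: "DMZ-web-static"
    nat_type: "ipv4"
    source_zone: ["dmz"]
    destination_zone: "untrust"
    to_interface: "ethernet1/1"            # original packet's destination interface
    source_ip: ["10.10.20.5"]              # a single host, as a 1:1 static mapping needs
    destination_ip: ["any"]
    service: "any"
    snat_type: "static-ip"
    snat_static_address: "203.0.113.5"     # static translation; the dynamic snat_* options stay unset
    snat_bidirectional: true               # inbound traffic to 203.0.113.5 is translated back as well
    tag: ["managed-by-ansible"]
    audit_comment: "CHG-0001: publish DMZ web host"   # stored only if the rule actually changes
    location: "top"
    state: "present"

- name: Dynamic DNAT to an address pool (dnat_dynamic_* only, never dnat_address or dnat_port)
  paloaltonetworks.panos.panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "VIP-to-app-pool"
    source_zone: ["untrust"]
    destination_zone: "untrust"            # zone of the pre-NAT destination address
    destination_ip: ["203.0.113.10"]
    service: "service-https"
    dnat_dynamic_address: "app-pool"       # address object resolving to the internal pool
    dnat_dynamic_distribution: "round-robin"
    state: "present"
```

Because check mode is supported, running the play with --check reports the rule changes before anything is written to the device.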
Status
This module will be removed in version 3.0.0. [deprecated]
For more information see DEPRECATED.