paloaltonetworks.panos.panos_nat_rule module – Manage a policy NAT rule

Note

This module is part of the paloaltonetworks.panos collection (version 2.13.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_nat_rule.

New in paloaltonetworks.panos 1.0.0

DEPRECATED

Removed in:

version 3.0.0

Why:

The design of this module is not consistent with current design.

Alternative:

Use paloaltonetworks.panos.panos_nat_rule2 instead.

Synopsis

  • Manage a policy NAT rule. Keep in mind that a single rule can end up configuring source NAT, destination NAT, or both.

  • Rather than splitting this into two modules, the module makes a best effort to determine which form of NAT the user wants from the parameters supplied.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python >= 0.16

  • pan-os-python >= 1.7.3

Parameters

Parameter

Comments

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

description

string

NAT rule description.

destination_ip

list / elements=string

List of destination addresses.

Default: ["any"]

destination_zone

string

Destination zone.

device_group

string

(Panorama only) The device group the operation should target.

Default: "shared"

devicegroup

string

Deprecated

Use device_group instead.


The device group to place the NAT rule into.

Panorama only; ignored for firewalls.

dnat_address

string

Static DNAT translated address.

Mutually exclusive with dnat_dynamic_address, dnat_dynamic_port, and dnat_dynamic_distribution.

dnat_dynamic_address

string

Dynamic destination translated address.

Mutually exclusive with dnat_address and dnat_port.

dnat_dynamic_distribution

string

Dynamic destination translated distribution.

Mutually exclusive with dnat_address and dnat_port.

dnat_dynamic_port

integer

Dynamic destination translated port.

Mutually exclusive with dnat_address and dnat_port.

dnat_port

string

Static DNAT translated port.

Mutually exclusive with dnat_dynamic_address, dnat_dynamic_port, and dnat_dynamic_distribution.

existing_rule

string

If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

Required if location=before or location=after.

group_tag

string

The group tag.

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

location

string

nat_type

string

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.

Choices:

operation

string

Removed

Use state instead.

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

rule_name

string / required

Name of the NAT rule.

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.

Choices:

service

string

snat_address_type

string

snat_bidirectional

boolean

snat_dynamic_address

list / elements=string

Source NAT translated address.

Used when snat_type=dynamic-ip or snat_type=dynamic-ip-and-port.

snat_interface

string

SNAT interface.

snat_interface_address

string

SNAT interface address.

snat_static_address

string

Source NAT translated address. Used with Static-IP translation.

snat_type

string

source_ip

list / elements=string

List of source addresses.

Default: ["any"]

source_zone

list / elements=string

List of source zones.

state

string

tag

list / elements=string

Administrative tags.

tag_name

string

Deprecated

Use tag instead.


Administrative tag.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

to_interface

string

Original packet’s destination interface.

Default: "any"

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: "vsys1"

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

# Create a source and destination nat rule
- name: Create NAT SSH rule for 10.0.1.101
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "Web SSH"
    source_zone: ["external"]
    destination_zone: "external"
    source_ip: ["any"]
    destination_ip: ["10.0.0.100"]
    service: "service-tcp-221"
    snat_type: "dynamic-ip-and-port"
    snat_interface: "ethernet1/2"
    dnat_address: "10.0.1.101"
    dnat_port: "22"

- name: disable a specific NAT rule
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: 'Prod-Legacy 1'
    state: 'disable'
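As an added example, not taken from the collection's own documentation, the following playbook uses the parameters documented above to publish one internal service through a destination-only NAT rule, positions it before an existing rule with location/existing_rule, records an audit comment, and commits only when the rule actually changed. The rule, zone, tag and interface names, the provider variables, and the use of paloaltonetworks.panos.panos_commit_firewall with provider and description are assumptions for illustration.

```yaml
# Added example (not from the collection docs). Names and addresses are constructed.
- name: Manage an inbound DNAT rule for an internal web server
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: "{{ panos_host }}"      # assumed inventory variable
      api_key: "{{ panos_api_key }}"      # assumed, e.g. loaded from ansible-vault
  tasks:
    - name: "Publish 203.0.113.10 on HTTPS to 10.10.0.20 port 8443 (destination NAT only)"
      paloaltonetworks.panos.panos_nat_rule:
        provider: "{{ provider }}"
        rule_name: "Web-Inbound-HTTPS"
        source_zone: ["untrust"]
        destination_zone: "untrust"       # zone of the original (pre-NAT) destination
        to_interface: "ethernet1/1"
        source_ip: ["any"]
        destination_ip: ["203.0.113.10"]  # constructed public address
        service: "service-https"          # scope the exposure to one service, not "any"
        dnat_address: "10.10.0.20"        # constructed internal address
        dnat_port: "8443"
        location: "before"                # evaluated ahead of existing_rule
        existing_rule: "Catch-All-Outbound"
        tag: ["ansible-managed"]          # tag object must already exist on the device
        audit_comment: "Added by Ansible; change ticket: <placeholder>"
      register: nat_result

    - name: Commit only when the rule changed
      paloaltonetworks.panos.panos_commit_firewall:
        provider: "{{ provider }}"
        description: "Ansible: NAT rule Web-Inbound-HTTPS"
      when: nat_result.changed
```

Because no snat_* parameter is given, the module configures destination NAT only; adding snat_type and snat_interface to the same task would turn it into the combined source-and-destination form shown in the first example above.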

Status

  • This module will be removed in version 3.0.0. [deprecated]

  • For more information see DEPRECATED.

Authors

  • Luigi Mori (@jtschichold)

  • Ivan Bojer (@ivanbojer)

  • Robert Hagen (@stealthllama)

  • Michael Richardson (@mrichardson03)

  • Garfield Lee Freeman (@shinmog)

  • Ken Celenza (@itdependsnetworks)