paloaltonetworks.panos.panos_pbf_rule module – Manage Policy Based Forwarding rules on PAN-OS.

Note

This module is part of the paloaltonetworks.panos collection (version 2.19.1).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_pbf_rule.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Manage Policy Based Forwarding rules on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

  • pandevice >= 0.13.0

  • pan-python

Parameters

Parameter

Comments

action

string

The action to take.

Choices:

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

applications

list / elements=string

List of applications.

Default: :ansible-option-default:`["any"]`

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

description

string

The description.

destination_addresses

list / elements=string

List of destination addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

Default: :ansible-option-default:`["any"]`

device_group

string

(Panorama only) The device group the operation should target.

Default: :ansible-option-default:`"shared"`

disabled

boolean

Disable this rule.

Choices:

enable_enforce_symmetric_return

boolean

Set to enforce symmetric return.

Choices:

existing_rule

string
  • If location=before or location=after, this option specifies

    an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

    • Required if location=before or location=after.

forward_egress_interface

string

The egress interface.

forward_monitor_disable_if_unreachable

boolean

Set to disable this rule if nexthop / monitor IP is unreachable.

Choices:

forward_monitor_ip_address

string

The monitor IP address.

forward_monitor_profile

string

The monitor profile to use.

forward_next_hop_type

string

The next hop type.

Leave this as None for a next hop type of ‘None’.

To specify a next-hop of none, leave this parameter unset.

Choices:

forward_next_hop_value

string

The next hop value if forward next hop type is not None.

forward_vsys

string

The vsys to forward to if action is set to forward to a vsys.

from_type

string

Source from type.

Choices:

from_value

list / elements=string

The source values for the given type.

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

group_tag

string

The group tag.

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

location

string

Position to place the rule in.

Choices:

name

string

Name of the rule.

negate_destination

boolean

Set to negate the destination.

Choices:

negate_source

boolean

Set to negate the source.

Choices:

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.

Choices:

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.

Choices:

schedule

string

The schedule.

services

list / elements=string

List of services.

Default: :ansible-option-default:`["any"]`

source_addresses

list / elements=string

List of source IP addresses.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

Default: :ansible-option-default:`["any"]`

source_users

list / elements=string

List of source users.

Default: :ansible-option-default:`["any"]`

state

string

The state.

Choices:

symmetric_return_addresses

list / elements=string

List of symmetric return addresses.

tags

list / elements=string

List of tags.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: :ansible-option-default:`"vsys1"`

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add a pbf rule
  paloaltonetworks.panos.panos_pbf_rule:
    provider: '{{ provider }}'
    name: 'my-pbf'
    description: 'Made by Ansible'
    from_value: ['myZone']
    action: 'discard'

Authors

  • Garfield Lee Freeman (@shinmog)