paloaltonetworks.panos.panos_query_rules module – PANOS module that allows search for security rules in PANW NGFW devices.

Note

This module is part of the paloaltonetworks.panos collection (version 2.13.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_query_rules.

New in paloaltonetworks.panos 1.0.0

DEPRECATED

Removed in:

version 3.0.0

Why:

Querying rules is handled better by paloaltonetworks.panos.panos_match_rule.

Alternative:

Use paloaltonetworks.panos.panos_match_rule

Synopsis

• Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

• The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches

• the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

• pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python

• pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice

• xmltodict can be obtains from PyPI https://pypi.python.org/pypi/xmltodict

Parameters

Parameter	Comments
api_key string	API key that can be used instead of username/password credentials.
application string	Name of the application or application group to be queried.
destination_ip string	The destination IP address to be queried.
destination_port string	The destination port to be queried.
destination_zone string	Name of the destination security zone to be queried.
devicegroup string	The Panorama device group in which to conduct the query.
ip_address string / required	IP address (or hostname) of PAN-OS firewall or Panorama management console being queried.
password string	Password credentials to use for authentication.
protocol string	The protocol used to be queried. Choices: :ansible-option-choices-entry:`"tcp"` :ansible-option-choices-entry:`"udp"`
source_ip string	The source IP address to be queried.
source_port string	The source port to be queried.
source_zone string	Name of the source security zone to be queried.
tag_name string	Name of the rule tag to be queried.
username string	Username credentials to use for authentication. Default: :ansible-option-default:`"admin"`

Notes

Note

• Checkmode is not supported.

• Panorama is supported.

Examples

- name: search for rules with tcp/3306
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    source_zone: 'DevNet'
    destination_zone: 'DevVPC'
    destination_port: '3306'
    protocol: 'tcp'

- name: search devicegroup for inbound rules to dmz host
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    destination_zone: 'DMZ'
    destination_ip: '10.100.42.18'
    address: 'DeviceGroupA'

- name: search for rules containing a specified rule tag
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    tag_name: 'ProjectX'

Status

• This module will be removed in version 3.0.0. [deprecated]

• For more information see DEPRECATED.

Authors

• Bob Hagen (@stealthllama)

Collection links

Issue Tracker Repository (Sources)