paloaltonetworks.panos.panos_security_rule_facts module – Retrieve information about security rules.

Note

This module is part of the paloaltonetworks.panos collection (version 2.13.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_security_rule_facts.

New in paloaltonetworks.panos 1.0.0

DEPRECATED

Removed in: version 3.0.0

Why: Updating module design to network resource modules.

Alternative: Use paloaltonetworks.panos.panos_security_rule with state=gathered.

Synopsis

  • Retrieve information about security rules.

Requirements

The following requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters

api_key (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The API key to use instead of generating it using username / password.

details (boolean; aliases: all_details)
    Retrieve full details instead of just rule names.
    Implied when names is set and not using match_rules.
    Choices:

device_group (string)
    (Panorama only) The device group the operation should target.
    Default: "shared"

ip_address (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The IP address or hostname of the PAN-OS device being configured.

match_rules (dictionary)
    Returns security rule(s) in the policy that will match the specified traffic using the ‘test security-policy-match’ API command.

    application (string)
        Application name
    category (string)
        URL filtering category
    destination_ip (string / required)
        Destination IP address
    destination_port (string / required)
        Destination port
    destination_zone (string / required)
        Destination zone
    protocol (string / required)
    show_all (boolean)
        Show all potential matches until first allow rule
        Choices:
    source_ip (string / required)
        Source IP address
    source_user (string)
        Source user
    source_zone (string / required)
        Source zone

names (list / elements=string)
    List of security rule names to return data for.

password (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The password to use for authentication. This is ignored if api_key is specified.

port (integer)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The port number to connect to the PAN-OS device on.
    Default: 443

provider (dictionary)
    added in paloaltonetworks.panos 1.0.0
    A dict object containing connection details.

    api_key (string)
        The API key to use instead of generating it using username / password.
    ip_address (string)
        The IP address or hostname of the PAN-OS device being configured.
    password (string)
        The password to use for authentication. This is ignored if api_key is specified.
    port (integer)
        The port number to connect to the PAN-OS device on.
        Default: 443
    serial_number (string)
        The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
    username (string)
        The username to use for authentication. This is ignored if api_key is specified.
        Default: "admin"

rule_name (string)
    Name of the security rule.

rulebase (string)
    The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
    Choices:

username (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The username to use for authentication. This is ignored if api_key is specified.
    Default: "admin"

vsys (string)
    The vsys this object belongs to.
    Default: "vsys1"

Notes


  • Check mode is not supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: Get a list of all security rules
  panos_security_rule_facts:
    provider: '{{ provider }}'
  register: sec_rules

- debug:
    msg: '{{ sec_rules.rule_names }}'

- name: Get the definition for rule 'HTTP Multimedia'
  panos_security_rule_facts:
    provider: '{{ provider }}'
    names:
        - 'HTTP Multimedia'
  register: rule1

- debug:
    msg: '{{ rule1.spec }}'

- name: Get rule names matching DNS traffic
  panos_security_rule_facts:
    provider: '{{ provider }}'
    match_rules:
      source_zone: 'trust'
      source_ip: '192.168.1.10'
      destination_zone: 'untrust'
      destination_ip: '8.8.8.8'
      destination_port: '53'
      protocol: 'udp'
  register: dns_rule

- debug:
    msg: '{{ dns_rule.spec }}'
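The following playbook is an added example and is not part of the collection's own documentation. It uses details=true to pull the full rule_details list described under Return Values and then audits it with the documented keys (disabled, action, log_start, log_end, source_ip, destination_ip): enabled allow rules that log neither session start nor session end, and enabled allow rules whose source and destination addresses are both any. The provider values (firewall.example.com, the PANOS_API_KEY environment variable) are placeholders; substitute your own inventory or vault values.

```yaml
# Added example, not from the paloaltonetworks.panos collection's docs.
# Audits the rule_details returned by panos_security_rule_facts for
# allow rules with no session logging and for any/any allow rules.
# The provider values below are placeholders.
- name: Audit security rule logging and scope
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: 'firewall.example.com'               # placeholder
      api_key: "{{ lookup('env', 'PANOS_API_KEY') }}"  # placeholder source
  tasks:
    - name: Retrieve full details for every security rule
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: '{{ provider }}'
        details: true
      register: sec_rules

    # rejectattr/selectattr without a test evaluate the attribute as a
    # boolean, so an unset (null) 'disabled' counts as enabled.
    - name: Keep only enabled allow rules
      ansible.builtin.set_fact:
        allow_rules: >-
          {{ sec_rules.rule_details
             | rejectattr('disabled')
             | selectattr('action', 'equalto', 'allow')
             | list }}

    # Unset log_start/log_end are treated as "not logging".
    - name: Allow rules that log neither session start nor session end
      ansible.builtin.set_fact:
        unlogged_rules: >-
          {{ allow_rules
             | rejectattr('log_start')
             | rejectattr('log_end')
             | map(attribute='rule_name')
             | list }}

    # source_ip and destination_ip are lists; ['any'] is the wide-open case.
    - name: Allow rules that match any source and any destination address
      ansible.builtin.set_fact:
        any_any_rules: >-
          {{ allow_rules
             | selectattr('source_ip', 'equalto', ['any'])
             | selectattr('destination_ip', 'equalto', ['any'])
             | map(attribute='rule_name')
             | list }}

    - name: Report findings
      ansible.builtin.debug:
        msg:
          unlogged_allow_rules: '{{ unlogged_rules }}'
          any_any_allow_rules: '{{ any_any_rules }}'

    - name: Fail the run when an allow rule is not logged at all
      ansible.builtin.assert:
        that:
          - unlogged_rules | length == 0
        fail_msg: "Allow rules without session logging: {{ unlogged_rules }}"
```

Run it with ansible-playbook against a firewall or Panorama (add device_group and rulebase to the facts task on Panorama). The final assert turns the audit into a failing check that can gate a pipeline; drop it if you only want the report.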

Return Values

Common return values are documented here; the following are the fields unique to this module:

rule_details (list / elements=dictionary)
    Full details of requested security rules, or matching traffic as specified in match_rules.
    Returned: When details=True

    Each entry contains the following keys (all returned on success):

    action (string): The rule action.
    antivirus (string): Name of the already defined antivirus profile.
    application (list / elements=string): List of applications, application groups, and/or application filters.
    category (list / elements=string): List of destination URL categories.
    data_filtering (string): Name of the already defined data_filtering profile.
    description (string): Description of the security rule.
    destination_ip (list / elements=string): List of destination addresses.
    destination_zone (list / elements=string): List of destination zones.
    disable_server_response_inspection (boolean): Disables packet inspection from the server to the client.
    disabled (boolean): Disable this rule.
    file_blocking (string): Name of the already defined file_blocking profile.
    group_profile (string): Security profile group setting.
    hip_profiles (list / elements=string): GlobalProtect host information profile list.
    icmp_unreachable (boolean): Send ‘ICMP Unreachable’.
    log_end (boolean): Whether to log at session end.
    log_setting (string): Log forwarding profile.
    log_start (boolean): Whether to log at session start.
    negate_destination (boolean): Match on the reverse of the ‘destination_ip’ attribute.
    negate_source (boolean): Match on the reverse of the ‘source_ip’ attribute.
    rule_name (string): Name of the security rule.
    rule_type (string): Type of security rule (version 6.1 of PAN-OS and above).
    schedule (string): Schedule in which this rule is active.
    service (list / elements=string): List of services and/or service groups.
    source_ip (list / elements=string): List of source addresses.
    source_user (list / elements=string): List of source users.
    source_zone (list / elements=string): List of source zones.
    spyware (string): Name of the already defined spyware profile.
    tag_name (list / elements=string): List of tags associated with the rule.
    url_filtering (string): Name of the already defined url_filtering profile.
    vulnerability (string): Name of the already defined vulnerability profile.
    wildfire_analysis (string): Name of the already defined wildfire_analysis profile.

rule_names (list / elements=string)
    List of security rules present, or matching traffic as specified in match_rules.
    Returned: When details=False
    Sample: ["rule1", "rule2", "rule3"]

Status

  • This module will be removed in version 3.0.0. [deprecated]

  • For more information see DEPRECATED.

Authors

  • Garfield Lee Freeman (@shinmog)

  • Michael Richardson (@mrichardson03)