paloaltonetworks.panos.panos_security_rule_facts module – Retrieve information about security rules.

Note
This module is part of the paloaltonetworks.panos collection (version 2.13.2).
To install it, use: `ansible-galaxy collection install paloaltonetworks.panos`
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: `paloaltonetworks.panos.panos_security_rule_facts`

New in paloaltonetworks.panos 1.0.0

DEPRECATED
- Removed in: version 3.0.0
- Why: Updating module design to network resource modules.
- Alternative: Use paloaltonetworks.panos.panos_security_rule with state=gathered.
Synopsis
Retrieve information about security rules.
Requirements
The below requirements are needed on the host that executes this module.
- pan-python
- pandevice
Parameters

| Parameter | Comments |
|---|---|
| api_key | Deprecated. Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
| details | Retrieve full details instead of just rule names. Implied when names is set and not using match_rules. Choices: false (default), true |
| device_group | (Panorama only) The device group the operation should target. Default: "shared" |
| ip_address | Deprecated. Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
| match_rules | Returns the security rule(s) in the policy that will match the specified traffic, using the ‘test security-policy-match’ API command. |
| match_rules / application | Application name |
| match_rules / category | URL filtering category |
| match_rules / destination_ip | Destination IP address |
| match_rules / destination_port | Destination port |
| match_rules / destination_zone | Destination zone |
| match_rules / protocol | IP protocol type. Choices: tcp, udp |
| match_rules / show_all | Show all potential matches until the first allow rule. Choices: false, true |
| match_rules / source_ip | Source IP address |
| match_rules / source_user | Source user |
| match_rules / source_zone | Source zone |
| names | List of security rule names to return data for. |
| password | Deprecated. Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
| port | Deprecated. Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: 443 |
| provider | A dict object containing connection details. |
| provider / api_key | The API key to use instead of generating it using username / password. |
| provider / ip_address | The IP address or hostname of the PAN-OS device being configured. |
| provider / password | The password to use for authentication. This is ignored if api_key is specified. |
| provider / port | The port number to connect to the PAN-OS device on. Default: 443 |
| provider / serial_number | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
| provider / username | The username to use for authentication. This is ignored if api_key is specified. Default: "admin" |
| rule_name | Name of the security rule. |
| rulebase | The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase. Choices: pre-rulebase, rulebase, post-rulebase |
| username | Deprecated. Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: "admin" |
| vsys | The vsys this object belongs to. Default: "vsys1" |
Notes

Note
- Check mode is not supported.
- Panorama is supported.
- PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples

```yaml
- name: Get a list of all security rules
  panos_security_rule_facts:
    provider: '{{ provider }}'
  register: sec_rules

- debug:
    msg: '{{ sec_rules.rule_names }}'

- name: Get the definition for rule 'HTTP Multimedia'
  panos_security_rule_facts:
    provider: '{{ provider }}'
    names:
      - 'HTTP Multimedia'
  register: rule1

- debug:
    msg: '{{ rule1.spec }}'

# With match_rules, details is not implied: the result is rule_names unless
# details is set to true, in which case the matching rules are returned in spec.
- name: Get rule names matching DNS traffic
  panos_security_rule_facts:
    provider: '{{ provider }}'
    match_rules:
      source_zone: 'trust'
      source_ip: '192.168.1.10'
      destination_zone: 'untrust'
      destination_ip: '8.8.8.8'
      destination_port: '53'
      protocol: 'udp'
  register: dns_rule

- debug:
    msg: '{{ dns_rule.rule_names }}'
```
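The following playbook is an added example and not part of the collection's documentation. It combines details=true with match_rules to audit a rulebase: it flags enabled allow rules that are 'any' on source, destination, application and service, then asks the firewall which rule would match inbound SSH from the Internet to a DMZ host and fails if that rule allows it. It assumes a `provider` dict with PAN-OS connectivity, zones named 'untrust' and 'dmz', and the constructed test addresses shown.

```yaml
# Added audit playbook, not from the collection docs. Assumes 'provider'
# holds PAN-OS connectivity and that zones 'untrust' and 'dmz' exist;
# the IP addresses are constructed test values.
- name: Audit PAN-OS security policy
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Fetch every security rule with full details
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: '{{ provider }}'
        details: true
      register: all_rules
    # An enabled allow rule that is 'any' for source, destination,
    # application and service is an open door; collect such rule names.
    - name: Find wide-open allow rules
      set_fact:
        wide_open: >-
          {{ all_rules.spec
             | selectattr('action', 'equalto', 'allow')
             | rejectattr('disabled', 'equalto', true)
             | selectattr('source_ip', 'equalto', ['any'])
             | selectattr('destination_ip', 'equalto', ['any'])
             | selectattr('application', 'equalto', ['any'])
             | selectattr('service', 'equalto', ['any'])
             | map(attribute='rule_name') | list }}
    - name: Fail the audit if any wide-open allow rule exists
      assert:
        that: wide_open | length == 0
        fail_msg: "Wide-open allow rules: {{ wide_open }}"
    # Ask the firewall which rules would match inbound SSH from the
    # Internet to the DMZ; the first match must not be an allow rule.
    - name: Evaluate inbound SSH against the policy
      paloaltonetworks.panos.panos_security_rule_facts:
        provider: '{{ provider }}'
        details: true
        match_rules:
          source_zone: 'untrust'
          source_ip: '203.0.113.10'
          destination_zone: 'dmz'
          destination_ip: '198.51.100.22'
          destination_port: '22'
          protocol: 'tcp'
      register: ssh_match
    - name: Inbound SSH must hit a deny rule or no rule at all
      assert:
        that: >-
          (ssh_match.spec | map(attribute='action') | first
           | default('implicit-deny')) != 'allow'
```

If no rule matches, spec is empty and the `default` filter supplies 'implicit-deny', so the assertion treats the interzone default-deny as a pass.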
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| spec | Full details of the requested security rules, or of the rules matching the traffic specified in match_rules. Returned: when details=True |
| spec / action | The rule action. Returned: success |
| spec / antivirus | Name of the already defined antivirus profile. Returned: success |
| spec / application | List of applications, application groups, and/or application filters. Returned: success |
| spec / category | List of destination URL categories. Returned: success |
| spec / data_filtering | Name of the already defined data_filtering profile. Returned: success |
| spec / description | Description of the security rule. Returned: success |
| spec / destination_ip | List of destination addresses. Returned: success |
| spec / destination_zone | List of destination zones. Returned: success |
| spec / disable_server_response_inspection | Disables packet inspection from the server to the client. Returned: success |
| spec / disabled | Disable this rule. Returned: success |
| spec / file_blocking | Name of the already defined file_blocking profile. Returned: success |
| spec / group_profile | Security profile group setting. Returned: success |
| spec / hip_profiles | GlobalProtect host information profile list. Returned: success |
| spec / icmp_unreachable | Send ‘ICMP Unreachable’. Returned: success |
| spec / log_end | Whether to log at session end. Returned: success |
| spec / log_setting | Log forwarding profile. Returned: success |
| spec / log_start | Whether to log at session start. Returned: success |
| spec / negate_destination | Match on the reverse of the ‘destination_ip’ attribute. Returned: success |
| spec / negate_source | Match on the reverse of the ‘source_ip’ attribute. Returned: success |
| spec / rule_name | Name of the security rule. Returned: success |
| spec / rule_type | Type of security rule (version 6.1 of PAN-OS and above). Returned: success |
| spec / schedule | Schedule in which this rule is active. Returned: success |
| spec / service | List of services and/or service groups. Returned: success |
| spec / source_ip | List of source addresses. Returned: success |
| spec / source_user | List of source users. Returned: success |
| spec / source_zone | List of source zones. Returned: success |
| spec / spyware | Name of the already defined spyware profile. Returned: success |
| spec / tag_name | List of tags associated with the rule. Returned: success |
| spec / url_filtering | Name of the already defined url_filtering profile. Returned: success |
| spec / vulnerability | Name of the already defined vulnerability profile. Returned: success |
| spec / wildfire_analysis | Name of the already defined wildfire_analysis profile. Returned: success |
| rule_names | List of security rule names present, or of the rules matching the traffic specified in match_rules. Returned: when details=False. Sample: `["rule1", "rule2", "rule3"]` |
Status
This module will be removed in version 3.0.0. [deprecated]
For more information see DEPRECATED.