paloaltonetworks.panos.panos_security_rule_facts module – Retrieve information about security rules.

Note

This module is part of the paloaltonetworks.panos collection (version 2.13.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_security_rule_facts.

New in paloaltonetworks.panos 1.0.0

DEPRECATED 

Removed in:: version 3.0.0
Why:: Updating module design to network resource modules.
Alternative:: Use paloaltonetworks.panos.panos_security_rule with state=gathered.

Synopsis 

Retrieve information about security rules.

Requirements 

The below requirements are needed on the host that executes this module.

pan-python
pandevice

Parameters 

Parameter	Comments
api_key string	Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
details aliases: all_details boolean	Retrieve full details instead of just rule names. Implied when names is set and not using match_rules. Choices: :ansible-option-choices-entry-default:`false` ← (default) :ansible-option-choices-entry:`true`
device_group string	(Panorama only) The device group the operation should target. Default: :ansible-option-default:`"shared"`
ip_address string	Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
match_rules dictionary	Returns security rule(s) in the policy that will match the specified traffic using the ‘test security-policy-match’ API command.
application string	Application name
category string	URL filtering category
destination_ip string / required	Destination IP address
destination_port string / required	Destination port
destination_zone string / required	Destination zone
protocol string / required	IP protocol type Choices: :ansible-option-choices-entry:`"tcp"` :ansible-option-choices-entry:`"udp"` :ansible-option-choices-entry:`"icmp"`
show_all boolean	Show all potential matches until first allow rule Choices: :ansible-option-choices-entry:`false` :ansible-option-choices-entry:`true`
source_ip string / required	Source IP address
source_user string	Source user
source_zone string / required	Source zone
names list / elements=string	List of security rule names to return data for.
password string	Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443`
provider dictionary added in paloaltonetworks.panos 1.0.0	A dict object containing connection details.
api_key string	The API key to use instead of generating it using username / password.
ip_address string	The IP address or hostname of the PAN-OS device being configured.
password string	The password to use for authentication. This is ignored if api_key is specified.
port integer	The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443`
serial_number string	The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username string	The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"`
rule_name string	Name of the security rule.
rulebase string	The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase. Choices: :ansible-option-choices-entry:`"pre-rulebase"` :ansible-option-choices-entry:`"rulebase"` :ansible-option-choices-entry:`"post-rulebase"`
username string	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"`
vsys string	The vsys this object belongs to. Default: :ansible-option-default:`"vsys1"`

Notes 

Note

Checkmode is not supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples 

- name: Get a list of all security rules
  panos_security_rule_facts:
    provider: '{{ provider }}'
  register: sec_rules

- debug:
    msg: '{{ sec_rules.rule_names }}'

- name: Get the definition for rule 'HTTP Multimedia'
  panos_security_rule_facts:
    provider: '{{ provider }}'
    names:
        - 'HTTP Multimedia'
  register: rule1

- debug:
    msg: '{{ rule1.spec }}'

- name: Get rule names matching DNS traffic
  panos_security_rule_facts:
    provider: '{{ provider }}'
    match_rules:
      source_zone: 'trust'
      source_ip: '192.168.1.10'
      destination_zone: 'untrust'
      destination_ip: '8.8.8.8'
      destination_port: '53'
      protocol: 'udp'
  register: dns_rule

- debug:
    msg: '{{ dns_rule.spec }}'

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
rule_details list / elements=dictionary	Full details of requested security rules, or matching traffic as specified in match_rules. Returned: When details=True
action string	The rule action. Returned: success
antivirus string	Name of the already defined antivirus profile. Returned: success
application list / elements=string	List of applications, application groups, and/or application filters. Returned: success
category list / elements=string	List of destination URL categories. Returned: success
data_filtering string	Name of the already defined data_filtering profile. Returned: success
description string	Description of the security rule. Returned: success
destination_ip list / elements=string	List of destination addresses. Returned: success
destination_zone list / elements=string	List of destination zones. Returned: success
disable_server_response_inspection boolean	Disables packet inspection from the server to the client. Returned: success
disabled boolean	Disable this rule. Returned: success
file_blocking string	Name of the already defined file_blocking profile. Returned: success
group_profile string	Security profile group setting. Returned: success
hip_profiles list / elements=string	GlobalProtect host information profile list. Returned: success
icmp_unreachable boolean	Send ‘ICMP Unreachable’. Returned: success
log_end boolean	Whether to log at session end. Returned: success
log_setting string	Log forwarding profile. Returned: success
log_start boolean	Whether to log at session start. Returned: success
negate_destination boolean	Match on the reverse of the ‘destination_ip’ attribute Returned: success
negate_source boolean	Match on the reverse of the ‘source_ip’ attribute Returned: success
rule_name string	Name of the security rule. Returned: success
rule_type string	Type of security rule (version 6.1 of PanOS and above). Returned: success
schedule string	Schedule in which this rule is active. Returned: success
service list / elements=string	List of services and/or service groups. Returned: success
source_ip list / elements=string	List of source addresses. Returned: success
source_user list / elements=string	List of source users. Returned: success
source_zone list / elements=string	List of source zones. Returned: success
spyware string	Name of the already defined spyware profile. Returned: success
tag_name list / elements=string	List of tags associated with the rule. Returned: success
url_filtering string	Name of the already defined url_filtering profile. Returned: success
vulnerability string	Name of the already defined vulnerability profile. Returned: success
wildfire_analysis string	Name of the already defined wildfire_analysis profile. Returned: success
rule_names list / elements=string	List of security rules present, or matching traffic as specified in match_rules. Returned: When details=False Sample: :ansible-rv-sample-value:`["rule1", "rule2", "rule3"]`

Status 

This module will be removed in version 3.0.0. [deprecated]
For more information see DEPRECATED.

Authors

Garfield Lee Freeman (@shinmog)
Michael Richardson (@mrichardson03)

Collection links

Issue Tracker Repository (Sources)