paloaltonetworks.panos.panos_security_rule module – Manage security rule policy on PAN-OS devices or Panorama management console.

Note

This module is part of the paloaltonetworks.panos collection (version 2.17.5).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_security_rule.

New in paloaltonetworks.panos 1.0.0

Synopsis

    • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

    • The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

Action to apply once rules matches.

Choices:

antivirus

string

Name of the already defined antivirus profile.

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.

application

list / elements=string

List of applications, application groups, and/or application filters.

Default: :ansible-option-default:`["any"]`

audit_comment

string

Add an audit comment to the rule being defined.

This is only applied if there was a change to the rule.

category

list / elements=string

List of destination URL categories.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-url name <tab> panw-auth-portal-exclude-list panw-auth-portal-exclude-list

Default: :ansible-option-default:`["any"]`

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.

Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

data_filtering

string

Name of the already defined data_filtering profile.

description

string

Description of the security rule.

destination_ip

list / elements=string

List of destination addresses.

This can be an IP address, an address object/group, etc.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

Default: :ansible-option-default:`["any"]`

destination_zone

list / elements=string

List of destination zones.

Default: :ansible-option-default:`["any"]`

device_group

string

(Panorama only) The device group the operation should target.

Default: :ansible-option-default:`"shared"`

devicegroup

string

Deprecated

Use device_group instead.

Device groups are logical groups of firewalls in Panorama.

disable_server_response_inspection

boolean

Disables packet inspection from the server to the client. Useful under heavy server load conditions.

Choices:

disabled

boolean

Disable this rule.

Choices:

existing_rule

string
  • If location=before or location=after, this option specifies

    an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.

    • Required if location=before or location=after.

file_blocking

string

Name of the already defined file_blocking profile.

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

group_profile

string

  • Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.

group_tag

string

The group tag.

hip_profiles

list / elements=string
  • If you are using GlobalProtect with host information profile (HIP)

    enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user’s local configuration.

    • NOTE: If state=present or state=replaced, and you’re running PAN-OS < 10.0.0, then this will have a default of [“any”].

    • If you are using PAN-OS >= 10.0.0, please do not use this parameter as it was removed from PAN-OS in 10.0.0.

icmp_unreachable

boolean

Send ‘ICMP Unreachable’. Used with ‘deny’, ‘drop’, and ‘reset’ actions.

Choices:

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.

location

string

Position to place the rule in.

Choices:

log_end

boolean

Whether to log at session end.

Choices:

log_setting

string

Log forwarding profile.

log_start

boolean

Whether to log at session start.

Choices:

negate_destination

boolean

Match on the reverse of the ‘destination_ip’ attribute

Choices:

negate_source

boolean

Match on the reverse of the ‘source_ip’ attribute

Choices:

negate_target

boolean

Applicable for Panorama only.

Negate the value for target.

Choices:

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: :ansible-option-default:`443`

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

rule_name

string

Name of the security rule.

rule_type

string

Type of security rule (version 6.1 of PanOS and above).

Choices:

rulebase

string

The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.

Choices:

schedule

string

Schedule in which this rule is active.

service

list / elements=string

List of services and/or service groups.

Default: :ansible-option-default:`["application-default"]`

source_ip

list / elements=string

List of source addresses.

This can be an IP address, an address object/group, etc.

When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list

Default: :ansible-option-default:`["any"]`

source_user

list / elements=string

Use users to enforce policy for individual users or a group of users.

Default: :ansible-option-default:`["any"]`

source_zone

list / elements=string

List of source zones.

Default: :ansible-option-default:`["any"]`

spyware

string

Name of the already defined spyware profile.

state

string

The state.

Choices:

tag_name

list / elements=string

List of tags associated with the rule.

target

list / elements=string

Applicable for Panorama only.

Apply this rule exclusively to the listed firewall serial numbers.

url_filtering

string

Name of the already defined url_filtering profile.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Default: :ansible-option-default:`"admin"`

uuid

string

The rule UUID.

Note that this is currently more of a read-only field.

Usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys

string

The vsys this object belongs to.

Default: :ansible-option-default:`"vsys1"`

vulnerability

string

Name of the already defined vulnerability profile.

wildfire_analysis

string

Name of the already defined wildfire_analysis profile.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add SSH inbound rule to Panorama device group
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['production']
    source_zone: ['public']
    source_ip: ['any']
    destination_zone: ['private']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'

- name: add a rule to allow HTTP multimedia only to CDNs
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['private']
    destination_zone: ['public']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'Allow HTTP'
    source_zone: ['public']
    destination_zone: ['private']
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'strict'
    vulnerability: 'strict'
    spyware: 'strict'
    url_filtering: 'strict'
    wildfire_analysis: 'default'

- name: disable a Panorama pre-rule
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Production edge'
    rule_name: 'Allow telnet'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    destination_ip: ['1.1.1.1']
    log_start: false
    log_end: true
    action: 'allow'
    disabled: true

- name: delete a device group security rule
  panos_security_rule:
    provider: '{{ provider }}'
    state: 'absent'
    device_group: 'DC Firewalls'
    rule_name: 'Allow telnet'

- name: add a rule at a specific location in the rulebase
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['untrust']
    destination_zone: ['trust']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    action: 'allow'
    location: 'before'
    existing_rule: 'Allow MySQL'

Authors

  • Ivan Bojer (@ivanbojer)

  • Robert Hagen (@stealthllama)

  • Michael Richardson (@mrichardson03)

  • Garfield Lee Freeman (@shinmog)