paloaltonetworks.panos.panos_security_rule module – Manage security rule policy on PAN-OS devices or Panorama management console.
Note
This module is part of the paloaltonetworks.panos collection (version 2.21.3).
To install it, use: ansible-galaxy collection install paloaltonetworks.panos.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: paloaltonetworks.panos.panos_security_rule.
New in paloaltonetworks.panos 1.0.0
Synopsis
Following rules apply for security policies:
Security policies allow you to enforce rules and take action, and can be as
general or specific as needed.
The policy rules are compared against the incoming traffic in sequence, and
because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
Defaults in spec descriptions apply when state=present/state=replaced,
or when creating a new resource with state=merged.
Requirements
The below requirements are needed on the host that executes this module.
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
Parameters
Parameter |
Comments |
|---|---|
Action to apply to the rule. Defaults to “allow”. Choices: |
|
Name of the already defined antivirus profile. |
|
Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
|
List of applications, application groups, and/or application filters. Defaults to [“any”]. |
|
Add an audit comment to the rule being defined. This is only applied if there was a change to the rule. |
|
List of destination URL categories. Defaults to [“any”]. When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-url name <tab> panw-auth-portal-exclude-list panw-auth-portal-exclude-list |
|
Deprecated Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead. Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template. Choices: |
|
Name of the already defined data_filtering profile. |
|
Description of the security rule. |
|
List of destination addresses. Defaults to [“any”]. This can be an IP address, an address object/group, etc. When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list |
|
List of destination zones. Defaults to [“any”]. |
|
(Panorama only) The device group the operation should target. Default: :ansible-option-default:`"shared"` |
|
Deprecated Use device_group instead. Device groups are logical groups of firewalls in Panorama. |
|
Disables packet inspection from the server to the client. Useful under heavy server load conditions. Defaults to false. Choices: |
|
Disable this rule. Defaults to false. Choices: |
|
|
|
Name of the already defined file_blocking profile. |
|
When state=gathered. An advanced filtering option to filter results returned from PAN-OS. Refer to the guide discussing gathered_filter for more information. |
|
Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties. |
|
The group tag. |
|
If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user’s local configuration. NOTE If state=present or state=replaced, and you’re running PAN-OS < 10.0.0, then this will have a default of [“any”]. If you are using PAN-OS >= 10.0.0, please do not use this parameter as it was removed from PAN-OS in 10.0.0. |
|
Send ‘ICMP Unreachable’. Used with ‘deny’, ‘drop’, and ‘reset’ actions. Choices: |
|
Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
|
Position to place the rule in. Choices: |
|
Whether to log at session end. Defaults to true. Choices: |
|
Log forwarding profile. |
|
Whether to log at session start. Defaults to false. Choices: |
|
Match on the reverse of the ‘destination_ip’ attribute. Defaults to false. Choices: |
|
Match on the reverse of the ‘source_ip’ attribute. Defaults to false. Choices: |
|
Applicable for Panorama only. Negate the value for target. Choices: |
|
Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
|
Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443` |
|
A dict object containing connection details. |
|
The API key to use instead of generating it using username / password. |
|
The IP address or hostname of the PAN-OS device being configured. |
|
The password to use for authentication. This is ignored if api_key is specified. |
|
The port number to connect to the PAN-OS device on. Default: :ansible-option-default:`443` |
|
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
|
The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"` |
|
Name of the security rule. |
|
Type of security rule (version 6.1 of PanOS and above). Defaults to “universal”. Choices: |
|
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase. Choices: |
|
Schedule in which this rule is active. |
|
List of services and/or service groups. Defaults to [“application-default”]. |
|
List of source addresses. Defaults to [“any”]. This can be an IP address, an address object/group, etc. When referencing predefined EDLs, use config names of the EDLS not their full names. The config names can be found with the CLI… request system external-list show type predefined-ip name <tab> panw-bulletproof-ip-list panw-bulletproof-ip-list panw-highrisk-ip-list panw-highrisk-ip-list panw-known-ip-list panw-known-ip-list panw-torexit-ip-list panw-torexit-ip-list |
|
Use users to enforce policy for individual users or a group of users. Defaults to [“any”]. |
|
List of source zones. Defaults to [“any”]. |
|
Name of the already defined spyware profile. |
|
List of tags associated with the rule. |
|
Applicable for Panorama only. Apply this rule exclusively to the listed firewall serial numbers. |
|
Name of the already defined url_filtering profile. |
|
Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. Default: :ansible-option-default:`"admin"` |
|
The rule UUID. Note that this is currently more of a read-only field. Usage of the UUID cannot currently take the place of using the rule name as the primary identifier. |
|
The vsys this object belongs to. Default: :ansible-option-default:`"vsys1"` |
|
Name of the already defined vulnerability profile. |
|
Name of the already defined wildfire_analysis profile. |
Notes
Note
Checkmode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples
- name: add SSH inbound rule to Panorama device group
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
device_group: 'Cloud Edge'
rule_name: 'SSH permit'
description: 'SSH rule test'
tag_name: ['production']
source_zone: ['public']
source_ip: ['any']
destination_zone: ['private']
destination_ip: ['1.1.1.1']
application: ['ssh']
action: 'allow'
- name: add a rule to allow HTTP multimedia only to CDNs
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
rule_name: 'HTTP Multimedia'
description: 'Allow HTTP multimedia only to host at 1.1.1.1'
source_zone: ['private']
destination_zone: ['public']
category: ['content-delivery-networks']
application: ['http-video', 'http-audio']
service: ['service-http', 'service-https']
action: 'allow'
- name: add a more complex rule that uses security profiles
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
rule_name: 'Allow HTTP'
source_zone: ['public']
destination_zone: ['private']
log_start: false
log_end: true
action: 'allow'
antivirus: 'strict'
vulnerability: 'strict'
spyware: 'strict'
url_filtering: 'strict'
wildfire_analysis: 'default'
- name: disable a Panorama pre-rule
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
device_group: 'Production edge'
rule_name: 'Allow telnet'
source_zone: ['public']
destination_zone: ['private']
source_ip: ['any']
destination_ip: ['1.1.1.1']
log_start: false
log_end: true
action: 'allow'
disabled: true
- name: delete a device group security rule
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
state: 'absent'
device_group: 'DC Firewalls'
rule_name: 'Allow telnet'
- name: add a rule at a specific location in the rulebase
paloaltonetworks.panos.panos_security_rule:
provider: '{{ provider }}'
rule_name: 'SSH permit'
description: 'SSH rule test'
source_zone: ['untrust']
destination_zone: ['trust']
source_ip: ['any']
source_user: ['any']
destination_ip: ['1.1.1.1']
category: ['any']
application: ['ssh']
service: ['application-default']
action: 'allow'
location: 'before'
existing_rule: 'Allow MySQL'