panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console

New in version 2.5.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
application
-
The application.
category
-
URL category
destination_ip
- / required
The destination IP address.
destination_port
integer / required
The destination port.
destination_zone
-
The destination zone.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
protocol
integer / required
The IP protocol number from 1 to 255.
provider
-
added in 2.8
A dict object containing connection details. Sub-options:
    api_key
    string
    The API key to use instead of generating it using username / password.
    ip_address
    string
    The IP address or hostname of the PAN-OS device being configured.
    password
    string
    The password to use for authentication. This is ignored if api_key is specified.
    port
    integer
    Default:
    443
    The port number to connect to the PAN-OS device on.
    serial_number
    string
    The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
    username
    string
    Default:
    admin
    The username to use for authentication. This is ignored if api_key is specified.
rule_type
-
    Choices:
  • security ←
  • nat
Type of rule.
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
source_ip
- / required
The source IP address.
source_port
integer
The source port.
source_user
-
The source user or group.
source_zone
-
The source zone.
to_interface
-
The inbound interface in a NAT rule.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.
vsys_id
-
Removed
Use vsys instead.

Notes

Note

  • Check mode is not supported.

  • Panorama is NOT supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: check security rules for Google DNS
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    provider: '{{ provider }}'
    vsys: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'
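The examples above print whichever rule matched. In practice the module is most useful as a policy check that fails a run when an expected flow is not covered. The playbook below is an added example, not part of the module documentation or the PAN-OS collection: it tests a list of expected flows against the security rulebase and asserts that each one hit a rule. The provider details and the flow list are constructed values, the password is read from an environment variable rather than written into the play, and it assumes (as the examples above suggest) that the module returns the matched rule under `rule` and leaves it absent or empty when nothing matches.

```yaml
---
- name: verify that expected flows are covered by a security rule
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Constructed connection details; replace with your own device.
    provider:
      ip_address: '192.0.2.10'
      username: 'admin'
      password: "{{ lookup('env', 'PANOS_PASSWORD') }}"
    # Constructed list of flows the policy is expected to handle.
    expected_flows:
      - { name: 'dns-out', src: '10.0.0.0', dst: '8.8.8.8', port: 53, proto: 17, app: 'dns' }
      - { name: 'ssh-in',  src: '0.0.0.0', dst: '192.168.100.115', port: 22, proto: 6, app: 'ssh' }
  tasks:
    - name: test each expected flow against the security rulebase
      panos_match_rule:
        provider: '{{ provider }}'
        source_ip: '{{ item.src }}'
        destination_ip: '{{ item.dst }}'
        destination_port: '{{ item.port }}'
        protocol: '{{ item.proto }}'
        application: '{{ item.app }}'
      loop: '{{ expected_flows }}'
      loop_control:
        label: '{{ item.name }}'
      register: matches

    # Each entry in matches.results carries the module output plus the
    # original flow under .item. Assumed: no match means 'rule' is
    # missing or empty, so the assertion fails on an uncovered flow.
    - name: fail the run if any expected flow has no matching rule
      assert:
        that:
          - item.rule is defined and item.rule
        fail_msg: "No security rule matched flow '{{ item.item.name }}' ({{ item.item.src }} -> {{ item.item.dst }}:{{ item.item.port }})"
        success_msg: "Flow '{{ item.item.name }}' matched rule: {{ item.rule }}"
      loop: '{{ matches.results }}'
      loop_control:
        label: '{{ item.item.name }}'
```

Run it with `ansible-playbook verify_policy.yml` after exporting `PANOS_PASSWORD`. Because the module does not support check mode, this play only reads policy and never changes it, which makes it safe to schedule as a recurring drift check; to verify that a flow is *not* reachable, invert the condition in the `assert` task for that entry.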

Status

Authors

  • Robert Hagen (@rnh556)