panos_security_rule – Create security rule policy on PAN-OS devices or Panorama management console
New in version 2.4.
Synopsis
Security policies allow you to enforce rules and take action, and can be as general or specific as needed.
Policy rules are compared against incoming traffic in sequence, and the first rule that matches is applied,
so more specific rules must precede more general ones: a broad rule placed higher in the rulebase silently
shadows any narrower rule below it, and the shadowed rule never matches.
Requirements
The following requirements are needed on the host that executes this module.
pandevice, which can be obtained from PyPI: https://pypi.python.org/pypi/pandevice
Parameters

Parameter | Type | Choices/Defaults | Comments
---|---|---|---
action | - | | Action to apply once the rule matches.
antivirus | - | | Name of an already defined antivirus profile.
api_key | string | | Deprecated: use provider to specify PAN-OS connectivity instead. The API key to use instead of generating one from username / password.
application | list | Default: ['any'] | List of applications, application groups, and/or application filters.
category | list | Default: ['any'] | List of destination URL categories.
commit | boolean | | Commit the configuration if it changed.
data_filtering | - | | Name of an already defined data_filtering profile.
description | - | | Description of the security rule.
destination_ip | list | Default: ['any'] | List of destination addresses.
destination_zone | list | Default: ['any'] | List of destination zones.
device_group | string | Default: shared | (Panorama only) The device group the operation should target.
devicegroup | - | | Deprecated: use device_group instead. Device groups are logical groups of firewalls in Panorama.
disable_server_response_inspection | boolean | | Disables packet inspection of traffic from the server to the client. Useful under heavy server load conditions.
disabled | boolean | | Disable this rule.
existing_rule | - | | Name of an existing rule used as the anchor when location is 'before' or 'after'; the new rule is created in that position relative to it. Required when location is 'before' or 'after'.
file_blocking | - | | Name of an already defined file_blocking profile.
group_profile | - | | Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles | list | Default: ['any'] | If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user's access level can be determined by the HIP, which notifies the firewall about the user's local configuration.
icmp_unreachable | boolean | | Send 'ICMP Unreachable'. Used with the 'deny', 'drop', and 'reset' actions.
ip_address | string | | Deprecated: use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
location | - | | Position to place the created rule in the rulebase. Supported values are top/bottom/before/after.
log_end | boolean | | Whether to log at session end.
log_setting | - | | Log forwarding profile.
log_start | boolean | | Whether to log at session start.
negate_destination | boolean | | Match on the reverse of the 'destination_ip' attribute.
negate_source | boolean | | Match on the reverse of the 'source_ip' attribute.
negate_target | boolean | | Exclude this rule from the listed firewalls in Panorama.
operation | - | | Removed: use state instead.
password | string | | Deprecated: use provider to specify PAN-OS connectivity instead. The password to use for authentication. Ignored if api_key is specified.
port | integer | Default: 443 | Deprecated: use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
provider | - (added in 2.8) | | A dict object containing connection details.
provider / api_key | string | | The API key to use instead of generating one from username / password.
provider / ip_address | string | | The IP address or hostname of the PAN-OS device being configured.
provider / password | string | | The password to use for authentication. Ignored if api_key is specified.
provider / port | integer | Default: 443 | The port number to connect to the PAN-OS device on.
provider / serial_number | string | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, this param is ignored.
provider / username | string | Default: admin | The username to use for authentication. Ignored if api_key is specified.
rule_name | - | required | Name of the security rule.
rule_type | - | | Type of security rule (PAN-OS 6.1 and above).
rulebase | string | | The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to rulebase=rulebase.
schedule | - | | Schedule during which this rule is active.
service | list | Default: ['application-default'] | List of services and/or service groups.
source_ip | list | Default: ['any'] | List of source addresses.
source_user | list | Default: ['any'] | Users or user groups to enforce the policy for.
source_zone | list | Default: ['any'] | List of source zones.
spyware | - | | Name of an already defined spyware profile.
state | string | | The desired state of the rule: 'present' to create or update it, 'absent' to remove it.
tag_name | list | | List of tags associated with the rule.
target | list | | Apply this rule exclusively to the listed firewalls in Panorama.
url_filtering | - | | Name of an already defined url_filtering profile.
username | string | Default: admin | Deprecated: use provider to specify PAN-OS connectivity instead. The username to use for authentication. Ignored if api_key is specified.
vsys | string | Default: vsys1 | The vsys this object belongs to.
vulnerability | - | | Name of an already defined vulnerability profile.
wildfire_analysis | - | | Name of an already defined wildfire_analysis profile.
Notes
Check mode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, the classic params are ignored.
Examples

```yaml
- name: add SSH inbound rule to Panorama device group
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['production']
    source_zone: ['public']
    source_ip: ['any']
    destination_zone: ['private']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'

- name: add a rule to allow HTTP multimedia only to CDNs
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to content delivery networks'
    source_zone: ['private']
    destination_zone: ['public']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'Allow HTTP'
    source_zone: ['public']
    destination_zone: ['private']
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'strict'
    vulnerability: 'strict'
    spyware: 'strict'
    url_filtering: 'strict'
    wildfire_analysis: 'default'

- name: disable a Panorama pre-rule
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Production edge'
    rule_name: 'Allow telnet'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    destination_ip: ['1.1.1.1']
    log_start: false
    log_end: true
    action: 'allow'
    disabled: true

- name: delete a device group security rule
  panos_security_rule:
    provider: '{{ provider }}'
    state: 'absent'
    device_group: 'DC Firewalls'
    rule_name: 'Allow telnet'

- name: add a rule at a specific location in the rulebase
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['untrust']
    destination_zone: ['trust']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    action: 'allow'
    location: 'before'
    existing_rule: 'Allow MySQL'
```
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.
Authors
Ivan Bojer (@ivanbojer), Robert Hagen (@stealthllama), Michael Richardson (@mrichardson03)