community.network.panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console.

Note

This plugin is part of the community.network collection (version 1.3.2).

To install it use: ansible-galaxy collection install community.network.

To use it in a playbook, specify: community.network.panos_match_rule.

DEPRECATED

Removed in

version 2.0.0

Why

Consolidating code base.

Alternative

Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
string
API key that can be used instead of username/password credentials.
application
string
The application.
category
string
The URL category.
destination_ip
string
The destination IP address.
destination_port
string
The destination port.
destination_zone
string
The destination zone.
ip_address
string / required
IP address (or hostname) of PAN-OS device being configured.
password
string / required
Password credentials to use for auth unless api_key is set.
protocol
string
The IP protocol number from 1 to 255.
rule_type
string / required
    Choices:
  • security
  • nat
Type of rule. Valid types are security or nat.
source_ip
string / required
The source IP address.
source_port
string
The source port.
source_user
string
The source user or group.
source_zone
string
The source zone.
to_interface
string
The inbound interface in a NAT rule.
username
string
Default:
"admin"
Username credentials to use for auth unless api_key is set.
vsys_id
string / required
Default:
"vsys1"
ID of the VSYS object.

Notes

Note

  • Check mode is not supported.

  • Panorama is NOT supported.

Examples

- name: Check security rules for Google DNS
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check security rules inbound SSH with user match
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check NAT rules for source NAT
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check NAT rules for inbound web
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check security rules for outbound POP3 in vsys4
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    vsys_id: 'vsys4'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'
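What the examples above ask the firewall to do is a first-match lookup: the flow described by the parameters is walked down the rulebase and the first enabled rule whose zones, addresses, application, user and service all match is returned. The following Python is an added example, not the module's or PAN-OS's own code: a small evaluator over a constructed rulebase that reproduces that lookup for the Google DNS and inbound SSH checks shown above, plus two near-misses. The rulebase, the flows, the application-default port table and the implicit intrazone-allow/interzone-deny defaults are all assumptions made for illustration. Note that a `source_ip` of `0.0.0.0`, as used in the examples, only hits rules whose source is `any`; it is an address, not a wildcard.

```python
"""Added example (not the panos_match_rule module's own code): a first-match
evaluator for a PAN-OS-style security rulebase, showing what the firewall's
policy-match test does with the parameters the module accepts. The rulebase,
flows and application-default table below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ANY = "any"

# Assumed default ports per application (a real firewall resolves
# "application-default" from its App-ID database; this table stands in for it).
APP_DEFAULT_SERVICE = {
    "dns": {"udp/53", "tcp/53"},
    "ssh": {"tcp/22"},
    "pop3": {"tcp/110"},
    "web-browsing": {"tcp/80"},
}
PROTO_NAME = {6: "tcp", 17: "udp"}


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    from_zone: List[str]
    to_zone: List[str]
    source: List[str]               # CIDRs, or ["any"]
    destination: List[str]
    application: List[str]
    service: List[str]              # "tcp/22", "application-default", or "any"
    source_user: List[str] = field(default_factory=lambda: [ANY])
    disabled: bool = False


@dataclass
class Flow:
    """The same fields panos_match_rule sends to the firewall."""
    source_ip: str
    destination_ip: str
    protocol: int
    destination_port: int
    application: str = ANY
    source_zone: str = ANY
    destination_zone: str = ANY
    source_user: str = ANY


def _in_list(value: str, allowed: List[str]) -> bool:
    # A rule field of "any" matches everything; an unspecified flow value
    # ("any") does NOT match a rule that names a specific value.
    return ANY in allowed or value in allowed


def _in_addresses(ip: str, allowed: List[str]) -> bool:
    if ANY in allowed:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in allowed)


def _in_service(flow: Flow, rule: Rule) -> bool:
    if ANY in rule.service:
        return True
    token = f"{PROTO_NAME.get(flow.protocol, flow.protocol)}/{flow.destination_port}"
    if "application-default" in rule.service:
        return token in APP_DEFAULT_SERVICE.get(flow.application, set())
    return token in rule.service


def match_security_rule(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first enabled rule the flow hits.

    With no explicit hit, apply the implicit default rules assumed here:
    intrazone traffic is allowed, interzone traffic is denied.
    """
    for rule in rulebase:
        if rule.disabled:
            continue
        if (_in_list(flow.source_zone, rule.from_zone)
                and _in_list(flow.destination_zone, rule.to_zone)
                and _in_addresses(flow.source_ip, rule.source)
                and _in_addresses(flow.destination_ip, rule.destination)
                and _in_list(flow.application, rule.application)
                and _in_list(flow.source_user, rule.source_user)
                and _in_service(flow, rule)):
            return rule.name, rule.action
    if flow.source_zone == flow.destination_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase in evaluation order (first match wins).
RULEBASE = [
    Rule("Allow-DNS-Out", "allow", ["trust"], ["untrust"], ["10.0.0.0/8"], [ANY],
         ["dns"], ["application-default"]),
    Rule("Admin-SSH-In", "allow", ["untrust"], ["dmz"], [ANY], ["192.168.100.0/24"],
         ["ssh"], ["tcp/22"], source_user=["mydomain\\jsmith"]),
    Rule("Block-Mail-Out", "deny", ["trust"], ["untrust"], [ANY], [ANY],
         ["pop3"], [ANY]),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """The page's DNS, SSH and POP3 checks, plus two near-misses."""
    flows = {
        "google_dns": Flow("10.0.0.0", "8.8.8.8", 17, 53, "dns", "trust", "untrust"),
        # dns on a non-default port: "application-default" does not cover it
        "dns_on_tcp_853": Flow("10.0.0.0", "8.8.8.8", 6, 853, "dns", "trust", "untrust"),
        "ssh_jsmith": Flow("0.0.0.0", "192.168.100.115", 6, 22, "ssh", "untrust", "dmz",
                           source_user="mydomain\\jsmith"),
        # same flow from a user the rule does not name: falls to the default deny
        "ssh_other_user": Flow("0.0.0.0", "192.168.100.115", 6, 22, "ssh", "untrust", "dmz",
                               source_user="mydomain\\bob"),
        "pop3_out": Flow("10.0.0.0", "4.3.2.1", 6, 110, "pop3", "trust", "untrust"),
    }
    return {name: match_security_rule(RULEBASE, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (rule, action) in demo().items():
        print(f"{name:16} -> {rule} ({action})")
```

The two near-misses are the cases worth checking in a playbook: a rule with `service: application-default` does not cover the application on a non-standard port, and a user-scoped rule silently drops through to the implicit interzone deny for any other user. Both come back from the module as "no match" rather than as an error, so a policy test should assert on the returned rule, not merely on the task succeeding.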

Status

  • This module will be removed in version 2.0.0. [deprecated]

  • For more information see DEPRECATED.

Authors

  • Robert Hagen (@rnh556)