panos_security_rule – Create security rule policy on PAN-OS devices or Panorama management console¶
New in version 2.4.
DEPRECATED¶
- Removed in Ansible
version: 2.12
- Why
Consolidating code base.
- Alternative
Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.
Synopsis¶
Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
Requirements¶
The below requirements are needed on the host that executes this module.
pan-python can be obtained from PyPI https://pypi.org/project/pan-python/
pandevice can be obtained from PyPI https://pypi.org/project/pandevice/
xmltodict can be obtained from PyPI https://pypi.org/project/xmltodict/
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
action
-
|
Default: "allow"
|
Action to apply once rules maches.
|
antivirus
-
|
Name of the already defined antivirus profile.
|
|
api_key
-
|
API key that can be used instead of username/password credentials.
|
|
application
-
|
Default: "any"
|
List of applications.
|
category
list
|
Default: ["any"]
|
The category.
|
commit
boolean
|
|
Commit configuration if changed.
|
data_filtering
-
|
Name of the already defined data_filtering profile.
|
|
description
-
|
Description for the security rule.
|
|
destination_ip
-
|
Default: "any"
|
List of destination addresses.
|
destination_zone
-
|
Default: "any"
|
List of destination zones.
|
devicegroup
-
|
- Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.
|
|
file_blocking
-
|
Name of the already defined file_blocking profile.
|
|
group_profile
-
|
- Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
|
|
hip_profiles
-
|
Default: "any"
|
- If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.
|
ip_address
-
/ required
|
IP address (or hostname) of PAN-OS device being configured.
|
|
log_end
boolean
|
|
Whether to log at session end.
|
log_start
boolean
|
|
Whether to log at session start.
|
operation
-
|
|
The action to be taken. Supported values are add/update/find/delete.
|
password
-
/ required
|
Password credentials to use for auth unless api_key is set.
|
|
rule_name
-
/ required
|
Name of the security rule.
|
|
rule_type
-
|
Default: "universal"
|
Type of security rule (version 6.1 of PanOS and above).
|
service
-
|
Default: "application-default"
|
List of services.
|
source_ip
-
|
Default: "any"
|
List of source addresses.
|
source_user
-
|
Default: "any"
|
Use users to enforce policy for individual users or a group of users.
|
source_zone
-
|
Default: "any"
|
List of source zones.
|
spyware
-
|
Name of the already defined spyware profile.
|
|
tag_name
-
|
Administrative tags that can be added to the rule. Note, tags must be already defined.
|
|
url_filtering
-
|
Name of the already defined url_filtering profile.
|
|
username
-
|
Default: "admin"
|
Username credentials to use for auth unless api_key is set.
|
vulnerability
-
|
Name of the already defined vulnerability profile.
|
|
wildfire_analysis
-
|
Name of the already defined wildfire_analysis profile.
|
Notes¶
Note
Checkmode is not supported.
Panorama is supported.
Examples¶
- name: add an SSH inbound rule to devicegroup
panos_security_rule:
ip_address: '{{ ip_address }}'
username: '{{ username }}'
password: '{{ password }}'
operation: 'add'
rule_name: 'SSH permit'
description: 'SSH rule test'
tag_name: ['ProjectX']
source_zone: ['public']
destination_zone: ['private']
source_ip: ['any']
source_user: ['any']
destination_ip: ['1.1.1.1']
category: ['any']
application: ['ssh']
service: ['application-default']
hip_profiles: ['any']
action: 'allow'
devicegroup: 'Cloud Edge'
- name: add a rule to allow HTTP multimedia only from CDNs
panos_security_rule:
ip_address: '10.5.172.91'
username: 'admin'
password: 'paloalto'
operation: 'add'
rule_name: 'HTTP Multimedia'
description: 'Allow HTTP multimedia only to host at 1.1.1.1'
source_zone: ['public']
destination_zone: ['private']
source_ip: ['any']
source_user: ['any']
destination_ip: ['1.1.1.1']
category: ['content-delivery-networks']
application: ['http-video', 'http-audio']
service: ['service-http', 'service-https']
hip_profiles: ['any']
action: 'allow'
- name: add a more complex rule that uses security profiles
panos_security_rule:
ip_address: '{{ ip_address }}'
username: '{{ username }}'
password: '{{ password }}'
operation: 'add'
rule_name: 'Allow HTTP w profile'
log_start: false
log_end: true
action: 'allow'
antivirus: 'default'
vulnerability: 'default'
spyware: 'default'
url_filtering: 'default'
wildfire_analysis: 'default'
- name: delete a devicegroup security rule
panos_security_rule:
ip_address: '{{ ip_address }}'
api_key: '{{ api_key }}'
operation: 'delete'
rule_name: 'Allow telnet'
devicegroup: 'DC Firewalls'
- name: find a specific security rule
panos_security_rule:
ip_address: '{{ ip_address }}'
password: '{{ password }}'
operation: 'find'
rule_name: 'Allow RDP to DCs'
register: result
- debug: msg='{{result.stdout_lines}}'
Status¶
This module will be removed in version 2.12. [deprecated]
For more information see DEPRECATED.