f5networks.f5_modules.bigip_firewall_rule module – Manage AFM Firewall rules
Note: This module is part of the f5networks.f5_modules collection (version 1.17.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.

To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install f5networks.f5_modules
To use it in a playbook, specify: f5networks.f5_modules.bigip_firewall_rule

New in version 1.0.0 of f5networks.f5_modules
Synopsis
Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules are always added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.
Parameters
| Parameter | Comments |
|---|---|
| action | Specifies the action for the firewall rule. When creating a new rule, if this parameter is not provided, the default is. Choices: |
| | The rule description. |
| destination | Specifies packet destinations to which the rule applies. Leaving this field blank applies the rule to all addresses and all ports. You can specify the following destination items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, VLAN, address list, port, port range, port list or address list. You can specify a mix of different types of items for the source address. |
| address | Specifies a specific IP address. |
| address_list | Specifies an existing address list. |
| address_range | Specifies an address range. |
| country | Specifies a country code. |
| port | Specifies a single numeric port. This option is only valid when |
| port_list | Specifies an existing port list. This option is only valid when |
| port_range | Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen must be less than the port to the right. This option is only valid when |
| icmp_message | Specifies the Internet Control Message Protocol (ICMP) or ICMPv6 message. This parameter is only relevant when |
| | Specifies the code returned in response to the specified ICMP message type. You can specify codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can specify. You can also specify an arbitrary code. The ICMP protocol contains definitions for the existing message code and number pairs. |
| type | Specifies the type of ICMP message. You can specify control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can specify. You can also specify an arbitrary ICMP message. The ICMP protocol contains definitions for the existing message type and number pairs. |
| irule | Specifies an iRule that is applied to the firewall rule. An iRule can be started when the firewall rule matches traffic. |
| logging | Specifies whether logging is enabled or disabled for the firewall rule. When creating a new rule, if this parameter is not specified, the default is. Choices: |
| name | Specifies the name of the rule. |
| parent_policy | The policy which contains the rule to be managed. One of either |
| | The rule list which contains the rule to be managed. One of either |
| | Device partition to manage resources on. Default: "Common" |
| protocol | Specifies the protocol to which the rule applies. Protocols may be specified by either their name or numeric value. A special protocol value |
| provider | A dict object containing connection details. |
| | Configures the auth provider used to obtain authentication tokens from the remote device. This option is really only used when working with BIG-IQ devices. |
| | You may omit this option by setting the environment variable. Previously used variable. Choices: |
| password | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable |
| server | The BIG-IP host. You may omit this option by setting the environment variable |
| | The BIG-IP server port. You may omit this option by setting the environment variable. Default: 443 |
| | Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module errors out. |
| | Configures the transport connection to use when connecting to the remote device. Choices: |
| user | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable |
| | You may omit this option by setting the environment variable. Choices: |
| rule_list | Specifies an existing rule list to use in the rule. This parameter is mutually exclusive with many of the other individual-rule specific settings. This includes. This parameter is only used when |
| | Specifies a schedule for the firewall rule. You configure schedules to define the days and times when the firewall rule is active. |
| source | Specifies packet sources to which the rule applies. Leaving this field blank applies the rule to all addresses and all ports. You can specify the following source items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, VLAN, address list, port, port range, port list or address list. You can specify a mix of different types of items for the source address. |
| address | Specifies a specific IP address. |
| address_list | Specifies an existing address list. |
| address_range | Specifies an address range. |
| country | Specifies a country code. |
| port | Specifies a single numeric port. This option is only valid when |
| port_list | Specifies an existing port list. This option is only valid when |
| port_range | Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen must be less than the port to the right. This option is only valid when |
| vlan | Specifies VLANs to which the rule applies. The VLAN source refers to the packet's source. |
| | Choices: |
| | Indicates the activity state of the rule or rule list. When creating a new rule, if this parameter is not provided, the default is. Choices: |

Parameter names shown above are those that appear in the Examples section; cells without a name correspond to parameters whose identifiers were lost from this copy of the page.
Notes
Note
For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
Requires BIG-IP software version >= 12.
The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.
Examples
```yaml
- name: Create a new rule in the foo firewall policy
  bigip_firewall_rule:
    name: foo
    parent_policy: policy1
    protocol: tcp
    source:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - vlan: vlan1
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    destination:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    irule: irule1
    action: accept
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create an ICMP specific rule
  bigip_firewall_rule:
    name: foo
    protocol: icmp
    icmp_message:
      type: 0
    source:
      - country: US
    action: drop
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Add a new policy rule that uses an existing rule list
  bigip_firewall_rule:
    name: foo
    parent_policy: foo_policy
    rule_list: rule-list1
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
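The following playbook is an added example, not part of the module documentation. It ties together the Synopsis (new rules land at the end of the policy, so an allow rule must be created before the catch-all drop) and the Notes (the running configuration must be saved with bigip_config). The policy name edge_policy, the address list mgmt-allowed, the port list mgmt-ports and the bigip_* variables are assumptions.

```yaml
# Added example (not from the module documentation). Assumed names:
# policy "edge_policy", address list "mgmt-allowed", port list
# "mgmt-ports"; credentials come from variables (e.g. an Ansible vault).
- name: Add an allow rule, a final logging drop rule, then persist the config
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    f5_provider:
      server: "{{ bigip_server }}"
      user: "{{ bigip_user }}"
      password: "{{ bigip_password }}"
  tasks:
    # Created first: new rules are appended to the end of the policy, so
    # creating it after the drop rule would leave it unreachable until
    # re-ordered with bigip_security_policy.
    - name: Allow management TCP traffic only from the approved address list
      f5networks.f5_modules.bigip_firewall_rule:
        name: allow_mgmt_from_list
        parent_policy: edge_policy
        protocol: tcp
        source:
          - address_list: mgmt-allowed
        destination:
          - port_list: mgmt-ports
        action: accept
        logging: true
        provider: "{{ f5_provider }}"
      delegate_to: localhost

    # Explicit catch-all with logging, so unmatched traffic is both
    # dropped and visible in the AFM logs.
    - name: Drop and log everything the rules above did not match
      f5networks.f5_modules.bigip_firewall_rule:
        name: default_drop
        parent_policy: edge_policy
        protocol: any
        action: drop
        logging: true
        provider: "{{ f5_provider }}"
      delegate_to: localhost

    # The modules only touch the running configuration (see Notes);
    # without this task the rules are lost on reboot.
    - name: Save the running configuration to disk
      f5networks.f5_modules.bigip_config:
        save: true
        provider: "{{ f5_provider }}"
      delegate_to: localhost
```

Running the play a second time is idempotent for the rules, but the bigip_config task saves the configuration every time it runs.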
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Description | Returned | Sample |
|---|---|---|---|
| action | The action for the firewall rule. | changed | "drop" |
| | The rule description. | changed | "MyRule" |
| destination | The packet destinations to which the rule applies. | changed | hash/dictionary of values |
| address | A specific IP address. | changed | "192.168.1.1" |
| address_list | An existing address list. | changed | "foo-list1" |
| address_range | The address range. | changed | "1.1.1.1-2.2.2.2" |
| country | A country code. | changed | "US" |
| port | Single numeric port. | changed | 8080 |
| port_list | An existing port list. | changed | "port-list1" |
| port_range | The port range. | changed | "80-443" |
| icmp_message | The ICMP or ICMPv6 message. | changed | hash/dictionary of values |
| | The code returned in response to the specified ICMP message type. | changed | 1 |
| type | The type of ICMP message. | changed | 0 |
| irule | The iRule that is applied to the firewall rule. | changed | "_sys_auth_radius" |
| logging | Enable or disable logging for the firewall rule. | changed | true |
| name | Name of the rule. | changed | "FooRule" |
| parent_policy | The policy which contains the rule to be managed. | changed | "FooPolicy" |
| | The rule list which contains the rule to be managed. | changed | "FooRuleList" |
| protocol | The protocol to which the rule applies. | changed | "any" |
| rule_list | An existing rule list to use in the parent policy. | changed | "rule-list-1" |
| | The schedule for the firewall rule. | changed | "Foo_schedule" |
| source | The packet sources to which the rule applies. | changed | hash/dictionary of values |
| address | A specific IP address. | changed | "192.168.1.1" |
| address_list | An existing address list. | changed | "foo-list1" |
| address_range | The address range. | changed | "1.1.1.1-2.2.2.2" |
| country | A country code. | changed | "US" |
| port | Single numeric port. | changed | 8080 |
| port_list | An existing port list. | changed | "port-list1" |
| port_range | The port range. | changed | "80-443" |
| vlan | Source VLANs for the packets. | changed | "vlan1" |
| | The activity state of the rule or rule list. | changed | "scheduled" |

Keys shown above are those that appear in the Examples section; rows without a key correspond to return values whose identifiers were lost from this copy of the page.
Authors
Tim Rupp (@caphrim007)
Wojciech Wypior (@wojtek0806)