junipernetworks.junos.junos_security_policies module – Create and manage security policies on Juniper JUNOS devices
Note
This module is part of the junipernetworks.junos collection (version 5.3.1).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install junipernetworks.junos
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: junipernetworks.junos.junos_security_policies
.
New in junipernetworks.junos 2.9.0
Synopsis
This module provides declarative creation and management of security policies on Juniper JUNOS devices
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
ncclient (>=v0.6.4)
xmltodict (>=0.12.0)
Parameters
Parameter |
Comments |
---|---|
A dictionary of security policies |
|
List of security zones from which the traffic originates from |
|
The name of the security zone from which the traffic originates from |
|
List of destination security zones of the traffic |
|
The name of the destination security zone of the traffic |
|
List of policies defined for the associated category |
|
Description of the security policy |
|
Configure security policy match criteria |
|
Specify the IP or remote procedure call (RPC) application or set of applications to be used as match criteria |
|
Match any predefined or custom applications or application sets Choices:
|
|
Name of the predefined or custom application or application set used as match criteria |
|
Define the matching criteria You can specify one or more IP addresses, address sets, or wildcard addresses |
|
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask) |
|
Any IPv4 or IPv6 address Choices:
|
|
Any IPv4 address Choices:
|
|
Any IPv6 address Choices:
|
|
Exclude destination addresses Choices:
|
|
Specify the dynamic applications or dynamic application groups used as match criteria within a security policy |
|
Configuring the dynamic application as any installs the policy with the application as a wildcard (default) Choices:
|
|
Specify dynamic applications or dynamic application groups |
|
Configuring the dynamic application as none ignores classification results from AppID and does not use the dynamic application in security policy lookups Choices:
|
|
Identify a single source zone or multiple source zones to be used as a match criteria for a policy |
|
Match any zone Choices:
|
|
junos-host Choices:
|
|
Name of single or multiple source zone |
|
Define the matching criteria You can specify one or more IP addresses, address sets, or wildcard addresses |
|
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask) |
|
Any IPv4 or IPv6 address Choices:
|
|
Any IPv4 address Choices:
|
|
Any IPv6 address Choices:
|
|
Exclude source addresses Choices:
|
|
Source end user profile name |
|
Identifies users and roles to be used as match criteria for a policy |
|
Any user or role, as well as the keywords authenticated_user, unauthenticated_user, and unknown_user Choices:
|
|
All users and roles that have been authenticated Choices:
|
|
A list of specific users and roles |
|
Any user or role that does not have an IP_address mapped to authentication sources and the authentication source is up and running Choices:
|
|
Any user or role that does not have an IP address mapped to authentication sources, because the authentication source is disconnected from the SRX Series device Choices:
|
|
Identify a single destination zone or multiple destination zones to be used as a match criteria for a policy |
|
Match any zone Choices:
|
|
junos-host Choices:
|
|
Name of single or multiple destination zone |
|
URL category |
|
Apply to any url category Choices:
|
|
Names of url category to match |
|
Do not apply to the url category Choices:
|
|
Name of the policy |
|
Name of the scheduler to run this policy |
|
Specify the policy action to be performed when packets match the defined criteria |
|
Enable a count, in bytes or kilobytes, of all network traffic the policy allows to pass through the device in both directions; the originating traffic from the client to the server (from the from_zone to the to_zone), and the return traffic from the server to the originating client Choices:
|
|
Block the service at the firewall The device drops the packets Choices:
|
|
Log traffic information for a specific policy Traffic information is logged when a session begins (session_init) or closes (session_close) |
|
Enable logging on session close time Choices:
|
|
Enable logging on session initialization time Choices:
|
|
Block the service at the firewall The device drops the packets |
|
Enable application services within a security policy |
|
Specify advanced_anti_malware policy name |
|
Specify the rule sets configured as part of application firewall to be applied to the permitted traffic |
|
name of rule set to use |
|
Specify the rule set configured as part of AppQoS, application_aware quality of service, to be applied to the permitted traffic |
|
Specify GPRS tunneling protocol profile name |
|
Specify GPRS stream control protocol profile name |
|
Specify icap redirect profile name |
|
Intrusion Detection and Prevention (IDP) Choices:
|
|
Specify IDP policy name |
|
Option to enable or disable packet capture Choices:
|
|
Specify the WX redirection needed for the packets that arrive from the LAN Choices:
|
|
Specify the WX redirection needed for the reverse flow of the packets that arrive from the WAN Choices:
|
|
Specify the security intelligence feed post action |
|
Add destination user identity to the security feed |
|
Add the destination IP address to the security feed |
|
Add source user identity to the security feed |
|
Add the source IP address to the security feed |
|
Specify security_intelligence policy name |
|
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action |
|
Enable SSL proxy Choices:
|
|
Name of SSL proxy profile |
|
Enable Unified Access Control (UAC) for the security policy |
|
Specify the preconfigured security policy for captive portal on the Junos OS Enforcer to enable the captive portal feature |
|
Enable Unified Access Control (UAC) Choices:
|
|
Specify UTM policy name |
|
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated Choices:
|
|
Configure firewall authentication methods |
|
Configure pass-through firewall user authentication |
|
Specify the name of the access profile |
|
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic Choices:
|
|
Specify a user-agent value to be used to verify that the user’s browser traffic is HTTP/HTTPS traffic |
|
Specify the name of the users or user groups in a profile who are allowed access by this policy |
|
Specify the SSL termination profile used for SSL offloading |
|
Enable redirecting an HTTP request to the device and redirecting the client system to a webpage for authentication Choices:
|
|
Redirect unauthenticated HTTP requests to the internal HTTPS Web server of the device Choices:
|
|
enables pushing to identity management devices Choices:
|
|
Configure user role firewall authentication, and map the source IP address to the username and its associated roles (groups) |
|
Specify the name of the access profile to be used for authentication |
|
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic Choices:
|
|
Specify a user-agent value to be used to verify that the user’s browser traffic is HTTP/HTTPS traffic |
|
Specify the name of the domain where firewall authentication occurs in the event that the Windows Management Instrumentation client (WMIC) is not available to get IP_to_user mapping for the integrated user firewall feature |
|
For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading |
|
Enable webpage redirection Choices:
|
|
Enable redirection to HTTPS Choices:
|
|
Specify that the policy allows access to users or user groups who have previously been authenticated by Web authentication |
|
Specify the TCP options for each policy You can configure sync and sequence checks for each policy based on your requirements, and, because each policy has two directions, you can configure a TCP MSS value for both directions or for just one direction |
|
Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and for which a session is created |
|
Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session |
|
Enable sequence check per policy The sequence_check_required value overrides the global value no_sequence_check Choices:
|
|
Enable sync check per policy The syn_check_required value overrides the global value no_syn_check Choices:
|
|
Enable window_scale per policy Choices:
|
|
Encapsulate outgoing IP packets and decapsulate incoming IP packets |
|
name of the ipsec policy |
|
name of the pair policy |
|
Block the service at the firewall The device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic |
|
Enable rejection of packets based on match criteria Choices:
|
|
You can chose to provide a notification to the clients or redirect client request to an informative Web page when a policy blocks HTTP or HTTPS traffic with a deny or reject action |
|
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action When you apply am SSL proxy profile, SSL proxy decrypts the traffic and application identification functionality identifies the application |
|
Enable SSL proxy Choices:
|
|
Name of SSL proxy profile |
|
List of global security policies |
|
List of policies defined for the associated category |
|
Description of the security policy |
|
Configure security policy match criteria |
|
Specify the IP or remote procedure call (RPC) application or set of applications to be used as match criteria |
|
Match any predefined or custom applications or application sets Choices:
|
|
Name of the predefined or custom application or application set used as match criteria |
|
Define the matching criteria You can specify one or more IP addresses, address sets, or wildcard addresses |
|
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask) |
|
Any IPv4 or IPv6 address Choices:
|
|
Any IPv4 address Choices:
|
|
Any IPv6 address Choices:
|
|
Exclude destination addresses Choices:
|
|
Specify the dynamic applications or dynamic application groups used as match criteria within a security policy |
|
Configuring the dynamic application as any installs the policy with the application as a wildcard (default) Choices:
|
|
Specify dynamic applications or dynamic application groups |
|
Configuring the dynamic application as none ignores classification results from AppID and does not use the dynamic application in security policy lookups Choices:
|
|
Identify a single source zone or multiple source zones to be used as a match criteria for a policy |
|
Match any zone Choices:
|
|
junos-host Choices:
|
|
Name of single or multiple source zone |
|
Define the matching criteria You can specify one or more IP addresses, address sets, or wildcard addresses |
|
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask) |
|
Any IPv4 or IPv6 address Choices:
|
|
Any IPv4 address Choices:
|
|
Any IPv6 address Choices:
|
|
Exclude source addresses Choices:
|
|
Source end user profile name |
|
Identifies users and roles to be used as match criteria for a policy |
|
Any user or role, as well as the keywords authenticated_user, unauthenticated_user, and unknown_user Choices:
|
|
All users and roles that have been authenticated Choices:
|
|
A list of specific users and roles |
|
Any user or role that does not have an IP_address mapped to authentication sources and the authentication source is up and running Choices:
|
|
Any user or role that does not have an IP address mapped to authentication sources, because the authentication source is disconnected from the SRX Series device Choices:
|
|
Identify a single destination zone or multiple destination zones to be used as a match criteria for a policy |
|
Match any zone Choices:
|
|
junos-host Choices:
|
|
Name of single or multiple destination zone |
|
URL category |
|
Apply to any url category Choices:
|
|
Names of url category to match |
|
Do not apply to the url category Choices:
|
|
Name of the policy |
|
Name of the scheduler to run this policy |
|
Specify the policy action to be performed when packets match the defined criteria |
|
Enable a count, in bytes or kilobytes, of all network traffic the policy allows to pass through the device in both directions; the originating traffic from the client to the server (from the from_zone to the to_zone), and the return traffic from the server to the originating client Choices:
|
|
Block the service at the firewall The device drops the packets Choices:
|
|
Log traffic information for a specific policy Traffic information is logged when a session begins (session_init) or closes (session_close) |
|
Enable logging on session close time Choices:
|
|
Enable logging on session initialization time Choices:
|
|
Block the service at the firewall The device drops the packets |
|
Enable application services within a security policy |
|
Specify advanced_anti_malware policy name |
|
Specify the rule sets configured as part of application firewall to be applied to the permitted traffic |
|
name of rule set to use |
|
Specify the rule set configured as part of AppQoS, application_aware quality of service, to be applied to the permitted traffic |
|
Specify GPRS tunneling protocol profile name |
|
Specify GPRS stream control protocol profile name |
|
Specify icap redirect profile name |
|
Intrusion Detection and Prevention (IDP) Choices:
|
|
Specify IDP policy name |
|
Option to enable or disable packet capture Choices:
|
|
Specify the WX redirection needed for the packets that arrive from the LAN Choices:
|
|
Specify the WX redirection needed for the reverse flow of the packets that arrive from the WAN Choices:
|
|
Specify the security intelligence feed post action |
|
Add destination user identity to the security feed |
|
Add the destination IP address to the security feed |
|
Add source user identity to the security feed |
|
Add the source IP address to the security feed |
|
Specify security_intelligence policy name |
|
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action |
|
Enable SSL proxy Choices:
|
|
Name of SSL proxy profile |
|
Enable Unified Access Control (UAC) for the security policy |
|
Specify the preconfigured security policy for captive portal on the Junos OS Enforcer to enable the captive portal feature |
|
Enable Unified Access Control (UAC) Choices:
|
|
Specify UTM policy name |
|
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated Choices:
|
|
Configure firewall authentication methods |
|
Configure pass-through firewall user authentication |
|
Specify the name of the access profile |
|
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic Choices:
|
|
Specify a user-agent value to be used to verify that the user’s browser traffic is HTTP/HTTPS traffic |
|
Specify the name of the users or user groups in a profile who are allowed access by this policy |
|
Specify the SSL termination profile used for SSL offloading |
|
Enable redirecting an HTTP request to the device and redirecting the client system to a webpage for authentication Choices:
|
|
Redirect unauthenticated HTTP requests to the internal HTTPS Web server of the device Choices:
|
|
enables pushing to identity management devices Choices:
|
|
Configure user role firewall authentication, and map the source IP address to the username and its associated roles (groups) |
|
Specify the name of the access profile to be used for authentication |
|
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic Choices:
|
|
Specify a user-agent value to be used to verify that the user’s browser traffic is HTTP/HTTPS traffic |
|
Specify the name of the domain where firewall authentication occurs in the event that the Windows Management Instrumentation client (WMIC) is not available to get IP_to_user mapping for the integrated user firewall feature |
|
For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading |
|
Enable webpage redirection Choices:
|
|
Enable redirection to HTTPS Choices:
|
|
Specify that the policy allows access to users or user groups who have previously been authenticated by Web authentication |
|
Specify the TCP options for each policy You can configure sync and sequence checks for each policy based on your requirements, and, because each policy has two directions, you can configure a TCP MSS value for both directions or for just one direction |
|
Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and for which a session is created |
|
Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session |
|
Enable sequence check per policy The sequence_check_required value overrides the global value no_sequence_check Choices:
|
|
Enable sync check per policy The syn_check_required value overrides the global value no_syn_check Choices:
|
|
Enable window_scale per policy Choices:
|
|
Encapsulate outgoing IP packets and decapsulate incoming IP packets |
|
name of the ipsec policy |
|
name of the pair policy |
|
Block the service at the firewall The device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic |
|
Enable rejection of packets based on match criteria Choices:
|
|
You can chose to provide a notification to the clients or redirect client request to an informative Web page when a policy blocks HTTP or HTTPS traffic with a deny or reject action |
|
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action When you apply am SSL proxy profile, SSL proxy decrypts the traffic and application identification functionality identifies the application |
|
Enable SSL proxy Choices:
|
|
Name of SSL proxy profile |
|
This option is used only with state parsed The value of this option should be the output received from the JunOS device by executing the command show configuration security policies The state parsed reads the configuration from |
|
The state the configuration should be left in The states rendered, gathered and parsed does not perform any change on the device The state rendered will transform the configuration in The state replaced will replace the running configuration with the provided configuration The state replaced and state overridden have the same behaviour The state gathered will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the gathered key within the result The state parsed reads the configuration from Choices:
|
Notes
Note
This module requires the netconf system service be enabled on the device being managed
This module works with connection
netconf
Tested against JunOS v18.4R1
Examples
# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
#
# vagrant@vsrx> show security zones
#
# Security zone: one
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/0.0
#
# Security zone: three
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/2.0
#
# Security zone: two
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/1.0
#
# Security zone: junos-host
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 0
# Interfaces:
#
- junipernetworks.junos.junos_security_policies:
config:
from_zones:
- name: one
to_zones:
- name: two
policies:
- match:
application:
names:
- junos-dhcp-relay
- junos-finger
destination_address:
addresses:
- a2
- a4
destination_address_excluded: true
dynamic_application:
names:
- any
source_address:
addresses:
- a1
- a3
source_address_excluded: true
source_end_user_profile: test_end_user_profile
source_identity:
unknown_user: true
url_category:
names:
- Enhanced_Web_Chat
name: test_policy_1
then:
count: true
deny: true
log: session-close
- match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
addresses:
- a1
name: test_policy_2
then:
reject:
enable: true
profile: test_dyn_app
ssl_proxy:
enable: true
profile_name: SECURITY-SSL-PROXY
- name: three
policies:
- match:
application:
any: true
destination_address:
addresses:
- a2
source_address:
addresses:
- a1
name: test_policy_3
then:
permit:
application_services:
application_traffic_control_rule_set: test_traffic_control
gprs_gtp_profile: gtp1
icap_redirect: test_icap
reverse_redirect_wx: 'True'
uac_policy:
enable: true
firewall_authentication:
push_to_identity_management: true
web_authentication:
- FWClient1
tcp_options:
initial_tcp_mss: 64
window_scale: true
global:
policies:
- match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
any_ipv6: true
name: test_glob_1
then:
deny: true
- match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
any_ipv6: true
name: test_glob_2
then:
deny: true
state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>two</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_1</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:source-address>a3</nc:source-address>
# <nc:source-address-excluded/>
# <nc:destination-address>a2</nc:destination-address>
# <nc:destination-address>a4</nc:destination-address>
# <nc:destination-address-excluded/>
# <nc:application>junos-dhcp-relay</nc:application>
# <nc:application>junos-finger</nc:application>
# <nc:source-end-user-profile>test_end_user_profile</nc:source-end-user-profile>
# <nc:source-identity>unknown-user</nc:source-identity>
# <nc:url-category>Enhanced_Web_Chat</nc:url-category>
# <nc:dynamic-application>any</nc:dynamic-application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# <nc:count></nc:count>
# <nc:log>
# <nc:session-close/>
# </nc:log>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_policy_2</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:reject>
# <nc:profile>test_dyn_app</nc:profile>
# <nc:ssl-proxy>
# <nc:profile-name>SECURITY-SSL-PROXY</nc:profile-name>
# </nc:ssl-proxy>
# </nc:reject>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>three</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_3</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>a2</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:permit>
# <nc:application-services>
# <nc:application-traffic-control>
# <nc:rule-set>test_traffic_control</nc:rule-set>
# </nc:application-traffic-control>
# <nc:gprs-gtp-profile>gtp1</nc:gprs-gtp-profile>
# <nc:icap-redirect>test_icap</nc:icap-redirect>
# <nc:reverse-redirect-wx/>
# <nc:uac-policy></nc:uac-policy>
# </nc:application-services>
# <nc:firewall-authentication>
# <nc:push-to-identity-management/>
# <nc:web-authentication>
# <nc:client-match>FWClient1</nc:client-match>
# </nc:web-authentication>
# </nc:firewall-authentication>
# <nc:tcp-options>
# <nc:initial-tcp-mss>64</nc:initial-tcp-mss>
# <nc:window-scale/>
# </nc:tcp-options>
# </nc:permit>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_1</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_glob_2</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>
# "
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using Replaced
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
config:
global:
policies:
- description: test update
match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
any: true
name: test_glob_3
then:
deny: true
state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
config:
global:
policies:
- description: test update
match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
any: true
name: test_glob_3
then:
deny: true
state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
config:
state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "after": {},
# "before": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Using parsed
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply>
# <configuration>
# <version>18.4R1-S3.1</version>
# <services>
# <ssl>
# <termination>
# <profile>
# <name>test_ssl_term</name>
# <server-certificate>SECURITY-cert</server-certificate>
# </profile>
# </termination>
# <proxy>
# <profile>
# <name>SECURITY-SSL-PROXY</name>
# <root-ca>SECURITY-cert</root-ca>
# </profile>
# </proxy>
# </ssl>
# <icap-redirect>
# <profile>
# <name>test_icap</name>
# <server>
# <name>test_icap_server</name>
# <host>10.10.10.11</host>
# </server>
# </profile>
# </icap-redirect>
# <user-identification>
# <device-information>
# <end-user-profile>
# <profile-name>
# <name>test_end_user_profile</name>
# <domain-name>test_domain</domain-name>
# <attribute>
# <name>device-identity</name>
# <string>Windows</string>
# </attribute>
# </profile-name>
# </end-user-profile>
# </device-information>
# </user-identification>
# </services>
# <security>
# <address-book>
# <name>global</name>
# <address>
# <name>a1</name>
# <ip-prefix>200.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a2</name>
# <ip-prefix>201.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a3</name>
# <ip-prefix>202.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a4</name>
# <ip-prefix>203.0.113.0/24</ip-prefix>
# </address>
# </address-book>
# <dynamic-application>
# <profile>
# <name>test_dyn_app</name>
# <redirect-message>
# <type>
# <custom-text>
# <content>hello_world</content>
# </custom-text>
# </type>
# </redirect-message>
# </profile>
# </dynamic-application>
# <policies>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>two</to-zone-name>
# <policy>
# <name>test_policy_1</name>
# <match>
# <source-address>a1</source-address>
# <source-address>a3</source-address>
# <destination-address>a2</destination-address>
# <destination-address>a4</destination-address>
# <source-address-excluded />
# <destination-address-excluded />
# <application>junos-dhcp-relay</application>
# <application>junos-finger</application>
# <source-identity>authenticated-user</source-identity>
# <source-identity>unknown-user</source-identity>
# <source-end-user-profile>
# <source-end-user-profile-name>test_end_user_profile</source-end-user-profile-name>
# </source-end-user-profile>
# <dynamic-application>any</dynamic-application>
# <url-category>Enhanced_Web_Chat</url-category>
# </match>
# <then>
# <deny />
# <log>
# <session-close />
# </log>
# <count></count>
# </then>
# </policy>
# <policy>
# <name>test_policy_2</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <reject>
# <profile>test_dyn_app</profile>
# <ssl-proxy>
# <profile-name>SECURITY-SSL-PROXY</profile-name>
# </ssl-proxy>
# </reject>
# </then>
# </policy>
# </policy>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>three</to-zone-name>
# <policy>
# <name>test_policy_3</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>a2</destination-address>
# <application>any</application>
# </match>
# <then>
# <permit>
# <firewall-authentication>
# <web-authentication>
# <client-match>FWClient1</client-match>
# </web-authentication>
# <push-to-identity-management />
# </firewall-authentication>
# <destination-address>
# <drop-untranslated />
# </destination-address>
# <application-services>
# <gprs-gtp-profile>gtp1</gprs-gtp-profile>
# <uac-policy></uac-policy>
# <icap-redirect>test_icap</icap-redirect>
# <application-traffic-control>
# <rule-set>test_traffic_control</rule-set>
# </application-traffic-control>
# <reverse-redirect-wx />
# </application-services>
# <tcp-options>
# <initial-tcp-mss>64</initial-tcp-mss>
# <window-scale />
# </tcp-options>
# </permit>
# </then>
# </policy>
# </policy>
# <global>
# <policy>
# <name>test_glob_1</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# <policy>
# <name>test_glob_2</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# </global>
# </policies>
# <zones>
# <security-zone>
# <name>one</name>
# <interfaces>
# <name>ge-0/0/0.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>two</name>
# <interfaces>
# <name>ge-0/0/1.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>three</name>
# <interfaces>
# <name>ge-0/0/2.0</name>
# </interfaces>
# </security-zone>
# </zones>
# <gprs>
# <gtp>
# <profile>
# <name>gtp1</name>
# </profile>
# </gtp>
# </gprs>
# </security>
# <interfaces>
# <interface>
# <name>ge-0/0/0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>200.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/1</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>201.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/2</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>202.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>fxp0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <dhcp></dhcp>
# </inet>
# </family>
# </unit>
# </interface>
# </interfaces>
# <class-of-service>
# <application-traffic-control>
# <rule-sets>
# <name>test_traffic_control</name>
# <rule>
# <name>test_rule</name>
# <match>
# <application-known />
# </match>
# <then>
# <log />
# </then>
# </rule>
# </rule-sets>
# </application-traffic-control>
# </class-of-service>
# <access>
# <profile>
# <name>WEBAUTH</name>
# <client>
# <name>FWClient1</name>
# <firewall-user>
# <password>$9$kq5Ftu1cSe</password>
# </firewall-user>
# </client>
# </profile>
# <firewall-authentication>
# <web-authentication>
# <default-profile>WEBAUTH</default-profile>
# </web-authentication>
# </firewall-authentication>
# </access>
# </configuration>
# <database-status-information></database-status-information>
# </rpc-reply>
#
- name: Parse NTP global running config
junipernetworks.junos.junos_security_policies:
running_config: "{{ lookup('file', './parsed.cfg') }}"
state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "parsed": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: authenticated-user, unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, drop-untranslated, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob_1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "changed": false,
# "gathered": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# }
# Using rendered
#
# Before state
# ------------
#
- junipernetworks.junos.junos_security_policies:
config:
global:
policies:
- description: test update
match:
application:
any: true
destination_address:
any_ipv6: true
source_address:
any: true
name: test_glob_3
then:
deny: true
state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
# "rendered": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The resulting configuration after module execution. Returned: when changed Sample: |
|
The configuration prior to the module execution. Returned: when state is merged, replaced, overridden or deleted Sample: |
|
The set of commands pushed to the remote device. Returned: when state is merged, replaced, overridden or deleted Sample: |
|
Facts about the network resource gathered from the remote device as structured data. Returned: when state is gathered Sample: |
|
The device native config provided in running_config option parsed into structured data as per module argspec. Returned: when state is parsed Sample: |
|
The provided configuration in the task rendered in device-native format (offline). Returned: when state is rendered Sample: |