Documentation

panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console.

New in version 2.5.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
-
API key that can be used instead of username/password credentials.
application
-
The application.
category
-
URL category
destination_ip
-
The destination IP address.
destination_port
-
The destination port.
destination_zone
-
The destination zone.
ip_address
- / required
IP address (or hostname) of PAN-OS device being configured.
password
- / required
Password credentials to use for auth unless api_key is set.
protocol
-
The IP protocol number from 1 to 255.
rule_type
-
Default:
security
Type of rule. Valid types are security or nat.
source_ip
- / required
The source IP address.
source_port
-
The source port.
source_user
-
The source user or group.
source_zone
-
The source zone.
to_interface
-
The inbound interface in a NAT rule.
username
-
Default:
admin
Username credentials to use for auth unless api_key is set.
vsys_id
- / required
Default:
vsys1
ID of the VSYS object.

Notes

Note

  • Checkmode is not supported.
  • Panorama NOT is supported.

Examples

- name: check security rules for Google DNS
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check NAT rules for source NAT
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check NAT rules for inbound web
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    vsys_id: 'vsys4'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

Status

Authors

  • Robert Hagen (@rnh556)

Hint

If you notice any issues in this documentation you can edit this document to improve it.