Documentation

panos_security_policy – Create security rule policy on PanOS devices.

New in version 2.3.

DEPRECATED

Removed in Ansible:
 version: 2.9
Why:This module depended on outdated and old SDK. In 2.4 use panos_security_rule instead.
Alternative:Use panos_security_rule instead.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
action
-
Default:
allow
Action to apply once rules maches.
antivirus
-
Name of the already defined antivirus profile.
api_key
-
API key that can be used instead of username/password credentials.
application
-
Default:
any
List of applications.
commit
-
Default:
yes
Commit configuration if changed.
data_filtering
-
Name of the already defined data_filtering profile.
description
-
Description for the security rule.
destination
-
Default:
any
List of destination addresses.
devicegroup
-
Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.
file_blocking
-
Name of the already defined file_blocking profile.
from_zone
-
Default:
any
List of source zones.
group_profile
-
Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles
-
Default:
any
If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.
ip_address
- / required
IP address (or hostname) of PAN-OS device being configured.
log_end
-
Default:
yes
Whether to log at session end.
log_start
-
Whether to log at session start.
password
- / required
Password credentials to use for auth unless api_key is set.
rule_name
- / required
Name of the security rule.
rule_type
-
Default:
universal
Type of security rule (version 6.1 of PanOS and above).
service
-
Default:
application-default
List of services.
source
-
Default:
any
List of source addresses.
source_user
-
Default:
any
Use users to enforce policy for individual users or a group of users.
spyware
-
Name of the already defined spyware profile.
tag
-
Administrative tags that can be added to the rule. Note, tags must be already defined.
to_zone
-
Default:
any
List of destination zones.
url_filtering
-
Name of the already defined url_filtering profile.
username
-
Default:
admin
Username credentials to use for auth unless api_key is set.
vulnerability
-
Name of the already defined vulnerability profile.
wildfire_analysis
-
Name of the already defined wildfire_analysis profile.

Notes

Note

  • Checkmode is not supported.
  • Panorama is supported

Examples

- name: permit ssh to 1.1.1.1
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: Allow HTTP multimedia only from CDNs
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: more complex fictitious rule that uses profiles
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'
    commit: false

- name: deny all
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'DenyAll'
    log_start: true
    log_end: true
    action: 'deny'
    rule_type: 'interzone'
    commit: false

# permit ssh to 1.1.1.1 using panorama and pushing the configuration to firewalls
# that are defined in 'DeviceGroupA' device group
- name: permit ssh to 1.1.1.1 through Panorama
  panos_security_policy:
    ip_address: '10.5.172.92'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'DeviceGroupA'

Status

  • This module will be removed in version 2.9. [deprecated]
  • For more information see DEPRECATED.

Authors

  • Ivan Bojer (@ivanbojer)

Hint

If you notice any issues in this documentation you can edit this document to improve it.