community.network.panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console.

Note

This plugin is part of the community.network collection (version 1.3.0).

To install it use: ansible-galaxy collection install community.network.

To use it in a playbook, specify: community.network.panos_match_rule.

DEPRECATED
Synopsis
Requirements
Parameters
Notes
Examples
Status

DEPRECATED

Removed in: version 2.0.0
Why: Consolidating code base.
Alternative: Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.

Synopsis

Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPI https://pypi.org/project/pan-python/
pandevice can be obtained from PyPI https://pypi.org/project/pandevice/

Parameters

Parameter	Choices/Defaults	Comments
api_key string		API key that can be used instead of username/password credentials.
application string		The application.
category string		URL category
destination_ip string		The destination IP address.
destination_port string		The destination port.
destination_zone string		The destination zone.
ip_address string / required		IP address (or hostname) of PAN-OS device being configured.
password string / required		Password credentials to use for auth unless api_key is set.
protocol string		The IP protocol number from 1 to 255.
rule_type string / required	Choices: security nat	Type of rule. Valid types are security or nat.
source_ip string / required		The source IP address.
source_port string		The source port.
source_user string		The source user or group.
source_zone string		The source zone.
to_interface string		The inbound interface in a NAT rule.
username string	Default: "admin"	Username credentials to use for auth unless api_key is set.
vsys_id string / required	Default: "vsys1"	ID of the VSYS object.

Notes

Note

Checkmode is not supported.
Panorama NOT is supported.

Examples

- name: Check security rules for Google DNS
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check security rules inbound SSH with user match
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check NAT rules for source NAT
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check NAT rules for inbound web
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

- name: Check security rules for outbound POP3 in vsys4
  community.network.panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    vsys_id: 'vsys4'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- ansible.builtin.debug: msg='{{result.stdout_lines}}'

Status

This module will be removed in version 2.0.0. [deprecated]
For more information see DEPRECATED.

Authors

Robert Hagen (@rnh556)

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/network/panos_match_rule_module.html