panos_security_rule - Create security rule policy on PAN-OS devices or Panorama management console.

New in version 2.4.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements (on host that executes module)

Options

parameter required default choices comments
action
no allow
Action to apply once rules maches.
antivirus
no None
Name of the already defined antivirus profile.
api_key
no
API key that can be used instead of username/password credentials.
application
no any
List of applications.
commit
no True
Commit configuration if changed.
data_filtering
no None
Name of the already defined data_filtering profile.
description
no None
Description for the security rule.
destination_ip
no any
List of destination addresses.
destination_zone
no any
List of destination zones.
devicegroup
no None
- Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.
file_blocking
no None
Name of the already defined file_blocking profile.
group_profile
no None
- Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles
no any
- If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.
ip_address
yes
IP address (or hostname) of PAN-OS device being configured.
log_end
no True
Whether to log at session end.
log_start
no
Whether to log at session start.
operation
no add
The action to be taken. Supported values are add/update/find/delete.
password
yes
Password credentials to use for auth unless api_key is set.
rule_name
yes
Name of the security rule.
rule_type
no universal
Type of security rule (version 6.1 of PanOS and above).
service
no application-default
List of services.
source_ip
no any
List of source addresses.
source_user
no any
Use users to enforce policy for individual users or a group of users.
source_zone
no any
List of source zones.
spyware
no None
Name of the already defined spyware profile.
tag_name
no None
Administrative tags that can be added to the rule. Note, tags must be already defined.
url_filtering
no None
Name of the already defined url_filtering profile.
username
no admin
Username credentials to use for auth unless api_key is set.
vulnerability
no None
Name of the already defined vulnerability profile.
wildfire_analysis
no None
Name of the already defined wildfire_analysis profile.

Examples

- name: add an SSH inbound rule to devicegroup
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['ProjectX']
    source_zone: ['public']
    destination_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'Cloud Edge'

- name: add a rule to allow HTTP multimedia only from CDNs
  panos_security_rule:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    operation: 'add'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['public']
    destination_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'

- name: delete a devicegroup security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    rule_name: 'Allow telnet'
    devicegroup: 'DC Firewalls'

- name: find a specific security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    password: '{{ password }}'
    operation: 'find'
    rule_name: 'Allow RDP to DCs'
  register: result
- debug: msg='{{result.stdout_lines}}'

Notes

Note

  • Checkmode is not supported.
  • Panorama is supported.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.4/panos_security_rule_module.html