Note

This plugin is part of the community.network collection.

To install it use: `ansible-galaxy collection install community.network`.

To use it in a playbook, specify: `community.network.panos_security_rule`.
Deprecated

Removed in: version 2.0.0

Why: Consolidating code base.

Alternative: Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
action (string) | Default: "allow" | Action to apply once the rule matches.
antivirus (string) | | Name of the already defined antivirus profile.
api_key (string) | | API key that can be used instead of username/password credentials.
application (string) | Default: "any" | List of applications.
category (list / elements=string) | Default: ["any"] | The category.
commit (boolean) | Choices: no, yes | Commit configuration if changed.
data_filtering (string) | | Name of the already defined data_filtering profile.
description (string) | | Description for the security rule.
destination_ip (string) | Default: "any" | List of destination addresses.
destination_zone (string) | Default: "any" | List of destination zones.
devicegroup (string) | | Device groups are used for the Panorama interaction with firewall(s). The group must exist on Panorama. If no device group is defined, the module assumes it is contacting a firewall directly.
file_blocking (string) | | Name of the already defined file_blocking profile.
group_profile (string) | | Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering and wildfire_analysis properties.
hip_profiles (string) | Default: "any" | If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user's access level can be determined by the HIP, which notifies the firewall about the user's local configuration.
ip_address (string / required) | | IP address (or hostname) of the PAN-OS device being configured.
log_end (boolean) | Choices: no, yes | Whether to log at session end.
log_start (boolean) | Choices: no, yes | Whether to log at session start.
operation (string) | Choices: add, update, find, delete | The action to be taken.
password (string / required) | | Password credentials to use for auth unless api_key is set.
rule_name (string / required) | | Name of the security rule.
rule_type (string) | Default: "universal" | Type of security rule (version 6.1 of PAN-OS and above).
service (string) | Default: "application-default" | List of services.
source_ip (string) | Default: "any" | List of source addresses.
source_user (string) | Default: "any" | Use users to enforce policy for individual users or a group of users.
source_zone (string) | Default: "any" | List of source zones.
spyware (string) | | Name of the already defined spyware profile.
tag_name (string) | | Administrative tags that can be added to the rule. Note that tags must be already defined.
url_filtering (string) | | Name of the already defined url_filtering profile.
username (string) | Default: "admin" | Username credentials to use for auth unless api_key is set.
vulnerability (string) | | Name of the already defined vulnerability profile.
wildfire_analysis (string) | | Name of the already defined wildfire_analysis profile.
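The table above describes two behaviours that the module's own examples do not exercise together: `group_profile` superseding the individual profile parameters, and `commit` controlling whether the change is pushed after the rule is written. The playbook below is an added example (not from the module documentation or from the collection) that tightens an existing rule with `operation: 'update'`, attaches a profile group, enables session-end logging for detection, and commits only once. The profile group name `web-inbound-strict`, the Panorama device group `Cloud Edge` and the vaulted `panos_api_key` variable are assumptions; the profile group and device group must already exist on the device, as the table notes.

```yaml
# Added example: harden an existing allow rule on a Panorama device group.
# Assumes: a profile group named 'web-inbound-strict' and a device group
# 'Cloud Edge' already exist, and 'panos_api_key' is supplied from a vault.
- name: Attach a security profile group to an existing rule and log at session end
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Confirm the rule exists before changing it
      community.network.panos_security_rule:
        ip_address: '{{ panorama_host }}'
        api_key: '{{ panos_api_key }}'
        operation: 'find'
        rule_name: 'Allow HTTP w profile'
        devicegroup: 'Cloud Edge'
      register: existing_rule

    # group_profile supersedes antivirus/vulnerability/spyware/url_filtering/
    # file_blocking/data_filtering/wildfire_analysis, so only it is set here.
    # log_end: true gives the SIEM a record of every completed session;
    # commit: true pushes the change in this single task.
    - name: Update the rule with the profile group and session-end logging
      community.network.panos_security_rule:
        ip_address: '{{ panorama_host }}'
        api_key: '{{ panos_api_key }}'
        operation: 'update'
        rule_name: 'Allow HTTP w profile'
        devicegroup: 'Cloud Edge'
        source_zone: ['public']
        destination_zone: ['private']
        application: ['web-browsing', 'ssl']
        service: ['application-default']
        group_profile: 'web-inbound-strict'
        log_start: false
        log_end: true
        action: 'allow'
        commit: true
      when: existing_rule is not failed
```

Running the `find` first lets the play stop early if the rule name is wrong, rather than `update` acting on a rule that does not exist; keeping `commit` on the single mutating task avoids a half-applied candidate configuration on Panorama.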
Examples

```yaml
- name: Add an SSH inbound rule to devicegroup
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['ProjectX']
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'Cloud Edge'

- name: Add a rule to allow HTTP multimedia only from CDNs
  community.network.panos_security_rule:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    operation: 'add'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'

- name: Add a more complex rule that uses security profiles
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'

- name: Delete a devicegroup security rule
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    rule_name: 'Allow telnet'
    devicegroup: 'DC Firewalls'

- name: Find a specific security rule
  community.network.panos_security_rule:
    ip_address: '{{ ip_address }}'
    password: '{{ password }}'
    operation: 'find'
    rule_name: 'Allow RDP to DCs'
  register: result

- ansible.builtin.debug: msg='{{result.stdout_lines}}'
```
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/community/network/panos_security_rule_module.html