This resource allows you to manage the full security posture.
Note: panos_panorama_security_policies is known as panos_panorama_security_policy.
This resource manages the full set of security rules, enforcing both the contents of individual rules as well as their ordering. Rules are defined in a rule config block. As this manages the full set of security rules for a given rulebase, any extraneous rules are removed on terraform apply.
For each security rule, there are three styles of profile settings:
- None
- Group
- Profiles
The Profile Setting is implicitly chosen based on which params are configured for the security rule. If you want a Profile Setting of Group, then the group param should be set to the desired Group Profile. If you want a Profile Setting of Profiles, then you will need to specify one or more of the following params:
- virus
- spyware
- vulnerability
- url_filtering
- file_blocking
- wildfire_analysis
- data_filtering
If neither the group param nor any of the Profiles params are specified, then the Profile Setting is set to None.
```hcl
resource "panos_panorama_security_policy" "example" {
  rule {
    name                  = "allow bizdev to dmz"
    source_zones          = ["bizdev"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["dmz"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
  }
  rule {
    name                  = "deny sales to eng"
    source_zones          = ["sales"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["eng"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "deny"
    target {
      serial = "01234"
    }
    target {
      serial    = "56789"
      vsys_list = ["vsys1", "vsys3"]
    }
  }
}
```
The following arguments are supported:
- device_group - (Optional) The device group to put the security policy into (default: shared).
- rulebase - (Optional) The rulebase. This can be pre-rulebase (default), post-rulebase, or rulebase.
- rule - The security rule definition (see below). The security rule ordering will match how they appear in the terraform plan file.
The following arguments are valid for each rule section:
- name - (Required) The security rule name.
- type - (Optional) Rule type. This can be universal (default), interzone, or intrazone.
- description - (Optional) The description.
- tags - (Optional) List of tags for this security rule.
- source_zones - (Required) List of source zones.
- source_addresses - (Required) List of source addresses.
- negate_source - (Optional, bool) If the source should be negated.
- source_users - (Required) List of source users.
- hip_profiles - (Required) List of HIP profiles.
- destination_zones - (Required) List of destination zones.
- destination_addresses - (Required) List of destination addresses.
- negate_destination - (Optional, bool) If the destination should be negated.
- applications - (Required) List of applications.
- services - (Required) List of services.
- categories - (Required) List of categories.
- action - (Optional) Action for the matched traffic. This can be allow (default), deny, drop, reset-client, reset-server, or reset-both.
- log_setting - (Optional) Log forwarding profile.
- log_start - (Optional, bool) Log the start of the traffic flow.
- log_end - (Optional, bool) Log the end of the traffic flow (default: true).
- disabled - (Optional, bool) Set to true to disable this rule.
- schedule - (Optional) The security rule schedule.
- icmp_unreachable - (Optional) Set to true to enable ICMP unreachable.
- disable_server_response_inspection - (Optional) Set to true to disable server response inspection.
- group - (Optional) Profile Setting: Group - The group profile name.
- virus - (Optional) Profile Setting: Profiles - The antivirus setting.
- spyware - (Optional) Profile Setting: Profiles - The anti-spyware setting.
- vulnerability - (Optional) Profile Setting: Profiles - The Vulnerability Protection setting.
- url_filtering - (Optional) Profile Setting: Profiles - The URL filtering setting.
- file_blocking - (Optional) Profile Setting: Profiles - The file blocking setting.
- wildfire_analysis - (Optional) Profile Setting: Profiles - The WildFire Analysis setting.
- data_filtering - (Optional) Profile Setting: Profiles - The Data Filtering setting.
- target - (Optional) A target definition (see below). If there are no target sections, then the rule will apply to every vsys of every device in the device group.
- negate_target - (Optional, bool) Instead of applying the rule for the given serial numbers, apply it to everything except them.
The following arguments are valid for each target section:
- serial - (Required) The serial number of the firewall.
- vsys_list - (Optional) A subset of all available vsys on the firewall that should be in this device group. If the firewall is a virtual firewall, then this parameter should just be omitted.
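The following is an added example, not part of the provider documentation, that ties the three Profile Setting styles described above to the rule arguments listed here. It declares a post-rulebase policy whose first rule gets a Profile Setting of Group (via group), whose second gets Profiles (via vulnerability, spyware and virus with no group param), and whose final catch-all deny gets None. The device group name, zone names, address objects, profile names and the log forwarding profile are all assumed placeholders; rule order in the block is the order Panorama will evaluate, so the deny rule is deliberately last.

```hcl
# Added example (not from the provider docs). Every name below other than the
# argument keys is an assumed placeholder: device group, zones, address objects,
# security profiles and the log forwarding profile.
resource "panos_panorama_security_policy" "hardened" {
  device_group = "branch-offices" # assumed device group
  rulebase     = "post-rulebase"  # evaluated after each firewall's local rules

  # Profile Setting: Group - a single security profile group covers all threat types.
  rule {
    name                  = "allow users to internet"
    description           = "Outbound web browsing with the standard profile group"
    source_zones          = ["trust"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["untrust"]
    destination_addresses = ["any"]
    applications          = ["web-browsing", "ssl"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
    group                 = "default-profile-group" # assumed profile group name
    log_setting           = "forward-to-siem"       # assumed log forwarding profile
    log_end               = true
  }

  # Profile Setting: Profiles - individual profiles are named, and group is left unset.
  rule {
    name                  = "allow dmz web to db"
    source_zones          = ["dmz"]
    source_addresses      = ["web-servers"] # assumed address object
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["db"]
    destination_addresses = ["db-servers"]  # assumed address object
    applications          = ["mysql"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
    vulnerability         = "strict"  # assumed Vulnerability Protection profile
    spyware               = "strict"  # assumed Anti-Spyware profile
    virus                 = "default" # assumed Antivirus profile
    log_setting           = "forward-to-siem"
  }

  # Profile Setting: None - no group and no profile params. A deny rule only
  # needs logging; because this block is the whole rulebase, it is evaluated last.
  rule {
    name                  = "deny and log everything else"
    source_zones          = ["any"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["any"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["any"]
    categories            = ["any"]
    action                = "deny"
    log_setting           = "forward-to-siem"
    log_end               = true
  }
}
```

Because this resource owns the complete rulebase for the device group, a terraform plan against it will show any rule that someone added by hand in Panorama as a deletion; reviewing that diff before apply is the practical check that nothing outside version control has crept into the policy.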
© 2018 HashiCorp. Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/panos/r/panorama_security_policy.html