This resource allows you to manage the full security posture.
Note:
panos_panorama_security_policies
is known aspanos_panorama_security_policy
.
This resource manages the full set of security rules, enforcing both the contents of individual rules as well as their ordering. Rules are defined in a rule
config block. As this manages the full set of security rules for a given rulebase, any extraneous rules are removed on terraform apply
.
For each security rule, there are three styles of profile settings:
The Profile Setting is implicitly chosen based on what params are configured for the security rule. If you want a Profile Setting of Group
, then the group
param should be set to the desired Group Profile. If you want a Profile Setting of Profiles
, then you will need to specify one or more of the following params:
If the group
param and none of the Profiles
params are specified, then the Profile Setting is set to None
.
resource "panos_panorama_security_policy" "example" { rule { name = "allow bizdev to dmz" source_zones = ["bizdev"] source_addresses = ["any"] source_users = ["any"] hip_profiles = ["any"] destination_zones = ["dmz"] destination_addresses = ["any"] applications = ["any"] services = ["application-default"] categories = ["any"] action = "allow" } rule { name = "deny sales to eng" source_zones = ["sales"] source_addresses = ["any"] source_users = ["any"] hip_profiles = ["any"] destination_zones = ["eng"] destination_addresses = ["any"] applications = ["any"] services = ["application-default"] categories = ["any"] action = "deny" target { serial = "01234" } target { serial = "56789" vsys_list = ["vsys1", "vsys3"] } } }
The following arguments are supported:
device_group
- (Optional) The device group to put the security policy into (default: shared
). rulebase
- (Optional) The rulebase. This can be pre-rulebase
(default), post-rulebase
, or rulebase
. rule
- The security rule definition (see below). The security rule ordering will match how they appear in the terraform plan file. The following arguments are valid for each rule
section:
name
- (Required) The security rule name. type
- (Optional) Rule type. This can be universal
(default), interzone
, or intrazone
. description
- (Optional) The description. tags
- (Optional) List of tags for this security rule. source_zones
- (Required) List of source zones. source_addresses
- (Required) List of source addresses. negate_source
- (Optional, bool) If the source should be negated. source_users
- (Required) List of source users. hip_profiles
- (Required) List of HIP profiles. destination_zones
- (Required) List of destination zones. destination_addresses
- (Required) List of destination addresses. negate_destination
- (Optional, bool) If the destination should be negated. applications
- (Required) List of applications. services
- (Required) List of services. categories
- (Required) List of categories. action
- (Optional) Action for the matched traffic. This can be allow
(default), deny
, drop
, reset-client
, reset-server
, or reset-both
. log_setting
- (Optional) Log forwarding profile. log_start
- (Optional, bool) Log the start of the traffic flow. log_end
- (Optional, bool) Log the end of the traffic flow (default: true
). disabled
- (Optional, bool) Set to true
to disable this rule. schedule
- (Optional) The security rule schedule. icmp_unreachable
- (Optional) Set to true
to enable ICMP unreachable. disable_server_response_inspection
- (Optional) Set to true
to disable server response inspection. group
- (Optional) Profile Setting: Group
- The group profile name. virus
- (Optional) Profile Setting: Profiles
- The antivirus setting. spyware
- (Optional) Profile Setting: Profiles
- The anti-spyware setting. vulnerability
- (Optional) Profile Setting: Profiles
- The Vulnerability Protection setting. url_filtering
- (Optional) Profile Setting: Profiles
- The URL filtering setting. file_blocking
- (Optional) Profile Setting: Profiles
- The file blocking setting. wildfire_analysis
- (Optional) Profile Setting: Profiles
- The WildFire Analysis setting. data_filtering
- (Optional) Profile Setting: Profiles
- The Data Filtering setting. target
- (Optional) A target definition (see below). If there are no target sections, then the rule will apply to every vsys of every device in the device group. negate_target
- (Optional, bool) Instead of applying the rule for the given serial numbers, apply it to everything except them. The following arguments are valid for each target
section:
serial
- (Required) The serial number of the firewall. vsys_list
- (Optional) A subset of all available vsys on the firewall that should be in this device group. If the firewall is a virtual firewall, then this parameter should just be omitted.
© 2018 HashiCorpLicensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/panos/r/panorama_security_policy.html