ansible / ansible.builtin / v2.7.7 / module / _panos_security_policy
Removed in 2.9
Reason: This module depended on an outdated SDK. In 2.4 use M(panos_security_rule) instead. | Alternative: Use M(panos_security_rule) instead.
Create security rule policy on PanOS devices.
Added in version 2.3 of ansible.builtin
Authors: Ivan Bojer (@ivanbojer)
deprecated | supported by community
Install with pip: pip install ansible==2.7.7
Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
Examples:

- name: permit ssh to 1.1.1.1
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: Allow HTTP multimedia only from CDNs
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: more complex fictitious rule that uses profiles
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'
    commit: false

- name: deny all
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'DenyAll'
    log_start: true
    log_end: true
    action: 'deny'
    rule_type: 'interzone'
    commit: false

# permit ssh to 1.1.1.1 using panorama and pushing the configuration to firewalls
# that are defined in 'DeviceGroupA' device group
- name: permit ssh to 1.1.1.1 through Panorama
  panos_security_policy:
    ip_address: '10.5.172.92'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'DeviceGroupA'
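As an added illustration of the first-match ordering described above (example code, not part of the module or its documentation), the following Python models a rulebase built from the page's example rules and flags any rule that an earlier, broader rule would shadow. The rule and flow data are constructed here, and the dictionary keys follow the module's option names.

```python
ANY = "any"
# Match fields of a security rule, named after the module's options.
FIELDS = ("from_zone", "to_zone", "source", "destination", "application")


def _field(rule, key):
    """A rule that omits a match field gets the module default of ['any']."""
    return list(rule.get(key, [ANY]))


def first_match(rules, flow):
    """PAN-OS semantics: walk the rulebase in order and return the first rule
    whose every match field is 'any' or lists the flow's value; None otherwise."""
    for rule in rules:
        if all(ANY in _field(rule, k) or flow[k] in _field(rule, k) for k in FIELDS):
            return rule
    return None


def shadowed_rules(rules):
    """Names of rules that can never be hit because an earlier rule is at least
    as broad in every match field, so first_match always stops on the earlier one."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(ANY in _field(earlier, k) or set(_field(later, k)) <= set(_field(earlier, k))
                   for k in FIELDS):
                names.append(later["rule_name"])
                break
    return names


# Constructed rulebase, in the order the page's examples list the rules.
POLICY = [
    {"rule_name": "SSH permit", "from_zone": ["public"], "to_zone": ["private"],
     "source": ["any"], "destination": ["1.1.1.1"], "application": ["ssh"], "action": "allow"},
    {"rule_name": "HTTP Multimedia", "from_zone": ["public"], "to_zone": ["private"],
     "source": ["any"], "destination": ["1.1.1.1"],
     "application": ["http-video", "http-audio"], "action": "allow"},
    {"rule_name": "DenyAll", "action": "deny"},  # match fields default to 'any'
]

# Constructed flows to evaluate against the rulebase.
SSH_FLOW = {"from_zone": "public", "to_zone": "private", "source": "10.0.0.5",
            "destination": "1.1.1.1", "application": "ssh"}
WEB_FLOW = dict(SSH_FLOW, application="web-browsing")

if __name__ == "__main__":
    for flow in (SSH_FLOW, WEB_FLOW):
        print(flow["application"], "->", first_match(POLICY, flow)["rule_name"])
    print("shadowed if DenyAll is moved first:", shadowed_rules(list(reversed(POLICY))))
```

Running the check against the reversed order shows both allow rules reported as shadowed, which is the misordering the paragraph above warns about.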
Parameters:

Connection
ip_address (required): IP address (or hostname) of the PAN-OS device being configured.
username (default: admin): Username credentials to use for auth unless I(api_key) is set.
password (required): Password credentials to use for auth unless I(api_key) is set.
api_key: API key that can be used instead of I(username)/I(password) credentials.
devicegroup: Device groups are used for the Panorama interaction with Firewall(s). The group must exist on Panorama. If no device group is defined, the module assumes it is contacting a Firewall directly.
commit (default: true): Commit configuration if changed.

Rule identity
rule_name (required): Name of the security rule.
description: Description for the security rule.
rule_type (default: universal): Type of security rule (version 6.1 of PanOS and above).
tag: Administrative tags that can be added to the rule. Note, tags must be already defined.

Match criteria
from_zone (default: any): List of source zones.
to_zone (default: any): List of destination zones.
source (default: any): List of source addresses.
destination (default: any): List of destination addresses.
source_user (default: any): Use users to enforce policy for individual users or a group of users.
application (default: any): List of applications.
service (default: application-default): List of services.
hip_profiles (default: any): If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined from the HIP that notifies the firewall about the user's local configuration.

Action and logging
action (default: allow): Action to apply once the rule matches.
log_start: Whether to log at session start.
log_end (default: true): Whether to log at session end.

Security profiles
group_profile: Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
antivirus: Name of the already defined antivirus profile.
vulnerability: Name of the already defined vulnerability profile.
spyware: Name of the already defined spyware profile.
url_filtering: Name of the already defined url_filtering profile.
file_blocking: Name of the already defined file_blocking profile.
data_filtering: Name of the already defined data_filtering profile.
wildfire_analysis: Name of the already defined wildfire_analysis profile.