arun6195.ngfw_smc_ansible.firewall_nat_rule (1.0.1) — module
Create, modify or delete a firewall NAT rule

Added in version 2.5 of arun6195.ngfw_smc_ansible. Authors: unknown. Status: preview, supported by community.

Install with:

```shell
ansible-galaxy collection install arun6195.ngfw_smc_ansible:==1.0.1
```

Or pin it in a requirements.yml:

```yaml
collections:
  - name: arun6195.ngfw_smc_ansible
    version: 1.0.1
```
Synopsis

Firewall NAT rules can be added to or removed from either a top-level policy or a sub-policy. Source, destination and service elements are referenced by their type and name and must already exist in the SMC before the rule is created. This module requires SMC >= 6.4.3 to support changes to NAT rules.
Examples

```yaml
- name: Firewall NAT rule examples
  firewall_nat_rule:
    policy: TestPolicy
    rules:
    - comment: added a comment
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 60000
          min_port: 1024
      is_disabled: false
      name: dynamic source nat with ports and IP redirect
      services:
        any: true
      sources:
        any: true
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic source nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
    - comment: testcomment
      destinations:
        host:
        - host-3.3.3.3
      is_disabled: false
      name: static_dest_nat with IP redirect
      services:
        any: true
      sources:
        any: true
      static_dst_nat:
        automatic_proxy: true
        original_value:
          max_port: 90
          min_port: 90
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 9999
          min_port: 9999
      used_on: ANY
    - comment: null
      destinations:
        any: true
      is_disabled: false
      name: static_src_nat with IP address
      services:
        any: true
      sources:
        host:
        - host-4.4.4.4
      static_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
      used_on: ANY
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic_source_nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
      used_on: ANY
```
Parameters

rules (list)
    The NAT rules to create, modify or delete within the selected policy. Each entry is a dict accepting the suboptions below.

    Suboptions:

    add_after (str)
        Rule tag ID after which to add the rule. Only relevant for rules that are being created.

    add_before (str)
        Rule tag ID before which to add the rule. Only relevant for rules that are being created.

    comment (str)
        Optional comment for this rule.

    destinations (dict; valid keys: domain_name, expression, group, host, ip_list, network, engine, router, netlink, interface_zone)
        Destinations for use in this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices listed are the valid keys for the dict. If no destinations field is provided, 'any' is used.

    dynamic_src_nat (dict)
        Dynamic source NAT rule. A dynamic source NAT rule uses the value of the rule source field and requires either an IP or an element as the translated address. You can also define ports to use for PAT. This NAT type is typically used for outbound NAT and PAT operations.

    is_disabled (bool; default: false)
        Whether this rule is disabled. Set to true to disable the rule, false otherwise.

    name (str; required: true)
        Name for this rule. Required if adding a new rule; not required for modifications.

    services (dict; valid keys: service_group, tcp_service_group, udp_service_group, ip_service_group, icmp_service_group, tcp_service, udp_service, ip_service, ethernet_service, icmp_service, application_situation, url_category)
        Services for this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices listed are the valid keys for the dict. If no services field is provided, 'any' is used.

    sources (dict; valid keys: domain_name, expression, group, host, ip_list, network, engine, router, netlink, interface_zone)
        Sources for use in this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices listed are the valid keys for the dict. If no sources field is provided, 'any' is used.

    static_dst_nat (dict)
        Static destination NAT rule, typically used for inbound traffic. This rule uses the rule destination field and requires either an IP or an element as the translated address. You can also specify ports as single values or ranges to translate. This is useful if, for example, you want inbound traffic on port 80 redirected to an internal host on port 8080.

    static_src_nat (dict)
        Static source NAT rule. A static source NAT rule uses the value of the rule source field and requires either an IP or an element as the translated address. This is mutually exclusive with dynamic_src_nat.

    tag (str)
        Tag retrieved from the facts module. The tag identifies the rule uniquely and is a required field when making modifications. If tag is present, the operation becomes a modify. Otherwise it becomes a create and I(name) is required.

state (str; choices: present, absent; default: present; required: false)
    Create (present) or delete (absent) the rule.

policy (str; required: true)
    The policy to operate on. Any rule modifications are done in the context of this policy.

sub_policy (str)
    The sub-policy to operate on. This is mutually exclusive with the I(policy) parameter. You can operate on rules within a firewall policy or a firewall sub-policy.
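The constraints the parameter list states (one of policy or sub_policy; name required when no tag is given; static_src_nat mutually exclusive with dynamic_src_nat; the any/none shortcut form; only the listed element types as cell keys; translated_value given as either an IP or a named element) can all be checked before a play ever talks to the SMC, which keeps a malformed rule from being half-applied to a live policy. The validator below is an added example and not part of the collection or its module code. The task dicts it checks are constructed here to mirror the page's own examples; the port-range bounds (1 to 65535, min_port <= max_port) and the reading of ip_descriptor versus name+type as the two translated-address forms are assumptions drawn from those examples.

```python
"""Pre-flight linter for firewall_nat_rule task definitions (added example, not collection code)."""
from typing import Any, Dict, List

# Element types the page lists as valid keys for the sources/destinations cells
ELEMENT_TYPES = {
    "domain_name", "expression", "group", "host", "ip_list", "network",
    "engine", "router", "netlink", "interface_zone",
}
# Element types the page lists as valid keys for the services cell
SERVICE_TYPES = {
    "service_group", "tcp_service_group", "udp_service_group", "ip_service_group",
    "icmp_service_group", "tcp_service", "udp_service", "ip_service",
    "ethernet_service", "icmp_service", "application_situation", "url_category",
}
NAT_KEYS = ("dynamic_src_nat", "static_src_nat", "static_dst_nat")


def _check_cell(label: str, field: str, value: Any, allowed: set, findings: List[str]) -> None:
    """Validate one sources/destinations/services cell. An absent cell means 'any'."""
    if value is None:
        return
    if not isinstance(value, dict):
        findings.append(f"{label}: {field} must be a dict")
        return
    if "any" in value or "none" in value:
        # Shortcut form: exactly one key, 'any' or 'none', with the value true
        if len(value) != 1 or list(value.values())[0] is not True:
            findings.append(f"{label}: {field} shortcut must be exactly {{any: true}} or {{none: true}}")
        return
    for key, members in value.items():
        if key not in allowed:
            findings.append(f"{label}: {field} key '{key}' is not a valid element type")
        elif not isinstance(members, list) or not members:
            findings.append(f"{label}: {field}.{key} must be a non-empty list of element names")


def _check_ports(label: str, where: str, block: Dict[str, Any], findings: List[str]) -> None:
    """min_port/max_port must be given as a pair and form a valid range (assumed bounds)."""
    lo, hi = block.get("min_port"), block.get("max_port")
    if (lo is None) != (hi is None):
        findings.append(f"{label}: {where} needs both min_port and max_port")
    elif lo is not None and not (1 <= lo <= hi <= 65535):
        findings.append(f"{label}: {where} port range {lo}-{hi} is invalid")


def validate_task(task: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one firewall_nat_rule task; an empty list means clean."""
    findings: List[str] = []
    # policy and sub_policy are mutually exclusive, and one of them is required
    if bool(task.get("policy")) == bool(task.get("sub_policy")):
        findings.append("task: exactly one of policy or sub_policy must be given")
    for i, rule in enumerate(task.get("rules") or []):
        label = rule.get("name") or rule.get("tag") or f"rule[{i}]"
        if "tag" not in rule and not rule.get("name"):
            findings.append(f"{label}: name is required when creating a rule (no tag)")
        if "tag" in rule and ("add_after" in rule or "add_before" in rule):
            findings.append(f"{label}: warning, add_after/add_before only apply to rules being created")
        if "static_src_nat" in rule and "dynamic_src_nat" in rule:
            findings.append(f"{label}: static_src_nat and dynamic_src_nat are mutually exclusive")
        _check_cell(label, "sources", rule.get("sources"), ELEMENT_TYPES, findings)
        _check_cell(label, "destinations", rule.get("destinations"), ELEMENT_TYPES, findings)
        _check_cell(label, "services", rule.get("services"), SERVICE_TYPES, findings)
        for nat_key in NAT_KEYS:
            nat = rule.get(nat_key)
            if not isinstance(nat, dict):
                continue
            tv = nat.get("translated_value") or {}
            has_ip = "ip_descriptor" in tv            # translated address as an IP
            has_elem = "name" in tv and "type" in tv  # translated address as an element
            if has_ip == has_elem:
                findings.append(f"{label}: {nat_key}.translated_value needs exactly one of ip_descriptor or name+type")
            _check_ports(label, f"{nat_key}.translated_value", tv, findings)
            if "original_value" in nat:
                _check_ports(label, f"{nat_key}.original_value", nat["original_value"], findings)
    return findings


# Constructed sample tasks mirroring the page's examples (not real SMC data)
GOOD_TASK = {
    "policy": "TestPolicy",
    "rules": [
        {"name": "dynamic source nat with ports and IP redirect", "comment": "added a comment",
         "sources": {"any": True}, "destinations": {"any": True}, "services": {"any": True},
         "dynamic_src_nat": {"automatic_proxy": True,
                             "translated_value": {"ip_descriptor": "1.1.1.1", "min_port": 1024, "max_port": 60000}},
         "is_disabled": False},
        {"name": "static_dest_nat with IP redirect", "destinations": {"host": ["host-3.3.3.3"]},
         "static_dst_nat": {"automatic_proxy": True, "original_value": {"min_port": 90, "max_port": 90},
                            "translated_value": {"ip_descriptor": "1.1.1.1", "min_port": 9999, "max_port": 9999}},
         "used_on": "ANY"},
    ],
}
BAD_TASK = {
    "policy": "TestPolicy", "sub_policy": "TestSubPolicy",
    "rules": [{"comment": None,
               "sources": {"any": True, "host": ["host-3.3.3.3"]},
               "destinations": {"vlan": ["vlan-10"]},
               "services": {"tcp_service": []},
               "static_src_nat": {"automatic_proxy": True, "translated_value": {"ip_descriptor": "1.1.1.1"}},
               "dynamic_src_nat": {"automatic_proxy": True, "translated_value": {"min_port": 1024}}}],
}

if __name__ == "__main__":
    for name, task in (("GOOD_TASK", GOOD_TASK), ("BAD_TASK", BAD_TASK)):
        print(name, validate_task(task) or "clean")
```

Run it as a pre-task or in CI over the rendered task variables; any non-empty finding list should fail the pipeline before the module is invoked. The GOOD_TASK sample passes cleanly, while BAD_TASK trips eight separate findings, one per constraint it violates.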
Return Values

changed (bool; returned: always)
    Whether or not the change succeeded.

state (dict; returned: always)
    The current state of the element.