arun6195.ngfw_smc_ansible.firewall_rule (1.0.1) — module

Create, modify or delete a firewall rule. Added in version 2.5 of arun6195.ngfw_smc_ansible. Authors: unknown. Preview, supported by community.
Install with:

```shell
ansible-galaxy collection install arun6195.ngfw_smc_ansible:==1.0.1
```

or via a requirements file:

```yaml
collections:
  - name: arun6195.ngfw_smc_ansible
    version: 1.0.1
```
Firewall rules can be added or removed from either a top level policy or a sub-policy. Source, destination and service elements can be used and referenced by their type and name (they must be pre-created). Many other rule settings are possible, including logging, inspection and connection tracking settings.
Examples

```yaml
- name: Example log all rule for top of rule set
  firewall_rule:
    policy: TestPolicy
    rules:
      - action: continue
        comment: logging rule
        log_options:
          log_accounting_info_mode: true
          log_closing_mode: true
          log_level: stored
        is_disabled: false
        name: Log all continue rule
```

```yaml
- name: Create a rule with specific sources and services
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
      - action: allow
        comment: my comment
        connection_tracking:
          mss_enforced: true
          mss_enforced_max: 1555
          mss_enforced_min: 0
          timeout: 11
        destinations:
          group:
            - foogroup
          host:
            - host-1.1.1.1
          ip_list:
            - Amazon S3
          network:
            - foonet
        inspection_options:
          decrypting: null
          deep_inspection: null
          file_filtering: null
        is_disabled: false
        log_options:
          application_logging: enforced
          eia_executable_logging: 'off'
          log_accounting_info_mode: false
          log_closing_mode: true
          log_compression: 'off'
          log_level: none
          log_payload_additionnal: true
          log_payload_excerpt: false
          log_payload_record: false
          log_severity: -1
          user_logging: enforced
        name: ruletest2
        services:
          ip_service:
            - CHAOS
          tcp_service:
            - AOL
          udp_service:
            - Biff
        sources:
          country:
            - China
          interface_nic_x_ip_alias:
            - $$ Interface ID 0.ip
          single_fw:
            - myfw
```

```yaml
- name: Create a rule to use VPN, requires a vpn_policy or mobile_vpn set
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    inspection_policy: High-Security Inspection Template
    policy: TestPolicy
    rules:
      - action: enforce_vpn
        comment: my comment
        connection_tracking:
          mss_enforced: false
          mss_enforced_max: -1
          mss_enforced_min: -1
          timeout: -1
        destinations:
          any: true
        inspection_options:
          decrypting: null
          deep_inspection: null
          file_filtering: null
        is_disabled: false
        authentication_options:
          method:
            - LDAP Authentication
          require_auth: true
          users:
            - dc=pages,dc=local,domain=myldapdomain
        log_options:
          application_logging: default
          eia_executable_logging: default
          log_accounting_info_mode: true
          log_closing_mode: false
          log_compression: 'off'
          log_level: stored
          log_payload_additionnal: false
          log_payload_excerpt: false
          log_payload_record: false
          log_severity: -1
        name: ruletest2
        services:
          any: true
        sources:
          any: true
        vpn_policy: MOBILE CLIENT VPN
    template: Firewall Inspection Template
```

```yaml
- name: Add a deny rule after specified rule using add_after syntax
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
      - action: discard
        comment: deny rule
        is_disabled: false
        name: my deny
        add_after: '2097193.0'
```

```yaml
- name: Delete a rule
  firewall_rule:
    policy: TestPolicy
    rules:
      - tag: '2097203.0'
    state: absent
```
Parameters

policy (str, required)
    The policy to operate on. Any rule modifications are done in the context of this policy.

sub_policy (str)
    The sub policy to operate on. This is mutually exclusive with the policy parameter. You can operate on rules within a firewall policy or a firewall sub policy.

state (str; choices: present, absent; default: present)
    Create or delete a firewall rule.

rules (list of dict)
    Source elements to add to the rule. Elements need to specify the type of element to add. If source is not provided, the rule source cell will be set to none and the rule will effectively be disabled. SMC version 6.6 or greater requires actions as a list rather than a string.

    Suboptions of each rule entry:

    action (str; choices: allow, discard, refuse, continue, jump, apply_blacklist, apply_vpn, enforce_vpn, forward_vpn; default: allow)
        Required action for the rule.

    add_after (str)
        Rule tag ID after which to add this rule. Only relevant for rules that are being created.

    add_before (str)
        Rule tag ID before which to add this rule. Only relevant for rules that are being created.

    authentication_options (dict)
        Set authentication options for this rule.
        method (list; choices: IPsec Certificate, LDAP Authentication, Network Policy Server, User password, Pre-Shared Key Method)
            Authentication method(s) supported for this rule. The default authentication methods are provided as choices. If you have created a custom authentication service, reference it by name.
        require_auth (bool; default: false)
            Whether to require authentication on this rule. If not set it is false. To require authentication, set to true and specify method and users.
        users (list)
            Users that are allowed to authenticate. If using an LDAP authentication resource, specify users by their fully qualified DN together with the system-created External LDAP domain. Examples of LDAP-configured users: 'CN=myuser,CN=Users,DC=mydomain,DC=local,domain=myldapdomain', 'OU=Domain Controllers,DC=mydomain,DC=local,domain=myldapdomain', 'dc=mydomain,dc=local,domain=myldapdomain'.

    comment (str)
        Optional comment for this rule.

    connection_tracking (dict)
        Optional settings to control connection tracking on the rule. The primary connection setting fields allow you to enforce MSS settings or change the inspection mode to strict, loose, normal or off.
        mss_enforced (bool; default: false)
            Whether to enforce MSS settings on this rule match.
        mss_enforced_max (int; default: -1)
            Maximum value for MSS enforcement. This value must be larger than mss_enforced_min. Required if mss_enforced is set. Set to -1 to disable, or set mss_enforced to false.
        mss_enforced_min (int; default: -1)
            Minimum value for MSS enforcement. Used with mss_enforced_max; the value must be smaller than mss_enforced_max. Set to -1 to disable, or set mss_enforced to false.
        state (str; choices: false, loose, normal, strict, null)
            Set the connection tracking mode for the state engine. Connection tracking controls how state is tracked for this rule match. Once set, use null to unset it back to the default of inheriting from the continue rule.
        timeout (int; default: -1)
            The timeout (in seconds) after which inactive connections are closed. This timeout only concerns idle connections. Set to -1 to disable.

    destinations (dict; valid keys: domain_name, expression, group, host, ip_list, network, engine, router, netlink, interface_zone)
        Destinations for use in this rule. You can use a shortcut for 'any' or 'none' by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this is a dict whose keys are valid element types and whose values are lists of elements of that type by name. The choices listed are the valid keys for the dict. If no destinations field is provided, 'any' is used.

    inspection_options (dict)
        Set inspection features on or off.
        decrypting (bool; choices: true, false, null)
            Whether to allow or deny decryption on this rule match. Set to null to inherit from the continue rule.
        deep_inspection (bool; choices: true, false, null)
            Whether to enable deep inspection on this rule match. Set to null to inherit from the continue rule.
        file_filtering (bool; choices: true, false, null)
            Whether to enable file filtering on this rule match. Set to null to inherit from the continue rule.

    is_disabled (bool; default: false)
        Whether this rule is disabled. Set to true to disable the rule, false otherwise.

    log_options (dict)
        Log options for this rule.
        application_logging (str; choices: enforced, default, false; default: default)
            Whether to enable application logging for the rule. 'default' inherits from the continue rule.
        eia_executable_logging (str; choices: enforced, default, false; default: default)
            Whether to enable EIA logging for the rule. 'default' inherits from the continue rule.
        log_accounting_info_mode (bool; default: false)
            Both connection opening and closing are logged, and information on the volume of traffic is collected. This sets connection closing to 'log accounting information'.
        log_closing_mode (bool; default: false)
            Whether to log an event when the connection closes. This is recommended in order to capture application information that might only be written on a connection close event. This setting is only in effect when log_level is not none. It sets connection closing to 'normal'.
        log_level (str; choices: none, transient, stored, essential, alert, undefined)
            Log level for this rule. 'undefined' inherits from the continue rule.
        log_payload_additionnal (bool; default: false)
            Log an additional payload with the log entry. By default the excerpt logs 4K.
        log_payload_excerpt (bool; default: false)
            Whether to log an excerpt of 4K bytes for the log entries. Use log_payload_additionnal to change from 4K to smaller or larger.
        log_payload_record (bool; default: false)
            Logs the payload up to the specified number of bytes (4K).
        user_logging (str; choices: enforced, default, false; default: default)
            Whether to enable user logging on the rule. 'default' inherits from the continue rule.

    name (str, required)
        Name for this rule. Required when adding a new rule; not required for modifications.

    services (dict; valid keys: service_group, tcp_service_group, udp_service_group, ip_service_group, icmp_service_group, tcp_service, udp_service, ip_service, ethernet_service, icmp_service, application_situation, url_category)
        Services for this rule. You can use a shortcut for 'any' or 'none' by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this is a dict whose keys are valid element types and whose values are lists of elements of that type by name. The choices listed are the valid keys for the dict. If no services field is provided, 'any' is used.

    sources (dict; valid keys: domain_name, expression, group, host, ip_list, network, engine, router, netlink, interface_zone)
        Sources for use in this rule. You can use a shortcut for 'any' or 'none' by providing a simple dict with the key 'any' or 'none' and the value true. Otherwise this is a dict whose keys are valid element types and whose values are lists of elements of that type by name. The choices listed are the valid keys for the dict. If no sources field is provided, 'any' is used.

    tag (str)
        Tag retrieved from the facts module. The tag identifies the rule uniquely and is a required field when making modifications. If tag is present, the operation becomes a modify; otherwise it becomes a create and name is required.
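A pre-flight lint for entries of the `rules` list, checking the constraints documented above (tag versus name, MSS bounds, require_auth prerequisites, valid element-type keys for the source, destination and service cells, list-form actions) and flagging an allow any-to-any rule whose log_level is none. This is an added example, not code from the collection; the extra source keys country, single_fw and interface_nic_x_ip_alias are taken from this page's examples because the documented choice list omits them.

```python
"""Pre-flight lint for firewall_rule `rules` entries against the constraints documented
above. Added example, not part of the collection; "page examples" keys come from this page."""

SRC_DST_KEYS = {"domain_name", "expression", "group", "host", "ip_list",
                "network", "engine", "router", "netlink", "interface_zone",
                "country", "single_fw", "interface_nic_x_ip_alias"}  # page examples
SERVICE_KEYS = {"service_group", "tcp_service_group", "udp_service_group",
                "ip_service_group", "icmp_service_group", "tcp_service",
                "udp_service", "ip_service", "ethernet_service", "icmp_service",
                "application_situation", "url_category"}
ANY, NONE = {"any": True}, {"none": True}

def check_cell(cell_name, cell, valid_keys, errors):
    """A cell is omitted (the module then uses 'any'), the any/none shortcut dict,
    or a dict mapping element type -> list of element names."""
    if cell is None or cell in (ANY, NONE):
        return
    for key, value in cell.items():
        if key not in valid_keys:
            errors.append(f"{cell_name}: unknown element type {key!r}")
        elif not isinstance(value, list):
            errors.append(f"{cell_name}.{key}: expected a list of element names")

def lint_rule(rule):
    """Return a list of problems found in one rule dict (empty if clean)."""
    errors = []
    # tag present -> modify; otherwise this is a create and name is required
    if "tag" not in rule and not rule.get("name"):
        errors.append("name is required when creating a rule (no tag given)")
    ct = rule.get("connection_tracking", {})
    if ct.get("mss_enforced"):
        lo, hi = ct.get("mss_enforced_min", -1), ct.get("mss_enforced_max", -1)
        if hi == -1:
            errors.append("mss_enforced requires mss_enforced_max")
        elif lo != -1 and lo >= hi:
            errors.append("mss_enforced_min must be smaller than mss_enforced_max")
    auth = rule.get("authentication_options", {})
    if auth.get("require_auth") and not (auth.get("method") and auth.get("users")):
        errors.append("require_auth: true needs both method and users")
    check_cell("sources", rule.get("sources"), SRC_DST_KEYS, errors)
    check_cell("destinations", rule.get("destinations"), SRC_DST_KEYS, errors)
    check_cell("services", rule.get("services"), SERVICE_KEYS, errors)
    # SMC 6.6+ takes action as a list; normalise before the review check
    action = rule.get("action", "allow")
    actions = action if isinstance(action, list) else [action]
    if ("allow" in actions and rule.get("log_options", {}).get("log_level") == "none"
            and rule.get("sources", ANY) == ANY and rule.get("destinations", ANY) == ANY):
        errors.append("allow any->any with log_level none: permissive rule leaves no log")
    return errors
```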
Return Values

changed (bool, returned: always)
    Whether or not the change succeeded.

state (dict, returned: always)
    The current state of the element.