Deprecated

Removed in 2.12

Reason: Consolidating code base. | Alternative: Use https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks instead.

community.general.panos_security_rule (0.1.1) — module

Create security rule policy on PAN-OS devices or Panorama management console.

Authors: Ivan Bojer (@ivanbojer), Robert Hagen (@rnh556)

deprecated | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
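The ordering requirement above is easy to get wrong when rules are added from several playbooks over time. The following Python model is added here as an illustration and is not part of this module or of the community.general collection: it reproduces the sequential first-match evaluation the description refers to and flags rules that an earlier, more general rule shadows. The rule fields mirror a subset of the module's parameters; the rules and the sample flow are constructed (the SSH rule copies the values of the first usage example), and the shadow check only reports a rule when every field of an earlier rule covers it.

```python
# Added example (not part of the module or the community.general collection):
# a model of first-match rule evaluation plus a check for rules shadowed by a
# more general rule placed earlier. Rule fields mirror module parameters; the
# rules and the sample flow below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """Subset of panos_security_rule fields needed to decide a match."""
    name: str
    action: str
    source_zone: list = field(default_factory=lambda: ["any"])
    destination_zone: list = field(default_factory=lambda: ["any"])
    source_ip: list = field(default_factory=lambda: ["any"])
    destination_ip: list = field(default_factory=lambda: ["any"])
    application: list = field(default_factory=lambda: ["any"])


def _value_match(candidates, value):
    return "any" in candidates or value in candidates


def _ip_match(candidates, addr):
    host = ip_address(addr)
    return any(c == "any" or host in ip_network(c, strict=False) for c in candidates)


def matches(rule, traffic):
    """True if a flow (a dict using the same field names) hits this rule."""
    return (_value_match(rule.source_zone, traffic["source_zone"])
            and _value_match(rule.destination_zone, traffic["destination_zone"])
            and _ip_match(rule.source_ip, traffic["source_ip"])
            and _ip_match(rule.destination_ip, traffic["destination_ip"])
            and _value_match(rule.application, traffic["application"]))


def evaluate(rules, traffic, default_action="deny"):
    """Walk the rulebase in order; the first matching rule decides the action."""
    for rule in rules:
        if matches(rule, traffic):
            return rule.name, rule.action
    return None, default_action


def _covers(outer, inner):
    """True if every value accepted by inner is also accepted by outer."""
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    return set(inner) <= set(outer)


def _ip_covers(outer, inner):
    if "any" in outer:
        return True
    if "any" in inner:
        return False
    outer_nets = [ip_network(o, strict=False) for o in outer]
    inner_nets = [ip_network(i, strict=False) for i in inner]
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer_nets)
               for i in inner_nets)


def shadowed_rules(rules):
    """(rule, shadowing rule) pairs: the rule can never fire because an earlier
    rule already accepts everything it would match."""
    found = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if (_covers(earlier.source_zone, later.source_zone)
                    and _covers(earlier.destination_zone, later.destination_zone)
                    and _ip_covers(earlier.source_ip, later.source_ip)
                    and _ip_covers(earlier.destination_ip, later.destination_ip)
                    and _covers(earlier.application, later.application)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rules: "SSH permit" copies the first usage example; the other two are made up.
DENY_TELNET = Rule("Deny telnet", "deny", ["public"], ["private"], ["any"], ["1.1.1.1"], ["telnet"])
SSH_PERMIT = Rule("SSH permit", "allow", ["public"], ["private"], ["any"], ["1.1.1.1"], ["ssh"])
ALLOW_GENERAL = Rule("Allow public to private", "allow", ["public"], ["private"])

RULES_ORDERED = [DENY_TELNET, SSH_PERMIT, ALLOW_GENERAL]   # specific rules first
RULES_SHADOWED = [ALLOW_GENERAL, SSH_PERMIT, DENY_TELNET]  # general rule first

# Constructed flow: a telnet session from the public zone to the host 1.1.1.1.
TELNET = {"source_zone": "public", "destination_zone": "private",
          "source_ip": "203.0.113.5", "destination_ip": "1.1.1.1", "application": "telnet"}

if __name__ == "__main__":
    print(evaluate(RULES_ORDERED, TELNET))    # ('Deny telnet', 'deny')
    print(evaluate(RULES_SHADOWED, TELNET))   # ('Allow public to private', 'allow')
    print(shadowed_rules(RULES_SHADOWED))
```

Running both orderings against the same telnet flow shows the deny rule deciding in the first and the general allow rule deciding in the second; shadowed_rules reports both later rules as unreachable in the second ordering, which is the kind of check worth running over a generated rulebase before it is committed.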


Requirements

Usage examples

- name: add an SSH inbound rule to devicegroup
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['ProjectX']
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'Cloud Edge'
- name: add a rule to allow HTTP multimedia only from CDNs
  panos_security_rule:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    operation: 'add'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'
- name: add a more complex rule that uses security profiles
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'
- name: delete a devicegroup security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    rule_name: 'Allow telnet'
    devicegroup: 'DC Firewalls'
- name: find a specific security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    password: '{{ password }}'
    operation: 'find'
    rule_name: 'Allow RDP to DCs'
  register: result
- debug: msg='{{result.stdout_lines}}'

Inputs

action:
    default: allow
    description:
    - Action to apply once the rule matches.

commit:
    default: 'yes'
    description:
    - Commit configuration if changed.
    type: bool

api_key:
    description:
    - API key that can be used instead of I(username)/I(password) credentials.

log_end:
    default: true
    description:
    - Whether to log at session end.
    type: bool

service:
    default: application-default
    description:
    - List of services.

spyware:
    description:
    - Name of the already defined spyware profile.

category:
    default:
    - any
    description:
    - The category.
    type: list

password:
    description:
    - Password credentials to use for auth unless I(api_key) is set.
    required: true

tag_name:
    description:
    - Administrative tags that can be added to the rule. Note, tags must be already defined.

username:
    default: admin
    description:
    - Username credentials to use for auth unless I(api_key) is set.

antivirus:
    description:
    - Name of the already defined antivirus profile.

log_start:
    description:
    - Whether to log at session start.
    type: bool

operation:
    choices:
    - add
    - update
    - delete
    - find
    default: add
    description:
    - The action to be taken. Supported values are I(add)/I(update)/I(find)/I(delete).

rule_name:
    description:
    - Name of the security rule.
    required: true

rule_type:
    default: universal
    description:
    - Type of security rule (version 6.1 of PAN-OS and above).

source_ip:
    default: any
    description:
    - List of source addresses.

ip_address:
    description:
    - IP address (or hostname) of PAN-OS device being configured.
    required: true

application:
    default: any
    description:
    - List of applications.

description:
    description:
    - Description for the security rule.

devicegroup:
    description:
    - Device groups are used for the Panorama interaction with Firewall(s). The group must exist on Panorama. If no device group is defined, we assume that we are contacting a Firewall directly.

source_user:
    default: any
    description:
    - Use users to enforce policy for individual users or a group of users.

source_zone:
    default: any
    description:
    - List of source zones.

hip_profiles:
    default: any
    description:
    - If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by the HIP that notifies the firewall about the user's local configuration.

file_blocking:
    description:
    - Name of the already defined file_blocking profile.

group_profile:
    description:
    - Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.

url_filtering:
    description:
    - Name of the already defined url_filtering profile.

vulnerability:
    description:
    - Name of the already defined vulnerability profile.

data_filtering:
    description:
    - Name of the already defined data_filtering profile.

destination_ip:
    default: any
    description:
    - List of destination addresses.

destination_zone:
    default: any
    description:
    - List of destination zones.

wildfire_analysis:
    description:
    - Name of the already defined wildfire_analysis profile.