f5networks.f5_bigip.bigip_sslo_config_policy (3.4.0) — module

Manage an SSL Orchestrator security policy

Added in version 1.7.0 of f5networks.f5_bigip

Authors: Ravinder Reddy(@chinthalapalli), Kevin Stewart (@kevingstewart)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==3.4.0


Add to requirements.yml

  # Pin the exact collection version so every run resolves the same module code.
  collections:
    - name: f5networks.f5_bigip
      version: 3.4.0

Description

Use to manage an SSL Orchestrator security policy.

Usage examples

- name: SSLO config policy
  bigip_sslo_config_policy:
    # The module prepends "ssloP_" to this name (see the name option), so keep it
    # under 14 characters and free of dashes.
    name: "testpolicy"
    # Keep server certificate validation on; see server_cert_check in Inputs.
    server_cert_check: true
    proxy_connect:
      username: "testuser"
      # Credential for the upstream proxy, left empty in this example. In a real
      # playbook source it from Ansible Vault or a lookup rather than a literal.
      password: ""
      pool_members:
        - ip: "192.168.30.10"
          # port is declared type int in the argument spec, so it stays unquoted.
          port: 100
    policy_rules:
      # Rules are applied in the order they are listed here.
      - name: "testrule"
        # match_any / match_all decide how multiple conditions in one rule combine.
        match_type: "match_any"
        policy_action: "reject"
        conditions:
          - condition_type: "category_lookup_all"
            condition_option_category:
              - "Financial Data and Services"
              - "General Email"
          - condition_type: "client_port_match"
            # condition_option_ports elements are type str, hence the quotes.
            condition_option_ports:
              - "80"
              - "90"
          - condition_type: "client_ip_geolocation"
            # Each entry is a type/value pair; type is one of countryCode,
            # countryName, continent or state (see geolocations in Inputs).
            geolocations:
              - type: "countryCode"
                value: "US"
              - type: "countryCode"
                value: "UK"
      - name: "testrule2"
        match_type: "match_all"
        policy_action: "reject"
        conditions:
          - condition_type: "category_lookup_all"
            condition_option_category:
              - "Financial Data and Services"
              - "General Email"
          - condition_type: "client_port_match"
            condition_option_ports:
              - "80"
              - "90"

Inputs

    
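name:
    description:
    - Specifies the name of the security policy.
    - Configuration auto-prepends "ssloP_" to the policy.
    - The policy name should be less than 14 characters and not contain dashes "-".
    required: true
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - When C(state) is C(present), ensures the policy is created or modified.
    - When C(state) is C(absent), ensures the policy is removed.
    type: str

timeout:
    default: 300
    description:
    - The amount of time to wait for the C(CREATE) or C(MODIFY) task to complete, in
      seconds.
    - The accepted value range is between C(10) and C(1800) seconds.
    type: int

dump_json:
    default: false
    description:
    - Sets the module to output a JSON blob for further consumption.
    - When C(true) does not make any changes on the device and always returns C(changed=False).
    - The output provided is idempotent in nature, meaning if there are no changes made
      during C(MODIFY) on an existing service, no JSON output is generated.
    type: bool

default_rule:
    description:
    - Specifies the settings for the default C(All Traffic) security policy rule.
    - When creating a new policy, the rule is created with default values.
    - When modifying an existing policy, all values should be defined or they are replaced
      by default values (see below).
    suboptions:
      allow_block:
        choices:
        - allow
        - block
        description:
        - Defines the behavior for the default All Traffic rule.
        - If not specified, the C(allow) option is set.
        type: str
      service_chain:
        description:
        - Defines the service chain to attach to the default All Traffic rule.
        - If not specified, the C('') value is set.
        type: str
      tls_intercept:
        choices:
        - bypass
        - intercept
        description:
        - Defines the TLS behavior for the default All Traffic rule.
        - If not specified, the C(bypass) option is set.
        type: str
    type: dict
    version_added: 1.8.0
    version_added_collection: f5networks.f5_bigip

policy_rules:
    description:
    - Defines the policy rules to apply to the security policy, in defined order.
    elements: dict
    suboptions:
      conditions:
        description:
        - Defines the list of conditions within this rule.
        elements: dict
        suboptions:
          condition_option_category:
            description:
            - A list of URL categories (ex. "Financial and Data Services").
            - Use when C(condition_type) matches C(category_lookup_all) or C(category_lookup_sni).
            elements: str
            type: list
          condition_option_portrange:
            description:
            - Defines a port range using the keys C(port_from) and C(port_to).
            - Use when C(condition_type) matches C(client_port_match) or C(server_port_match).
            suboptions:
              port_from:
                description:
                - Starting port number in the port range.
                type: str
              port_to:
                description:
                - Ending port number in the port range.
                type: str
            type: dict
          condition_option_ports:
            description:
            - Defines a list of ports.
            - Use when C(condition_type) matches C(client_port_match) or C(server_port_match).
            elements: str
            type: list
          condition_option_subnet:
            description:
            - Defines a list of IP subnets.
            - Use when C(condition_type) matches C(client_ip_subnet_match) or C(server_ip_subnet_match).
            elements: str
            type: list
          # The description below previously repeated the text of the rule name option;
          # it now describes what this option actually selects.
          condition_type:
            choices:
            - category_lookup_all
            - category_lookup_sni
            - category_lookup_httpconnect
            - ssl_check
            - client_port_match
            - server_port_match
            - client_ip_subnet_match
            - server_ip_subnet_match
            - tcp_l7_protocol_lookup
            - udp_l7_protocol_lookup
            - client_ip_geolocation
            - server_ip_geolocation
            description:
            - Defines the type of condition to evaluate within this rule.
            - The matching C(condition_option_*), C(geolocations) or C(option_*_protocol)
              option supplies the values for the chosen type.
            type: str
          geolocations:
            description:
            - A list of 'type' and 'value' keys, where type can be 'countryCode', 'countryName',
              'continent', or 'state'.
            - Use when C(condition_type) matches C(client_ip_geolocation) or C(server_ip_geolocation).
            elements: dict
            type: list
          option_tcp_protocol:
            description:
            - Defines a list of TCP protocols to be used with C(tcp_l7_protocol_lookup).
            elements: str
            type: list
          option_udp_protocol:
            description:
            - Defines a list of UDP protocols to be used with C(udp_l7_protocol_lookup).
            elements: str
            type: list
        type: list
      match_type:
        choices:
        - match_any
        - match_all
        description:
        - Defines the match type when multiple conditions are applied to a single rule.
        type: str
      name:
        description:
        - Defines the name of the policy rule.
        type: str
      policy_action:
        choices:
        - allow
        - reject
        - abort
        description:
        - Defines the policy action applied for this rule.
        type: str
      service_chain:
        description:
        - Defines the service chain to attach to this rule.
        type: str
      ssl_action:
        choices:
        - bypass
        - intercept
        description:
        - Defines the TLS intercept/bypass behavior for this rule.
        type: str
    type: list

proxy_connect:
    description:
    - Specifies the proxy-connect settings, as required, to establish an upstream proxy
      chain egress.
    suboptions:
      # NOTE(review): the rendered spec does not show whether this option is marked
      # no_log — confirm, so the value is not echoed in task output or logs.
      password:
        description:
        - Defines the password for the proxy connection.
        - Supply it from Ansible Vault or a lookup rather than as a literal in the playbook.
        type: str
      pool_members:
        description:
        - Defines the pool members to associate with the new pool.
        - Mutually exclusive with the C(pool_name) parameter.
        elements: dict
        suboptions:
          ip:
            description:
            - IP address of the pool member you want to add.
            required: true
            type: str
          port:
            description:
            - Port number to be associated with the pool member IP address.
            type: int
        type: list
      pool_name:
        description:
        - Defines an existing pool name for the proxy connection. Specify with a partition.
        - Mutually exclusive with C(pool_members).
        type: str
      username:
        description:
        - Defines the username for the proxy connection.
        type: str
    type: dict

policy_consumer:
    choices:
    - outbound
    - inbound
    default: outbound
    description:
    - Specifies the type of policy.
    type: str

# No default is documented for this option; set it explicitly. Disabling it turns off
# validation of the server certificate for intercepted traffic.
server_cert_check:
    description:
    - Enables or disables server certificate validation.
    - No default is documented; set this explicitly and prefer C(true).
    type: bool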