f5networks.f5_bigip.bigip_sslo_service_layer3 (3.4.0) — module

Manage an SSL Orchestrator Layer 3 security device

Added in version 1.6.0 of f5networks.f5_bigip

Authors: Ravinder Reddy (@chinthalapalli), Kevin Stewart (@kevingstewart)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==3.4.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_bigip
      version: 3.4.0

Description

Manage an SSL Orchestrator Layer 3 security device

Usage examples

- name: SSLO LAYER 3 service using an existing VLAN
  bigip_sslo_service_layer3:
    name: "layer3_test2"
    devices_to:
      vlan: "/Common/testvlan_in"
      self_ip: "198.19.64.7"
      netmask: "255.255.255.128"
    devices_from:
      vlan: "/Common/testvlan_out"
      self_ip: "198.19.64.245"
      netmask: "255.255.255.128"
    devices:
      - ip: "198.19.64.30"
      - ip: "198.19.64.31"
- name: SSLO LAYER 3 service using an interface to create the VLAN and service
  bigip_sslo_service_layer3:
    name: "layer3a"
    devices_to:
      interface: "1.1"
      tag: 40
      self_ip: "198.19.64.7"
      netmask: "255.255.255.128"
    devices_from:
      interface: "1.1"
      tag: 50
      self_ip: "198.19.64.245"
      netmask: "255.255.255.128"
    devices:
      - ip: "198.19.64.30"
      - ip: "198.19.64.31"
- name: SSLO LAYER 3 service
  bigip_sslo_service_layer3:
    provider: "{{ provider }}"
    name: "layer3a"
    devices_to:
      vlan: "/Common/layer3-in-vlan"
      self_ip: "198.19.64.7"
      netmask: "255.255.255.128"
    devices_from:
      interface: "1.3"
      tag: 50
      self_ip: "198.19.64.245"
      netmask: "255.255.255.128"
    devices:
      - ip: "198.19.64.30"
      - ip: "198.19.64.31"
    snat: automap

Inputs

    
name:
    description:
    - Specifies the name of the Layer 3 security service.
    - The configuration auto-prepends C(ssloS_) to the service.
    - The service name should be less than 14 characters and not contain dashes C(-).
    required: true
    type: str

snat:
    choices:
    - none
    - automap
    - snatpool
    - snatlist
    description:
    - Defines if and how a SNAT configuration is deployed.
    - When C(none), no SNAT configuration is performed. This is the default choice when
      creating an L3 inline service if the parameter is not provided.
    - When C(automap), SNAT automap is configured.
    - When C(snatpool), the SNAT configuration points to the existing SNAT pool defined by
      the C(snat_pool) parameter.
    - When C(snatlist), a new SNAT pool is created from the provided C(snat_list).
    type: str

rules:
    description:
    - Defines a list of iRules to attach to the service.
    elements: str
    type: list

state:
    choices:
    - absent
    - present
    default: present
    description:
    - Specifies the present/absent state required.
    type: str

devices:
    description:
    - Defines a list of service IP addresses and ports.
    elements: dict
    suboptions:
      ip:
        description:
        - The nominal IP address for this service.
        type: str
      port:
        description:
        - The port for this service.
        type: int
    type: list

monitor:
    description:
    - Specifies the monitor attached to the L3 Inline security device pool.
    - The monitor must already exist on the BIG-IP.
    - When creating an L3 Inline service, if the parameter is not provided, a default of
      C(/Common/gateway_icmp) is assumed.
    type: str

timeout:
    default: 300
    description:
    - The amount of time to wait for the C(CREATE) or C(MODIFY) task to complete, in seconds.
    - The accepted value range is between C(10) and C(1800) seconds.
    type: int

dump_json:
    default: false
    description:
    - Sets the module to output a JSON blob for further consumption.
    - When C(true), does not make any changes on the device and always returns C(changed=False).
    - The output provided is idempotent in nature, meaning if there are no changes to
      be made during C(MODIFY) on an existing service, no JSON output is generated.
    type: bool

ip_family:
    choices:
    - ipv4
    - ipv6
    description:
    - Specifies the IP family used for attached L3 inline security devices.
    type: str

snat_list:
    description:
    - Defines a list of IP addresses to use in a SNAT pool configuration.
    - This parameter is required when C(snat) is set to C(snatlist).
    elements: str
    type: list

snat_pool:
    description:
    - Defines an existing SNAT pool.
    - This parameter is required when C(snat) is set to C(snatpool).
    type: str

devices_to:
    description:
    - Specifies the set of network settings for traffic going to the service from the
      BIG-IP.
    suboptions:
      interface:
        description:
        - Defines the interface on the to-service side.
        - Mutually exclusive with C(vlan).
        type: str
      netmask:
        description:
        - Defines the to-service self IP netmask.
        type: str
      self_ip:
        description:
        - Defines the to-service self IP.
        type: str
      tag:
        description:
        - Defines the VLAN tag on the to-service side.
        - Mutually exclusive with C(vlan).
        type: int
      vlan:
        description:
        - Defines an existing VLAN to attach on the to-service side.
        - Mutually exclusive with the C(tag) or C(interface) parameters.
        type: str
    type: dict

port_remap:
    description:
    - Defines the port to remap decrypted traffic to.
    type: int

auto_manage:
    description:
    - Specifies whether to provide a set of unique, non-overlapping, non-routable IP addresses
      to be used by the security service.
    type: bool

vendor_info:
    description:
    - Specifies the vendor-specific L3 service used. The default is C(Generic Inline Layer
      3).
    type: str

devices_from:
    description:
    - Specifies the set of network settings for traffic going to the BIG-IP from the service.
    suboptions:
      interface:
        description:
        - Defines the interface on the from-service side.
        - Mutually exclusive with C(vlan).
        type: str
      netmask:
        description:
        - Defines the from-service self IP netmask.
        type: str
      self_ip:
        description:
        - Defines the from-service self IP.
        type: str
      tag:
        description:
        - Defines the VLAN tag on the from-service side.
        - Mutually exclusive with C(vlan).
        type: int
      vlan:
        description:
        - Defines an existing VLAN to attach on the from-service side.
        - Mutually exclusive with the C(tag) or C(interface) parameters.
        type: str
    type: dict

use_exist_selfip:
    description:
    - Specifies whether to use existing self-IPs.
    type: bool

service_down_action:
    choices:
    - ignore
    - reset
    - drop
    description:
    - Specifies the action to take on monitor failure.
    - Setting to C(ignore) bypasses the security device in the service chain.
    - Setting to C(reset) or C(drop) resets or drops the connection, respectively, if
      the service monitor fails.
    - When creating an L3 Inline service, if the parameter is not provided, a default value
      of C(ignore) is assumed.
    type: str
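
The constraints documented in the Inputs above can be checked before a task reaches the BIG-IP. The following is an added example, not code from the module or the collection; the function name `check_layer3_args` and the two sample task dictionaries are assumptions constructed for illustration. It also flags the documented default `service_down_action: ignore`, which bypasses the security device in the service chain when its monitor fails.

```python
"""Pre-flight check of bigip_sslo_service_layer3 task arguments (added example)."""

def _check_side(side, cfg, out):
    # vlan (existing VLAN) is mutually exclusive with interface/tag (new VLAN).
    if "vlan" in cfg and ("interface" in cfg or "tag" in cfg):
        out.append(f"error: {side}: vlan is mutually exclusive with interface/tag")
    # Catch keys that are not documented suboptions, e.g. 'selfip' for 'self_ip'.
    for key in cfg:
        if key not in {"vlan", "interface", "tag", "self_ip", "netmask"}:
            out.append(f"error: {side}: undocumented suboption '{key}'")

def check_layer3_args(args):
    """Return a list of 'error: ...' / 'warning: ...' findings for one task."""
    out = []
    name = args.get("name", "")
    if not name:
        out.append("error: name is required")
    elif len(name) >= 14 or "-" in name:
        out.append("error: name must be under 14 characters with no dashes")
    for side in ("devices_to", "devices_from"):
        _check_side(side, args.get(side, {}), out)
    snat = args.get("snat", "none")
    if snat == "snatlist" and not args.get("snat_list"):
        out.append("error: snat=snatlist requires snat_list")
    if snat == "snatpool" and not args.get("snat_pool"):
        out.append("error: snat=snatpool requires snat_pool")
    if not 10 <= args.get("timeout", 300) <= 1800:
        out.append("error: timeout must be between 10 and 1800 seconds")
    # Documented default is 'ignore': on monitor failure the device is bypassed.
    if args.get("service_down_action", "ignore") == "ignore":
        out.append("warning: service_down_action=ignore bypasses the device "
                   "on monitor failure; use reset or drop to fail closed")
    return out

# Constructed sample tasks (not taken from a real deployment).
GOOD = {"name": "layer3a", "snat": "automap", "service_down_action": "reset",
        "devices_to": {"vlan": "/Common/layer3-in-vlan", "self_ip": "198.19.64.7",
                       "netmask": "255.255.255.128"},
        "devices_from": {"interface": "1.3", "tag": 50, "self_ip": "198.19.64.245",
                         "netmask": "255.255.255.128"},
        "devices": [{"ip": "198.19.64.30"}, {"ip": "198.19.64.31"}]}
BAD = {"name": "layer3-inspection", "snat": "snatlist", "timeout": 5,
       "devices_to": {"vlan": "/Common/in", "tag": 40, "selfip": "198.19.64.7"},
       "devices_from": {"interface": "1.1", "tag": 50}}

if __name__ == "__main__":
    for label, task in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_layer3_args(task) or "no findings")
```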

Outputs

devices:
  contains:
    ip:
      description: The nominal IP address for this service.
      sample: 192.168.1.1
      type: str
    port:
      description: The port for this service.
      sample: 8455
      type: str
  description:
  - The list of service IP addresses and ports.
  returned: changed
  type: complex
devices_from:
  contains:
    interface:
      description: Defines a from-service interface.
      sample: 1.3
      type: str
    netmask:
      description: Defines the from-service VLAN self IP netmask.
      sample: 255.255.255.128
      type: str
    self_ip:
      description: Defines the from-service VLAN self IP.
      sample: 198.19.64.245
      type: str
    tag:
      description: Defines a from-service VLAN tag.
      sample: 50
      type: int
    vlan:
      description: Defines an existing from-service VLAN.
      sample: /Common/layer3service-to-vlan
      type: str
  description:
  - Network settings for from-service configuration.
  returned: changed
  type: complex
devices_to:
  contains:
    interface:
      description: Defines a to-service interface.
      sample: 1.3
      type: str
    netmask:
      description: Defines the to-service VLAN self IP netmask.
      sample: 255.255.255.128
      type: str
    self_ip:
      description: Defines the to-service VLAN self IP.
      sample: 198.19.64.7
      type: str
    tag:
      description: Defines a to-service VLAN tag.
      sample: 40
      type: int
    vlan:
      description: Defines an existing to-service VLAN.
      sample: /Common/layer3service-to-vlan
      type: str
  description:
  - Network settings for to-service configuration.
  returned: changed
  type: complex
ip_family:
  description:
  - The IP family used for attached L3 inline security devices.
  returned: changed
  sample: ipv4
  type: str
monitor:
  description:
  - The monitor attached to the L3 Inline security device pool.
  returned: changed
  sample: /Common/gateway_icmp
  type: str
port_remap:
  description:
  - Port remap settings.
  returned: changed
  sample: 8080
  type: int
rules:
  description:
  - List of iRules attached to the service.
  returned: changed
  sample:
  - /Common/test-rule-1
  - /Common/test-rule-2
  type: list
service_down_action:
  description:
  - The action to take on monitor failure.
  returned: changed
  sample: ignore
  type: str
snat:
  description:
  - SNAT configuration type.
  returned: changed
  sample: none
  type: str
snat_pool:
  description:
  - The name of the existing SNAT pool.
  returned: changed
  sample: /Common/test-snat-pool
  type: str
snatlist:
  description:
  - The list of SNAT pool members.
  returned: changed
  sample:
  - 198.19.64.10
  - 198.19.64.11
  type: list