f5networks.f5_modules.bigip_firewall_log_profile_network (1.28.0) - module
Added in version 1.0.0 of f5networks.f5_modules.
Author: Wojciech Wypior (@wojtek0806)

Install with: ansible-galaxy collection install f5networks.f5_modules:==1.28.0

Or pin it in requirements.yml:
collections:
  - name: f5networks.f5_modules
    version: 1.28.0
Configures Network Firewall related settings of the log profile.
Examples:

```yaml
- name: Add network settings to log profile
  bigip_firewall_log_profile_network:
    profile_name: barbaz
    rate_limit: "150000"
    log_publisher: local-db-pub
    log_tcp_errors:
      enabled: true
      rate_limit: "10000"
    log_tcp_events:
      enabled: true
      rate_limit: "40000"
    log_storage_format: "field-list"
    log_message_fields:
      - vlan
      - translated_vlan
      - src_ip
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Change delimiter and log fields
  bigip_firewall_log_profile_network:
    profile_name: barbaz
    log_format_delimiter: '.'
    log_message_fields:
      - translated_dest_ip
      - translated_dest_port
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Modify built-in profile
  bigip_firewall_log_profile_network:
    profile_name: "global-network"
    log_publisher: "/foobar/log1"
    log_ip_errors:
      enabled: true
      rate_limit: "60000"
    log_matches_reject_rule:
      enabled: true
      rate_limit: "2000"
    log_translation_fields: true
    log_storage_format: "field-list"
    log_format_delimiter: '.'
    log_message_fields:
      - protocol
      - dest_ip
      - dest_port
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove custom log profile network log settings
  bigip_firewall_log_profile_network:
    profile_name: "{{ log_profile }}"
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
Parameters:

profile_name (str, required)
  - Specifies the name of the AFM (Advanced Firewall Manager) log profile to be updated.

state (str; choices: present, absent; default: present)
  - When C(state) is C(present), ensures the resource exists.
  - The only built-in profile that allows updating network log settings is global-network; attempts to do so on other built-in profiles are ignored.
  - When C(state) is C(absent), ensures the resource is removed.
  - The C(absent) state is ignored for the global-network log profile.

partition (str; default: Common)
  - Device partition on which to create the log profile.
  - This parameter is also used to qualify log publisher names, unless the log publisher name is given in fullpath format.

rate_limit (str)
  - Defines a rate limit for all combined network firewall log messages per second. Beyond this rate limit, log messages are not logged.
  - To specify an indefinite rate, use the value C(indefinite).
  - If specifying a numeric rate, the value must be between C(1) and C(4294967295).

log_publisher (str)
  - Specifies the name of the log publisher used for Network events.
  - To specify a log publisher on a different partition from the AFM log profile, give the name in fullpath format, e.g. C(/Foobar/log-publisher); otherwise the partition for the log publisher is inferred from the C(partition) module parameter.

log_ip_errors (dict)
  - Modifies log settings for logging of IP error packets.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of IP error packets.
    rate_limit (str)
      - Sets the rate limit for the logging of IP error packets.
      - Effective only if logging of this message type is enabled.

log_tcp_errors (dict)
  - Modifies log settings for the logging of TCP error packets.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of TCP error packets.
    rate_limit (str)
      - Sets the rate limit for the logging of TCP error packets.
      - Effective only if logging of this message type is enabled.

log_tcp_events (dict)
  - Modifies the log settings for logging of TCP events on the client side.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of TCP events on the client side.
      - Only the B(Established) and B(Closed) states of a TCP session are logged if this option is enabled.
    rate_limit (str)
      - Sets the rate limit for the logging of TCP events on the client side.
      - Effective only if logging of this message type is enabled.

log_matches_accept_rule (dict)
  - Modifies log settings for ACL rules configured with an "accept" or "accept decisively" action.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of packets that match ACL rules configured with an "accept" or "accept decisively" action.
    rate_limit (str)
      - Sets the rate limit for the logging of packets that match ACL rules configured with an "accept" or "accept decisively" action.
      - Effective only if logging of this message type is enabled.

log_matches_drop_rule (dict)
  - Modifies log settings for ACL rules configured with a drop action.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of packets that match ACL rules configured with a drop action.
    rate_limit (str)
      - Sets the rate limit for the logging of packets that match ACL rules configured with a drop action.
      - Effective only if logging of this message type is enabled.

log_matches_reject_rule (dict)
  - Modifies log settings for ACL rules configured with a reject action.
  suboptions:
    enabled (bool)
      - Enables or disables the logging of packets that match ACL rules configured with a reject action.
    rate_limit (str)
      - Sets the rate limit for the logging of packets that match ACL rules configured with a reject action.
      - Effective only if logging of this message type is enabled.

log_translation_fields (bool)
  - Enables or disables the logging of translated (i.e. server-side) fields in ACL match and TCP events.
  - Translated fields include (but are not limited to) source address/port, destination address/port, IP protocol, route domain, and VLAN.

log_storage_format (str; choices: field-list, none)
  - Specifies the type of the storage format.
  - When creating a new log profile, if this parameter is not specified, the default is C(none).
  - When C(field-list), the log contains only the items you specify in the C(log_message_fields) list, separated by C(log_format_delimiter).
  - When C(none), messages are logged in the default format, which is: management_ip_address, bigip_hostname, context_type, context_name, src_geo, src_ip, dest_geo, dest_ip, src_port, dest_port, vlan, protocol, route_domain, translated_src_ip, translated_dest_ip, translated_src_port, translated_dest_port, translated_vlan, translated_ip_protocol, translated_route_domain, acl_policy_type, acl_policy_name, acl_rule_name, action, drop_reason, sa_translation_type, sa_translation_pool, flow_id, source_user, source_fqdn, dest_fqdn.

log_format_delimiter (str)
  - Specifies the delimiter string when using a C(log_storage_format) of C(field-list).
  - When creating a new profile, if this parameter is not specified, the default value of C(,) (the comma character) is used.
  - This option is valid only when C(log_storage_format) is set to C(field-list). It is ignored otherwise.
  - Depending on the delimiter used, it may be necessary to wrap the delimiter in quotes to prevent YAML errors.
  - The special character C($) is reserved for internal use and raises an error if used.
  - The maximum length allowed for this parameter is C(31) characters.

log_message_fields (list of str)
  - Specifies the set of fields to be logged.
  - This option is valid only when C(log_storage_format) is set to C(field-list). It is ignored otherwise.
  - The order of the list is important: the device writes the selected items to the log sequentially in this order, so a consumer parsing the lines must use the same order.
  - choices: acl_policy_name, acl_policy_type, acl_rule_name, action, bigip_hostname, context_name, context_type, date_time, dest_fqdn, dest_geo, dest_ip, dest_port, drop_reason, management_ip_address, protocol, route_domain, sa_translation_pool, sa_translation_type, source_fqdn, source_user, src_geo, src_ip, src_port, translated_dest_ip, translated_dest_port, translated_ip_protocol, translated_route_domain, translated_src_ip, translated_src_port, translated_vlan, vlan

provider (dict; added in version 1.0.0 of f5networks.f5_modules)
  - A dict object containing connection details.
  suboptions:
    server (str, required)
      - The BIG-IP host or the BIG-IQ host.
      - You may omit this option by setting the environment variable C(F5_SERVER).
    server_port (int; default: 443)
      - The BIG-IP server port.
      - You may omit this option by setting the environment variable C(F5_SERVER_PORT).
    user (str, required)
      - The username used to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device.
      - You may omit this option by setting the environment variable C(F5_USER).
    password (str, required; aliases: pass, pwd)
      - The password for the user account used to connect to the BIG-IP or the BIG-IQ.
      - You may omit this option by setting the environment variable C(F5_PASSWORD).
    validate_certs (bool; default: true)
      - If C(false), SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
      - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
    auth_provider (str)
      - Configures the auth provider used to obtain authentication tokens from the remote device.
      - This option is used only when working with BIG-IQ devices.
    no_f5_teem (bool; default: false)
      - If C(true), TEEM telemetry data is not sent to F5.
      - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
      - The previously used variable C(F5_TEEM) is deprecated, as its name was confusing.
    timeout (int)
      - Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation completes, the module errors.
    transport (str; choices: rest; default: rest)
      - Configures the transport connection to use when connecting to the remote device.
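The constraints above on rate_limit, log_format_delimiter and log_message_fields, together with the rule that field-list lines are written in list order, are the parts of this module a SOC consumer has to get right on both ends. The following helper is an added example, not code from the f5networks collection or from F5: it validates the three parameters against the documented limits and parses a field-list log line back into named fields using the same ordered list the profile was configured with. The function names, and the sample log line (constructed to match the first playbook example's field order), are assumptions made for illustration. It also shows why the `.` delimiter used in the second and third examples is a poor choice once an IP field is in the list: an IPv4 address contains dots, so the line can no longer be split unambiguously.

```python
"""Added helper for AFM network log profile settings (not part of f5networks.f5_modules).

Mirrors the documented constraints on rate_limit, log_format_delimiter and
log_message_fields, and parses a field-list formatted log line back into named
fields. The sample log line below is constructed, not captured from a BIG-IP.
"""

# Field names accepted by log_message_fields, as listed in the module documentation.
ALLOWED_FIELDS = frozenset({
    "acl_policy_name", "acl_policy_type", "acl_rule_name", "action",
    "bigip_hostname", "context_name", "context_type", "date_time",
    "dest_fqdn", "dest_geo", "dest_ip", "dest_port", "drop_reason",
    "management_ip_address", "protocol", "route_domain",
    "sa_translation_pool", "sa_translation_type", "source_fqdn",
    "source_user", "src_geo", "src_ip", "src_port", "translated_dest_ip",
    "translated_dest_port", "translated_ip_protocol",
    "translated_route_domain", "translated_src_ip", "translated_src_port",
    "translated_vlan", "vlan",
})
RATE_LIMIT_MAX = 4294967295   # documented upper bound for a numeric rate_limit
DELIMITER_MAX_LEN = 31        # documented maximum length of log_format_delimiter


def validate_rate_limit(value: str) -> bool:
    """True for 'indefinite' or a decimal string in the range 1..4294967295."""
    if value == "indefinite":
        return True
    return value.isdecimal() and 1 <= int(value) <= RATE_LIMIT_MAX


def validate_delimiter(delimiter: str) -> bool:
    """True if the delimiter is non-empty, at most 31 characters, and avoids the reserved '$'."""
    return 0 < len(delimiter) <= DELIMITER_MAX_LEN and "$" not in delimiter


def unknown_fields(fields) -> list:
    """Return the entries of a log_message_fields list that are not valid field names."""
    return [f for f in fields if f not in ALLOWED_FIELDS]


def delimiter_is_ambiguous(delimiter: str, sample_values) -> bool:
    """True if the delimiter also occurs inside a field value (e.g. '.' with an IPv4
    address), in which case a field-list line cannot be split back unambiguously."""
    return any(delimiter in str(v) for v in sample_values)


def parse_field_list_line(line: str, fields, delimiter: str) -> dict:
    """Split one field-list log line into {field: value} using the ordered field list
    the profile was configured with.  A count mismatch is the typical symptom of a
    delimiter collision or of a field list that drifted from the device's profile."""
    parts = line.split(delimiter)
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fields, parts))


# Constructed sample: the field order of the first playbook example with the default ',' delimiter.
SAMPLE_FIELDS = ["vlan", "translated_vlan", "src_ip"]
SAMPLE_LINE = "/Common/external,/Common/internal,198.51.100.7"


def parsed_sample() -> dict:
    """Parse the constructed sample line with the field order it was written with."""
    return parse_field_list_line(SAMPLE_LINE, SAMPLE_FIELDS, ",")


if __name__ == "__main__":
    record = parsed_sample()
    print(record)
    # '.' is a legal delimiter but collides with the dots in src_ip, so the same
    # record written with log_format_delimiter '.' could not be parsed back.
    print("'.' ambiguous for these values:", delimiter_is_ambiguous(".", record.values()))
```

Run the validators in a pre-task (for instance from a small custom filter or a lookup that reads the playbook variables) before handing the values to the module, and keep the field list used by the log consumer in the same variable the playbook uses, so both sides cannot drift apart.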
Return Values (all returned on change):

rate_limit (str)
  The rate limit for all combined network firewall log messages per second. Sample: indefinite

log_publisher (str)
  The name of the log publisher used for Network events. Sample: /Common/log-publisher

log_storage_format (str)
  The type of the storage format. Sample: field-list

log_format_delimiter (str)
  The delimiter string when using a log_storage_format of field-list. Sample: .

log_message_fields (list)
  The ordered list of fields logged when log_storage_format is field-list. Sample: [acl_policy_name, acl_policy_type]

log_translation_fields (bool)
  Enable or disable the logging of translated (i.e. server-side) fields in ACL match and TCP events. Sample: true

log_ip_errors (complex)
  Log settings for logging of IP error packets. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of IP error packets. Sample: true
    rate_limit (str): The rate limit for the logging of IP error packets. Sample: indefinite

log_tcp_errors (complex)
  Log settings for logging of TCP error packets. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of TCP error packets. Sample: true
    rate_limit (str): The rate limit for the logging of TCP error packets. Sample: indefinite

log_tcp_events (complex)
  Log settings for logging of TCP events on the client side. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of TCP events on the client side. Sample: true
    rate_limit (str): The rate limit for the logging of TCP events on the client side. Sample: indefinite

log_matches_accept_rule (complex)
  Log settings for ACL rules configured with an "accept" or "accept decisively" action. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of packets that match these ACL rules. Sample: true
    rate_limit (str): The rate limit for the logging of packets that match these ACL rules. Sample: indefinite

log_matches_drop_rule (complex)
  Log settings for ACL rules configured with a drop action. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of packets that match these ACL rules. Sample: true
    rate_limit (str): The rate limit for the logging of packets that match these ACL rules. Sample: indefinite

log_matches_reject_rule (complex)
  Log settings for ACL rules configured with a reject action. Sample: hash/dictionary of values
  contains:
    enabled (bool): Enable or disable the logging of packets that match these ACL rules. Sample: true
    rate_limit (str): The rate limit for the logging of packets that match these ACL rules. Sample: indefinite