Try SpotterConfigures Network Firewall related settings of the log profile
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Wojciech Wypior (@wojtek0806)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Configures Network Firewall related settings of the log profile.
- name: Add network settings to log profile
bigip_firewall_log_profile_network:
profile_name: barbaz
rate_limit: "150000"
log_publisher: local-db-pub
log_tcp_errors:
enabled: true
rate_limit: "10000"
log_tcp_events:
enabled: true
rate_limit: "40000"
log_storage_format: "field-list"
log_message_fields:
- vlan
- translated_vlan
- src_ip
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Change delimiter and log fields
bigip_firewall_log_profile_network:
profile_name: barbaz
log_format_delimiter: '.'
log_message_fields:
- translated_dest_ip
- translated_dest_port
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Modify built-in profile
bigip_firewall_log_profile_network:
profile_name: "global-network"
log_publisher: "/foobar/log1"
log_ip_errors:
enabled: true
rate_limit: "60000"
log_matches_reject_rule:
enabled: true
rate_limit: "2000"
log_translation_fields: true
log_storage_format: "field-list"
log_format_delimiter: '.'
log_message_fields:
- protocol
- dest_ip
- dest_port
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Remove custom log profile network log settings
bigip_firewall_log_profile_network:
profile_name: "{{ log_profile }}"
state: absent
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
state:
choices:
- present
- absent
default: present
description:
- When C(state) is C(present), ensures the resource exists.
- The only built-in profile that allows updating network log settings is global-network,
attempts to do so on other built-in profiles will be ignored.
- When C(state) is C(absent), ensures that the resource is removed.
- The C(absent) state is ignored for global-network log profile.
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
partition:
default: Common
description:
- Device partition to create log profile on.
- This parameter is also used when specifying names for log publishers, unless log
publisher names are in fullpath format.
type: str
rate_limit:
description:
- Defines a rate limit for all combined network firewall log messages per second.
Beyond this rate limit, log messages are not logged.
- To specify an indefinite rate, use the value C(indefinite).
- If specifying a numeric rate, the value must be between C(1) and C(4294967295).
type: str
profile_name:
description:
- Specifies the name of the AFM (Advanced Firewall Manager) log profile to be updated.
required: true
type: str
log_ip_errors:
description:
- Modifies log settings for logging of IP error packets.
suboptions:
enabled:
description:
- This option enables or disables the logging of IP error packets.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of IP error packets.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_publisher:
description:
- Specifies the name of the log publisher used for Network events.
- To specify the log_publisher on a different partition from the AFM log profile,
specify the name in fullpath format, e.g. C(/Foobar/log-publisher), otherwise the
partition for the log publisher is inferred from the C(partition) module parameter.
type: str
log_tcp_errors:
description:
- Modifies log settings for the logging of TCP error packets.
suboptions:
enabled:
description:
- This option enables or disables the logging of TCP error packets.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of TCP error packets.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_tcp_events:
description:
- Modifies the log settings for logging of TCP events on the client side.
suboptions:
enabled:
description:
- This option enables or disables the logging of TCP events on the client side.
- Only B(Established) and B(Closed) states of a TCP session are logged if this
option is enabled.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of TCP events on the client side.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_message_fields:
choices:
- acl_policy_name
- acl_policy_type
- acl_rule_name
- action
- bigip_hostname
- context_name
- context_type
- date_time
- dest_fqdn
- dest_geo
- dest_ip
- dest_port
- drop_reason
- management_ip_address
- protocol
- route_domain
- sa_translation_pool
- sa_translation_type
- source_fqdn
- source_user
- src_geo
- src_ip
- src_port
- translated_dest_ip
- translated_dest_port
- translated_ip_protocol
- translated_route_domain
- translated_src_ip
- translated_src_port
- translated_vlan
- vlan
description:
- Specifies a set of fields to be logged.
- This option is valid when the C(log_storage_format) is set to C(field-list). It
is ignored otherwise.
- The order of the list is important, as the server displays the selected traffic
items in the log sequentially according to it.
elements: str
type: list
log_storage_format:
choices:
- field-list
- none
description:
- Specifies the type of the storage format.
- When creating a new log profile, if this parameter is not specified, the default
is C(none).
- When C(field-list), specifies the log displays only the items you specify in the
C(log_message_fields) list with C(log_format_delimiter) as the delimiter between
the items.
- When C(none), the messages will be logged in the default format, which is C("management_ip_address",
"bigip_hostname","context_type", "context_name","src_geo","src_ip", "dest_geo","dest_ip","src_port",
"dest_port","vlan","protocol","route_domain", "translated_src_ip", "translated_dest_ip",
"translated_src_port","translated_dest_port", "translated_vlan","translated_ip_protocol",
"translated_route_domain", "acl_policy_type", "acl_policy_name","acl_rule_name","action",
"drop_reason","sa_translation_type", "sa_translation_pool","flow_id", "source_user",
"source_fqdn","dest_fqdn").
type: str
log_format_delimiter:
description:
- Specifies the delimiter string when using a C(log_storage_format) of C(field-list).
- When creating a new profile, if this parameter is not specified, the default value
of C(,) (the comma character) is used.
- This option is valid when the C(log_storage_format) is set to C(field-list). It
is ignored otherwise.
- Depending on the delimiter used, it may be necessary to wrap the delimiter in quotes
to prevent YAML errors from occurring.
- The special character C($) is reserved for internal use, and will raise an error
if used.
- The maximum length allowed for this parameter is C(31) characters.
type: str
log_matches_drop_rule:
description:
- Modifies log settings for ACL rules configured with a drop action.
suboptions:
enabled:
description:
- This option enables or disables the logging of packets that match ACL rules
configured with a drop action.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of packets that match ACL rules
configured with a drop action.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_translation_fields:
description:
- This option enables or disables the logging of translated (i.e server side) fields
in ACL match and TCP events.
- Translated fields include (but are not limited to) source address/port, destination
address/port, IP protocol, route domain, and VLAN.
type: bool
log_matches_accept_rule:
description:
- Modifies log settings for ACL rules configured with an "accept" or "accept decisively"
action.
suboptions:
enabled:
description:
- This option enables or disables the logging of packets that match ACL rules
configured with an "accept" or "accept decisively" action.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of packets that match ACL rules
configured with an "accept" or "accept decisively" action.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_matches_reject_rule:
description:
- Modifies log settings for ACL rules configured with a reject action.
suboptions:
enabled:
description:
- This option enables or disables the logging of packets that match ACL rules
configured with a reject action.
type: bool
rate_limit:
description:
- This option sets rate limits for the logging of packets that match ACL rules
configured with a reject action.
- This option is effective only if logging of this message type is enabled.
type: str
type: dict
log_format_delimiter:
description: The delimiter string when using a log_storage_format of field-list.
returned: changed
sample: .
type: str
log_ip_errors:
contains:
enabled:
description: Enable or disable the logging of IP error packets.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of IP error packets.
returned: changed
sample: indefinite
type: str
description: Log settings for logging of IP error packets.
returned: changed
sample: hash/dictionary of values
type: complex
log_matches_accept_rule:
contains:
enabled:
description: Enable or disable the logging of packets that match ACL rules.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of packets that match ACL rules.
returned: changed
sample: indefinite
type: str
description: Log settings for ACL rules configured with an "accept" or "accept decisively"
action.
returned: changed
sample: hash/dictionary of values
type: complex
log_matches_drop_rule:
contains:
enabled:
description: Enable or disable the logging of packets that match ACL rules.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of packets that match ACL rules.
returned: changed
sample: indefinite
type: str
description: Log settings for ACL rules configured with a drop action.
returned: changed
sample: hash/dictionary of values
type: complex
log_matches_reject_rule:
contains:
enabled:
description: Enable or disable the logging of packets that match ACL rules.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of packets that match ACL rules.
returned: changed
sample: indefinite
type: str
description: Log settings for ACL rules configured with a reject action.
returned: changed
sample: hash/dictionary of values
type: complex
log_message_fields:
description: The delimiter string when using a log_storage_format of field-list.
returned: changed
sample:
- acl_policy_name
- acl_policy_type
type: list
log_publisher:
description: The name of the log publisher used for Network events.
returned: changed
sample: /Common/log-publisher
type: str
log_storage_format:
description: The type of the storage format.
returned: changed
sample: field-list
type: str
log_tcp_errors:
contains:
enabled:
description: Enable or disable the logging of TCP error packets.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of TCP error packets.
returned: changed
sample: indefinite
type: str
description: Log settings for logging of TCP error packets.
returned: changed
sample: hash/dictionary of values
type: complex
log_tcp_events:
contains:
enabled:
description: Enable or disable the logging of TCP events on the client side.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for the logging of TCP events on the client side.
returned: changed
sample: indefinite
type: str
description: Log settings for logging of TCP events on the client side.
returned: changed
sample: hash/dictionary of values
type: complex
log_translation_fields:
description: Enable or disable the logging of translated (i.e server side) fields
in ACL match and TCP events.
returned: changed
sample: true
type: bool
rate_limit:
description: The rate limit for all combined network firewall log messages per second.
returned: changed
sample: indefinite
type: str