Try SpotterManage AFM Firewall rules
| "added in version" 1.0.0 of f5networks.f5_modules"
Authors: Tim Rupp (@caphrim007), Wojciech Wypior (@wojtek0806)
Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0
collections:
- name: f5networks.f5_modules
version: 1.28.0Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the C(bigip_security_policy) module. Rules can also be pre-ordered using the C(bigip_security_policy) module and then later updated using the C(bigip_firewall_rule) module.
- name: Create a new rule in the foo firewall policy
bigip_firewall_rule:
name: foo
parent_policy: policy1
protocol: tcp
source:
- address: 1.2.3.4
- address: "::1"
- address_list: foo-list1
- address_range: 1.1.1.1-2.2.2.2
- vlan: vlan1
- country: US
- port: 22
- port_list: port-list1
- port_range: 80-443
destination:
- address: 1.2.3.4
- address: "::1"
- address_list: foo-list1
- address_range: 1.1.1.1-2.2.2.2
- country: US
- port: 22
- port_list: port-list1
- port_range: 80-443
irule: irule1
action: accept
logging: true
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Create an ICMP specific rule
bigip_firewall_rule:
name: foo
protocol: icmp
icmp_message:
type: 0
source:
- country: US
action: drop
logging: true
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
- name: Add a new policy rule that uses an existing rule list
bigip_firewall_rule:
name: foo
parent_policy: foo_policy
rule_list: rule-list1
provider:
password: secret
server: lb.mydomain.com
user: admin
delegate_to: localhost
name:
description:
- Specifies the name of the rule.
required: true
type: str
irule:
description:
- Specifies an iRule that is applied to the firewall rule.
- An iRule can be started when the firewall rule matches traffic.
type: str
state:
choices:
- present
- absent
default: present
description:
- When C(state) is C(present), ensures the rule exists.
- When C(state) is C(absent), ensures the rule is removed.
type: str
action:
choices:
- accept
- drop
- reject
- accept-decisively
description:
- Specifies the action for the firewall rule.
- When C(accept), allows packets with the specified source, destination, and protocol
to pass through the firewall. Packets that match the rule and are accepted, traverse
the system as if the firewall is not present.
- When C(drop), drops packets with the specified source, destination, and protocol.
Dropping a packet is a silent action with no notification to the source or destination
systems. Dropping the packet causes the connection to be retried until the retry
threshold is reached.
- When C(reject), rejects packets with the specified source, destination, and protocol.
When a packet is rejected, the firewall sends a destination unreachable message
to the sender.
- When C(accept-decisively), allows packets with the specified source, destination,
and protocol to pass through the firewall, and does not require any further processing
by any of the further firewalls. Packets that match the rule and are accepted, traverse
the system as if the firewall is not present. If the Rule List is applied to a virtual
server, management IP, or self IP firewall rule, then Accept Decisively is equivalent
to Accept.
- When creating a new rule, if this parameter is not provided, the default is C(reject).
type: str
source:
description:
- Specifies packet sources to which the rule applies.
- Leaving this field blank applies the rule to all addresses and all ports.
- You can specify the following source items. An IPv4 or IPv6 address, an IPv4 or
IPv6 address range, geographic location, VLAN, address list, port, port range, port
list or address list.
- You can specify a mix of different types of items for the source address.
- A special value C(any) can be specified to all the source items to match any value
for the respective item.
elements: dict
suboptions:
address:
description:
- Specifies a specific IP address.
type: str
address_list:
description:
- Specifies an existing address list.
type: str
address_range:
description:
- Specifies an address range.
type: str
country:
description:
- Specifies a country code.
type: str
port:
description:
- Specifies a single numeric port.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
port_list:
description:
- Specifes an existing port list.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
port_range:
description:
- Specifies a range of ports, which is two port values separated by a hyphen.
The port to the left of the hyphen should be less than the port to the right.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
vlan:
description:
- Specifies VLANs to which the rule applies.
- The VLAN source refers to the packet's source.
type: str
type: list
status:
choices:
- enabled
- disabled
- scheduled
description:
- Indicates the activity state of the rule or rule list.
- When C(disabled), specifies the rule or rule list does not apply at all.
- When C(enabled), specifies the system applies the firewall rule or rule list to
the given context and addresses.
- When C(scheduled), specifies the system applies the rule or rule list according
to the specified schedule.
- When creating a new rule, if this parameter is not provided, the default is C(enabled).
type: str
logging:
description:
- Specifies whether logging is enabled or disabled for the firewall rule.
- When creating a new rule, if this parameter is not specified, the default if C(false).
type: bool
protocol:
description:
- Specifies the protocol to which the rule applies.
- Protocols may be specified by either their name or numeric value.
- A special protocol value C(any) can be specified to match any protocol. The numeric
equivalent of this protocol is C(255).
type: str
provider:
description:
- A dict object containing connection details.
suboptions:
auth_provider:
description:
- Configures the auth provider for to obtain authentication tokens from the remote
device.
- This option is really used when working with BIG-IQ devices.
type: str
no_f5_teem:
default: false
description:
- If C(yes), TEEM telemetry data is not sent to F5.
- You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
- Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
type: bool
password:
aliases:
- pass
- pwd
description:
- The password for the user account used to connect to the BIG-IP or the BIG-IQ.
- You may omit this option by setting the environment variable C(F5_PASSWORD).
required: true
type: str
server:
description:
- The BIG-IP host or the BIG-IQ host.
- You may omit this option by setting the environment variable C(F5_SERVER).
required: true
type: str
server_port:
default: 443
description:
- The BIG-IP server port.
- You may omit this option by setting the environment variable C(F5_SERVER_PORT).
type: int
timeout:
description:
- Specifies the timeout in seconds for communicating with the network device for
either connecting or sending commands. If the timeout is exceeded before the
operation is completed, the module will error.
type: int
transport:
choices:
- rest
default: rest
description:
- Configures the transport connection to use when connecting to the remote device.
type: str
user:
description:
- The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
privileges on the device.
- You may omit this option by setting the environment variable C(F5_USER).
required: true
type: str
validate_certs:
default: true
description:
- If C(no), SSL certificates are not validated. Use this only on personally controlled
sites using self-signed certificates.
- You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
type: bool
type: dict
version_added: 1.0.0
version_added_collection: f5networks.f5_modules
schedule:
description:
- Specifies a schedule for the firewall rule.
- You configure schedules to define days and times when the firewall rule is made
active.
type: str
partition:
default: Common
description:
- Device partition to manage resources on.
type: str
rule_list:
description:
- Specifies an existing rule list to use in the rule.
- This parameter is mutually exclusive with many of the other individual-rule specific
settings. This includes C(logging), C(action), C(source), C(destination), C(irule'),
C(protocol) and C(logging).
- This parameter is only used when C(parent_policy) is specified, otherwise it is
ignored.
type: str
description:
description:
- The rule description.
type: str
destination:
description:
- Specifies packet destinations to which the rule applies.
- Leaving this field blank applies the rule to all addresses and all ports.
- You can specify the following destination items. An IPv4 or IPv6 address, an IPv4
or IPv6 address range, geographic location, VLAN, address list, port, port range,
port list or address list.
- You can specify a mix of different types of items for the source address.
- A special value C(any) can be specified to the destination items to match any value
for the respective item.
elements: dict
suboptions:
address:
description:
- Specifies a specific IP address.
type: str
address_list:
description:
- Specifies an existing address list.
type: str
address_range:
description:
- Specifies an address range.
type: str
country:
description:
- Specifies a country code.
type: str
port:
description:
- Specifies a single numeric port.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
port_list:
description:
- Specifes an existing port list.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
port_range:
description:
- Specifies a range of ports, which is two port values separated by a hyphen.
The port to the left of the hyphen should be less than the port to the right.
- This option is only valid when C(protocol) is C(tcp)(6) or C(udp)(17).
type: str
type: list
icmp_message:
description:
- Specifies the Internet Control Message Protocol (ICMP) or ICMPv6 message C(type)
and C(code) the rule uses.
- This parameter is only relevant when C(protocol) is either C(icmp)(1) or C(icmpv6)(58).
elements: dict
suboptions:
code:
description:
- Specifies the code returned in response to the specified ICMP message type.
- You can specify codes, each set appropriate to the associated type, such as
No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated
with Destination Unreachable (3)), or you can specify C(any) to indicate the
system applies the rule for all codes in response to that specific ICMP message.
- You can also specify an arbitrary code.
- The ICMP protocol contains definitions for the existing message code and number
pairs.
type: str
type:
description:
- Specifies the type of ICMP message.
- You can specify control messages, such as Echo Reply (0) and Destination Unreachable
(3), or you can specify C(any) to indicate the system applies the rule for all
ICMP messages.
- You can also specify an arbitrary ICMP message.
- The ICMP protocol contains definitions for the existing message type and number
pairs.
type: str
type: list
parent_policy:
description:
- The policy which contains the rule to be managed.
- One of either C(parent_policy) or C(parent_rule_list) is required.
type: str
parent_rule_list:
description:
- The rule list which contains the rule to be managed.
- One of either C(parent_policy) or C(parent_rule_list) is required.
type: str
action:
description: The action for the firewall rule.
returned: changed
sample: drop
type: str
description:
description: The rule description.
returned: changed
sample: MyRule
type: str
destination:
contains:
address:
description: A specific IP address.
returned: changed
sample: 192.168.1.1
type: str
address_list:
description: An existing address list.
returned: changed
sample: foo-list1
type: str
address_range:
description: The address range.
returned: changed
sample: 1.1.1.1-2.2.2.2
type: str
country:
description: A country code.
returned: changed
sample: US
type: str
port:
description: Single numeric port.
returned: changed
sample: 8080
type: str
port_list:
description: An existing port list.
returned: changed
sample: port-list1
type: str
port_range:
description: The port range.
returned: changed
sample: 80-443
type: str
description: The packet destinations to which the rule applies.
returned: changed
sample: hash/dictionary of values
type: complex
icmp_message:
contains:
code:
description: The code returned in response to the specified ICMP message type.
returned: changed
sample: 1
type: str
type:
description: The type of ICMP message.
returned: changed
sample: 0
type: str
description: The (ICMP) or ICMPv6 message C(type) and C(code) that the rule uses.
returned: changed
sample: hash/dictionary of values
type: complex
irule:
description: The iRule that is applied to the firewall rule.
returned: changed
sample: _sys_auth_radius
type: str
logging:
description: Enable or Disable logging for the firewall rule.
returned: changed
sample: true
type: bool
name:
description: Name of the rule.
returned: changed
sample: FooRule
type: str
parent_policy:
description: The policy which contains the rule to be managed.
returned: changed
sample: FooPolicy
type: str
parent_rule_list:
description: The rule list which contains the rule to be managed.
returned: changed
sample: FooRuleList
type: str
protocol:
description: The protocol to which the rule applies.
returned: changed
sample: any
type: str
rule_list:
description: An existing rule list to use in the parent policy.
returned: changed
sample: rule-list-1
type: str
schedule:
description: The schedule for the firewall rule.
returned: changed
sample: Foo_schedule
type: str
source:
contains:
address:
description: A specific IP address.
returned: changed
sample: 192.168.1.1
type: str
address_list:
description: An existing address list.
returned: changed
sample: foo-list1
type: str
address_range:
description: The address range.
returned: changed
sample: 1.1.1.1-2.2.2.2
type: str
country:
description: A country code.
returned: changed
sample: US
type: str
port:
description: Single numeric port.
returned: changed
sample: 8080
type: str
port_list:
description: An existing port list.
returned: changed
sample: port-list1
type: str
port_range:
description: The port range.
returned: changed
sample: 80-443
type: str
vlan:
description: Source VLANs for the packets.
returned: changed
sample: vlan1
type: str
description: The packet sources to which the rule applies.
returned: changed
sample: hash/dictionary of values
type: complex
status:
description: The activity state of the rule or rule list.
returned: changed
sample: scheduled
type: str