fp_secure_flexedge_sdwan.ngfw_smc_ansible.firewall_nat_rule (1.0.1) — module

Create, modify or delete a firewall NAT rule

Added in version 2.5 of fp_secure_flexedge_sdwan.ngfw_smc_ansible

Authors: unknown

preview | supported by community

Install collection

Install with ansible-galaxy collection install fp_secure_flexedge_sdwan.ngfw_smc_ansible:==1.0.1


Add to requirements.yml

  collections:
    - name: fp_secure_flexedge_sdwan.ngfw_smc_ansible
      version: 1.0.1

Description

Firewall NAT rules can be added or removed from either a top level policy or a sub-policy. Source, destination and service elements can be used and referenced by their type and name (they must be pre-created). This module requires SMC 6.4.3 or later to support changes to NAT rules.

Usage examples

- name: Firewall NAT rule examples
  firewall_nat_rule:
    policy: TestPolicy
    rules:
    - comment: added a comment
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 60000
          min_port: 1024
      is_disabled: false
      name: dynamic source nat with ports and IP redirect
      services:
        any: true
      sources:
        any: true
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic source nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
    - comment: testcomment
      destinations:
        host:
        - host-3.3.3.3
      is_disabled: false
      name: static_dest_nat with IP redirect
      services:
        any: true
      sources:
        any: true
      static_dst_nat:
        automatic_proxy: true
        original_value:
          max_port: 90
          min_port: 90
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 9999
          min_port: 9999
      used_on: ANY
    - comment: null
      destinations:
        any: true
      is_disabled: false
      name: static_src_nat with IP address
      services:
        any: true
      sources:
        host:
        - host-4.4.4.4
      static_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
      used_on: ANY
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic_source_nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
      used_on: ANY

Inputs

rules:
    description:
    - Source elements to add to the rule. Elements need to specify the type of element
      to add. If source is not provided, the rule source cell will be set to none and
      the rule will effectively be disabled.
    suboptions:
      add_after:
        description:
        - Provide a rule tag ID for which to add the rule after. This is only relevant
          for rules that are being created.
        type: str
      add_before:
        description:
        - Provide a rule tag ID for which to add the rule before. This is only relevant
          for rules that are being created.
        type: str
      comment:
        description:
        - Optional comment for this rule
        type: str
      destinations:
        choices:
        - domain_name
        - expression
        - group
        - host
        - ip_list
        - network
        - engine
        - router
        - netlink
        - interface_zone
        description:
        - Destinations for use in this rule. You can use a shortcut for 'any' or 'none'
          in this field, by providing a simple dict with keys 'any' or 'none' and value
          of true. Otherwise this should be a dict with keys using valid element types
          and value should be a list of those element types by name. The choices represent
          valid keys for the dict. If no destinations field is provided, 'any' is used
        type: dict
      dynamic_src_nat:
        description:
        - Dynamic source NAT rule. A dynamic source NAT rule uses the value of the rule
          source field and requires either an IP or element as the translated address.
          You can also define ports to use for PAT. This NAT type is typically used for
          outbound NAT and PAT operations.
      is_disabled:
        default: false
        description:
        - Whether this rule is disabled. Set to true to disable the rule, false otherwise.
      name:
        description:
        - Name for this rule. Required if adding a new rule. Not required for modifications
        required: true
        type: str
      services:
        choices:
        - service_group
        - tcp_service_group
        - udp_service_group
        - ip_service_group
        - icmp_service_group
        - tcp_service
        - udp_service
        - ip_service
        - ethernet_service
        - icmp_service
        - application_situation
        - url_category
        description:
        - Services for this rule. You can use a shortcut for 'any' or 'none' in this field,
          by providing a simple dict with keys 'any' or 'none' and value of true. Otherwise
          this should be a dict with keys using valid element types and value should be
          a list of those element types by name. The choices represent valid keys for
          the dict. If no services field is provided, 'any' is used
        type: dict
      sources:
        choices:
        - domain_name
        - expression
        - group
        - host
        - ip_list
        - network
        - engine
        - router
        - netlink
        - interface_zone
        description:
        - Sources for use in this rule. You can use a shortcut for 'any' or 'none' in
          this field, by providing a simple dict with keys 'any' or 'none' and value of
          true. Otherwise this should be a dict with keys using valid element types and
          value should be a list of those element types by name. The choices represent
          valid keys for the dict. If no sources field is provided, 'any' is used
        type: dict
      static_dst_nat:
        description:
        - Static destination NAT rule. Typically used for inbound traffic. This rule uses the
          rule destination field and requires either an IP or element as the translated
          address. You can also specify source ports as single values or ranges to translate.
          This is useful if, for example, you want inbound traffic on port 80 redirected to
          an internal host on 8080.
      static_src_nat:
        description:
        - Static source NAT rule. A static source NAT rule uses the value of the rule
          source field and requires either an IP or element as the translated address.
          This is mutually exclusive with dynamic_src_nat.
      tag:
        description:
        - Tag retrieved from facts module. The tag identifies the rule uniquely and is
          a required field when making modifications. If tag is present, the operation
          becomes a modify. Otherwise it becomes a create and I(name) is required.
        type: str
    type: list

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Create or delete a firewall cluster
    required: false

policy:
    description:
    - The policy which to operate on. Any rule modifications are done in the context of
      this policy
    required: true
    type: str

sub_policy:
    description:
    - The sub policy which to operate on. This is mutually exclusive with the I(policy)
      parameter. You can operate on rules within a firewall policy or firewall sub policy.
    type: str
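A pre-flight check for the rule specs described above, written here as an added example (it is not part of the collection): it catches a malformed sources/destinations/services cell, an unsupported element type, a missing name on a create, or a rule carrying both dynamic_src_nat and static_src_nat before the task ever reaches the SMC. The element-type sets are the choices listed above; the port-range sanity check on translated_value is an assumption of this example.

```python
"""Validate firewall_nat_rule specs before running the task (added example)."""
SRC_DST_TYPES = {"domain_name", "expression", "group", "host", "ip_list", "network",
                 "engine", "router", "netlink", "interface_zone"}
SERVICE_TYPES = {"service_group", "tcp_service_group", "udp_service_group",
                 "ip_service_group", "icmp_service_group", "tcp_service", "udp_service",
                 "ip_service", "ethernet_service", "icmp_service", "application_situation",
                 "url_category"}
NAT_KEYS = ("dynamic_src_nat", "static_src_nat", "static_dst_nat")


def check_cell(cell, allowed, field):
    """A cell is either an any/none shortcut or a dict of element type -> list of names."""
    if cell is None:
        return []  # omitted field: the module defaults it to 'any'
    if not isinstance(cell, dict):
        return [f"{field}: must be a dict"]
    if set(cell) & {"any", "none"}:
        if len(cell) != 1 or list(cell.values())[0] is not True:
            return [f"{field}: 'any'/'none' shortcut must be the only key, with value true"]
        return []
    errs = []
    for etype, names in cell.items():
        if etype not in allowed:
            errs.append(f"{field}: unsupported element type '{etype}'")
        elif not isinstance(names, list) or not names:
            errs.append(f"{field}: '{etype}' must map to a non-empty list of element names")
    return errs


def check_translated(nat, key):
    """translated_value needs an ip_descriptor or an element (name + type); ports are optional."""
    tv = nat.get("translated_value")
    if not isinstance(tv, dict) or not ("ip_descriptor" in tv or {"name", "type"} <= set(tv)):
        return [f"{key}: translated_value needs ip_descriptor or name+type"]
    lo, hi = tv.get("min_port"), tv.get("max_port")
    # Assumption of this example: ports come as a pair within 1..65535, min <= max
    if (lo is None) != (hi is None) or (lo is not None and not 0 < lo <= hi <= 65535):
        return [f"{key}: port range must be 1..65535 with min_port <= max_port"]
    return []


def validate_rule(rule):
    """Return a list of problems for one entry of the module's 'rules' list (empty = OK)."""
    errs = []
    if not rule.get("tag") and not rule.get("name"):
        errs.append("rule: 'name' is required when creating (no tag given)")
    errs += check_cell(rule.get("sources"), SRC_DST_TYPES, "sources")
    errs += check_cell(rule.get("destinations"), SRC_DST_TYPES, "destinations")
    errs += check_cell(rule.get("services"), SERVICE_TYPES, "services")
    present = [k for k in NAT_KEYS if k in rule]
    if "dynamic_src_nat" in present and "static_src_nat" in present:
        errs.append("dynamic_src_nat and static_src_nat are mutually exclusive")
    for k in present:
        errs += check_translated(rule[k], k)
    return errs
```

Run it over the `rules` list of a task (for example after loading the playbook YAML) and fail the pipeline if any rule returns a non-empty list.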

Outputs

changed:
  description: Whether or not the change succeeded
  returned: always
  type: bool
state:
  description: The current state of the element
  returned: always
  type: dict