fp_secure_flexedge_sdwan.ngfw_smc_ansible.firewall_rule (1.0.1) — module

Create, modify or delete a firewall rule

Added in version 2.5 of fp_secure_flexedge_sdwan.ngfw_smc_ansible

Authors: unknown

preview | supported by community

Install collection

Install with ansible-galaxy collection install fp_secure_flexedge_sdwan.ngfw_smc_ansible:==1.0.1


Add to requirements.yml

  collections:
    - name: fp_secure_flexedge_sdwan.ngfw_smc_ansible
      version: 1.0.1

Description

Firewall rules can be added or removed from either a top level policy or a sub-policy. Source, destination and service elements can be used and referenced by their type and name (they must be pre-created). Many other rule settings are possible, including logging, inspection and connection tracking settings.

Usage examples

- name: Example log all rule for top of rule set
  firewall_rule:
    policy: TestPolicy
    rules:
    -   action: continue
        comment: logging rule
        log_options:
          log_accounting_info_mode: true
          log_closing_mode: true
          log_level: stored
        is_disabled: false
        name: Log all continue rule
- name: Create a rule with specific sources and services
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
    -   action: allow
        comment: my comment
        connection_tracking:
            mss_enforced: true
            mss_enforced_max: 1555
            mss_enforced_min: 0
            timeout: 11
        destinations:
            group:
            - foogroup
            host:
            - host-1.1.1.1
            ip_list:
            - Amazon S3
            network:
            - foonet
        inspection_options:
            decrypting: null
            deep_inspection: null
            file_filtering: null
        is_disabled: false
        log_options:
            application_logging: enforced
            eia_executable_logging: 'off'
            log_accounting_info_mode: false
            log_closing_mode: true
            log_compression: 'off'
            log_level: none
            log_payload_additionnal: true
            log_payload_excerpt: false
            log_payload_record: false
            log_severity: -1
            user_logging: enforced
        name: ruletest2
        services:
            ip_service:
            - CHAOS
            tcp_service:
            - AOL
            udp_service:
            - Biff
        sources:
            country:
            - China
            interface_nic_x_ip_alias:
            - $$ Interface ID 0.ip
            single_fw:
            - myfw
- name: Create a rule to use VPN, requires a vpn_policy or mobile_vpn set
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    inspection_policy: High-Security Inspection Template
    policy: TestPolicy
    rules:
    -   action: enforce_vpn
        comment: my comment
        connection_tracking:
            mss_enforced: false
            mss_enforced_max: -1
            mss_enforced_min: -1
            timeout: -1
        destinations:
            any: true
        inspection_options:
            decrypting: null
            deep_inspection: null
            file_filtering: null
        is_disabled: false
        authentication_options:
            method:
            - LDAP Authentication
            require_auth: true
            users:
            - dc=pages,dc=local,domain=myldapdomain
        log_options:
            application_logging: default
            eia_executable_logging: default
            log_accounting_info_mode: true
            log_closing_mode: false
            log_compression: 'off'
            log_level: stored
            log_payload_additionnal: false
            log_payload_excerpt: false
            log_payload_record: false
            log_severity: -1
        name: ruletest2
        services:
            any: true
        sources:
            any: true
        vpn_policy: MOBILE CLIENT VPN
    template: Firewall Inspection Template
- name: Add a deny rule after specified rule using add_after syntax
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
    -   action: discard
        comment: deny rule
        is_disabled: false
        name: my deny
        add_after: '2097193.0'
- name: Delete a rule
  firewall_rule:
    policy: TestPolicy
    rules:
    -   tag: '2097203.0'
    state: absent

Inputs

rules:
    description:
    - Source elements to add to the rule. Elements need to specify the type of element
      to add. If source is not provided, the rule source cell will be set to none and
      the rule will effectively be disabled. SMC version 6.6 or greater requires actions
      to be given as a list rather than a string.
    suboptions:
      action:
        choices:
        - allow
        - discard
        - refuse
        - continue
        - jump
        - apply_blacklist
        - apply_vpn
        - enforce_vpn
        - forward_vpn
        default: allow
        description:
        - Required action for the rule
        type: str
      add_after:
        description:
        - Provide a rule tag ID for which to add the rule after. This is only relevant
          for rules that are being created.
        type: str
      add_before:
        description:
        - Provide a rule tag ID for which to add the rule before. This is only relevant
          for rules that are being created.
        type: str
      authentication_options:
        description:
        - Set authentication options for this rule
        suboptions:
          method:
            choices:
            - IPsec Certificate
            - LDAP Authentication
            - Network Policy Server
            - User password
            - Pre-Shared Key Method
            description:
            - Authentication method(s) supported for this rule. Default authentication
              methods are provided as choices. If you've created a custom authentication
              service, reference it by name.
            type: list
          require_auth:
            default: false
            description:
            - Whether to require auth on this rule. If not set it is false. To require
              authentication set to true and specify I(method) and I(users)
            type: bool
          users:
            description:
            - Users that are allowed to authenticate. If using an LDAP authentication
              resource specify users by their fully qualified DN and specify the system
              created External LDAP domain. Examples of LDAP configured users are 'CN=myuser,CN=Users,DC=mydomain,DC=local,domain=myldapdomain'
              'OU=Domain Controllers,DC=mydomain,DC=local,domain=myldapdomain' 'dc=mydomain,dc=local,domain=myldapdomain'
            type: list
        type: dict
      comment:
        description:
        - Optional comment for this rule
        type: str
      connection_tracking:
        description:
        - Optional settings to control connection tracking on the rule. Primary connection
          setting fields allow you to enforce MSS settings or modify the inspection mode
          to strict, loose, normal or off.
        required: false
        suboptions:
          mss_enforced:
            default: false
            description:
            - Whether to enforce mss settings on this rule match.
            type: bool
          mss_enforced_max:
            default: -1
            description:
            - Max value for MSS enforcement. This value must be larger than the value
              of I(mss_enforced_min). Required if I(mss_enforced). Set to '-1' to disable
              or set I(mss_enforced) to false
            type: int
          mss_enforced_min:
            default: -1
            description:
            - Min value for MSS enforcement. Used with I(mss_enforced_max). The value
              must be smaller than I(mss_enforced_max). Set to '-1' to disable or set
              I(mss_enforced) to false
            type: int
          state:
            choices:
            - false
            - loose
            - normal
            - strict
            - null
            description:
            - Set the connection tracking mode for the state engine. Connection tracking
              controls how state is tracked for this rule match. If set use null to unset
              back to the default state of inherit from continue rule
            type: str
          timeout:
            default: -1
            description:
            - The timeout (in seconds) after which inactive connections are closed. This
              timeout only concerns idle connections. Set to '-1' to disable
            type: int
        type: dict
      destinations:
        choices:
        - domain_name
        - expression
        - group
        - host
        - ip_list
        - network
        - engine
        - router
        - netlink
        - interface_zone
        description:
        - Destinations for use in this rule. You can use a shortcut for 'any' or 'none'
          in this field, by providing a simple dict with keys 'any' or 'none' and value
          of true. Otherwise this should be a dict with keys using valid element types
          and value should be a list of those element types by name. The choices represent
          valid keys for the dict. If no destinations field is provided, 'any' is used
        type: dict
      inspection_options:
        description:
        - Set inspection features on or off
        required: false
        suboptions:
          decrypting:
            choices:
            - true
            - false
            - null
            description:
            - Whether to allow or deny decryption on this rule match. Set to null to set
              back to inherit from continue rule
            type: bool
          deep_inspection:
            choices:
            - true
            - false
            - null
            description:
            - Whether to enable deep inspection on this rule match. Set to null to set
              back to inherit from continue rule
            type: bool
          file_filtering:
            choices:
            - true
            - false
            - null
            description:
            - Whether to enable file filtering on this rule match. Set to null to set
              back to inherit from continue rule
            type: bool
        type: dict
      is_disabled:
        default: false
        description:
        - Whether this rule is disabled. Set to true to disable the rule, false otherwise.
      log_options:
        description:
        - Log options for this rule
        suboptions:
          application_logging:
            choices:
            - enforced
            - default
            - false
            default: default
            description:
            - Whether to enable application logging for the rule. Default sets it to inherit
              from continue rule
            type: str
          eia_executable_logging:
            choices:
            - enforced
            - default
            - false
            default: default
            description:
            - Whether to enable EIA logging for the rule. Default sets it to inherit from
              continue rule
            type: str
          log_accounting_info_mode:
            default: false
            description:
            - Both connection opening and closing are logged and information on the volume
              of traffic is collected. This sets connection closing to 'log accounting
              information'.
            type: bool
          log_closing_mode:
            default: false
            description:
            - Whether to log an event when the connection closes. This is recommended
              to capture the application info which might only be written on a connection
              close event. This setting is only in effect when I(log_level) is not none.
              This sets connection closing to 'normal'.
            type: bool
          log_level:
            choices:
            - none
            - transient
            - stored
            - essential
            - alert
            - undefined
            description:
            - Log level for this rule. Undefined sets it to inherit from continue rule
            type: str
          log_payload_additionnal:
            default: false
            description:
            - Log an additional payload with the log entry. By default excerpt logs 4K
            type: bool
          log_payload_excerpt:
            default: false
            description:
            - Whether to log an excerpt of 4K bytes for the log entries. Use I(log_payload_additionnal)
              to change from 4K to smaller or larger
            type: bool
          log_payload_record:
            default: false
            description:
            - Logs the payload up to the 4K specified number of bytes
            type: bool
          user_logging:
            choices:
            - enforced
            - default
            - false
            default: default
            description:
            - Whether to enable user logging on the rule. Default sets it to inherit from
              continue rule
            type: str
        type: dict
      name:
        description:
        - Name for this rule. Required if adding a new rule. Not required for modifications
        required: true
        type: str
      services:
        choices:
        - service_group
        - tcp_service_group
        - udp_service_group
        - ip_service_group
        - icmp_service_group
        - tcp_service
        - udp_service
        - ip_service
        - ethernet_service
        - icmp_service
        - application_situation
        - url_category
        description:
        - Services for this rule. You can use a shortcut for 'any' or 'none' in this field,
          by providing a simple dict with keys 'any' or 'none' and value of true. Otherwise
          this should be a dict with keys using valid element types and value should be
          a list of those element types by name. The choices represent valid keys for
          the dict. If no services field is provided, 'any' is used
        type: dict
      sources:
        choices:
        - domain_name
        - expression
        - group
        - host
        - ip_list
        - network
        - engine
        - router
        - netlink
        - interface_zone
        description:
        - Sources for use in this rule. You can use a shortcut for 'any' or 'none' in
          this field, by providing a simple dict with keys 'any' or 'none' and value of
          true. Otherwise this should be a dict with keys using valid element types and
          value should be a list of those element types by name. The choices represent
          valid keys for the dict. If no sources field is provided, 'any' is used
        type: dict
      tag:
        description:
        - Tag retrieved from facts module. The tag identifies the rule uniquely and is
          a required field when making modifications. If tag is present, the operation
          becomes a modify. Otherwise it becomes a create and I(name) is required.
        type: str
    type: list
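As an added example (not the collection's own code), a small Python check that applies the constraints documented above to one entry of the rules list, so a playbook can be validated before it is sent to the SMC. It assumes rule dicts shaped like the usage examples on this page (the element-type sets and the any/none shortcut come from the choices and descriptions above).

```python
# Added example, not part of the ngfw_smc_ansible collection: validates a
# firewall_rule "rules" entry against the constraints documented on this page.
SOURCE_DEST_TYPES = {"domain_name", "expression", "group", "host", "ip_list",
                     "network", "engine", "router", "netlink", "interface_zone"}
SERVICE_TYPES = {"service_group", "tcp_service_group", "udp_service_group",
                 "ip_service_group", "icmp_service_group", "tcp_service",
                 "udp_service", "ip_service", "ethernet_service", "icmp_service",
                 "application_situation", "url_category"}
ACTIONS = {"allow", "discard", "refuse", "continue", "jump", "apply_blacklist",
           "apply_vpn", "enforce_vpn", "forward_vpn"}


def check_elements(field, value, allowed):
    # Problems with a sources/destinations/services cell; [] when it is valid.
    if value is None:          # field omitted: the module treats it as 'any'
        return []
    if not isinstance(value, dict):
        return [f"{field}: must be a dict, got {type(value).__name__}"]
    if "any" in value or "none" in value:   # shortcut form: {any: true}
        if len(value) != 1 or next(iter(value.values())) is not True:
            return [f"{field}: 'any'/'none' must be the only key and set to true"]
        return []
    problems = []
    for key, names in value.items():        # element-type form: {host: [name, ...]}
        if key not in allowed:
            problems.append(f"{field}: unknown element type '{key}'")
        elif not isinstance(names, list) or not all(isinstance(n, str) for n in names):
            problems.append(f"{field}.{key}: must be a list of element names")
    return problems


def check_rule(rule):
    # Returns every documented-constraint violation for one rules[] entry.
    problems = []
    if "tag" not in rule and not rule.get("name"):   # no tag => create, name required
        problems.append("name: required when creating a rule (no tag given)")
    action = rule.get("action", "allow")
    if action not in ACTIONS:
        problems.append(f"action: '{action}' is not a valid choice")
    for field, allowed in (("sources", SOURCE_DEST_TYPES),
                           ("destinations", SOURCE_DEST_TYPES), ("services", SERVICE_TYPES)):
        problems += check_elements(field, rule.get(field), allowed)
    ct = rule.get("connection_tracking") or {}
    if ct.get("mss_enforced"):   # max is required and must be larger than min
        lo, hi = ct.get("mss_enforced_min", -1), ct.get("mss_enforced_max", -1)
        if hi == -1:
            problems.append("connection_tracking: mss_enforced_max required when mss_enforced")
        elif lo >= hi:
            problems.append("connection_tracking: mss_enforced_min must be below mss_enforced_max")
    return problems
```

Run check_rule over each item of a task's rules list and fail the play on a non-empty result; a rule given only a tag (a modification or deletion) passes with no further fields.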

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Create or delete a firewall cluster
    required: false

policy:
    description:
    - The policy which to operate on. Any rule modifications are done in the context of
      this policy
    required: true
    type: str

sub_policy:
    description:
    - The sub policy which to operate on. This is mutually exclusive with the I(policy)
      parameter. You can operate on rules within a firewall policy or firewall sub policy.
    type: str

Outputs

changed:
  description: Whether or not the change succeeded
  returned: always
  type: bool
state:
  description: The current state of the element
  returned: always
  type: dict