paloaltonetworks.panos.panos_nat_rule2 (2.19.1) — module

Manage a NAT rule

Added in version 2.10.0 of paloaltonetworks.panos

Authors: Garfield Lee Freeman (@shinmog)

Install collection

Install with ansible-galaxy collection install paloaltonetworks.panos:==2.19.1


Add to requirements.yml

  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1

Description

- Manage a policy NAT rule.
- NOTE: Even though this module supports I(state=merged), due to the complexity of the XML schema for NAT rules, changing a NAT rule's types using I(state=merged) will likely result in an error. Using I(state=merged) will work as normal for simple operations, such as adding additional IP addresses to any of the listings or changing simple variable types.


Requirements

Usage examples

- name: add a nat rule
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'myRule'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Trust-L3']
    to_zones: ['Untrusted-L3']
    to_interface: 'ethernet1/1'
    service: 'any'
    source_addresses: ['any']
    destination_addresses: ['any']
    source_translation_type: 'dynamic-ip-and-port'
    source_translation_address_type: 'interface-address'
    source_translation_interface: 'ethernet1/1'
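
An added playbook fragment, not taken from the module's own documentation, covering three cases the option reference describes: a destination NAT rule positioned with I(location) and I(existing_rule), a list addition with I(state=merged), and a translation-type change made by restating the rule instead of merging. The rule name 'inbound-web', all addresses and the audit comment text are constructed; that the default state applies a full restated definition is an assumption.

```yaml
# Added example. Rule names, zones, addresses and the change reference are constructed.
- name: Publish a web server with destination NAT, evaluated before 'myRule'
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'inbound-web'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Untrusted-L3']
    # PAN-OS matches the destination zone on the pre-NAT address, so this stays
    # the outside zone; to_zones takes a single element.
    to_zones: ['Untrusted-L3']
    service: 'service-https'
    source_addresses: ['198.51.100.0/24']
    destination_addresses: ['203.0.113.10']
    destination_translated_address: '10.0.10.20'
    destination_translated_port: 8443
    location: 'before'
    existing_rule: 'myRule'        # required with location=before/after
    audit_comment: 'CHG-0000 (placeholder) publish web server'

# A simple list addition, the kind of change the description says merged handles.
- name: Allow one more source network on the published rule
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'inbound-web'
    source_addresses: ['192.0.2.0/24']
    state: 'merged'

# Changing a translation type: restate the whole rule instead of using merged.
# Assumption: the default state (present) applies the full definition given here.
- name: Move 'myRule' from interface-address to a translated-address pool
  paloaltonetworks.panos.panos_nat_rule2:
    provider: '{{ provider }}'
    name: 'myRule'
    description: 'Made by Ansible'
    nat_type: 'ipv4'
    from_zones: ['Trust-L3']
    to_zones: ['Untrusted-L3']
    to_interface: 'ethernet1/1'
    service: 'any'
    source_addresses: ['any']
    destination_addresses: ['any']
    source_translation_type: 'dynamic-ip-and-port'
    source_translation_address_type: 'translated-address'
    source_translation_translated_addresses: ['203.0.113.20']
    audit_comment: 'CHG-0000 (placeholder) switch to address pool'
```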

Inputs

    
name:
    description:
    - Name of the rule.
    type: str

port:
    default: 443
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The port number to connect to the PAN-OS device on.
    type: int

tags:
    description:
    - Administrative tags.
    elements: str
    type: list

uuid:
    description:
    - The rule UUID.
    - Note that this is currently more of a read-only field.
    - Usage of the UUID cannot currently take the place of using the rule name as the
      primary identifier.
    type: str

vsys:
    default: vsys1
    description:
    - The vsys this object belongs to.
    type: str

state:
    choices:
    - present
    - absent
    - replaced
    - merged
    - deleted
    - gathered
    default: present
    description:
    - The state.
    type: str

target:
    description:
    - Applicable for Panorama only.
    - Apply this rule exclusively to the listed firewall serial numbers.
    elements: str
    type: list

api_key:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The API key to use instead of generating it using I(username) / I(password).
    type: str

service:
    description:
    - The service.
    type: str

disabled:
    description:
    - Rule is disabled or not.
    type: bool

location:
    choices:
    - top
    - bottom
    - before
    - after
    description:
    - Position to place the rule in.
    type: str

nat_type:
    choices:
    - ipv4
    - nat64
    - nptv6
    default: ipv4
    description:
    - Type of NAT.
    type: str

password:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The password to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      api_key:
        description:
        - The API key to use instead of generating it using I(username) / I(password).
        type: str
      ip_address:
        description:
        - The IP address or hostname of the PAN-OS device being configured.
        type: str
      password:
        description:
        - The password to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
      port:
        default: 443
        description:
        - The port number to connect to the PAN-OS device on.
        type: int
      serial_number:
        description:
        - The serial number of a firewall to use for targeted commands. If I(ip_address)
          is not a Panorama PAN-OS device, then this param is ignored.
        type: str
      username:
        default: admin
        description:
        - The username to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
    type: dict
    version_added: 1.0.0
    version_added_collection: paloaltonetworks.panos

rulebase:
    choices:
    - pre-rulebase
    - rulebase
    - post-rulebase
    description:
    - The rulebase in which the rule is to exist.  If left unspecified, this defaults
      to I(rulebase=pre-rulebase) for Panorama.  For NGFW, this is always set to be I(rulebase=rulebase).
    type: str

to_zones:
    description:
    - To zones.
    - Note that there should only be one element in this list.
    elements: str
    type: list

username:
    default: admin
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The username to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

group_tag:
    description:
    - For PAN-OS 9.0 and above.
    - The group tag.
    type: str

from_zones:
    description:
    - From zones.
    elements: str
    type: list

ha_binding:
    choices:
    - primary
    - both
    - '0'
    - '1'
    description:
    - Device binding configuration in HA Active-Active mode.
    type: str

ip_address:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The IP address or hostname of the PAN-OS device being configured.
    type: str

description:
    description:
    - The description.
    type: str

device_group:
    default: shared
    description:
    - (Panorama only) The device group the operation should target.
    type: str

to_interface:
    description:
    - Egress interface from route lookup.
    type: str

audit_comment:
    description:
    - Add an audit comment to the rule being defined.
    - This is only applied if there was a change to the rule.
    type: str

existing_rule:
    description:
    - If I(location=before) or I(location=after), this option specifies an existing
      rule name.  The rule being managed by this module will be positioned relative
      to the value of this parameter.
    - Required if I(location=before) or I(location=after).
    type: str

negate_target:
    description:
    - Applicable for Panorama only.
    - Negate the value for I(target).
    type: bool

gathered_filter:
    description:
    - When I(state=gathered).
    - An advanced filtering option to filter results returned from PAN-OS.
    - Refer to the guide discussing I(gathered_filter) for more information.
    type: str

source_addresses:
    description:
    - Source addresses.
    - When referencing predefined EDLs, use the config names of the EDLs, not their full names.
      The config names can be found with the CLI command
      "request system external-list show type predefined-ip name <tab>", which lists
      panw-bulletproof-ip-list, panw-highrisk-ip-list, panw-known-ip-list and
      panw-torexit-ip-list.
    elements: str
    type: list

destination_addresses:
    description:
    - Destination addresses.
    - When referencing predefined EDLs, use the config names of the EDLs, not their full names.
      The config names can be found with the CLI command
      "request system external-list show type predefined-ip name <tab>", which lists
      panw-bulletproof-ip-list, panw-highrisk-ip-list, panw-known-ip-list and
      panw-torexit-ip-list.
    elements: str
    type: list

source_translation_type:
    choices:
    - dynamic-ip-and-port
    - dynamic-ip
    - static-ip
    description:
    - Type of source address translation.
    type: str

destination_translated_port:
    description:
    - Static translated destination port number.
    type: int

source_translation_interface:
    description:
    - For I(source_translation_address_type=interface-address).
    - Interface of the source address.
    type: str

source_translation_ip_address:
    description:
    - For I(source_translation_address_type=interface-address).
    - IP address of the source address translation.
    type: str

destination_translated_address:
    description:
    - Static translated destination IP address.
    type: str

source_translation_address_type:
    choices:
    - interface-address
    - translated-address
    description:
    - For I(source_translation_type=dynamic-ip-and-port) or I(source_translation_type=dynamic-ip).
    - Address type.
    type: str

source_translation_fallback_type:
    choices:
    - translated-address
    - interface-address
    description:
    - For I(source_translation_type=dynamic-ip).
    - Type of fallback for dynamic IP source translation.
    type: str

destination_dynamic_translated_port:
    description:
    - For PAN-OS 8.1 and above.
    - Dynamic destination translated port.
    type: int

source_translation_fallback_ip_type:
    choices:
    - ip
    - floating-ip
    description:
    - For I(source_translation_fallback_type=interface-address).
    - The type of the IP address for the fallback source translation IP address.
    type: str

source_translation_fallback_interface:
    description:
    - For I(source_translation_fallback_type=interface-address).
    - The interface for the fallback source translation.
    type: str

destination_dynamic_translated_address:
    description:
    - For PAN-OS 8.1 and above.
    - Dynamic destination translated address.
    type: str

source_translation_fallback_ip_address:
    description:
    - For I(source_translation_fallback_type=interface-address).
    - The IP address of the fallback source translation.
    type: str

source_translation_translated_addresses:
    description:
    - For I(source_translation_address_type=translated-address).
    - Translated addresses of the source address translation.
    elements: str
    type: list

source_translation_static_bi_directional:
    description:
    - For I(source_translation_type=static-ip).
    - Allow reverse translation from translated address to original address.
    type: bool

destination_dynamic_translated_distribution:
    description:
    - For PAN-OS 8.1 and above.
    - Dynamic destination translated distribution.
    type: str

source_translation_static_translated_address:
    description:
    - For I(source_translation_type=static-ip).
    - The IP address for the static source translation.
    type: str

source_translation_fallback_translated_addresses:
    description:
    - For I(source_translation_fallback_type=translated-address).
    - Addresses for translated address types of fallback source translation.
    elements: str
    type: list