paloaltonetworks.panos.panos_query_rules (2.19.1) — module

Test for a match against a security rule on PAN-OS devices.

Added in version 1.0.0 of paloaltonetworks.panos

Authors: Robert Hagen (@stealthllama)

Install collection

Install with ansible-galaxy collection install paloaltonetworks.panos:==2.19.1


Add to requirements.yml

  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1

Description

Security policies allow you to enforce rules and take action, and can be as general or specific as needed.


Requirements

Usage examples

# Security-rulebase check for a UDP/53 (protocol 17) flow from 10.0.0.0 to 8.8.8.8
# carrying the "dns" application; the matching rule is captured in "result".
- name: check security rules for Google DNS
  paloaltonetworks.panos.panos_match_rule:
    provider: "{{ provider }}"
    source_ip: "10.0.0.0"
    destination_ip: "8.8.8.8"
    application: "dns"
    destination_port: "53"
    protocol: "17"
  register: result
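# Print the rule matched by the preceding task. Native block-YAML module args
# (instead of the key=value free-form string) and the FQCN match the rest of
# the examples, which already use fully qualified module names.
- name: show the matching rule
  ansible.builtin.debug:
    msg: "{{ result.rule }}"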
# Security-rulebase check for inbound TCP/22 to 192.168.100.115 from any source,
# additionally matching on the User-ID identity of the source.
- name: check security rules inbound SSH with user match
  paloaltonetworks.panos.panos_match_rule:
    provider: "{{ provider }}"
    source_ip: "0.0.0.0"
    # Keep the single quotes: they leave the backslash literal, whereas a
    # double-quoted "\j" would be an invalid YAML escape.
    source_user: 'mydomain\jsmith'
    destination_ip: "192.168.100.115"
    destination_port: "22"
    protocol: "6"
  register: result
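# Print the rule matched by the preceding task. Native block-YAML module args
# (instead of the key=value free-form string) and the FQCN match the rest of
# the examples, which already use fully qualified module names.
- name: show the matching rule
  ansible.builtin.debug:
    msg: "{{ result.rule }}"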
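# NAT-rulebase check for TCP traffic from 10.10.118.50 in Prod-DMZ leaving via
# ethernet1/2 towards the Internet zone. The argument spec on this page marks
# destination_port as required, so the flow has to carry one; 443 below is a
# constructed sample value, replace it with the port of the flow under test.
- name: check NAT rules for source NAT
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    destination_port: '443'  # constructed sample; required by the argument spec
    protocol: '6'
  register: result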
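# Print the rule matched by the preceding task. Native block-YAML module args
# (instead of the key=value free-form string) and the FQCN match the rest of
# the examples, which already use fully qualified module names.
- name: show the matching rule
  ansible.builtin.debug:
    msg: "{{ result.rule }}"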
# NAT-rulebase check for inbound TCP/80 arriving on ethernet1/1 from the
# Internet zone towards 192.168.118.50 in the DMZ.
- name: check NAT rules for inbound web
  paloaltonetworks.panos.panos_match_rule:
    provider: "{{ provider }}"
    rule_type: "nat"
    source_zone: "Internet"
    source_ip: "0.0.0.0"
    to_interface: "ethernet1/1"
    # NOTE(review): the source-NAT example spells this zone "Prod-DMZ"; confirm
    # which spelling matches the zone configured on the device.
    destination_zone: "Prod DMZ"
    destination_ip: "192.168.118.50"
    destination_port: "80"
    protocol: "6"
  register: result
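# Print the rule matched by the preceding task. Native block-YAML module args
# (instead of the key=value free-form string) and the FQCN match the rest of
# the examples, which already use fully qualified module names.
- name: show the matching rule
  ansible.builtin.debug:
    msg: "{{ result.rule }}"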
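# Security-rulebase check for outbound POP3 (TCP/110) scoped to vsys4. The
# argument spec on this page lists vsys_id as Removed ("Use vsys instead"), so
# the vsys name is passed through the vsys option.
- name: check security rules for outbound POP3 in vsys4
  paloaltonetworks.panos.panos_match_rule:
    provider: '{{ provider }}'
    vsys: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result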
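# Print the rule matched by the preceding task. Native block-YAML module args
# (instead of the key=value free-form string) and the FQCN match the rest of
# the examples, which already use fully qualified module names.
- name: show the matching rule
  ansible.builtin.debug:
    msg: "{{ result.rule }}"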

Inputs

    
# Module argument spec. The flat connection options (ip_address, port, username,
# password, api_key) are marked B(Deprecated); the provider dict carries the same
# settings and is the form the usage examples use.
port:
    default: 443
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The port number to connect to the PAN-OS device on.
    type: int

vsys:
    default: vsys1
    description:
    - The vsys this object belongs to.
    type: str

# Credential. Keep it out of the playbook text (ansible-vault or a lookup) and
# prefer the provider.api_key suboption, since this flat form is deprecated.
api_key:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The API key to use instead of generating it using I(username) / I(password).
    type: str

# Removed rather than deprecated: playbooks written against vsys_id need to
# switch to vsys.
vsys_id:
    description:
    - B(Removed)
    - Use I(vsys) instead.
    type: str

category:
    description:
    - URL category
    type: str

# Credential; same handling as api_key above.
password:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The password to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

# The examples on this page pass the value quoted ('6', '17'); Ansible coerces
# such numeric strings to int for a type: int option.
protocol:
    description:
    - The IP protocol number from 1 to 255.
    required: true
    type: int

# Connection details. The api_key and password suboptions are credentials:
# source them from ansible-vault or a lookup rather than a literal in the playbook.
provider:
    description:
    - A dict object containing connection details.
    suboptions:
      api_key:
        description:
        - The API key to use instead of generating it using I(username) / I(password).
        type: str
      ip_address:
        description:
        - The IP address or hostname of the PAN-OS device being configured.
        type: str
      password:
        description:
        - The password to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
      port:
        default: 443
        description:
        - The port number to connect to the PAN-OS device on.
        type: int
      serial_number:
        description:
        - The serial number of a firewall to use for targeted commands. If I(ip_address)
          is not a Panorama PAN-OS device, then this param is ignored.
        type: str
      username:
        default: admin
        description:
        - The username to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
    type: dict
    version_added: 1.0.0
    version_added_collection: paloaltonetworks.panos

# The input form is ignored; the rulebase return value reports where the
# matched rule lives.
rulebase:
    description:
    - B(DEPRECATED)
    - This is no longer used and may safely be removed from your playbook.
    type: str

username:
    default: admin
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The username to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

# Selects which rulebase the flow is tested against; the nat examples on this
# page also pass to_interface and both zones.
rule_type:
    choices:
    - security
    - nat
    default: security
    description:
    - Type of rule.
    type: str

source_ip:
    description:
    - The source IP address.
    required: true
    type: str

ip_address:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - HORIZONTALLINE
    - The IP address or hostname of the PAN-OS device being configured.
    type: str

application:
    description:
    - The application.
    type: str

source_port:
    description:
    - The source port.
    type: int

# Single-quote values containing a backslash (e.g. 'mydomain\jsmith') so YAML
# keeps the backslash literal.
source_user:
    description:
    - The source user or group.
    type: str

source_zone:
    description:
    - The source zone.
    type: str

# Only meaningful for rule_type nat (an "inbound interface in a NAT rule").
to_interface:
    description:
    - The inbound interface in a NAT rule.
    type: str

destination_ip:
    description:
    - The destination IP address.
    required: true
    type: str

# Required for every call, including NAT rule checks.
destination_port:
    description:
    - The destination port.
    required: true
    type: int

destination_zone:
    description:
    - The destination zone.
    type: str

Outputs

# Return values. stdout_lines is kept only for compatibility; read rule instead.
rule:
  description: The rule definition, either security rule or NAT rule
  returned: always
  type: dict
# Where the matched rule lives; unrelated to the deprecated rulebase input option.
rulebase:
  description: Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase
  returned: always
  type: str
stdout_lines:
  description: B(DEPRECATED); use "rule" instead
  returned: always
  type: str