paloaltonetworks.panos.panos_security_rule (2.19.1) — module

Manage security rule policy on PAN-OS devices or Panorama management console.

Added in version 1.0.0 of paloaltonetworks.panos

Authors: Ivan Bojer (@ivanbojer), Robert Hagen (@stealthllama), Michael Richardson (@mrichardson03), Garfield Lee Freeman (@shinmog)

Install collection

Install with ansible-galaxy collection install paloaltonetworks.panos:==2.19.1


Add to requirements.yml

  collections:
    - name: paloaltonetworks.panos
      version: 2.19.1

Description

- Security policies allow you to enforce rules and take action, and can be as general or specific as needed.
- The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.


Requirements

Usage examples

- name: add SSH inbound rule to Panorama device group
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['production']
    source_zone: ['public']
    source_ip: ['any']
    destination_zone: ['private']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'
- name: add a rule to allow HTTP multimedia only to CDNs
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['private']
    destination_zone: ['public']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    action: 'allow'
- name: add a more complex rule that uses security profiles
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'Allow HTTP'
    source_zone: ['public']
    destination_zone: ['private']
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'strict'
    vulnerability: 'strict'
    spyware: 'strict'
    url_filtering: 'strict'
    wildfire_analysis: 'default'
- name: disable a Panorama pre-rule
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Production edge'
    rule_name: 'Allow telnet'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    destination_ip: ['1.1.1.1']
    log_start: false
    log_end: true
    action: 'allow'
    disabled: true
- name: delete a device group security rule
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    state: 'absent'
    device_group: 'DC Firewalls'
    rule_name: 'Allow telnet'
- name: add a rule at a specific location in the rulebase
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['untrust']
    destination_zone: ['trust']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    action: 'allow'
    location: 'before'
    existing_rule: 'Allow MySQL'
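As an added example (not from the collection's own documentation), a playbook that applies the first-match ordering principle from the description: a specific threat-intelligence block rule goes to the top of the device group's pre-rulebase, the general web allow is positioned after it, and a logged catch-all deny closes the rulebase. The panorama_host and panorama_api_key variables, the 'Cloud Edge' device group, the 'internet-profiles' security profile group and the 'to-siem' log forwarding profile are assumed placeholders.

```yaml
# Added example; device group, profile group and log forwarding profile names are placeholders.
- name: build an ordered outbound rulebase (specific rules before general ones)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: '{{ panorama_host }}'
      api_key: '{{ panorama_api_key }}'
  tasks:
    - name: block traffic to high-risk and Tor exit destinations before anything else
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ provider }}'
        device_group: 'Cloud Edge'
        rule_name: 'Block high-risk destinations'
        source_zone: ['private']
        destination_zone: ['public']
        # predefined EDLs are referenced by their config names, not their display names
        destination_ip: ['panw-highrisk-ip-list', 'panw-torexit-ip-list']
        action: 'drop'
        log_setting: 'to-siem'
        location: 'top'
        audit_comment: 'Threat-intel block must precede the general web allow'
    - name: allow web browsing with threat prevention, placed after the block rule
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ provider }}'
        device_group: 'Cloud Edge'
        rule_name: 'Allow web'
        source_zone: ['private']
        destination_zone: ['public']
        application: ['web-browsing', 'ssl']
        service: ['application-default']
        action: 'allow'
        # group_profile supersedes the individual antivirus/vulnerability/... parameters
        group_profile: 'internet-profiles'
        log_setting: 'to-siem'
        location: 'after'
        existing_rule: 'Block high-risk destinations'
    - name: deny and log everything that reaches the end of the rulebase
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ provider }}'
        device_group: 'Cloud Edge'
        rule_name: 'Deny and log'
        action: 'deny'
        icmp_unreachable: true
        log_setting: 'to-siem'
        location: 'bottom'
```

Because the module defaults source_zone, destination_zone, source_ip and destination_ip to any, the final task matches all remaining traffic; re-running the playbook is idempotent, and the audit_comment is only written when the rule actually changes.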

Inputs

port:
    default: 443
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The port number to connect to the PAN-OS device on.
    type: int

uuid:
    description:
    - The rule UUID.
    - Note that this is currently more of a read-only field.
    - Usage of the UUID cannot currently take the place of using the rule name as the
      primary identifier.
    type: str

vsys:
    default: vsys1
    description:
    - The vsys this object belongs to.
    type: str

state:
    choices:
    - present
    - absent
    - replaced
    - merged
    - deleted
    - gathered
    default: present
    description:
    - The state.
    type: str

action:
    choices:
    - allow
    - deny
    - drop
    - reset-client
    - reset-server
    - reset-both
    default: allow
    description:
    - Action to apply once the rule matches.
    type: str

commit:
    description:
    - B(Deprecated)
    - Please use M(paloaltonetworks.panos.panos_commit_firewall), M(paloaltonetworks.panos.panos_commit_panorama),
      M(paloaltonetworks.panos.panos_commit_push) instead.
    - Commit changes after creating object.  If I(ip_address) is a Panorama device, and
      I(device_group) or I(template) are also set, perform a commit to Panorama and a
      commit-all to the device group/template.
    type: bool

target:
    description:
    - Applicable for Panorama only.
    - Apply this rule exclusively to the listed firewall serial numbers.
    elements: str
    type: list

api_key:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The API key to use instead of generating it using I(username) / I(password).
    type: str

log_end:
    default: true
    description:
    - Whether to log at session end.
    type: bool

service:
    default:
    - application-default
    description:
    - List of services and/or service groups.
    elements: str
    type: list

spyware:
    description:
    - Name of the already defined spyware profile.
    type: str

category:
    default:
    - any
    description:
    - List of destination URL categories.
    - When referencing predefined EDLs, use the config names of the EDLs, not their full names.
      The config names can be found with the CLI command "request system external-list show
      type predefined-url name <tab>", which lists, for example, panw-auth-portal-exclude-list.
    elements: str
    type: list

disabled:
    default: false
    description:
    - Disable this rule.
    type: bool

location:
    choices:
    - top
    - bottom
    - before
    - after
    description:
    - Position to place the rule in.
    type: str

password:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The password to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      api_key:
        description:
        - The API key to use instead of generating it using I(username) / I(password).
        type: str
      ip_address:
        description:
        - The IP address or hostname of the PAN-OS device being configured.
        type: str
      password:
        description:
        - The password to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
      port:
        default: 443
        description:
        - The port number to connect to the PAN-OS device on.
        type: int
      serial_number:
        description:
        - The serial number of a firewall to use for targeted commands. If I(ip_address)
          is not a Panorama PAN-OS device, then this param is ignored.
        type: str
      username:
        default: admin
        description:
        - The username to use for authentication.  This is ignored if I(api_key) is specified.
        type: str
    type: dict
    version_added: 1.0.0
    version_added_collection: paloaltonetworks.panos

rulebase:
    choices:
    - pre-rulebase
    - rulebase
    - post-rulebase
    description:
    - The rulebase in which the rule is to exist.  If left unspecified, this defaults
      to I(rulebase=pre-rulebase) for Panorama.  For NGFW, this is always set to be I(rulebase=rulebase).
    type: str

schedule:
    description:
    - Schedule in which this rule is active.
    type: str

tag_name:
    description:
    - List of tags associated with the rule.
    elements: str
    type: list

username:
    default: admin
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The username to use for authentication.  This is ignored if I(api_key) is specified.
    type: str

antivirus:
    description:
    - Name of the already defined antivirus profile.
    type: str

group_tag:
    description:
    - The group tag.
    type: str

log_start:
    default: false
    description:
    - Whether to log at session start.
    type: bool

rule_name:
    description:
    - Name of the security rule.
    type: str

rule_type:
    choices:
    - universal
    - intrazone
    - interzone
    default: universal
    description:
    - Type of security rule (version 6.1 of PAN-OS and above).
    type: str

source_ip:
    default:
    - any
    description:
    - List of source addresses.
    - This can be an IP address, an address object/group, etc.
    - When referencing predefined EDLs, use the config names of the EDLs, not their full names.
      The config names can be found with the CLI command "request system external-list show
      type predefined-ip name <tab>", which lists panw-bulletproof-ip-list, panw-highrisk-ip-list,
      panw-known-ip-list and panw-torexit-ip-list.
    elements: str
    type: list

ip_address:
    description:
    - B(Deprecated)
    - Use I(provider) to specify PAN-OS connectivity instead.
    - The IP address or hostname of the PAN-OS device being configured.
    type: str

application:
    default:
    - any
    description:
    - List of applications, application groups, and/or application filters.
    elements: str
    type: list

description:
    description:
    - Description of the security rule.
    type: str

devicegroup:
    description:
    - B(Deprecated)
    - Use I(device_group) instead.
    - Device groups are logical groups of firewalls in Panorama.
    type: str

log_setting:
    description:
    - Log forwarding profile.
    type: str

source_user:
    default:
    - any
    description:
    - Use users to enforce policy for individual users or a group of users.
    elements: str
    type: list

source_zone:
    default:
    - any
    description:
    - List of source zones.
    elements: str
    type: list

device_group:
    default: shared
    description:
    - (Panorama only) The device group the operation should target.
    type: str

hip_profiles:
    description:
    - If you are using GlobalProtect with host information profile (HIP) enabled, you can
      also base the policy on information collected by GlobalProtect. For example, the user
      access level can be determined by the HIP that notifies the firewall about the user's
      local configuration.
    - NOTE: If I(state=present) or I(state=replaced), and you're running PAN-OS < 10.0.0,
      then this will have a default of I(["any"]).
    - If you are using PAN-OS >= 10.0.0, please do not use this parameter as it was removed
      from PAN-OS in 10.0.0.
    elements: str
    type: list

audit_comment:
    description:
    - Add an audit comment to the rule being defined.
    - This is only applied if there was a change to the rule.
    type: str

existing_rule:
    description:
    - If I(location=before) or I(location=after), this option specifies an existing rule
      name.  The rule being managed by this module will be positioned relative to the value
      of this parameter.
    - Required if I(location=before) or I(location=after).
    type: str

file_blocking:
    description:
    - Name of the already defined file_blocking profile.
    type: str

group_profile:
    description:
    - Security profile group that is already defined in the system. This property supersedes
      the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering,
      and wildfire_analysis properties.
    type: str

negate_source:
    default: false
    description:
    - Match on the reverse of the 'source_ip' attribute.
    type: bool

negate_target:
    description:
    - Applicable for Panorama only.
    - Negate the value for I(target).
    type: bool

url_filtering:
    description:
    - Name of the already defined url_filtering profile.
    type: str

vulnerability:
    description:
    - Name of the already defined vulnerability profile.
    type: str

data_filtering:
    description:
    - Name of the already defined data_filtering profile.
    type: str

destination_ip:
    default:
    - any
    description:
    - List of destination addresses.
    - This can be an IP address, an address object/group, etc.
    - When referencing predefined EDLs, use the config names of the EDLs, not their full names.
      The config names can be found with the CLI command "request system external-list show
      type predefined-ip name <tab>", which lists panw-bulletproof-ip-list, panw-highrisk-ip-list,
      panw-known-ip-list and panw-torexit-ip-list.
    elements: str
    type: list

gathered_filter:
    description:
    - When I(state=gathered).
    - An advanced filtering option to filter results returned from PAN-OS.
    - Refer to the guide discussing I(gathered_filter) for more information.
    type: str

destination_zone:
    default:
    - any
    description:
    - List of destination zones.
    elements: str
    type: list

icmp_unreachable:
    description:
    - Send 'ICMP Unreachable'. Used with 'deny', 'drop', and 'reset' actions.
    type: bool

wildfire_analysis:
    description:
    - Name of the already defined wildfire_analysis profile.
    type: str

negate_destination:
    default: false
    description:
    - Match on the reverse of the 'destination_ip' attribute.
    type: bool

disable_server_response_inspection:
    default: false
    description:
    - Disables packet inspection from the server to the client. Useful under heavy server
      load conditions.
    type: bool