paloaltonetworks.panos.panos_security_rule (collection paloaltonetworks.panos, version 2.19.1): module

Manage security rule policy on PAN-OS devices or Panorama management console.

Added in version 1.0.0 of paloaltonetworks.panos.

Authors: Ivan Bojer (@ivanbojer), Robert Hagen (@stealthllama), Michael Richardson (@mrichardson03), Garfield Lee Freeman (@shinmog)

Installation

Install with:

```shell
ansible-galaxy collection install paloaltonetworks.panos:==2.19.1
```

Or pin it in a requirements file:

```yaml
collections:
  - name: paloaltonetworks.panos
    version: 2.19.1
```

Synopsis

- Security policies allow you to enforce rules and take action, and can be as general or specific as needed.
- The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
Examples

```yaml
- name: add SSH inbound rule to Panorama device group
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['production']
    source_zone: ['public']
    source_ip: ['any']
    destination_zone: ['private']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'

- name: add a rule to allow HTTP multimedia only to CDNs
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['private']
    destination_zone: ['public']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'Allow HTTP'
    source_zone: ['public']
    destination_zone: ['private']
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'strict'
    vulnerability: 'strict'
    spyware: 'strict'
    url_filtering: 'strict'
    wildfire_analysis: 'default'

- name: disable a Panorama pre-rule
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Production edge'
    rule_name: 'Allow telnet'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    destination_ip: ['1.1.1.1']
    log_start: false
    log_end: true
    action: 'allow'
    disabled: true

- name: delete a device group security rule
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    state: 'absent'
    device_group: 'DC Firewalls'
    rule_name: 'Allow telnet'

- name: add a rule at a specific location in the rulebase
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['untrust']
    destination_zone: ['trust']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    action: 'allow'
    location: 'before'
    existing_rule: 'Allow MySQL'
```
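The module description states that PAN-OS applies the first rule that matches, so a specific rule placed after a general one never fires. The following is an added example, not code from the paloaltonetworks.panos collection: it models that first-match evaluation over rule dicts that use the module's own parameter names and flags rules that an earlier rule fully shadows, which is the check to run before deciding where `location` / `existing_rule` should place a new rule. The rulebase and flow are constructed for the example.

```python
ANY = "any"
# Rule dicts use the panos_security_rule parameter names; these are the fields compared.
MATCH_FIELDS = ("source_zone", "destination_zone", "source_ip", "destination_ip",
                "source_user", "application", "service", "category")

def _matches(rule, flow):
    """Enabled rule whose every match field is 'any' or contains the flow's value.
    Simplification: addresses compare as literal strings (no object/group/CIDR resolution)."""
    return not rule.get("disabled", False) and all(
        ANY in rule.get(f, [ANY]) or flow[f] in rule.get(f, [ANY]) for f in MATCH_FIELDS)

def first_match(rules, flow):
    """(rule_name, action) of the first matching rule, i.e. the one PAN-OS applies, or None."""
    for rule in rules:
        if _matches(rule, flow):
            return rule["rule_name"], rule.get("action", "allow")
    return None

def _covers(earlier_vals, later_vals):
    """True if everything the later rule matches is also matched by the earlier rule."""
    ear, lat = set(earlier_vals), set(later_vals)
    return ANY in ear or (ANY not in lat and lat <= ear)

def find_shadowed(rules):
    """Map each rule that can never fire to the earlier enabled rule that fully shadows it."""
    shadowed = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not earlier.get("disabled", False) and all(
                    _covers(earlier.get(f, [ANY]), later.get(f, [ANY])) for f in MATCH_FIELDS):
                shadowed[later["rule_name"]] = earlier["rule_name"]
                break
    return shadowed

# Constructed rulebase: the general allow sits first, so the specific deny below it is dead,
# the ordering mistake the module description warns about.
MISORDERED = [
    {"rule_name": "Allow outbound", "source_zone": ["trust"], "destination_zone": ["untrust"],
     "action": "allow"},
    {"rule_name": "Block telnet", "source_zone": ["trust"], "destination_zone": ["untrust"],
     "application": ["telnet"], "action": "deny"},
    {"rule_name": "SSH to bastion", "source_zone": ["untrust"], "destination_zone": ["trust"],
     "destination_ip": ["1.1.1.1"], "application": ["ssh"], "action": "allow"},
]
# Order the module produces for "Block telnet" with location: 'before', existing_rule: 'Allow outbound'.
FIXED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]
# Constructed flow; the addresses are made up.
TELNET_OUT = {"source_zone": "trust", "destination_zone": "untrust", "source_ip": "10.0.0.5",
              "destination_ip": "203.0.113.9", "source_user": "any", "application": "telnet",
              "service": "application-default", "category": "any"}
```

Run `find_shadowed` against the intended rulebase before applying tasks; an empty result means every rule can still be reached.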
Parameters

action (str, default: allow; choices: allow, deny, drop, reset-client, reset-server, reset-both)
    Action to apply once the rule matches.

antivirus (str)
    Name of the already defined antivirus profile.

api_key (str)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The API key to use instead of generating it using username / password.

application (list of str, default: [any])
    List of applications, application groups, and/or application filters.

audit_comment (str)
    Add an audit comment to the rule being defined. This is only applied if there was a change to the rule.

category (list of str, default: [any])
    List of destination URL categories.
    When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI:

```
request system external-list show type predefined-url name <tab>
panw-auth-portal-exclude-list
```

commit (bool)
    Deprecated: use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama or paloaltonetworks.panos.panos_commit_push instead.
    Commit changes after creating the object. If ip_address is a Panorama device, and device_group or template is also set, perform a commit to Panorama and a commit-all to the device group/template.

data_filtering (str)
    Name of the already defined data_filtering profile.

description (str)
    Description of the security rule.

destination_ip (list of str, default: [any])
    List of destination addresses. This can be an IP address, an address object/group, etc.
    When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the CLI:

```
request system external-list show type predefined-ip name <tab>
panw-bulletproof-ip-list
panw-highrisk-ip-list
panw-known-ip-list
panw-torexit-ip-list
```

destination_zone (list of str, default: [any])
    List of destination zones.

device_group (str, default: shared)
    (Panorama only) The device group the operation should target.

devicegroup (str)
    Deprecated: use device_group instead.
    Device groups are logical groups of firewalls in Panorama.

disable_server_response_inspection (bool, default: false)
    Disables packet inspection from the server to the client. Useful under heavy server load conditions.

disabled (bool, default: false)
    Disable this rule.

existing_rule (str)
    If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter.
    Required if location=before or location=after.

file_blocking (str)
    Name of the already defined file_blocking profile.

gathered_filter (str)
    When state=gathered, an advanced filtering option to filter the results returned from PAN-OS. Refer to the guide discussing gathered_filter for more information.

group_profile (str)
    Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering and wildfire_analysis properties.

group_tag (str)
    The group tag.

hip_profiles (list of str)
    If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by a HIP that notifies the firewall about the user's local configuration.
    NOTE: If state=present or state=replaced and you are running PAN-OS < 10.0.0, this has a default of ["any"].
    If you are using PAN-OS >= 10.0.0, do not use this parameter, as it was removed from PAN-OS in 10.0.0.

icmp_unreachable (bool)
    Send 'ICMP Unreachable'. Used with the 'deny', 'drop' and 'reset' actions.

ip_address (str)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The IP address or hostname of the PAN-OS device being configured.

location (str; choices: top, bottom, before, after)
    Position to place the rule in.

log_end (bool, default: true)
    Whether to log at session end.

log_setting (str)
    Log forwarding profile.

log_start (bool, default: false)
    Whether to log at session start.

negate_destination (bool, default: false)
    Match on the reverse of the 'destination_ip' attribute.

negate_source (bool, default: false)
    Match on the reverse of the 'source_ip' attribute.

negate_target (bool)
    Applicable for Panorama only. Negate the value for target.

password (str)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The password to use for authentication. This is ignored if api_key is specified.

port (int, default: 443)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The port number to connect to the PAN-OS device on.

provider (dict; added in version 1.0.0 of paloaltonetworks.panos)
    A dict object containing connection details. Suboptions:
    api_key (str): The API key to use instead of generating it using username / password.
    ip_address (str): The IP address or hostname of the PAN-OS device being configured.
    password (str): The password to use for authentication. This is ignored if api_key is specified.
    port (int, default: 443): The port number to connect to the PAN-OS device on.
    serial_number (str): The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
    username (str, default: admin): The username to use for authentication. This is ignored if api_key is specified.

rule_name (str)
    Name of the security rule.

rule_type (str, default: universal; choices: universal, intrazone, interzone)
    Type of security rule (version 6.1 of PAN-OS and above).

rulebase (str; choices: pre-rulebase, rulebase, post-rulebase)
    The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to rulebase=rulebase.

schedule (str)
    Schedule in which this rule is active.

service (list of str, default: [application-default])
    List of services and/or service groups.

source_ip (list of str, default: [any])
    List of source addresses. This can be an IP address, an address object/group, etc.
    When referencing predefined EDLs, use the config names of the EDLs, not their full names. The config names can be found with the same CLI command shown for destination_ip (request system external-list show type predefined-ip name <tab>).

source_user (list of str, default: [any])
    Use users to enforce policy for individual users or a group of users.

source_zone (list of str, default: [any])
    List of source zones.

spyware (str)
    Name of the already defined spyware profile.

state (str, default: present; choices: present, absent, replaced, merged, deleted, gathered)
    The state.

tag_name (list of str)
    List of tags associated with the rule.

target (list of str)
    Applicable for Panorama only. Apply this rule exclusively to the listed firewall serial numbers.

url_filtering (str)
    Name of the already defined url_filtering profile.

username (str, default: admin)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The username to use for authentication. This is ignored if api_key is specified.

uuid (str)
    The rule UUID. Note that this is currently more of a read-only field: usage of the UUID cannot currently take the place of using the rule name as the primary identifier.

vsys (str, default: vsys1)
    The vsys this object belongs to.

vulnerability (str)
    Name of the already defined vulnerability profile.

wildfire_analysis (str)
    Name of the already defined wildfire_analysis profile.