panos_query_rules - PANOS module that allows search for security rules in PANW NGFW devices.¶

New in version 2.5.

Synopsis
- Requirements
Parameters
Notes
Examples
Status
Maintenance
- Author

Synopsis ¶

- Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements ¶

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPi https://pypi.org/project/pan-python/
pandevice can be obtained from PyPi https://pypi.org/project/pandevice/
xmltodict can be obtains from PyPi https://pypi.org/project/xmltodict/

Parameters ¶

Parameter	Choices/Defaults	Comments
api_key		API key that can be used instead of username/password credentials.
application		Name of the application or application group to be queried.
destination_ip		The destination IP address to be queried.
destination_port		The destination port to be queried.
destination_zone		Name of the destination security zone to be queried.
devicegroup		The Panorama device group in which to conduct the query.
ip_address required		IP address (or hostname) of PAN-OS firewall or Panorama management console being queried.
password required		Password credentials to use for authentication.
protocol		The protocol used to be queried. Must be either tcp or udp.
source_ip		The source IP address to be queried.
source_port		The source port to be queried.
source_zone		Name of the source security zone to be queried.
tag_name		Name of the rule tag to be queried.
username	Default: admin	Username credentials to use for authentication.

Notes ¶

Note

Checkmode is not supported.
Panorama is supported.

Examples ¶

- name: search for rules with tcp/3306
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    source_zone: 'DevNet'
    destination_zone: 'DevVPC'
    destination_port: '3306'
    protocol: 'tcp'

- name: search devicegroup for inbound rules to dmz host
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    destination_zone: 'DMZ'
    destination_ip: '10.100.42.18'
    address: 'DeviceGroupA'

- name: search for rules containing a specified rule tag
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    tag_name: 'ProjectX'

Status ¶

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance ¶

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author ¶

Bob Hagen (@rnh556)

Hint

If you notice any issues in this documentation you can edit this document to improve it.