panos_security_rule - Create security rule policy on PAN-OS devices or Panorama management console.¶

New in version 2.4.

Synopsis
- Requirements
Parameters
Notes
Examples
Status
Maintenance
- Author

Synopsis ¶

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements ¶

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPi https://pypi.org/project/pan-python/
pandevice can be obtained from PyPi https://pypi.org/project/pandevice/
xmltodict can be obtained from PyPi https://pypi.org/project/xmltodict/

Parameters ¶

Parameter	Choices/Defaults	Comments
action	Default: allow	Action to apply once rules maches.
antivirus		Name of the already defined antivirus profile.
api_key		API key that can be used instead of username/password credentials.
application	Default: any	List of applications.
commit bool	Choices: no yes ←	Commit configuration if changed.
data_filtering		Name of the already defined data_filtering profile.
description		Description for the security rule.
destination_ip	Default: any	List of destination addresses.
destination_zone	Default: any	List of destination zones.
devicegroup		- Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.
file_blocking		Name of the already defined file_blocking profile.
group_profile		- Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles	Default: any	- If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.
ip_address required		IP address (or hostname) of PAN-OS device being configured.
log_end	Default: yes	Whether to log at session end.
log_start		Whether to log at session start.
operation	Default: add	The action to be taken. Supported values are add/update/find/delete.
password required		Password credentials to use for auth unless api_key is set.
rule_name required		Name of the security rule.
rule_type	Default: universal	Type of security rule (version 6.1 of PanOS and above).
service	Default: application-default	List of services.
source_ip	Default: any	List of source addresses.
source_user	Default: any	Use users to enforce policy for individual users or a group of users.
source_zone	Default: any	List of source zones.
spyware		Name of the already defined spyware profile.
tag_name		Administrative tags that can be added to the rule. Note, tags must be already defined.
url_filtering		Name of the already defined url_filtering profile.
username	Default: admin	Username credentials to use for auth unless api_key is set.
vulnerability		Name of the already defined vulnerability profile.
wildfire_analysis		Name of the already defined wildfire_analysis profile.

Notes ¶

Note

Checkmode is not supported.
Panorama is supported.

Examples ¶

- name: add an SSH inbound rule to devicegroup
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['ProjectX']
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'Cloud Edge'

- name: add a rule to allow HTTP multimedia only from CDNs
  panos_security_rule:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    operation: 'add'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'

- name: delete a devicegroup security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    rule_name: 'Allow telnet'
    devicegroup: 'DC Firewalls'

- name: find a specific security rule
  panos_security_rule:
    ip_address: '{{ ip_address }}'
    password: '{{ password }}'
    operation: 'find'
    rule_name: 'Allow RDP to DCs'
  register: result
- debug: msg='{{result.stdout_lines}}'

Status ¶

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance ¶

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author ¶

Ivan Bojer (@ivanbojer), Robert Hagen (@rnh556)

Hint

If you notice any issues in this documentation you can edit this document to improve it.