panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console
New in version 2.5.
Synopsis
NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Security policies allow you to enforce rules and take action, and can be as general or specific as needed.
Requirements
The below requirements are needed on the host that executes this module.
pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
xmltodict
Parameters

| Parameter | Choices/Defaults | Comments |
|---|---|---|
| api_key (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
| application | | The application. |
| category | | URL category. |
| destination_ip (required) | | The destination IP address. |
| destination_port (integer, required) | | The destination port. |
| destination_zone | | The destination zone. |
| ip_address (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
| password (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
| port (integer) | Default: 443 | Deprecated. Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. |
| protocol (integer, required) | | The IP protocol number from 1 to 255. |
| provider (added in 2.8) | | A dict object containing connection details. |
| provider / api_key (string) | | The API key to use instead of generating it using username / password. |
| provider / ip_address (string) | | The IP address or hostname of the PAN-OS device being configured. |
| provider / password (string) | | The password to use for authentication. This is ignored if api_key is specified. |
| provider / port (integer) | Default: 443 | The port number to connect to the PAN-OS device on. |
| provider / serial_number (string) | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
| provider / username (string) | Default: "admin" | The username to use for authentication. This is ignored if api_key is specified. |
| rule_type | | Type of rule. |
| rulebase | | DEPRECATED. This is no longer used and may safely be removed from your playbook. |
| source_ip (required) | | The source IP address. |
| source_port (integer) | | The source port. |
| source_user | | The source user or group. |
| source_zone | | The source zone. |
| to_interface | | The inbound interface in a NAT rule. |
| username (string) | Default: "admin" | Deprecated. Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. |
| vsys (string) | Default: "vsys1" | The vsys this object belongs to. |
| vsys_id | | Removed. Use vsys instead. |
Notes

- Check mode is not supported.
- Panorama is NOT supported. However, specifying Panorama provider info with a target serial number is.
- PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples

```yaml
- name: check security rules for Google DNS
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result

- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result

- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result

- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result

- debug: msg='{{ result.rule }}'

# vsys_id has been removed (see Parameters); vsys selects the virtual system.
- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    provider: '{{ provider }}'
    vsys: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result

- debug: msg='{{ result.rule }}'
```
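To make clear what question the module's match test answers, the Python below (an added example, not code from this module or from pan-os-ansible) evaluates flows like the Google DNS and POP3 ones above against a constructed security rulebase with PAN-OS first-match semantics, falling through to the implicit intrazone-default (allow) and interzone-default (deny) rules when nothing explicit matches. The Rule schema, rule names, zone names and addresses are invented for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = frozenset({"any"})          # a field set to ANY matches every value
@dataclass
class Rule:
    name: str                     # constructed schema, not pandevice's SecurityRule
    action: str                   # "allow" or "deny"
    from_zone: frozenset = ANY
    to_zone: frozenset = ANY
    source: frozenset = ANY       # IPv4/IPv6 CIDR strings
    destination: frozenset = ANY
    application: frozenset = ANY
    service: frozenset = ANY      # "<protocol number>/<destination port>", e.g. "17/53"

def _in(value, members):
    return "any" in members or value in members

def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return "any" in cidrs or any(addr in ipaddress.ip_network(c) for c in cidrs)

def match_rule(rulebase, flow):
    """Return the first rule the flow hits, top-down, as a PAN-OS policy lookup does.
    With no explicit match the implicit defaults apply: traffic staying inside one
    zone is allowed (intrazone-default), traffic crossing zones is denied."""
    service = f"{flow['protocol']}/{flow['destination_port']}"
    for rule in rulebase:
        if (_in(flow["source_zone"], rule.from_zone)
                and _in(flow["destination_zone"], rule.to_zone)
                and _ip_in(flow["source_ip"], rule.source)
                and _ip_in(flow["destination_ip"], rule.destination)
                and _in(flow["application"], rule.application)
                and _in(service, rule.service)):
            return rule
    if flow["source_zone"] == flow["destination_zone"]:
        return Rule("intrazone-default", "allow")
    return Rule("interzone-default", "deny")

# Constructed rulebase; the deny sits above the broader allows, so order matters.
RULEBASE = [
    Rule("block-pop3", "deny", frozenset({"Trust"}), frozenset({"Internet"}),
         application=frozenset({"pop3"})),
    Rule("allow-google-dns", "allow", frozenset({"Trust"}), frozenset({"Internet"}),
         destination=frozenset({"8.8.8.8/32", "8.8.4.4/32"}),
         application=frozenset({"dns"}), service=frozenset({"17/53"})),
    Rule("allow-web", "allow", frozenset({"Trust"}), frozenset({"Internet"}),
         service=frozenset({"6/80", "6/443"})),
]
```

Running the same flow through this evaluator and through panos_match_rule against the live rulebase is a cheap way to catch a shadowed or mis-ordered rule before it is committed.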
Return Values

Common return values are documented in the Ansible return values reference; the following fields are unique to this module:

| Key | Returned | Description |
|---|---|---|
| rule (complex) | always | The rule definition, either security rule or NAT rule. |
| rulebase (string) | always | Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase. |
| stdout_lines (string) | always | DEPRECATED; use "rule" instead. |
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.