panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console¶

New in version 2.5.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis ¶

NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements ¶

The below requirements are needed on the host that executes this module.

pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
xmltodict

Parameters ¶

Parameter		Choices/Defaults	Comments
api_key string			Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
application -			The application.
category -			URL category
destination_ip - / required			The destination IP address.
destination_port integer / required			The destination port.
destination_zone -			The destination zone.
ip_address string			Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
password string			Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer		Default: 443	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
protocol integer / required			The IP protocol number from 1 to 255.
provider - added in 2.8			A dict object containing connection details.
	api_key string		The API key to use instead of generating it using username / password.
	ip_address string		The IP address or hostname of the PAN-OS device being configured.
	password string		The password to use for authentication. This is ignored if api_key is specified.
	port integer	Default: 443	The port number to connect to the PAN-OS device on.
	serial_number string		The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
	username string	Default: "admin"	The username to use for authentication. This is ignored if api_key is specified.
rule_type -		Choices: security ← nat	Type of rule.
rulebase -			DEPRECATED This is no longer used and may safely be removed from your playbook.
source_ip - / required			The source IP address.
source_port integer			The source port.
source_user -			The source user or group.
source_zone -			The source zone.
to_interface -			The inbound interface in a NAT rule.
username string		Default: "admin"	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.
vsys string		Default: "vsys1"	The vsys this object belongs to.
vsys_id -			Removed Use vsys instead.

Notes ¶

Note

Checkmode is not supported.
Panorama NOT is supported. However, specifying Panorama provider info with a target serial number is.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples ¶

- name: check security rules for Google DNS
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    provider: '{{ provider }}'
    vsys_id: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
rule complex	always	The rule definition, either security rule or NAT rule
rulebase string	always	Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase
stdout_lines string	always	DEPRECATED; use "rule" instead

Status ¶

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.

Authors¶

Robert Hagen (@rnh556)

panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console¶

Synopsis¶

Requirements¶

Parameters¶

Notes¶

Examples¶

Return Values¶

Status¶

Authors¶

Synopsis ¶

Requirements ¶

Parameters ¶

Notes ¶

Examples ¶

Return Values ¶

Status ¶