panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console

New in version 2.5.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
application
-
The application.
category
-
URL category
destination_ip
- / required
The destination IP address.
destination_port
integer / required
The destination port.
destination_zone
-
The destination zone.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
protocol
integer / required
The IP protocol number from 1 to 255.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
"admin"
The username to use for authentication. This is ignored if api_key is specified.
rule_type
-
    Choices:
  • security ←
  • nat
Type of rule.
rulebase
-
DEPRECATED
This is no longer used and may safely be removed from your playbook.
source_ip
- / required
The source IP address.
source_port
integer
The source port.
source_user
-
The source user or group.
source_zone
-
The source zone.
to_interface
-
The inbound interface in a NAT rule.
username
string
Default:
"admin"
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
"vsys1"
The vsys this object belongs to.
vsys_id
-
Removed
Use vsys instead.

Notes

Note

  • Checkmode is not supported.

  • Panorama NOT is supported. However, specifying Panorama provider info with a target serial number is.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: check security rules for Google DNS
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    provider: '{{ provider }}'
    vsys_id: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
rule
complex
always
The rule definition, either security rule or NAT rule

rulebase
string
always
Rule location; panorama-pre-rulebase, firewall-rulebase, or panorama-post-rulebase

stdout_lines
string
always
DEPRECATED; use "rule" instead



Status

Authors

  • Robert Hagen (@rnh556)