panos_nat_rule – create a policy NAT rule

New in version 2.4.

Synopsis

• NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible

• Create a policy nat rule. Keep in mind that we can either end up configuring source NAT, destination NAT, or both.

• Instead of splitting it into two we will make a fair attempt to determine which one the user wants.

Requirements

The below requirements are needed on the host that executes this module.

• pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python

• pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice

Parameters

Parameter		Choices/Defaults	Comments
api_key string			Deprecated Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password.
commit boolean		Choices: no yes ←	Commit configuration if changed.
description -			NAT rule description.
destination_ip list		Default: ["any"]	list of destination addresses
destination_zone list / required			destination zone
device_group string		Default: "shared"	(Panorama only) The device group the operation should target.
devicegroup -			Deprecated Use device_group instead. The device group to place the NAT rule into. Panorama only; ignored for firewalls.
dnat_address -			dnat translated address
dnat_port -			dnat translated port
existing_rule -			If location=before or location=after, this option specifies an existing rule name. The new rule will be created in the specified position relative to this rule. If location=before or location=after, existing_rule is required.
ip_address string			Deprecated Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured.
location -		Choices: top bottom before after	Position to place the created rule in the rule base.
nat_type -		Choices: ipv4 ← nat64 nptv6	Type of NAT.
operation -			Removed Use state instead.
password string			Deprecated Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified.
port integer		Default: 443	Deprecated Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on.
provider - added in 2.8			A dict object containing connection details.
	api_key string		The API key to use instead of generating it using username / password.
	ip_address string		The IP address or hostname of the PAN-OS device being configured.
	password string		The password to use for authentication. This is ignored if api_key is specified.
	port integer	Default: 443	The port number to connect to the PAN-OS device on.
	serial_number string		The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
	username string	Default: "admin"	The username to use for authentication. This is ignored if api_key is specified.
rule_name - / required			name of the SNAT rule
rulebase string		Choices: pre-rulebase rulebase post-rulebase	The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
service -		Default: "any"	service
snat_address_type -		Choices: interface-address translated-address ←	type of source translation.
snat_bidirectional boolean		Choices: no yes	bidirectional flag
snat_dynamic_address list			Source NAT translated address. Used when snat_type=dynamic-ip or snat_type=dynamic-ip-and-port.
snat_interface -			snat interface
snat_interface_address -			snat interface address
snat_static_address -			Source NAT translated address. Used with Static-IP translation.
snat_type -		Choices: static-ip dynamic-ip dynamic-ip-and-port Default: "None"	type of source translation
source_ip list		Default: ["any"]	list of source addresses
source_zone list / required			list of source zones
state string		Choices: present ← absent enable disable	The state of the NAT rule.
tag list			Administrative tags.
tag_name -			Deprecated Use tag instead. Administrative tag.
to_interface -		Default: "any"	Original packet's destination interface.
username string		Default: "admin"	Deprecated Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified.
vsys string		Default: "vsys1"	The vsys this object belongs to.

Notes

Note

• Checkmode is supported.

• Panorama is supported.

• PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

# Create a source and destination nat rule
- name: Create NAT SSH rule for 10.0.1.101
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "Web SSH"
    source_zone: ["external"]
    destination_zone: "external"
    source_ip: ["any"]
    destination_ip: ["10.0.0.100"]
    service: "service-tcp-221"
    snat_type: "dynamic-ip-and-port"
    snat_interface: "ethernet1/2"
    dnat_address: "10.0.1.101"
    dnat_port: "22"

- name: disable a specific security rule
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: 'Prod-Legacy 1'
    state: 'disable'

Status

• This module is not guaranteed to have a backwards compatible interface. [preview]

• This module is maintained by the Ansible Community.

Authors

• Luigi Mori (@jtschichold)

• Ivan Bojer (@ivanbojer)

• Robert Hagen (@rnh556)

• Michael Richardson (@mrichardson03)

• Garfield Lee Freeman (@shinmog)