panos_nat_rule – create a policy NAT rule

New in version 2.4.

Synopsis

  • Create a policy nat rule. Keep in mind that we can either end up configuring source NAT, destination NAT, or both.

  • Instead of splitting it into two we will make a fair attempt to determine which one the user wants.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
description
-
NAT rule description.
destination_ip
list
Default:
["any"]
list of destination addresses
destination_zone
list / required
destination zone
device_group
string
Default:
"shared"
(Panorama only) The device group the operation should target.
devicegroup
-
Deprecated
Use device_group instead.

The device group to place the NAT rule into.
Panorama only; ignored for firewalls.
dnat_address
-
dnat translated address
dnat_port
-
dnat translated port
existing_rule
-
If location=before or location=after, this option specifies an existing rule name. The new rule will be created in the specified position relative to this rule.
If location=before or location=after, existing_rule is required.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
location
-
    Choices:
  • top
  • bottom
  • before
  • after
Position to place the created rule in the rule base.
nat_type
-
    Choices:
  • ipv4 ←
  • nat64
  • nptv6
Type of NAT.
operation
-
Removed
Use state instead.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
"admin"
The username to use for authentication. This is ignored if api_key is specified.
rule_name
- / required
name of the SNAT rule
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
service
-
Default:
"any"
service
snat_address_type
-
    Choices:
  • interface-address
  • translated-address ←
type of source translation.
snat_bidirectional
boolean
    Choices:
  • no
  • yes
bidirectional flag
snat_dynamic_address
list
Source NAT translated address.
Used when snat_type=dynamic-ip or snat_type=dynamic-ip-and-port.
snat_interface
-
snat interface
snat_interface_address
-
snat interface address
snat_static_address
-
Source NAT translated address. Used with Static-IP translation.
snat_type
-
    Choices:
  • static-ip
  • dynamic-ip
  • dynamic-ip-and-port
Default:
"None"
type of source translation
source_ip
list
Default:
["any"]
list of source addresses
source_zone
list / required
list of source zones
state
string
    Choices:
  • present ←
  • absent
  • enable
  • disable
The state of the NAT rule.
tag
list
Administrative tags.
tag_name
-
Deprecated
Use tag instead.

Administrative tag.
to_interface
-
Default:
"any"
Original packet's destination interface.
username
string
Default:
"admin"
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
"vsys1"
The vsys this object belongs to.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

# Create a source and destination nat rule
- name: Create NAT SSH rule for 10.0.1.101
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "Web SSH"
    source_zone: ["external"]
    destination_zone: "external"
    source_ip: ["any"]
    destination_ip: ["10.0.0.100"]
    service: "service-tcp-221"
    snat_type: "dynamic-ip-and-port"
    snat_interface: "ethernet1/2"
    dnat_address: "10.0.1.101"
    dnat_port: "22"

- name: disable a specific security rule
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: 'Prod-Legacy 1'
    state: 'disable'

Status

Authors

  • Luigi Mori (@jtschichold)

  • Ivan Bojer (@ivanbojer)

  • Robert Hagen (@rnh556)

  • Michael Richardson (@mrichardson03)

  • Garfield Lee Freeman (@shinmog)