panos_pbf_rule – Manage Policy Based Forwarding rules on PAN-OS

New in version 2.9.

Synopsis

  • NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible

  • Manage Policy Based Forwarding rules on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

  • pandevice >= 0.13.0

  • pan-python

Parameters

Each parameter is listed as name (type), followed by its choices or default where applicable, then its description. A choice marked (default) is used when the parameter is omitted.

action (-)
    Choices: forward (default), forward-to-vsys, discard, no-pbf
    The action to take.

api_key (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The API key to use instead of generating it using username / password.

applications (list)
    Default: ["any"]
    List of applications.

description (-)
    The description.

destination_addresses (list)
    Default: ["any"]
    List of destination addresses.

device_group (string)
    Default: "shared"
    (Panorama only) The device group the operation should target.

disabled (boolean)
    Choices: no, yes
    Disable this rule.

enable_enforce_symmetric_return (boolean)
    Choices: no, yes
    Set to enforce symmetric return.

existing_rule (-)
    If 'location' is set to 'before' or 'after', the name of the existing rule that the new rule is placed before or after. The option is required in that case.

forward_egress_interface (-)
    The egress interface.

forward_monitor_disable_if_unreachable (boolean)
    Choices: no, yes
    Set to disable this rule if the next hop / monitor IP is unreachable.

forward_monitor_ip_address (-)
    The monitor IP address.

forward_monitor_profile (-)
    The monitor profile to use.

forward_next_hop_type (-)
    Choices: None, ip-address, fqdn
    The next hop type. Leave this as None for a next hop type of 'None'.

forward_next_hop_value (-)
    The next hop value if forward_next_hop_type is not None.

forward_vsys (-)
    The vsys to forward to if action is set to forward-to-vsys.

from_type (-)
    Choices: zone (default), interface
    Source from type.

from_value (list)
    The source values for the given type.

ip_address (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The IP address or hostname of the PAN-OS device being configured.

location (-)
    Choices: top, bottom, before, after, None
    Position to place the created rule in the rule base.

name (- / required)
    Name of the rule.

negate_destination (boolean)
    Choices: no, yes
    Set to negate the destination.

negate_source (boolean)
    Choices: no, yes
    Set to negate the source.

negate_target (boolean)
    Choices: no, yes
    For Panorama devices only. Exclude this rule from the listed firewalls in Panorama.

password (string)
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The password to use for authentication. This is ignored if api_key is specified.

port (integer)
    Default: 443
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The port number to connect to the PAN-OS device on.

provider (-), added in 2.8
    A dict object containing connection details, with the following keys:

    api_key (string)
        The API key to use instead of generating it using username / password.

    ip_address (string)
        The IP address or hostname of the PAN-OS device being configured.

    password (string)
        The password to use for authentication. This is ignored if api_key is specified.

    port (integer)
        Default: 443
        The port number to connect to the PAN-OS device on.

    serial_number (string)
        The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, this param is ignored.

    username (string)
        Default: "admin"
        The username to use for authentication. This is ignored if api_key is specified.

rulebase (string)
    Choices: pre-rulebase, rulebase, post-rulebase
    The rulebase in which the rule is to exist. If left unspecified, this defaults to pre-rulebase on Panorama. On an NGFW, this is always set to rulebase.

schedule (-)
    The schedule.

services (list)
    Default: ["any"]
    List of services.

source_addresses (list)
    Default: ["any"]
    List of source IP addresses.

source_users (list)
    Default: ["any"]
    List of source users.

state (string)
    Choices: present (default), absent
    The state.

symmetric_return_addresses (list)
    List of symmetric return addresses.

tags (list)
    List of tags.

target (list)
    For Panorama devices only. Apply this rule exclusively to the listed firewalls in Panorama.

username (string)
    Default: "admin"
    Deprecated: use provider to specify PAN-OS connectivity instead.
    The username to use for authentication. This is ignored if api_key is specified.

vsys (string)
    Default: "vsys1"
    The vsys this object belongs to.

Notes

Note

  • Check mode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add a pbf rule
  panos_pbf_rule:
    provider: '{{ provider }}'
    name: 'my-pbf'
    description: 'Made by Ansible'
    from_value: ['myZone']
    action: 'discard'
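A fuller playbook, added here as an illustration and not taken from the module's own documentation, showing a forward rule with next-hop monitoring and symmetric return, plus a no-pbf exemption positioned before it with location and existing_rule. The provider address, the panos_password variable, zone, interface, addresses, next hop, monitor profile and rule names are all assumed values.

```yaml
- name: Policy Based Forwarding on a PAN-OS firewall (added example, assumed values)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumed connection details; keep the password in an Ansible Vault file.
    provider:
      ip_address: '192.0.2.10'
      username: 'admin'
      password: '{{ panos_password }}'
  tasks:
    - name: Steer guest-zone web traffic out the secondary ISP interface
      panos_pbf_rule:
        provider: '{{ provider }}'
        name: 'guest-web-isp2'
        description: 'Made by Ansible'
        from_type: 'zone'
        from_value: ['guest']
        source_addresses: ['10.10.0.0/16']
        destination_addresses: ['any']
        applications: ['web-browsing', 'ssl']
        services: ['service-http', 'service-https']
        action: 'forward'
        forward_egress_interface: 'ethernet1/3'
        forward_next_hop_type: 'ip-address'
        forward_next_hop_value: '198.51.100.1'
        # Monitor the next hop and fall back to normal routing if it goes down.
        forward_monitor_profile: 'default'
        forward_monitor_ip_address: '198.51.100.1'
        forward_monitor_disable_if_unreachable: true
        # Return traffic for these sessions must leave via the same path.
        enable_enforce_symmetric_return: true
        symmetric_return_addresses: ['198.51.100.1']
        tags: ['ansible']
        state: 'present'

    - name: Keep guest traffic to internal networks on the normal routing path
      panos_pbf_rule:
        provider: '{{ provider }}'
        name: 'guest-no-pbf-internal'
        from_type: 'zone'
        from_value: ['guest']
        destination_addresses: ['10.0.0.0/8']
        action: 'no-pbf'
        # PBF rules are evaluated top-down, so this exemption must sit above the forward rule.
        location: 'before'
        existing_rule: 'guest-web-isp2'
        state: 'present'
```

Run the playbook with --check first to confirm the intended changes before committing them on the device.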

Status

Authors

  • Garfield Lee Freeman (@shinmog)