panos_pbf_rule – Manage Policy Based Forwarding rules on PAN-OS

New in version 2.9.

Synopsis

  • Manage Policy Based Forwarding rules on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

  • pandevice >= 0.13.0

  • pan-python

Parameters

Parameter Choices/Defaults Comments
action
-
    Choices:
  • forward ←
  • forward-to-vsys
  • discard
  • no-pbf
The action to take.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
applications
list
Default:
["any"]
List of applications.
description
-
The description.
destination_addresses
list
Default:
["any"]
List of destination addresses.
device_group
string
Default:
"shared"
(Panorama only) The device group the operation should target.
disabled
boolean
    Choices:
  • no
  • yes
Disable this rule.
enable_enforce_symmetric_return
boolean
    Choices:
  • no
  • yes
Set to enforce symmetric return.
existing_rule
-
If 'location' is set to 'before' or 'after', this option specifies an existing rule name. The new rule will be created in the specified position relative to this rule. If 'location' is set to 'before' or 'after', this option is required.
forward_egress_interface
-
The egress interface.
forward_monitor_disable_if_unreachable
boolean
    Choices:
  • no
  • yes
Set to disable this rule if nexthop / monitor IP is unreachable.
forward_monitor_ip_address
-
The monitor IP address.
forward_monitor_profile
-
The monitor profile to use.
forward_next_hop_type
-
    Choices:
  • None
  • ip-address
  • fqdn
The next hop type.
Leave this as None for a next hop type of 'None'.
forward_next_hop_value
-
The next hop value if forward next hop type is not None.
forward_vsys
-
The vsys to forward to if action is set to forward to a vsys.
from_type
-
    Choices:
  • zone ←
  • interface
Source from type.
from_value
list
The source values for the given type.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
location
-
    Choices:
  • top
  • bottom
  • before
  • after
  • None
Position to place the created rule in the rule base.
name
- / required
Name of the rule.
negate_destination
boolean
    Choices:
  • no
  • yes
Set to negate the destination.
negate_source
boolean
    Choices:
  • no
  • yes
Set to negate the source.
negate_target
boolean
    Choices:
  • no
  • yes
For Panorama devices only.
Exclude this rule from the listed firewalls in Panorama.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
"admin"
The username to use for authentication. This is ignored if api_key is specified.
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
schedule
-
The schedule.
services
list
Default:
["any"]
List of services.
source_addresses
list
Default:
["any"]
List of source IP addresses.
source_users
list
Default:
["any"]
List of source users.
state
string
    Choices:
  • present ←
  • absent
The state.
symmetric_return_addresses
list
List of symmetric return addresses.
tags
list
List of tags.
target
list
For Panorama devices only.
Apply this rule exclusively to the listed firewalls in Panorama.
username
string
Default:
"admin"
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
"vsys1"
The vsys this object belongs to.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: add a pbf rule
  panos_pbf_rule:
    provider: '{{ provider }}'
    name: 'my-pbf'
    description: 'Made by Ansible'
    from_value: ['myZone']
    action: 'discard'

Status

Authors

  • Garfield Lee Freeman (@shinmog)