panos_pbf_rule – Manage Policy Based Forwarding rules on PAN-OS
New in version 2.9.
Synopsis
NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Manage Policy Based Forwarding rules on PAN-OS.
Requirements
The below requirements are needed on the host that executes this module.
pandevice >= 0.13.0
pan-python
Parameters
Parameter | Type | Choices/Defaults | Comments |
---|---|---|---|
action | - | | The action to take. |
api_key | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
applications | list | Default: ["any"] | List of applications. |
description | - | | The description. |
destination_addresses | list | Default: ["any"] | List of destination addresses. |
device_group | string | Default: "shared" | (Panorama only) The device group the operation should target. |
disabled | boolean | | Disable this rule. |
enable_enforce_symmetric_return | boolean | | Set to enforce symmetric return. |
existing_rule | - | | If 'location' is set to 'before' or 'after', this option specifies an existing rule name. The new rule will be created in the specified position relative to this rule. If 'location' is set to 'before' or 'after', this option is required. |
forward_egress_interface | - | | The egress interface. |
forward_monitor_disable_if_unreachable | boolean | | Set to disable this rule if nexthop / monitor IP is unreachable. |
forward_monitor_ip_address | - | | The monitor IP address. |
forward_monitor_profile | - | | The monitor profile to use. |
forward_next_hop_type | - | | The next hop type. Leave this as None for a next hop type of 'None'. |
forward_next_hop_value | - | | The next hop value if forward next hop type is not None. |
forward_vsys | - | | The vsys to forward to if action is set to forward to a vsys. |
from_type | - | | Source from type. |
from_value | list | | The source values for the given type. |
ip_address | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
location | - | | Position to place the created rule in the rule base. |
name | - / required | | Name of the rule. |
negate_destination | boolean | | Set to negate the destination. |
negate_source | boolean | | Set to negate the source. |
negate_target | boolean | | For Panorama devices only. Exclude this rule from the listed firewalls in Panorama. |
password | string | | Deprecated. Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
port | integer | Default: 443 | Deprecated. Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. |
provider | - (added in 2.8) | | A dict object containing connection details. |
provider → api_key | string | | The API key to use instead of generating it using username / password. |
provider → ip_address | string | | The IP address or hostname of the PAN-OS device being configured. |
provider → password | string | | The password to use for authentication. This is ignored if api_key is specified. |
provider → port | integer | Default: 443 | The port number to connect to the PAN-OS device on. |
provider → serial_number | string | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
provider → username | string | Default: "admin" | The username to use for authentication. This is ignored if api_key is specified. |
rulebase | string | | The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase. |
schedule | - | | The schedule. |
services | list | Default: ["any"] | List of services. |
source_addresses | list | Default: ["any"] | List of source IP addresses. |
source_users | list | Default: ["any"] | List of source users. |
state | string | | The state. |
symmetric_return_addresses | list | | List of symmetric return addresses. |
tags | list | | List of tags. |
target | list | | For Panorama devices only. Apply this rule exclusively to the listed firewalls in Panorama. |
username | string | Default: "admin" | Deprecated. Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. |
vsys | string | Default: "vsys1" | The vsys this object belongs to. |
Notes
Checkmode is supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples
```yaml
- name: add a pbf rule
  panos_pbf_rule:
    provider: '{{ provider }}'
    name: 'my-pbf'
    description: 'Made by Ansible'
    from_value: ['myZone']
    action: 'discard'
```
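A fuller task, added here as an illustration and not taken from the module's own documentation: a forwarding rule with next-hop monitoring, placed before the existing 'my-pbf' rule, authenticating through `provider` with an API key instead of the deprecated top-level connection parameters. The variable names (`panos_host`, `vault_panos_api_key`), zone, interface, monitor profile and addresses are assumptions; the choice values 'forward', 'zone', 'ip-address' and 'present' do not appear on this page, whose choices column is empty, and are taken from the module's published choices.

```yaml
# Added example. Variable names, zone, interface, profile and addresses are
# placeholders, not values from the module documentation.
- name: forward guest traffic through the secondary uplink
  panos_pbf_rule:
    provider:
      ip_address: '{{ panos_host }}'         # assumed inventory variable
      api_key: '{{ vault_panos_api_key }}'   # assumed Ansible Vault variable
    name: 'guest-via-uplink2'
    description: 'Made by Ansible'
    # Match: traffic entering from the guest zone, from one source subnet.
    from_type: 'zone'
    from_value: ['guest']
    source_addresses: ['198.51.100.0/24']
    # Action: forward out a specific interface to an explicit next hop.
    action: 'forward'
    forward_egress_interface: 'ethernet1/2'
    forward_next_hop_type: 'ip-address'
    forward_next_hop_value: '192.0.2.1'
    # Monitor the next hop; if it stops answering, the rule disables itself
    # and traffic follows the normal routing table again.
    forward_monitor_profile: 'default'       # assumed to exist on the device
    forward_monitor_ip_address: '192.0.2.1'
    forward_monitor_disable_if_unreachable: true
    # Placement: 'before' requires existing_rule to name a rule that exists.
    location: 'before'
    existing_rule: 'my-pbf'
    state: 'present'
```

Because check mode is supported, running the playbook with `--check` first shows whether the rule would change before anything is pushed to the firewall or Panorama.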
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.