panos_query_rules – PANOS module that allows search for security rules in PANW NGFW devices

New in version 2.5.

DEPRECATED

Removed in Ansible version 2.12

Why

Querying rules is handled better by panos_match_rule.

Alternative

Use panos_match_rule

Synopsis

  • NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

  • The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.
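The ordering point above (first match wins, so a broad rule placed early shadows everything after it) and what a query such as the module's tcp/3306 search actually returns are easier to see on a toy rulebase. The following is an added example written for this page, not code from this module, from pandevice or from PAN-OS: the Rule class, the three functions and the RULEBASE entries are constructed here for illustration, and each rule carries a single zone, address and port rather than the lists PAN-OS allows. query_rules() returns every rule that could apply to the given criteria (unspecified criteria are wildcards, as with the module's parameters), first_match() applies the firewall's first-match semantics to a fully specified flow, and shadowed_rules() flags rules that can never be hit because an earlier rule already covers everything they match.

```python
"""Toy model of a PAN-OS style security rulebase (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One security rule. Single values for brevity; real rules hold lists of objects."""
    name: str
    from_zone: str
    to_zone: str
    source: str       # CIDR, single IP, or "any"
    destination: str  # CIDR, single IP, or "any"
    protocol: str     # "tcp", "udp", or "any"
    dport: str        # destination port as a string, or "any"
    action: str       # "allow" or "deny"
    tags: tuple = ()


def _covers_ip(rule_value: str, want: Optional[str]) -> bool:
    """Does the rule's address object cover the queried IP? None means 'not queried'."""
    if rule_value == ANY or want is None:
        return True
    return ipaddress.ip_address(want) in ipaddress.ip_network(rule_value, strict=False)


def _covers(rule_value: str, want: Optional[str]) -> bool:
    """Exact-match fields (zone, protocol, port): 'any' or an unqueried field always covers."""
    return rule_value == ANY or want is None or rule_value == want


def matches(rule: Rule, *, source_zone=None, destination_zone=None, source_ip=None,
            destination_ip=None, protocol=None, destination_port=None, tag_name=None) -> bool:
    """True if the rule could apply to traffic described by the given criteria."""
    return (_covers(rule.from_zone, source_zone)
            and _covers(rule.to_zone, destination_zone)
            and _covers_ip(rule.source, source_ip)
            and _covers_ip(rule.destination, destination_ip)
            and _covers(rule.protocol, protocol)
            and _covers(rule.dport, destination_port)
            and (tag_name is None or tag_name in rule.tags))


def query_rules(rules: List[Rule], **criteria) -> List[Rule]:
    """Every rule that could apply to the criteria, in rulebase order (a query, not a decision)."""
    return [r for r in rules if matches(r, **criteria)]


def first_match(rules: List[Rule], **traffic) -> Optional[Rule]:
    """What the firewall does with a fully specified flow: the first matching rule wins."""
    for r in rules:
        if matches(r, **traffic):
            return r
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers all they match."""
    def ip_superset(a: str, b: str) -> bool:  # does address object a cover all of b?
        if a == ANY:
            return True
        if b == ANY:
            return False
        return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))

    def superset(a: str, b: str) -> bool:
        return a == ANY or a == b

    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (superset(earlier.from_zone, later.from_zone)
                    and superset(earlier.to_zone, later.to_zone)
                    and ip_superset(earlier.source, later.source)
                    and ip_superset(earlier.destination, later.destination)
                    and superset(earlier.protocol, later.protocol)
                    and superset(earlier.dport, later.dport)):
                out.append(later.name)
                break
    return out


# Constructed sample rulebase (not from any real device). The fourth rule is fully
# covered by the first, so it is dead: a query will list it, but traffic never reaches it.
RULEBASE = [
    Rule("allow-devnet-mysql", "DevNet", "DevVPC", "10.10.0.0/16", "10.20.5.10", "tcp", "3306", "allow", ("ProjectX",)),
    Rule("allow-any-to-dmz-web", "any", "DMZ", "any", "10.100.42.18", "tcp", "443", "allow"),
    Rule("allow-devnet-any", "DevNet", "DevVPC", "any", "any", "any", "any", "allow"),
    Rule("allow-devnet-mysql-dup", "DevNet", "DevVPC", "10.10.3.0/24", "10.20.5.10", "tcp", "3306", "allow"),
    Rule("deny-all", "any", "any", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for r in query_rules(RULEBASE, source_zone="DevNet", destination_zone="DevVPC",
                         protocol="tcp", destination_port="3306"):
        print("could match tcp/3306:", r.name)
    print("shadowed:", shadowed_rules(RULEBASE))
```

The difference between the two functions is the practical point: query_rules() for DevNet to DevVPC on tcp/3306 lists four rules, but first_match() for a concrete flow returns exactly one, and which one depends only on rulebase order. A query result that includes a broad allow rule ahead of the specific rule you were looking for is the signal to re-order.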

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter          Choices/Defaults     Comments
api_key            -                    API key that can be used instead of username/password credentials.
application        Default: None        Name of the application or application group to be queried.
destination_ip     Default: None        The destination IP address to be queried.
destination_port   Default: None        The destination port to be queried.
destination_zone   Default: None        Name of the destination security zone to be queried.
devicegroup        Default: None        The Panorama device group in which to conduct the query.
ip_address         required             IP address (or hostname) of the PAN-OS firewall or Panorama management console being queried.
password           required             Password credentials to use for authentication.
protocol           Default: None        The protocol to be queried. Must be either tcp or udp.
source_ip          Default: None        The source IP address to be queried.
source_port        Default: None        The source port to be queried.
source_zone        Default: None        Name of the source security zone to be queried.
tag_name           Default: None        Name of the rule tag to be queried.
username           Default: admin       Username credentials to use for authentication.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

Examples

- name: search for rules with tcp/3306
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    source_zone: 'DevNet'
    destination_zone: 'DevVPC'
    destination_port: '3306'
    protocol: 'tcp'

- name: search devicegroup for inbound rules to dmz host
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    destination_zone: 'DMZ'
    destination_ip: '10.100.42.18'
    devicegroup: 'DeviceGroupA'

- name: search for rules containing a specified rule tag
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    tag_name: 'ProjectX'

Status

  • This module will be removed in version 2.12. [deprecated]

  • For more information see DEPRECATED.

Authors

  • Bob Hagen (@rnh556)