panos_security_rule_facts – Get information about a security rule

New in version 2.8.

Synopsis

  • Get information about a single security rule or the names of all security rules.

Requirements

The following requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters

Each parameter is listed as: name (type; choices or default), followed by its comments. Parameters marked Deprecated still work but should be replaced by the equivalent key under provider.

all_details (boolean; choices: no, yes)
    Get full-policy details when rule_name is not set.

api_key (string) [Deprecated: use provider to specify PAN-OS connectivity instead]
    The API key to use instead of generating it using username / password.

device_group (string; default: "shared")
    (Panorama only) The device group the operation should target.

ip_address (string) [Deprecated: use provider to specify PAN-OS connectivity instead]
    The IP address or hostname of the PAN-OS device being configured.

password (string) [Deprecated: use provider to specify PAN-OS connectivity instead]
    The password to use for authentication. This is ignored if api_key is specified.

port (integer; default: 443) [Deprecated: use provider to specify PAN-OS connectivity instead]
    The port number to connect to the PAN-OS device on.

provider (dict; added in 2.8)
    A dict object containing connection details. Its keys are:

    api_key (string)
        The API key to use instead of generating it using username / password.
    ip_address (string)
        The IP address or hostname of the PAN-OS device being configured.
    password (string)
        The password to use for authentication. This is ignored if api_key is specified.
    port (integer; default: 443)
        The port number to connect to the PAN-OS device on.
    serial_number (string)
        The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
    username (string; default: "admin")
        The username to use for authentication. This is ignored if api_key is specified.

rule_name
    Name of the security rule.

rulebase (string; choices: pre-rulebase, rulebase, post-rulebase)
    The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to rulebase=rulebase.

username (string; default: "admin") [Deprecated: use provider to specify PAN-OS connectivity instead]
    The username to use for authentication. This is ignored if api_key is specified.

vsys (string; default: "vsys1")
    The vsys this object belongs to.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples

- name: Get a list of all security rules
  panos_security_rule_facts:
    provider: '{{ provider }}'
  register: sec_rules

- debug:
    msg: '{{ sec_rules.rules }}'

- name: Get the definition for rule 'HTTP Multimedia'
  panos_security_rule_facts:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
  register: rule1

- debug:
    msg: '{{ rule1.spec }}'
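A fact-gathering module is only useful once something acts on the facts. The script below is an added example, not part of the panos_security_rule_facts module or of the pan-python/pandevice libraries: it audits the `policy` list that the first playbook above returns when run with all_details: yes, looking for allow rules that match any source/destination, any application or any service, that carry no security profile, or that have session-end logging turned off. It assumes the playbook saved the registered value to a JSON file (for instance with the copy module and content: "{{ sec_rules.policy | to_json }}"); the key names are the ones documented under Return Values, while the sample rules, the make_rule helper and the audit thresholds are constructed for this example and come from no real device.

```python
"""Audit the `policy` list returned by panos_security_rule_facts (all_details: yes).

Added example; not part of the module or the pan-python/pandevice libraries.
Key names follow the documented `policy` return value; the sample rules below
are constructed for illustration and do not come from any real firewall.
"""
import json
import sys
from typing import Dict, List

# Per-profile keys documented on each `policy` / `spec` entry.
PROFILE_FIELDS = ("antivirus", "spyware", "vulnerability", "url_filtering",
                  "file_blocking", "data_filtering", "wildfire_analysis")


def make_rule(name: str, **fields) -> Dict:
    """Build a dict shaped like one `policy` entry (constructed sample helper).

    Defaults are deliberately the widest match (any/any) so each sample rule
    only spells out what makes it different.
    """
    rule = {
        "rule_name": name, "action": "allow", "disabled": False,
        "source_zone": ["any"], "destination_zone": ["any"],
        "source_ip": ["any"], "destination_ip": ["any"],
        "source_user": ["any"], "application": ["any"], "service": ["any"],
        "log_start": False, "log_end": True, "group_profile": None,
    }
    rule.update({f: None for f in PROFILE_FIELDS})
    rule.update(fields)
    return rule


# Constructed sample of `sec_rules.policy`; not real firewall output.
SAMPLE_POLICY = [
    make_rule("allow-web-out", source_zone=["trust"], destination_zone=["untrust"],
              source_ip=["inside-nets"], application=["web-browsing", "ssl"],
              service=["application-default"], group_profile="default-profile-group"),
    make_rule("temp-any-any", log_end=False),   # the kind of rule audits exist to catch
    make_rule("deny-all", action="deny"),
    make_rule("old-ftp-access", application=["ftp"], disabled=True),
]


def _is_any(values) -> bool:
    """True when a match field is 'any'. An absent/empty field is treated as
    'any' as well; that is this script's assumption, not documented behaviour."""
    return not values or set(values) == {"any"}


def audit_rule(rule: Dict) -> List[str]:
    """Return human-readable findings for one rule; an empty list means clean."""
    findings: List[str] = []
    if rule.get("disabled"):
        return findings                     # disabled rules never match traffic
    if not rule.get("log_end"):
        findings.append("log_end is off; session-end logs feed most detections")
    if rule.get("action") != "allow":
        return findings                     # deny/drop rules only need the logging check
    if _is_any(rule.get("source_ip")) and _is_any(rule.get("destination_ip")):
        findings.append("allows any source address to any destination address")
    if _is_any(rule.get("application")):
        findings.append("application is 'any'; no App-ID restriction")
    if _is_any(rule.get("service")):
        findings.append("service is 'any' rather than application-default")
    if not rule.get("group_profile") and not any(rule.get(f) for f in PROFILE_FIELDS):
        findings.append("no security profile or profile group attached")
    return findings


def audit_policy(policy: List[Dict]) -> Dict[str, List[str]]:
    """Map rule_name -> findings for every rule that has at least one finding."""
    report: Dict[str, List[str]] = {}
    for rule in policy:
        findings = audit_rule(rule)
        if findings:
            report[rule["rule_name"]] = findings
    return report


def load_policy(path: str) -> List[Dict]:
    """Read the JSON file the playbook wrote from `sec_rules.policy`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python audit_rules.py policy.json   (falls back to the sample data)
    policy = load_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_POLICY
    for name, findings in audit_policy(policy).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, only temp-any-any is reported, with all five findings; the disabled rule is skipped even though it is just as wide, because a disabled rule matches no traffic. The checks are deliberately simple: a real audit would also compare source_zone/destination_zone pairs and the rulebase (pre- versus post-rulebase on Panorama) against the intended segmentation model.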

Return Values

Common return values are documented in the Ansible common return values reference; the following are the fields unique to this module. Each key is listed as: name (type), when it is returned, then its description.

policy (complex), returned when rule_name is not specified and all_details is True
    List of security rules present with details. Each entry has these fields:

    action (string): The rule action.
    antivirus (string): Name of the already defined antivirus profile.
    application (list): List of applications, application groups, and/or application filters.
    category (list): List of destination URL categories.
    data_filtering (string): Name of the already defined data_filtering profile.
    description (string): Description of the security rule.
    destination_ip (list): List of destination addresses.
    destination_zone (list): List of destination zones.
    disable_server_response_inspection (boolean): Disables packet inspection from the server to the client.
    disabled (boolean): Whether this rule is disabled.
    file_blocking (string): Name of the already defined file_blocking profile.
    group_profile (string): Security profile group setting.
    hip_profiles (list): GlobalProtect host information profile list.
    icmp_unreachable (boolean): Send 'ICMP Unreachable'.
    log_end (boolean): Whether to log at session end.
    log_setting (string): Log forwarding profile.
    log_start (boolean): Whether to log at session start.
    negate_destination (boolean): Match on the reverse of the 'destination_ip' attribute.
    negate_source (boolean): Match on the reverse of the 'source_ip' attribute.
    rule_name (string): Name of the security rule.
    rule_type (string): Type of security rule (version 6.1 of PanOS and above).
    schedule (string): Schedule in which this rule is active.
    service (list): List of services and/or service groups.
    source_ip (list): List of source addresses.
    source_user (list): List of source users.
    source_zone (list): List of source zones.
    spyware (string): Name of the already defined spyware profile.
    tag_name (list): List of tags associated with the rule.
    url_filtering (string): Name of the already defined url_filtering profile.
    vulnerability (string): Name of the already defined vulnerability profile.
    wildfire_analysis (string): Name of the already defined wildfire_analysis profile.

rules (list), returned when rule_name is not specified and all_details is False
    List of security rules present (names only).

    Sample:
    ['rule1', 'rule2', 'rule3']

spec (complex), returned when rule_name is specified
    The security rule definition, with these fields:

    action (string): The rule action.
    antivirus (string): Name of the already defined antivirus profile.
    application (list): List of applications, application groups, and/or application filters.
    category (list): List of destination URL categories.
    data_filtering (string): Name of the already defined data_filtering profile.
    description (string): Description of the security rule.
    destination_ip (list): List of destination addresses.
    destination_zone (list): List of destination zones.
    disable_server_response_inspection (boolean): Disables packet inspection from the server to the client.
    disabled (boolean): Whether this rule is disabled.
    file_blocking (string): Name of the already defined file_blocking profile.
    group_profile (string): Security profile group setting.
    hip_profiles (list): GlobalProtect host information profile list.
    icmp_unreachable (boolean): Send 'ICMP Unreachable'.
    log_end (boolean): Whether to log at session end.
    log_setting (string): Log forwarding profile.
    log_start (boolean): Whether to log at session start.
    negate_destination (boolean): Match on the reverse of the 'destination_ip' attribute.
    negate_source (boolean): Match on the reverse of the 'source_ip' attribute.
    rule_name (string): Name of the security rule.
    rule_type (string): Type of security rule (version 6.1 of PanOS and above).
    schedule (string): Schedule in which this rule is active.
    service (list): List of services and/or service groups.
    source_ip (list): List of source addresses.
    source_user (list): List of source users.
    source_zone (list): List of source zones.
    spyware (string): Name of the already defined spyware profile.
    tag_name (list): List of tags associated with the rule.
    url_filtering (string): Name of the already defined url_filtering profile.
    vulnerability (string): Name of the already defined vulnerability profile.
    wildfire_analysis (string): Name of the already defined wildfire_analysis profile.

Authors

  • Garfield Lee Freeman (@shinmog)