panos_security_rule_facts – Get information about a security rule¶
New in version 2.8.
Synopsis¶
NOTE: The modules in this role are deprecated in favour of the modules in the collection https://paloaltonetworks.github.io/pan-os-ansible
Get information about a single security rule or the names of all security rules.
Requirements¶
The below requirements are needed on the host that executes this module.
pan-python
pandevice
Parameters¶
| Parameter | Choices/Defaults | Comments | |
|---|---|---|---|
|
all_details
boolean
|
|
Get full-policy details when name is not set.
|
|
|
api_key
string
|
Deprecated
Use provider to specify PAN-OS connectivity instead.
The API key to use instead of generating it using username / password.
|
||
|
device_group
string
|
Default: "shared"
|
(Panorama only) The device group the operation should target.
|
|
|
ip_address
string
|
Deprecated
Use provider to specify PAN-OS connectivity instead.
The IP address or hostname of the PAN-OS device being configured.
|
||
|
password
string
|
Deprecated
Use provider to specify PAN-OS connectivity instead.
The password to use for authentication. This is ignored if api_key is specified.
|
||
|
port
integer
|
Default: 443
|
Deprecated
Use provider to specify PAN-OS connectivity instead.
The port number to connect to the PAN-OS device on.
|
|
|
provider
-
added in 2.8 |
A dict object containing connection details.
|
||
|
api_key
string
|
The API key to use instead of generating it using username / password.
|
||
|
ip_address
string
|
The IP address or hostname of the PAN-OS device being configured.
|
||
|
password
string
|
The password to use for authentication. This is ignored if api_key is specified.
|
||
|
port
integer
|
Default: 443
|
The port number to connect to the PAN-OS device on.
|
|
|
serial_number
string
|
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
|
||
|
username
string
|
Default: "admin"
|
The username to use for authentication. This is ignored if api_key is specified.
|
|
|
rule_name
-
|
Name of the security rule.
|
||
|
rulebase
string
|
|
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
|
|
|
username
string
|
Default: "admin"
|
Deprecated
Use provider to specify PAN-OS connectivity instead.
The username to use for authentication. This is ignored if api_key is specified.
|
|
|
vsys
string
|
Default: "vsys1"
|
The vsys this object belongs to.
|
|
Notes¶
Note
Checkmode is not supported.
Panorama is supported.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
Examples¶
- name: Get a list of all security rules
panos_security_rule_facts:
provider: '{{ provider }}'
register: sec_rules
- debug:
msg: '{{ sec_rules.rules }}'
- name: Get the definition for rule 'HTTP Multimedia'
panos_security_rule_facts:
provider: '{{ provider }}'
rule_name: 'HTTP Multimedia'
register: rule1
- debug:
msg: '{{ rule1.spec }}'
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | |
|---|---|---|---|
|
policy
complex
|
When rule_name is not specified and all_details is True |
List of security rules present with details
|
|
|
action
string
|
The rule action.
|
||
|
antivirus
string
|
Name of the already defined antivirus profile.
|
||
|
application
list
|
List of applications, application groups, and/or application filters.
|
||
|
category
list
|
List of destination URL categories.
|
||
|
data_filtering
string
|
Name of the already defined data_filtering profile.
|
||
|
description
string
|
Description of the security rule.
|
||
|
destination_ip
list
|
List of destination addresses.
|
||
|
destination_zone
list
|
List of destination zones.
|
||
|
disable_server_response_inspection
boolean
|
Disables packet inspection from the server to the client.
|
||
|
disabled
boolean
|
Disable this rule.
|
||
|
file_blocking
string
|
Name of the already defined file_blocking profile.
|
||
|
group_profile
string
|
Security profile group setting.
|
||
|
hip_profiles
list
|
GlobalProtect host information profile list.
|
||
|
icmp_unreachable
boolean
|
Send 'ICMP Unreachable'.
|
||
|
log_end
boolean
|
Whether to log at session end.
|
||
|
log_setting
string
|
Log forwarding profile.
|
||
|
log_start
boolean
|
Whether to log at session start.
|
||
|
negate_destination
boolean
|
Match on the reverse of the 'destination_ip' attribute
|
||
|
negate_source
boolean
|
Match on the reverse of the 'source_ip' attribute
|
||
|
rule_name
string
|
Name of the security rule.
|
||
|
rule_type
string
|
Type of security rule (version 6.1 of PanOS and above).
|
||
|
schedule
string
|
Schedule in which this rule is active.
|
||
|
service
list
|
List of services and/or service groups.
|
||
|
source_ip
list
|
List of source addresses.
|
||
|
source_user
list
|
List of source users.
|
||
|
source_zone
list
|
List of source zones.
|
||
|
spyware
string
|
Name of the already defined spyware profile.
|
||
|
tag_name
list
|
List of tags associated with the rule.
|
||
|
url_filtering
string
|
Name of the already defined url_filtering profile.
|
||
|
vulnerability
string
|
Name of the already defined vulnerability profile.
|
||
|
wildfire_analysis
string
|
Name of the already defined wildfire_analysis profile.
|
||
|
rules
list
|
When rule_name is not specified and all_details is False |
List of security rules present
Sample:
['rule1', 'rule2', 'rule3']
|
|
|
spec
complex
|
When rule_name is specified |
The security rule definition
|
|
|
action
string
|
The rule action.
|
||
|
antivirus
string
|
Name of the already defined antivirus profile.
|
||
|
application
list
|
List of applications, application groups, and/or application filters.
|
||
|
category
list
|
List of destination URL categories.
|
||
|
data_filtering
string
|
Name of the already defined data_filtering profile.
|
||
|
description
string
|
Description of the security rule.
|
||
|
destination_ip
list
|
List of destination addresses.
|
||
|
destination_zone
list
|
List of destination zones.
|
||
|
disable_server_response_inspection
boolean
|
Disables packet inspection from the server to the client.
|
||
|
disabled
boolean
|
Disable this rule.
|
||
|
file_blocking
string
|
Name of the already defined file_blocking profile.
|
||
|
group_profile
string
|
Security profile group setting.
|
||
|
hip_profiles
list
|
GlobalProtect host information profile list.
|
||
|
icmp_unreachable
boolean
|
Send 'ICMP Unreachable'.
|
||
|
log_end
boolean
|
Whether to log at session end.
|
||
|
log_setting
string
|
Log forwarding profile.
|
||
|
log_start
boolean
|
Whether to log at session start.
|
||
|
negate_destination
boolean
|
Match on the reverse of the 'destination_ip' attribute
|
||
|
negate_source
boolean
|
Match on the reverse of the 'source_ip' attribute
|
||
|
rule_name
string
|
Name of the security rule.
|
||
|
rule_type
string
|
Type of security rule (version 6.1 of PanOS and above).
|
||
|
schedule
string
|
Schedule in which this rule is active.
|
||
|
service
list
|
List of services and/or service groups.
|
||
|
source_ip
list
|
List of source addresses.
|
||
|
source_user
list
|
List of source users.
|
||
|
source_zone
list
|
List of source zones.
|
||
|
spyware
string
|
Name of the already defined spyware profile.
|
||
|
tag_name
list
|
List of tags associated with the rule.
|
||
|
url_filtering
string
|
Name of the already defined url_filtering profile.
|
||
|
vulnerability
string
|
Name of the already defined vulnerability profile.
|
||
|
wildfire_analysis
string
|
Name of the already defined wildfire_analysis profile.
|
||
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.