W3cubDocs

/Ansible

panos_security_policy - Create security rule policy on PanOS devices.

New in version 2.3.

DEPRECATED
Synopsis
Requirements (on host that executes module)
Options
Examples
Notes

DEPRECATED

In 2.4 use panos_security_rule instead.

Synopsis

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements (on host that executes module)

pan-python can be obtained from PyPi https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPi https://pypi.python.org/pypi/pandevice

Options

parameter	required	default	comments
action	no	allow	Action to apply once rules maches.
antivirus	no	None	Name of the already defined antivirus profile.
api_key	no		API key that can be used instead of username/password credentials.
application	no	any	List of applications.
commit	no	True	Commit configuration if changed.
data_filtering	no	None	Name of the already defined data_filtering profile.
description	no	None	Description for the security rule.
destination	no	any	List of destination addresses.
devicegroup	no	None	Device groups are used for the Panorama interaction with Firewall(s). The group must exists on Panorama. If device group is not define we assume that we are contacting Firewall.
file_blocking	no	None	Name of the already defined file_blocking profile.
from_zone	no	any	List of source zones.
group_profile	no	None	Security profile group that is already defined in the system. This property supersedes antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles	no	any	If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined HIP that notifies the firewall about the user's local configuration.
ip_address	yes		IP address (or hostname) of PAN-OS device being configured.
log_end	no	True	Whether to log at session end.
log_start	no		Whether to log at session start.
password	yes		Password credentials to use for auth unless api_key is set.
rule_name	yes		Name of the security rule.
rule_type	no	universal	Type of security rule (version 6.1 of PanOS and above).
service	no	application-default	List of services.
source	no	any	List of source addresses.
source_user	no	any	Use users to enforce policy for individual users or a group of users.
spyware	no	None	Name of the already defined spyware profile.
tag	no	None	Administrative tags that can be added to the rule. Note, tags must be already defined.
to_zone	no	any	List of destination zones.
url_filtering	no	None	Name of the already defined url_filtering profile.
username	no	admin	Username credentials to use for auth unless api_key is set.
vulnerability	no	None	Name of the already defined vulnerability profile.
wildfire_analysis	no	None	Name of the already defined wildfire_analysis profile.

Examples

- name: permit ssh to 1.1.1.1
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: Allow HTTP multimedia only from CDNs
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    hip_profiles: ['any']
    action: 'allow'
    commit: false

- name: more complex fictitious rule that uses profiles
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'Allow HTTP w profile'
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'default'
    vulnerability: 'default'
    spyware: 'default'
    url_filtering: 'default'
    wildfire_analysis: 'default'
    commit: false

- name: deny all
  panos_security_policy:
    ip_address: '10.5.172.91'
    username: 'admin'
    password: 'paloalto'
    rule_name: 'DenyAll'
    log_start: true
    log_end: true
    action: 'deny'
    rule_type: 'interzone'
    commit: false

# permit ssh to 1.1.1.1 using panorama and pushing the configuration to firewalls
# that are defined in 'DeviceGroupA' device group
- name: permit ssh to 1.1.1.1 through Panorama
  panos_security_policy:
    ip_address: '10.5.172.92'
    password: 'paloalto'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    from_zone: ['public']
    to_zone: ['private']
    source: ['any']
    source_user: ['any']
    destination: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    hip_profiles: ['any']
    action: 'allow'
    devicegroup: 'DeviceGroupA'

Notes

Note

Checkmode is not supported.
Panorama is supported

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2017 Michael DeHaan
© 2017 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/panos_security_policy_module.html