panos_match_rule - Test for match against a security rule on PAN-OS devices or Panorama management console.

New in version 2.5.

Synopsis

  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

  • api_key: API key that can be used instead of username/password credentials.
  • application: The application.
  • category: URL category.
  • destination_ip: The destination IP address.
  • destination_port: The destination port.
  • destination_zone: The destination zone.
  • ip_address (required): IP address (or hostname) of the PAN-OS device being configured.
  • password (required): Password credentials to use for auth unless api_key is set.
  • protocol: The IP protocol number from 1 to 255.
  • rule_type (default: security): Type of rule. Valid types are security or nat.
  • source_ip (required): The source IP address.
  • source_port: The source port.
  • source_user: The source user or group.
  • source_zone: The source zone.
  • to_interface: The inbound interface in a NAT rule.
  • username (default: admin): Username credentials to use for auth unless api_key is set.
  • vsys_id (required, default: vsys1): ID of the VSYS object.

Notes

Note

  • Check mode is not supported.
  • Panorama is NOT supported.

Examples

- name: check security rules for Google DNS
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'security'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check NAT rules for source NAT
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check NAT rules for inbound web
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    vsys_id: 'vsys4'
    rule_type: 'security'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{result.stdout_lines}}'
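As an added illustration that is not part of the module or this page, the following Python reproduces offline the first-match lookup the module asks the firewall to perform: rules are evaluated top to bottom, the first match decides the action, and an unmatched flow falls to the implicit deny. The rulebase, zone names and flow field names are constructed assumptions; the DNS flow is the page's Google DNS example.

```python
import ipaddress
# Constructed sample rulebase (an assumption, not from the page). PAN-OS evaluates
# security rules top to bottom: the first match wins; unmatched traffic is denied.
RULES = [
    {"name": "allow-dns-out", "from": "Trust", "to": "Untrust",
     "source": ["10.0.0.0/8"], "destination": ["8.8.8.8", "8.8.4.4"],
     "application": ["dns"], "port": [53], "protocol": [17],
     "user": ["any"], "action": "allow"},
    {"name": "allow-admin-ssh", "from": "Untrust", "to": "DMZ",
     "source": ["any"], "destination": ["192.168.100.115"],
     "application": ["ssh"], "port": [22], "protocol": [6],
     "user": ["mydomain\\jsmith"], "action": "allow"},
    {"name": "deny-all", "from": "any", "to": "any", "source": ["any"],
     "destination": ["any"], "application": ["any"], "port": ["any"],
     "protocol": ["any"], "user": ["any"], "action": "deny"},
]

# The page's Google DNS flow, with zones added as an assumption.
DNS_FLOW = {"source_zone": "Trust", "destination_zone": "Untrust",
            "source_ip": "10.0.0.0", "destination_ip": "8.8.8.8",
            "protocol": 17, "destination_port": 53, "application": "dns"}

def _ip_in(addr, members):
    """True when addr falls inside any address/CIDR in members (or members is any)."""
    if "any" in members:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)

def _in(value, members):  # exact match honouring the 'any' wildcard on the rule side
    return "any" in members or value in members

def match_rule(flow, rules=RULES):
    """Return the first rule the flow matches, or None (implicit deny)."""
    for r in rules:
        if (_in(flow["source_zone"], [r["from"]])
                and _in(flow["destination_zone"], [r["to"]])
                and _ip_in(flow["source_ip"], r["source"])
                and _ip_in(flow["destination_ip"], r["destination"])
                and _in(flow["protocol"], r["protocol"])
                and _in(flow["destination_port"], r["port"])
                and _in(flow["application"], r["application"])
                and _in(flow.get("source_user", "any"), r["user"])):
            return r
    return None

def action_for(flow, rules=RULES):
    """(rule name, action) for the flow; the implicit deny when nothing matches."""
    rule = match_rule(flow, rules)
    return (rule["name"], rule["action"]) if rule else ("implicit-deny", "deny")
```

Evaluating a flow without its user (compare the page's second example) shows why a user-scoped rule does not match unauthenticated traffic, and dropping the final deny-all rule shows the implicit deny taking over.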

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Robert Hagen (@rnh556)