panos_object - create/read/update/delete object in PAN-OS or Panorama

New in version 2.4.

Synopsis

  • Policy objects form the match criteria for policy rules and many other functions in PAN-OS. These may include address objects, address groups, service objects, service groups, and tags.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

| Parameter | Choices/Defaults | Comments |
|---|---|---|
| address | | The IP address of the host or network in CIDR notation. |
| address_type | | The type of address object definition. Valid types are ip-netmask and ip-range. |
| addressgroup | | A static group of address objects or dynamic address group. |
| addressobject | | The name of the address object. |
| api_key | | API key that can be used instead of username/password credentials. |
| color | | The color of the tag object. Valid values are red, green, blue, yellow, copper, orange, purple, gray, light green, cyan, light gray, blue gray, lime, black, gold, and brown. |
| description | | The description of the object. |
| destination_port | | The destination port to be used in a service object definition. |
| devicegroup | | The name of the Panorama device group. The group must exist on Panorama. If device group is not defined it is assumed that we are contacting a firewall. |
| dynamic_value | | The filter match criteria to be used in a dynamic addressgroup definition. |
| ip_address (required) | | IP address (or hostname) of PAN-OS device or Panorama management console being configured. |
| operation (required) | | The operation to be performed. Supported values are add/delete/find. |
| password (required) | | Password credentials to use for authentication. |
| protocol | | The IP protocol to be used in a service object definition. Valid values are tcp or udp. |
| servicegroup | | A group of service objects. |
| serviceobject | | The name of the service object. |
| services | | The group of service objects used in a servicegroup definition. |
| source_port | | The source port to be used in a service object definition. |
| static_value | | A group of address objects to be used in an addressgroup definition. |
| tag_name | | The name of an object or rule tag. |
| username | Default: admin | Username credentials to use for authentication. |

Notes

  • Checkmode is not supported.
  • Panorama is supported.

Examples

- name: search for shared address object
  panos_object:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'find'
    addressobject: 'DevNet'

- name: create an address group in devicegroup using API key
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'add'
    addressgroup: 'Prod_DB_Svrs'
    static_value: ['prod-db1', 'prod-db2', 'prod-db3']
    description: 'Production DMZ database servers'
    tag_name: 'DMZ'
    devicegroup: 'DMZ Firewalls'

- name: create a global service for TCP 3306
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'add'
    serviceobject: 'mysql-3306'
    destination_port: '3306'
    protocol: 'tcp'
    description: 'MySQL on tcp/3306'

- name: create a global tag
  panos_object:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    tag_name: 'ProjectX'
    color: 'yellow'
    description: 'Associated with Project X'

- name: delete an address object from a devicegroup using API key
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    addressobject: 'Win2K test'
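
The examples above do not exercise address_type, dynamic_value, or servicegroup/services. The playbook below is an added example, not part of the original module documentation: it uses only parameters from the table, assumes dynamic_value takes a PAN-OS tag match expression, and loads credentials from a hypothetical ansible-vault file (vault.yml) so the API key never appears in the playbook. All object names and addresses are constructed.

```yaml
# Added example, not from the module's own documentation.
# vault.yml is a hypothetical ansible-vault encrypted file that defines
# ip_address and api_key; object names and addresses are constructed samples.
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault.yml

  tasks:
    - name: create an address object defined as an IP range
      panos_object:
        ip_address: '{{ ip_address }}'
        api_key: '{{ api_key }}'
        operation: 'add'
        addressobject: 'prod-db-range'
        address: '10.20.30.10-10.20.30.20'
        address_type: 'ip-range'
        description: 'Production DB hosts (constructed sample range)'

    - name: create a dynamic address group matching objects tagged DMZ and ProjectX
      panos_object:
        ip_address: '{{ ip_address }}'
        api_key: '{{ api_key }}'
        operation: 'add'
        addressgroup: 'DMZ_ProjectX_dynamic'
        # Assumption: the filter is a PAN-OS tag match expression.
        dynamic_value: "'DMZ' and 'ProjectX'"
        description: 'Membership follows tags instead of a static list'

    - name: create a service group from existing service objects
      panos_object:
        ip_address: '{{ ip_address }}'
        api_key: '{{ api_key }}'
        operation: 'add'
        servicegroup: 'db-services'
        # 'mysql-3306' is the service object created in the example above.
        services: ['mysql-3306']

    - name: confirm the address object exists
      panos_object:
        ip_address: '{{ ip_address }}'
        api_key: '{{ api_key }}'
        operation: 'find'
        addressobject: 'prod-db-range'
```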

Status

This module is flagged as preview, which means that it is not guaranteed to have a backwards-compatible interface.

Author

  • Bob Hagen (@rnh556)
