junipernetworks.junos.junos_security_policies_module.rst

File metadata and controls

7392 lines (7292 loc) · 320 KB

junipernetworks.junos.junos_security_policies

Create and manage security policies on Juniper JUNOS devices

Version added: 2.9.0

  • This module provides declarative creation and management of security policies on Juniper JUNOS devices

The below requirements are needed on the host that executes this module.

  • ncclient (>=v0.6.4)
  • xmltodict (>=0.12.0)
Parameter Choices/Defaults Comments
config
dictionary
A dictionary of security policies
from_zones
list / elements=dictionary
List of security zones from which the traffic originates
name
string
The name of the security zone from which the traffic originates
to_zones
list / elements=dictionary
List of destination security zones of the traffic
name
string
The name of the destination security zone of the traffic
policies
list / elements=dictionary
List of policies defined for the associated category
description
string
Description of the security policy
match
dictionary
Configure security policy match criteria
application
dictionary
Specify the IP or remote procedure call (RPC) application or set of applications to be used as match criteria
any
boolean
    Choices:
  • no
  • yes
Match any predefined or custom applications or application sets
names
list / elements=string
Name of the predefined or custom application or application set used as match criteria
destination_address
dictionary
Define the matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses
addresses
list / elements=string
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask)
any
boolean
    Choices:
  • no
  • yes
Any IPv4 or IPv6 address
any_ipv4
boolean
    Choices:
  • no
  • yes
Any IPv4 address
any_ipv6
boolean
    Choices:
  • no
  • yes
Any IPv6 address
destination_address_excluded
boolean
    Choices:
  • no
  • yes
Exclude destination addresses
dynamic_application
dictionary
Specify the dynamic applications or dynamic application groups used as match criteria within a security policy
any
boolean
    Choices:
  • no
  • yes
Configuring the dynamic application as any installs the policy with the application as a wildcard (default)
names
list / elements=string
Specify dynamic applications or dynamic application groups
none
boolean
    Choices:
  • no
  • yes
Configuring the dynamic application as none ignores classification results from AppID and does not use the dynamic application in security policy lookups
from_zone
dictionary
Identify a single source zone or multiple source zones to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Match any zone
junos_host
boolean
    Choices:
  • no
  • yes
junos-host
names
list / elements=string
Name of one or more source zones
source_address
dictionary
Define the matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses
addresses
list / elements=string
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask)
any
boolean
    Choices:
  • no
  • yes
Any IPv4 or IPv6 address
any_ipv4
boolean
    Choices:
  • no
  • yes
Any IPv4 address
any_ipv6
boolean
    Choices:
  • no
  • yes
Any IPv6 address
source_address_excluded
boolean
    Choices:
  • no
  • yes
Exclude source addresses
source_end_user_profile
string
Source end user profile name
source_identity
dictionary
Identifies users and roles to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Any user or role, as well as the keywords authenticated_user, unauthenticated_user, and unknown_user
authenticated_user
boolean
    Choices:
  • no
  • yes
All users and roles that have been authenticated
names
list / elements=string
A list of specific users and roles
unauthenticated_user
boolean
    Choices:
  • no
  • yes
Any user or role that does not have an IP address mapped to authentication sources while the authentication source is up and running
unknown_user
boolean
    Choices:
  • no
  • yes
Any user or role that does not have an IP address mapped to authentication sources, because the authentication source is disconnected from the SRX Series device
to_zone
dictionary
Identify a single destination zone or multiple destination zones to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Match any zone
junos_host
boolean
    Choices:
  • no
  • yes
junos-host
names
list / elements=string
Name of one or more destination zones
url_category
dictionary
URL category
any
boolean
    Choices:
  • no
  • yes
Apply to any URL category
names
list / elements=string
Names of the URL categories to match
none
boolean
    Choices:
  • no
  • yes
Do not apply to any URL category
name
string
Name of the policy
scheduler_name
string
Name of the scheduler to run this policy
then
dictionary
Specify the policy action to be performed when packets match the defined criteria
count
boolean
    Choices:
  • no
  • yes
Enable a count, in bytes or kilobytes, of all network traffic the policy allows to pass through the device in both directions; the originating traffic from the client to the server (from the from_zone to the to_zone), and the return traffic from the server to the originating client
deny
boolean
    Choices:
  • no
  • yes
Block the service at the firewall. The device drops the packets
log
dictionary
Log traffic information for a specific policy. Traffic information is logged when a session begins (session_init) or closes (session_close)
session_close
boolean
    Choices:
  • no
  • yes
Enable logging on session close time
session_init
boolean
    Choices:
  • no
  • yes
Enable logging on session initialization time
permit
dictionary
Block the service at the firewall The device drops the packets
application_services
dictionary
Enable application services within a security policy
advanced_anti_malware_policy
string
Specify advanced_anti_malware policy name
application_firewalls
list / elements=dictionary
Specify the rule sets configured as part of application firewall to be applied to the permitted traffic
rule_set
string
Name of the rule set to use
application_traffic_control_rule_set
string
Specify the rule set configured as part of AppQoS (application-aware quality of service) to be applied to the permitted traffic
gprs_gtp_profile
string
Specify GPRS tunneling protocol profile name
gprs_sctp_profile
string
Specify GPRS stream control protocol profile name
icap_redirect
string
Specify icap redirect profile name
idp
boolean
    Choices:
  • no
  • yes
Intrusion Detection and Prevention (IDP)
idp_policy
string
Specify IDP policy name
packet_capture
boolean
    Choices:
  • no
  • yes
Option to enable or disable packet capture
redirect_wx
boolean
    Choices:
  • no
  • yes
Specify the WX redirection needed for the packets that arrive from the LAN
reverse_redirect_wx
boolean
    Choices:
  • no
  • yes
Specify the WX redirection needed for the reverse flow of the packets that arrive from the WAN
security_intelligence
dictionary
Specify the security intelligence feed post action
add_destination_identity_to_feed
string
Add destination user identity to the security feed
add_destination_ip_to_feed
string
Add the destination IP address to the security feed
add_source_identity_to_feed
string
Add source user identity to the security feed
add_source_ip_to_feed
string
Add the source IP address to the security feed
security_intelligence_policy
string
Specify security_intelligence policy name
ssl_proxy
dictionary
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action
enable
boolean
    Choices:
  • no
  • yes
Enable SSL proxy
profile_name
string
Name of SSL proxy profile
uac_policy
dictionary
Enable Unified Access Control (UAC) for the security policy
captive_portal
string
Specify the preconfigured security policy for captive portal on the Junos OS Enforcer to enable the captive portal feature
enable
boolean
    Choices:
  • no
  • yes
Enable Unified Access Control (UAC)
utm_policy
string
Specify UTM policy name
destination_address
string
    Choices:
  • drop-translated
  • drop-untranslated
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated
firewall_authentication
dictionary
Configure firewall authentication methods
pass_through
dictionary
Configure pass-through firewall user authentication
access_profile
string
Specify the name of the access profile
auth_only_browser
boolean
    Choices:
  • no
  • yes
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic
auth_user_agent
string
Specify a user-agent value to be used to verify that the user's browser traffic is HTTP/HTTPS traffic
client_match
string
Specify the name of the users or user groups in a profile who are allowed access by this policy
ssl_termination_profile
string
Specify the SSL termination profile used for SSL offloading
web_redirect
boolean
    Choices:
  • no
  • yes
Enable redirecting an HTTP request to the device and redirecting the client system to a webpage for authentication
web_redirect_to_https
boolean
    Choices:
  • no
  • yes
Redirect unauthenticated HTTP requests to the internal HTTPS Web server of the device
push_to_identity_management
boolean
    Choices:
  • no
  • yes
Enables pushing to identity management devices
user_firewall
dictionary
Configure user role firewall authentication, and map the source IP address to the username and its associated roles (groups)
access_profile
string
Specify the name of the access profile to be used for authentication
auth_only_browser
boolean
    Choices:
  • no
  • yes
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic
auth_user_agent
string
Specify a user-agent value to be used to verify that the user's browser traffic is HTTP/HTTPS traffic
domain
string
Specify the name of the domain where firewall authentication occurs in the event that the Windows Management Instrumentation client (WMIC) is not available to get the IP-to-user mapping for the integrated user firewall feature
ssl_termination_profile
string
For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading
web_redirect
boolean
    Choices:
  • no
  • yes
Enable webpage redirection
web_redirect_to_https
boolean
    Choices:
  • no
  • yes
Enable redirection to HTTPS
web_authentication
list / elements=string
Specify that the policy allows access to users or user groups who have previously been authenticated by Web authentication
tcp_options
dictionary
Specify the TCP options for each policy. You can configure SYN and sequence checks for each policy based on your requirements, and, because each policy has two directions, you can configure a TCP MSS value for both directions or for just one direction
initial_tcp_mss
integer
Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and for which a session is created
reverse_tcp_mss
integer
Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session
sequence_check_required
boolean
    Choices:
  • no
  • yes
Enable sequence check per policy. The sequence_check_required value overrides the global value no_sequence_check
syn_check_required
boolean
    Choices:
  • no
  • yes
Enable SYN check per policy. The syn_check_required value overrides the global value no_syn_check
window_scale
boolean
    Choices:
  • no
  • yes
Enable window_scale per policy
tunnel
dictionary
Encapsulate outgoing IP packets and decapsulate incoming IP packets
ipsec_vpn
string
Name of the IPsec policy
pair_policy
string
Name of the pair policy
reject
dictionary
Block the service at the firewall. The device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic
enable
boolean
    Choices:
  • no
  • yes
Enable rejection of packets based on match criteria
profile
string
You can choose to provide a notification to the clients or redirect the client request to an informative Web page when a policy blocks HTTP or HTTPS traffic with a deny or reject action
ssl_proxy
dictionary
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action. When you apply an SSL proxy profile, SSL proxy decrypts the traffic and the application identification functionality identifies the application
enable
boolean
    Choices:
  • no
  • yes
Enable SSL proxy
profile_name
string
Name of SSL proxy profile
global
dictionary
List of global security policies
policies
list / elements=dictionary
List of policies defined for the associated category
description
string
Description of the security policy
match
dictionary
Configure security policy match criteria
application
dictionary
Specify the IP or remote procedure call (RPC) application or set of applications to be used as match criteria
any
boolean
    Choices:
  • no
  • yes
Match any predefined or custom applications or application sets
names
list / elements=string
Name of the predefined or custom application or application set used as match criteria
destination_address
dictionary
Define the matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses
addresses
list / elements=string
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask)
any
boolean
    Choices:
  • no
  • yes
Any IPv4 or IPv6 address
any_ipv4
boolean
    Choices:
  • no
  • yes
Any IPv4 address
any_ipv6
boolean
    Choices:
  • no
  • yes
Any IPv6 address
destination_address_excluded
boolean
    Choices:
  • no
  • yes
Exclude destination addresses
dynamic_application
dictionary
Specify the dynamic applications or dynamic application groups used as match criteria within a security policy
any
boolean
    Choices:
  • no
  • yes
Configuring the dynamic application as any installs the policy with the application as a wildcard (default)
names
list / elements=string
Specify dynamic applications or dynamic application groups
none
boolean
    Choices:
  • no
  • yes
Configuring the dynamic application as none ignores classification results from AppID and does not use the dynamic application in security policy lookups
from_zone
dictionary
Identify a single source zone or multiple source zones to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Match any zone
junos_host
boolean
    Choices:
  • no
  • yes
junos-host
names
list / elements=string
Name of one or more source zones
source_address
dictionary
Define the matching criteria. You can specify one or more IP addresses, address sets, or wildcard addresses
addresses
list / elements=string
IP address, IP address set, or address book entry, or wildcard address (represented as ABCD/wildcard_mask)
any
boolean
    Choices:
  • no
  • yes
Any IPv4 or IPv6 address
any_ipv4
boolean
    Choices:
  • no
  • yes
Any IPv4 address
any_ipv6
boolean
    Choices:
  • no
  • yes
Any IPv6 address
source_address_excluded
boolean
    Choices:
  • no
  • yes
Exclude source addresses
source_end_user_profile
string
Source end user profile name
source_identity
dictionary
Identifies users and roles to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Any user or role, as well as the keywords authenticated_user, unauthenticated_user, and unknown_user
authenticated_user
boolean
    Choices:
  • no
  • yes
All users and roles that have been authenticated
names
list / elements=string
A list of specific users and roles
unauthenticated_user
boolean
    Choices:
  • no
  • yes
Any user or role that does not have an IP address mapped to authentication sources while the authentication source is up and running
unknown_user
boolean
    Choices:
  • no
  • yes
Any user or role that does not have an IP address mapped to authentication sources, because the authentication source is disconnected from the SRX Series device
to_zone
dictionary
Identify a single destination zone or multiple destination zones to be used as match criteria for a policy
any
boolean
    Choices:
  • no
  • yes
Match any zone
junos_host
boolean
    Choices:
  • no
  • yes
junos-host
names
list / elements=string
Name of one or more destination zones
url_category
dictionary
URL category
any
boolean
    Choices:
  • no
  • yes
Apply to any URL category
names
list / elements=string
Names of the URL categories to match
none
boolean
    Choices:
  • no
  • yes
Do not apply to any URL category
name
string
Name of the policy
scheduler_name
string
Name of the scheduler to run this policy
then
dictionary
Specify the policy action to be performed when packets match the defined criteria
count
boolean
    Choices:
  • no
  • yes
Enable a count, in bytes or kilobytes, of all network traffic the policy allows to pass through the device in both directions; the originating traffic from the client to the server (from the from_zone to the to_zone), and the return traffic from the server to the originating client
deny
boolean
    Choices:
  • no
  • yes
Block the service at the firewall. The device drops the packets
log
dictionary
Log traffic information for a specific policy. Traffic information is logged when a session begins (session_init) or closes (session_close)
session_close
boolean
    Choices:
  • no
  • yes
Enable logging on session close time
session_init
boolean
    Choices:
  • no
  • yes
Enable logging on session initialization time
permit
dictionary
Block the service at the firewall The device drops the packets
application_services
dictionary
Enable application services within a security policy
advanced_anti_malware_policy
string
Specify advanced_anti_malware policy name
application_firewalls
list / elements=dictionary
Specify the rule sets configured as part of application firewall to be applied to the permitted traffic
rule_set
string
Name of the rule set to use
application_traffic_control_rule_set
string
Specify the rule set configured as part of AppQoS (application-aware quality of service) to be applied to the permitted traffic
gprs_gtp_profile
string
Specify GPRS tunneling protocol profile name
gprs_sctp_profile
string
Specify GPRS stream control protocol profile name
icap_redirect
string
Specify icap redirect profile name
idp
boolean
    Choices:
  • no
  • yes
Intrusion Detection and Prevention (IDP)
idp_policy
string
Specify IDP policy name
packet_capture
boolean
    Choices:
  • no
  • yes
Option to enable or disable packet capture
redirect_wx
boolean
    Choices:
  • no
  • yes
Specify the WX redirection needed for the packets that arrive from the LAN
reverse_redirect_wx
boolean
    Choices:
  • no
  • yes
Specify the WX redirection needed for the reverse flow of the packets that arrive from the WAN
security_intelligence
dictionary
Specify the security intelligence feed post action
add_destination_identity_to_feed
string
Add destination user identity to the security feed
add_destination_ip_to_feed
string
Add the destination IP address to the security feed
add_source_identity_to_feed
string
Add source user identity to the security feed
add_source_ip_to_feed
string
Add the source IP address to the security feed
security_intelligence_policy
string
Specify security_intelligence policy name
ssl_proxy
dictionary
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action
enable
boolean
    Choices:
  • no
  • yes
Enable SSL proxy
profile_name
string
Name of SSL proxy profile
uac_policy
dictionary
Enable Unified Access Control (UAC) for the security policy
captive_portal
string
Specify the preconfigured security policy for captive portal on the Junos OS Enforcer to enable the captive portal feature
enable
boolean
    Choices:
  • no
  • yes
Enable Unified Access Control (UAC)
utm_policy
string
Specify UTM policy name
destination_address
string
    Choices:
  • drop-translated
  • drop-untranslated
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated
firewall_authentication
dictionary
Configure firewall authentication methods
pass_through
dictionary
Configure pass-through firewall user authentication
access_profile
string
Specify the name of the access profile
auth_only_browser
boolean
    Choices:
  • no
  • yes
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic
auth_user_agent
string
Specify a user-agent value to be used to verify that the user's browser traffic is HTTP/HTTPS traffic
client_match
string
Specify the name of the users or user groups in a profile who are allowed access by this policy
ssl_termination_profile
string
Specify the SSL termination profile used for SSL offloading
web_redirect
boolean
    Choices:
  • no
  • yes
Enable redirecting an HTTP request to the device and redirecting the client system to a webpage for authentication
web_redirect_to_https
boolean
    Choices:
  • no
  • yes
Redirect unauthenticated HTTP requests to the internal HTTPS Web server of the device
push_to_identity_management
boolean
    Choices:
  • no
  • yes
Enables pushing to identity management devices
user_firewall
dictionary
Configure user role firewall authentication, and map the source IP address to the username and its associated roles (groups)
access_profile
string
Specify the name of the access profile to be used for authentication
auth_only_browser
boolean
    Choices:
  • no
  • yes
Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic
auth_user_agent
string
Specify a user-agent value to be used to verify that the user's browser traffic is HTTP/HTTPS traffic
domain
string
Specify the name of the domain where firewall authentication occurs in the event that the Windows Management Instrumentation client (WMIC) is not available to get the IP-to-user mapping for the integrated user firewall feature
ssl_termination_profile
string
For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading
web_redirect
boolean
    Choices:
  • no
  • yes
Enable webpage redirection
web_redirect_to_https
boolean
    Choices:
  • no
  • yes
Enable redirection to HTTPS
web_authentication
list / elements=string
Specify that the policy allows access to users or user groups who have previously been authenticated by Web authentication
tcp_options
dictionary
Specify the TCP options for each policy. You can configure SYN and sequence checks for each policy based on your requirements, and, because each policy has two directions, you can configure a TCP MSS value for both directions or for just one direction
initial_tcp_mss
integer
Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and for which a session is created
reverse_tcp_mss
integer
Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of a session
sequence_check_required
boolean
    Choices:
  • no
  • yes
Enable sequence check per policy. The sequence_check_required value overrides the global value no_sequence_check
syn_check_required
boolean
    Choices:
  • no
  • yes
Enable SYN check per policy. The syn_check_required value overrides the global value no_syn_check
window_scale
boolean
    Choices:
  • no
  • yes
Enable window_scale per policy
tunnel
dictionary
Encapsulate outgoing IP packets and decapsulate incoming IP packets
ipsec_vpn
string
Name of the IPsec policy
pair_policy
string
Name of the pair policy
reject
dictionary
Block the service at the firewall. The device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic
enable
boolean
    Choices:
  • no
  • yes
Enable rejection of packets based on match criteria
profile
string
You can choose to provide a notification to the clients or redirect the client request to an informative Web page when a policy blocks HTTP or HTTPS traffic with a deny or reject action
ssl_proxy
dictionary
You can apply a redirect SSL proxy profile when a policy blocks HTTPS traffic with a reject action. When you apply an SSL proxy profile, SSL proxy decrypts the traffic and the application identification functionality identifies the application
enable
boolean
    Choices:
  • no
  • yes
Enable SSL proxy
profile_name
string
Name of SSL proxy profile
running_config
string
This option is used only with state parsed
The value of this option should be the output received from the JunOS device by executing the command show configuration security policies
The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result
state
string
    Choices:
  • merged ←
  • replaced
  • overridden
  • deleted
  • rendered
  • gathered
  • parsed
The state the configuration should be left in
The states rendered, gathered and parsed do not perform any change on the device
The state rendered will transform the configuration in the config option into platform-specific CLI commands, which will be returned in the rendered key within the result. For state rendered, an active connection to the remote host is not required
The state replaced will replace the running configuration with the provided configuration
The state replaced and state overridden have the same behaviour
The state gathered will fetch the running configuration from the device and transform it into structured data in the format of the resource module argspec; the value is returned in the gathered key within the result
The state parsed reads the configuration from the running_config option and transforms it into JSON format as per the resource module parameters; the value is returned in the parsed key within the result. The value of the running_config option should be in the same format as the output of the command show security policies detail executed on the device. For state parsed, an active connection to the remote host is not required
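The config option above is a nested structure (from_zones → to_zones → policies, plus global policies), and each policy's match and then sub-dictionaries decide what traffic is selected and whether it is permitted, denied or rejected. Before pushing such a structure with state merged or replaced, it is worth walking it once and flagging the combinations a firewall reviewer cares about: a permit whose source, destination and application all match "any", and a deny or reject with no session logging. The following is an added example, not code from this module or collection. It walks a config dict in the shape of the argspec above; the sample data mirrors the "Using merged" example further down (trimmed to the fields the checks read) plus one constructed policy, and the rule that a policy carries exactly one of permit/deny/reject is an assumption about Junos, not something stated on this page.

```python
# Constructed sample in the shape of this module's `config` option. The first
# four policies follow the page's "Using merged" example; "constructed_open"
# is added here only to exercise the permissive-permit check.
SAMPLE_CONFIG = {
    "from_zones": [
        {"name": "one", "to_zones": [
            {"name": "two", "policies": [
                {"name": "test_policy_1",
                 "match": {"application": {"names": ["junos-dhcp-relay", "junos-finger"]},
                           "source_address": {"addresses": ["a1", "a3"]},
                           "destination_address": {"addresses": ["a2", "a4"]}},
                 "then": {"count": True, "deny": True, "log": "session-close"}},
                {"name": "test_policy_2",
                 "match": {"application": {"any": True},
                           "source_address": {"addresses": ["a1"]},
                           "destination_address": {"any_ipv6": True}},
                 "then": {"reject": {"enable": True, "profile": "test_dyn_app"}}},
            ]},
            {"name": "three", "policies": [
                {"name": "test_policy_3",
                 "match": {"application": {"any": True},
                           "source_address": {"addresses": ["a1"]},
                           "destination_address": {"addresses": ["a2"]}},
                 "then": {"permit": {"tcp_options": {"initial_tcp_mss": 64}}}},
                {"name": "constructed_open",   # constructed, not on the page
                 "match": {"application": {"any": True},
                           "source_address": {"any": True},
                           "destination_address": {"any": True}},
                 "then": {"permit": {}}},
            ]},
        ]},
    ],
    "global": {"policies": [
        {"name": "test_glob_1",
         "match": {"application": {"any": True},
                   "source_address": {"any_ipv6": True},
                   "destination_address": {"any_ipv6": True}},
         "then": {"deny": True}},
    ]},
}

ANY_KEYS = ("any", "any_ipv4", "any_ipv6")


def iter_policies(config):
    """Yield (scope, policy) for every policy: zone-pair policies first, then global."""
    for src in config.get("from_zones", []):
        for dst in src.get("to_zones", []):
            for policy in dst.get("policies", []):
                yield "%s->%s" % (src["name"], dst["name"]), policy
    for policy in config.get("global", {}).get("policies", []):
        yield "global", policy


def _matches_any(section):
    """True when a match sub-dict selects everything via any / any_ipv4 / any_ipv6."""
    return any(section.get(key) for key in ANY_KEYS)


def _has_session_log(then):
    """True when the then block logs on session_init or session_close."""
    log = then.get("log")
    if isinstance(log, dict):       # argspec form: log: {session_init: true, ...}
        return bool(log.get("session_init") or log.get("session_close"))
    return bool(log)                # the page's example passes the string 'session-close'


def audit_policies(config):
    """Return (scope, policy_name, finding) tuples for policies that need review."""
    findings = []
    for scope, policy in iter_policies(config):
        match, then = policy.get("match", {}), policy.get("then", {})
        name = policy.get("name")
        actions = [a for a in ("permit", "deny", "reject") if a in then]
        if len(actions) != 1:
            # assumption: a Junos policy carries exactly one of permit/deny/reject
            findings.append((scope, name, "expected exactly one action, got %r" % actions))
        wide_open = all(_matches_any(match.get(key, {}))
                        for key in ("source_address", "destination_address", "application"))
        if "permit" in then and wide_open:
            findings.append((scope, name, "permit-any-any-any"))
        if ("deny" in then or "reject" in then) and not _has_session_log(then):
            findings.append((scope, name, "block-without-session-log"))
    return findings


if __name__ == "__main__":
    for scope, name, finding in audit_policies(SAMPLE_CONFIG):
        print("%-12s %-18s %s" % (scope, name, finding))
```

Run this against the dict you are about to hand to the module (or against the gathered result) and treat every finding as a question for the policy owner; the checks are deliberately conservative, so a clean run says only that none of these three patterns is present.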

Note

  • This module requires the netconf system service be enabled on the device being managed
  • This module works with connection netconf
  • See the Junos OS Platform Options
  • Tested against JunOS v18.4R1
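The "Before state" in the example below is the operational `show security policies` display, which lists the default policy, then each policy with its zones, addresses, applications and action. Turning that display into the same from_zones / global layout the module's config option uses makes it easy to diff what is on the box against what a playbook is about to merge. The following parser is an added example and is not part of this collection (the module's own parsed state consumes `show configuration security policies` output, not this display). The sample text reuses the page's global policy verbatim; the "From zone: one, To zone: two" section and its Index value are constructed, and that header line is the layout Junos uses for zone-pair policies, which the page itself does not show.

```python
import re

# Constructed sample: the "Global policies" block is copied from this page's
# "Before state"; the zone-pair section above it is added here (its header
# layout is an assumption, the page only shows a global policy).
SAMPLE_SHOW_OUTPUT = """\
Default policy: deny-all
Pre ID default policy: permit-all
From zone: one, To zone: two
  Policy: test_policy_2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: a1, a3
    Destination addresses: any-ipv6
    Applications: any
    Action: reject
Global policies:
Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
  From zones: any
    To zones: any
    Source addresses: any-ipv4
    Destination addresses: any-ipv4
    Applications: any
    Action: deny
"""

POLICY_RE = re.compile(r"^Policy: (?P<name>[^,]+), State: (?P<state>\w+), Index: (?P<index>\d+)")
ZONE_PAIR_RE = re.compile(r"^From zone: (?P<src>[^,]+), To zone: (?P<dst>\S+)$")
ADDRESS_KEYWORDS = {"any": "any", "any-ipv4": "any_ipv4", "any-ipv6": "any_ipv6"}
ACTIONS = {"permit": {"permit": {}}, "deny": {"deny": True}, "reject": {"reject": {"enable": True}}}


def _address(value):
    """Displayed address list -> the module's source/destination_address dict."""
    if value in ADDRESS_KEYWORDS:
        return {ADDRESS_KEYWORDS[value]: True}
    return {"addresses": value.split(", ")}


def _names_or_any(value):
    """Zones and applications: 'any' -> any: true, otherwise a names list."""
    return {"any": True} if value == "any" else {"names": value.split(", ")}


def _then(value):
    """Displayed Action (e.g. 'deny' or 'permit, count') -> the module's then dict."""
    tokens = value.split(", ")
    if tokens[0] not in ACTIONS:
        raise ValueError("unknown action %r" % tokens[0])
    then = dict(ACTIONS[tokens[0]])
    if "count" in tokens[1:]:
        then["count"] = True
    return then


def _zone_pair_policies(config, src, dst):
    """Return (creating if needed) the policies list for a from_zone/to_zone pair."""
    from_zone = next((z for z in config["from_zones"] if z["name"] == src), None)
    if from_zone is None:
        from_zone = {"name": src, "to_zones": []}
        config["from_zones"].append(from_zone)
    to_zone = next((z for z in from_zone["to_zones"] if z["name"] == dst), None)
    if to_zone is None:
        to_zone = {"name": dst, "policies": []}
        from_zone["to_zones"].append(to_zone)
    return to_zone["policies"]


FIELD_MAP = {
    "Source addresses": ("source_address", _address),
    "Destination addresses": ("destination_address", _address),
    "Applications": ("application", _names_or_any),
    "From zones": ("from_zone", _names_or_any),
    "To zones": ("to_zone", _names_or_any),
}


def parse_show_security_policies(text):
    """Parse 'show security policies' display output into the module's config shape.

    Returns (defaults, config): defaults holds the two default-policy lines,
    config has the from_zones / global layout of this module's config option.
    """
    defaults, config = {}, {"from_zones": [], "global": {"policies": []}}
    bucket = None    # policies list the next "Policy:" line belongs to
    policy = None    # policy dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Default policy: "):
            defaults["default_policy"] = line.split(": ", 1)[1]
        elif line.startswith("Pre ID default policy: "):
            defaults["pre_id_default_policy"] = line.split(": ", 1)[1]
        elif line == "Global policies:":
            bucket = config["global"]["policies"]
        elif ZONE_PAIR_RE.match(line):
            pair = ZONE_PAIR_RE.match(line)
            bucket = _zone_pair_policies(config, pair["src"], pair["dst"])
        elif POLICY_RE.match(line):
            if bucket is None:
                raise ValueError("Policy line before any zone-pair or global header")
            policy = {"name": POLICY_RE.match(line)["name"], "match": {}}
            bucket.append(policy)
        elif policy is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key in FIELD_MAP:
                target, convert = FIELD_MAP[key]
                policy["match"][target] = convert(value)
            elif key == "Action":
                policy["then"] = _then(value)
    return defaults, config
```

The parser is indentation-insensitive on purpose: the global block on this page indents its fields differently from a zone-pair block, so it keys on the header lines ("From zone: … , To zone: …" and "Global policies:") to decide where a policy belongs.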
# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
#   From zones: any
#     To zones: any
#     Source addresses: any-ipv4
#     Destination addresses: any-ipv4
#     Applications: any
#     Action: deny
#
# vagrant@vsrx> show security zones
#
# Security zone: one
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/0.0
#
# Security zone: three
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/2.0
#
# Security zone: two
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/1.0
#
# Security zone: junos-host
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 0
# Interfaces:
#
- junipernetworks.junos.junos_security_policies:
    config:
      from_zones:
        - name: one
          to_zones:
            - name: two
              policies:
                - match:
                    application:
                      names:
                        - junos-dhcp-relay
                        - junos-finger
                    destination_address:
                      addresses:
                        - a2
                        - a4
                    destination_address_excluded: true
                    dynamic_application:
                      names:
                        - any
                    source_address:
                      addresses:
                        - a1
                        - a3
                    source_address_excluded: true
                    source_end_user_profile: test_end_user_profile
                    source_identity:
                      unknown_user: true
                    url_category:
                      names:
                        - Enhanced_Web_Chat
                  name: test_policy_1
                  then:
                    count: true
                    deny: true
                    log: session-close
                - match:
                    application:
                      any: true
                    destination_address:
                      any_ipv6: true
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_2
                  then:
                    reject:
                      enable: true
                      profile: test_dyn_app
                      ssl_proxy:
                        enable: true
                        profile_name: SECURITY-SSL-PROXY
            - name: three
              policies:
                - match:
                    application:
                      any: true
                    destination_address:
                      addresses:
                        - a2
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_3
                  then:
                    permit:
                      application_services:
                        application_traffic_control_rule_set: test_traffic_control
                        gprs_gtp_profile: gtp1
                        icap_redirect: test_icap
                        reverse_redirect_wx: 'True'
                        uac_policy:
                          enable: true
                      firewall_authentication:
                        push_to_identity_management: true
                        web_authentication:
                          - FWClient1
                      tcp_options:
                        initial_tcp_mss: 64
                        window_scale: true
      global:
        policies:
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_1
            then:
              deny: true
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_2
            then:
              deny: true
    state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
#   "after": {
#     "from_zones": [
#       {
#         "name": "one",
#         "to_zones": [
#           {
#             "name": "two",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "names": [
#                       "junos-dhcp-relay",
#                       "junos-finger"
#                     ]
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2",
#                       "a4"
#                     ]
#                   },
#                   "destination_address_excluded": true,
#                   "dynamic_application": {
#                     "names": [
#                       "any"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1",
#                       "a3"
#                     ]
#                   },
#                   "source_address_excluded": true,
#                   "source_end_user_profile": "test_end_user_profile",
#                   "source_identity": {
#                     "unknown_user": true
#                   },
#                   "url_category": {
#                     "names": [
#                       "Enhanced_Web_Chat"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_1",
#                 "then": {
#                   "count": true,
#                   "deny": true,
#                   "log": "session-close"
#                 }
#               },
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "any_ipv6": true
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_2",
#                 "then": {
#                   "reject": {
#                     "enable": true,
#                     "profile": "test_dyn_app",
#                     "ssl_proxy": {
#                       "enable": true,
#                       "profile_name": "SECURITY-SSL-PROXY"
#                     }
#                   }
#                 }
#               }
#             ]
#           },
#           {
#             "name": "three",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_3",
#                 "then": {
#                   "permit": {
#                     "application_services": {
#                       "application_traffic_control_rule_set": "test_traffic_control",
#                       "gprs_gtp_profile": "gtp1",
#                       "icap_redirect": "test_icap",
#                       "reverse_redirect_wx": "True",
#                       "uac_policy": {
#                         "enable": true
#                       }
#                     },
#                     "firewall_authentication": {
#                       "push_to_identity_management": true,
#                       "web_authentication": [
#                         "FWClient1"
#                       ]
#                     },
#                     "tcp_options": {
#                       "initial_tcp_mss": 64,
#                       "window_scale": true
#                     }
#                   }
#                 }
#               }
#             ]
#           }
#         ]
#       }
#     ],
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv4": true
#             },
#             "source_address": {
#               "any_ipv4": true
#             }
#           },
#           "name": "test_glob",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_1",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_2",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "before": {
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv4": true
#             },
#             "source_address": {
#               "any_ipv4": true
#             }
#           },
#           "name": "test_glob",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "changed": true,
#   "commands": "<nc:security
#                   xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#                   <nc:policies>
#                     <nc:policy>
#                       <nc:from-zone-name>one</nc:from-zone-name>
#                       <nc:to-zone-name>two</nc:to-zone-name>
#                       <nc:policy>
#                         <nc:name>test_policy_1</nc:name>
#                         <nc:match>
#                           <nc:source-address>a1</nc:source-address>
#                           <nc:source-address>a3</nc:source-address>
#                           <nc:source-address-excluded/>
#                           <nc:destination-address>a2</nc:destination-address>
#                           <nc:destination-address>a4</nc:destination-address>
#                           <nc:destination-address-excluded/>
#                           <nc:application>junos-dhcp-relay</nc:application>
#                           <nc:application>junos-finger</nc:application>
#                           <nc:source-end-user-profile>test_end_user_profile</nc:source-end-user-profile>
#                           <nc:source-identity>unknown-user</nc:source-identity>
#                           <nc:url-category>Enhanced_Web_Chat</nc:url-category>
#                           <nc:dynamic-application>any</nc:dynamic-application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:deny/>
#                           <nc:count></nc:count>
#                           <nc:log>
#                             <nc:session-close/>
#                           </nc:log>
#                         </nc:then>
#                       </nc:policy>
#                       <nc:policy>
#                         <nc:name>test_policy_2</nc:name>
#                         <nc:match>
#                           <nc:source-address>a1</nc:source-address>
#                           <nc:destination-address>any-ipv6</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:reject>
#                             <nc:profile>test_dyn_app</nc:profile>
#                             <nc:ssl-proxy>
#                               <nc:profile-name>SECURITY-SSL-PROXY</nc:profile-name>
#                             </nc:ssl-proxy>
#                           </nc:reject>
#                         </nc:then>
#                       </nc:policy>
#                     </nc:policy>
#                     <nc:policy>
#                       <nc:from-zone-name>one</nc:from-zone-name>
#                       <nc:to-zone-name>three</nc:to-zone-name>
#                       <nc:policy>
#                         <nc:name>test_policy_3</nc:name>
#                         <nc:match>
#                           <nc:source-address>a1</nc:source-address>
#                           <nc:destination-address>a2</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:permit>
#                             <nc:application-services>
#                               <nc:application-traffic-control>
#                                 <nc:rule-set>test_traffic_control</nc:rule-set>
#                               </nc:application-traffic-control>
#                               <nc:gprs-gtp-profile>gtp1</nc:gprs-gtp-profile>
#                               <nc:icap-redirect>test_icap</nc:icap-redirect>
#                               <nc:reverse-redirect-wx/>
#                               <nc:uac-policy></nc:uac-policy>
#                             </nc:application-services>
#                             <nc:firewall-authentication>
#                               <nc:push-to-identity-management/>
#                               <nc:web-authentication>
#                                 <nc:client-match>FWClient1</nc:client-match>
#                               </nc:web-authentication>
#                             </nc:firewall-authentication>
#                             <nc:tcp-options>
#                               <nc:initial-tcp-mss>64</nc:initial-tcp-mss>
#                               <nc:window-scale/>
#                             </nc:tcp-options>
#                           </nc:permit>
#                         </nc:then>
#                       </nc:policy>
#                     </nc:policy>
#                     <nc:global>
#                       <nc:policy>
#                         <nc:name>test_glob_1</nc:name>
#                         <nc:match>
#                           <nc:source-address>any-ipv6</nc:source-address>
#                           <nc:destination-address>any-ipv6</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:deny/>
#                         </nc:then>
#                       </nc:policy>
#                       <nc:policy>
#                         <nc:name>test_glob_2</nc:name>
#                         <nc:match>
#                           <nc:source-address>any-ipv6</nc:source-address>
#                           <nc:destination-address>any-ipv6</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:deny/>
#                         </nc:then>
#                       </nc:policy>
#                     </nc:global>
#                   </nc:policies>
#                 </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny


# Using replaced
#
# Note: as the generated commands below show, replaced first deletes the whole
# 'security policies' hierarchy (<nc:policies delete="delete"/>) and then re-adds
# only the policies given in config. The zone-pair policies between one/two and
# one/three are therefore removed too, not just the global ones. Run the task with
# check_mode and --diff first if that is not what you intend.
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
#   "after": {
#     "global": {
#       "policies": [
#         {
#           "description": "test update",
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any": true
#             }
#           },
#           "name": "test_glob_3",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "before": {
#     "from_zones": [
#       {
#         "name": "one",
#         "to_zones": [
#           {
#             "name": "two",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "names": [
#                       "junos-dhcp-relay",
#                       "junos-finger"
#                     ]
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2",
#                       "a4"
#                     ]
#                   },
#                   "destination_address_excluded": true,
#                   "dynamic_application": {
#                     "names": [
#                       "any"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1",
#                       "a3"
#                     ]
#                   },
#                   "source_address_excluded": true,
#                   "source_end_user_profile": "test_end_user_profile",
#                   "source_identity": {
#                     "unknown_user": true
#                   },
#                   "url_category": {
#                     "names": [
#                       "Enhanced_Web_Chat"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_1",
#                 "then": {
#                   "count": true,
#                   "deny": true,
#                   "log": "session-close"
#                 }
#               },
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "any_ipv6": true
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_2",
#                 "then": {
#                   "reject": {
#                     "enable": true,
#                     "profile": "test_dyn_app",
#                     "ssl_proxy": {
#                       "enable": true,
#                       "profile_name": "SECURITY-SSL-PROXY"
#                     }
#                   }
#                 }
#               }
#             ]
#           },
#           {
#             "name": "three",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_3",
#                 "then": {
#                   "permit": {
#                     "application_services": {
#                       "application_traffic_control_rule_set": "test_traffic_control",
#                       "gprs_gtp_profile": "gtp1",
#                       "icap_redirect": "test_icap",
#                       "reverse_redirect_wx": "True",
#                       "uac_policy": {
#                         "enable": true
#                       }
#                     },
#                     "firewall_authentication": {
#                       "push_to_identity_management": true,
#                       "web_authentication": [
#                         "FWClient1"
#                       ]
#                     },
#                     "tcp_options": {
#                       "initial_tcp_mss": 64,
#                       "window_scale": true
#                     }
#                   }
#                 }
#               }
#             ]
#           }
#         ]
#       }
#     ],
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv4": true
#             },
#             "source_address": {
#               "any_ipv4": true
#             }
#           },
#           "name": "test_glob",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_1",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_2",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "changed": true,
#   "commands": "<nc:security
#                   xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#                   <nc:policies delete="delete"/>
#                   <nc:policies>
#                     <nc:global>
#                       <nc:policy>
#                         <nc:name>test_glob_3</nc:name>
#                         <nc:description>test update</nc:description>
#                         <nc:match>
#                           <nc:source-address>any</nc:source-address>
#                           <nc:destination-address>any-ipv6</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:deny/>
#                         </nc:then>
#                       </nc:policy>
#                     </nc:global>
#                   </nc:policies>
#                 </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
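Added example, not part of the junipernetworks.junos collection: a pre-commit audit of the ``commands`` payload the module returns. It parses the <nc:security> XML shown in the Module Execution Result above and flags three things a reviewer wants to see before the change is committed: a full-hierarchy delete such as the <nc:policies delete="delete"/> that replaced and overridden emit, a permit of any source to any destination on any application, and a permit whose address match is negated with source-address-excluded or destination-address-excluded (which matches everything except the listed addresses, so it is far wider than it looks). The sample payload is constructed for the example: it is the replaced payload from this page plus two hypothetical trust->untrust policies (allow_all and not_from_a1, using the junos-ssh application) that are not on the page.

```python
# Pre-commit audit of the NETCONF payload junos_security_policies emits in "commands".
# Added example, not part of the junipernetworks.junos collection.
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ANY_TOKENS = {"any", "any-ipv4", "any-ipv6"}

# Constructed sample, not real module output: the "state: replaced" payload from
# this page plus two hypothetical trust->untrust policies that trip the checks.
SAMPLE = """<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <nc:policies delete="delete"/>
  <nc:policies>
    <nc:policy>
      <nc:from-zone-name>trust</nc:from-zone-name>
      <nc:to-zone-name>untrust</nc:to-zone-name>
      <nc:policy>
        <nc:name>allow_all</nc:name>
        <nc:match>
          <nc:source-address>any</nc:source-address>
          <nc:destination-address>any</nc:destination-address>
          <nc:application>any</nc:application>
        </nc:match>
        <nc:then><nc:permit/></nc:then>
      </nc:policy>
      <nc:policy>
        <nc:name>not_from_a1</nc:name>
        <nc:match>
          <nc:source-address>a1</nc:source-address>
          <nc:source-address-excluded/>
          <nc:destination-address>a2</nc:destination-address>
          <nc:application>junos-ssh</nc:application>
        </nc:match>
        <nc:then><nc:permit/></nc:then>
      </nc:policy>
    </nc:policy>
    <nc:global>
      <nc:policy>
        <nc:name>test_glob_3</nc:name>
        <nc:match>
          <nc:source-address>any</nc:source-address>
          <nc:destination-address>any-ipv6</nc:destination-address>
          <nc:application>any</nc:application>
        </nc:match>
        <nc:then><nc:deny/></nc:then>
      </nc:policy>
    </nc:global>
  </nc:policies>
</nc:security>"""

def _q(tag):
    return "{%s}%s" % (NC, tag)  # ElementTree reports nc:* tags namespace-qualified

def _texts(elem, tag):
    return [(e.text or "").strip() for e in elem.findall(_q(tag))]

def _rule(from_zone, to_zone, pol):
    """Flatten one <policy> element into the fields the audit needs."""
    match, then = pol.find(_q("match")), pol.find(_q("then"))
    action = next((a for a in ("permit", "deny", "reject") if then.find(_q(a)) is not None), "unknown")
    return {
        "from_zone": from_zone, "to_zone": to_zone, "name": pol.findtext(_q("name")),
        "src": _texts(match, "source-address"), "dst": _texts(match, "destination-address"),
        "app": _texts(match, "application"), "action": action,
        "src_excluded": match.find(_q("source-address-excluded")) is not None,
        "dst_excluded": match.find(_q("destination-address-excluded")) is not None,
    }

def parse_policies(xml_text):
    """Return (wipes_hierarchy, rules) for one <nc:security> payload."""
    wipes, rules = False, []
    for policies in ET.fromstring(xml_text).findall(_q("policies")):
        if policies.get("delete") == "delete":  # <nc:policies delete="delete"/>
            wipes = True
            continue
        for pair in policies.findall(_q("policy")):  # zone-pair containers
            fz, tz = pair.findtext(_q("from-zone-name")), pair.findtext(_q("to-zone-name"))
            rules += [_rule(fz, tz, p) for p in pair.findall(_q("policy"))]
        glob = policies.find(_q("global"))
        if glob is not None:  # global policies apply to any zone pair
            rules += [_rule("any", "any", p) for p in glob.findall(_q("policy"))]
    return wipes, rules

def _is_any(values):
    return bool(values) and all(v in ANY_TOKENS for v in values)

def audit(xml_text):
    """Return review findings; an empty list means the payload is clean."""
    wipes, rules = parse_policies(xml_text)
    findings = []
    if wipes:
        findings.append("WIPE: payload deletes the whole 'security policies' hierarchy and "
                        "re-adds only %d policies; anything else on the device is lost" % len(rules))
    for r in rules:
        if r["action"] != "permit":
            continue
        where = "%s->%s %s" % (r["from_zone"], r["to_zone"], r["name"])
        if _is_any(r["src"]) and _is_any(r["dst"]) and _is_any(r["app"]):
            findings.append("PERMIT-ANY: %s permits any source to any destination on any application" % where)
        if r["src_excluded"] or r["dst_excluded"]:
            findings.append("NEGATED-MATCH: %s permits everything except the listed addresses" % where)
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE) or ["OK: no findings"]:
        print(line)
```

To wire this into a play, run the module task with check_mode: true and register: plan, hand plan.commands to audit() (for example via ansible.builtin.script), and fail the play if any findings come back; the commands string in the page's output is exactly the XML this parses. This assumes the module still populates commands in check mode, as the junos resource modules do by loading the candidate and discarding it instead of committing. The standard-library parser is adequate here because the input is the module's own output, not untrusted data.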


# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
#   "after": {
#     "global": {
#       "policies": [
#         {
#           "description": "test update",
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any": true
#             }
#           },
#           "name": "test_glob_3",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "before": {
#     "from_zones": [
#       {
#         "name": "one",
#         "to_zones": [
#           {
#             "name": "two",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "names": [
#                       "junos-dhcp-relay",
#                       "junos-finger"
#                     ]
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2",
#                       "a4"
#                     ]
#                   },
#                   "destination_address_excluded": true,
#                   "dynamic_application": {
#                     "names": [
#                       "any"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1",
#                       "a3"
#                     ]
#                   },
#                   "source_address_excluded": true,
#                   "source_end_user_profile": "test_end_user_profile",
#                   "source_identity": {
#                     "unknown_user": true
#                   },
#                   "url_category": {
#                     "names": [
#                       "Enhanced_Web_Chat"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_1",
#                 "then": {
#                   "count": true,
#                   "deny": true,
#                   "log": "session-close"
#                 }
#               },
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "any_ipv6": true
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_2",
#                 "then": {
#                   "reject": {
#                     "enable": true,
#                     "profile": "test_dyn_app",
#                     "ssl_proxy": {
#                       "enable": true,
#                       "profile_name": "SECURITY-SSL-PROXY"
#                     }
#                   }
#                 }
#               }
#             ]
#           },
#           {
#             "name": "three",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_3",
#                 "then": {
#                   "permit": {
#                     "application_services": {
#                       "application_traffic_control_rule_set": "test_traffic_control",
#                       "gprs_gtp_profile": "gtp1",
#                       "icap_redirect": "test_icap",
#                       "reverse_redirect_wx": "True",
#                       "uac_policy": {
#                         "enable": true
#                       }
#                     },
#                     "firewall_authentication": {
#                       "push_to_identity_management": true,
#                       "web_authentication": [
#                         "FWClient1"
#                       ]
#                     },
#                     "tcp_options": {
#                       "initial_tcp_mss": 64,
#                       "window_scale": true
#                     }
#                   }
#                 }
#               }
#             ]
#           }
#         ]
#       }
#     ],
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv4": true
#             },
#             "source_address": {
#               "any_ipv4": true
#             }
#           },
#           "name": "test_glob",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_1",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_2",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "changed": true,
#   "commands": "<nc:security
#                   xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#                   <nc:policies delete="delete"/>
#                   <nc:policies>
#                     <nc:global>
#                       <nc:policy>
#                         <nc:name>test_glob_3</nc:name>
#                         <nc:description>test update</nc:description>
#                         <nc:match>
#                           <nc:source-address>any</nc:source-address>
#                           <nc:destination-address>any-ipv6</nc:destination-address>
#                           <nc:application>any</nc:application>
#                         </nc:match>
#                         <nc:then>
#                           <nc:deny/>
#                         </nc:then>
#                       </nc:policy>
#                     </nc:global>
#                   </nc:policies>
#                 </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny


# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
    state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
#
#   "after": {},
#   "before": {
#     "global": {
#       "policies": [
#         {
#           "description": "test update",
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any": true
#             }
#           },
#           "name": "test_glob_3",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   },
#   "changed": true,
#   "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#   <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all


# Using parsed
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply>
#     <configuration>
#         <version>18.4R1-S3.1</version>
#         <services>
#             <ssl>
#                 <termination>
#                     <profile>
#                         <name>test_ssl_term</name>
#                         <server-certificate>SECURITY-cert</server-certificate>
#                     </profile>
#                 </termination>
#                 <proxy>
#                     <profile>
#                         <name>SECURITY-SSL-PROXY</name>
#                         <root-ca>SECURITY-cert</root-ca>
#                     </profile>
#                 </proxy>
#             </ssl>
#             <icap-redirect>
#                 <profile>
#                     <name>test_icap</name>
#                     <server>
#                         <name>test_icap_server</name>
#                         <host>10.10.10.11</host>
#                     </server>
#                 </profile>
#             </icap-redirect>
#             <user-identification>
#                 <device-information>
#                     <end-user-profile>
#                         <profile-name>
#                             <name>test_end_user_profile</name>
#                             <domain-name>test_domain</domain-name>
#                             <attribute>
#                                 <name>device-identity</name>
#                                 <string>Windows</string>
#                             </attribute>
#                         </profile-name>
#                     </end-user-profile>
#                 </device-information>
#             </user-identification>
#         </services>
#         <security>
#             <address-book>
#                 <name>global</name>
#                 <address>
#                     <name>a1</name>
#                     <ip-prefix>200.0.113.0/24</ip-prefix>
#                 </address>
#                 <address>
#                     <name>a2</name>
#                     <ip-prefix>201.0.113.0/24</ip-prefix>
#                 </address>
#                 <address>
#                     <name>a3</name>
#                     <ip-prefix>202.0.113.0/24</ip-prefix>
#                 </address>
#                 <address>
#                     <name>a4</name>
#                     <ip-prefix>203.0.113.0/24</ip-prefix>
#                 </address>
#             </address-book>
#             <dynamic-application>
#                 <profile>
#                     <name>test_dyn_app</name>
#                     <redirect-message>
#                         <type>
#                             <custom-text>
#                                 <content>hello_world</content>
#                             </custom-text>
#                         </type>
#                     </redirect-message>
#                 </profile>
#             </dynamic-application>
#             <policies>
#                 <policy>
#                     <from-zone-name>one</from-zone-name>
#                     <to-zone-name>two</to-zone-name>
#                     <policy>
#                         <name>test_policy_1</name>
#                         <match>
#                             <source-address>a1</source-address>
#                             <source-address>a3</source-address>
#                             <destination-address>a2</destination-address>
#                             <destination-address>a4</destination-address>
#                             <source-address-excluded />
#                             <destination-address-excluded />
#                             <application>junos-dhcp-relay</application>
#                             <application>junos-finger</application>
#                             <source-identity>authenticated-user</source-identity>
#                             <source-identity>unknown-user</source-identity>
#                             <source-end-user-profile>
#                                 <source-end-user-profile-name>test_end_user_profile</source-end-user-profile-name>
#                             </source-end-user-profile>
#                             <dynamic-application>any</dynamic-application>
#                             <url-category>Enhanced_Web_Chat</url-category>
#                         </match>
#                         <then>
#                             <deny />
#                             <log>
#                                 <session-close />
#                             </log>
#                             <count></count>
#                         </then>
#                     </policy>
#                     <policy>
#                         <name>test_policy_2</name>
#                         <match>
#                             <source-address>a1</source-address>
#                             <destination-address>any-ipv6</destination-address>
#                             <application>any</application>
#                         </match>
#                         <then>
#                             <reject>
#                                 <profile>test_dyn_app</profile>
#                                 <ssl-proxy>
#                                     <profile-name>SECURITY-SSL-PROXY</profile-name>
#                                 </ssl-proxy>
#                             </reject>
#                         </then>
#                     </policy>
#                 </policy>
#                 <policy>
#                     <from-zone-name>one</from-zone-name>
#                     <to-zone-name>three</to-zone-name>
#                     <policy>
#                         <name>test_policy_3</name>
#                         <match>
#                             <source-address>a1</source-address>
#                             <destination-address>a2</destination-address>
#                             <application>any</application>
#                         </match>
#                         <then>
#                             <permit>
#                                 <firewall-authentication>
#                                     <web-authentication>
#                                         <client-match>FWClient1</client-match>
#                                     </web-authentication>
#                                     <push-to-identity-management />
#                                 </firewall-authentication>
#                                 <destination-address>
#                                     <drop-untranslated />
#                                 </destination-address>
#                                 <application-services>
#                                     <gprs-gtp-profile>gtp1</gprs-gtp-profile>
#                                     <uac-policy></uac-policy>
#                                     <icap-redirect>test_icap</icap-redirect>
#                                     <application-traffic-control>
#                                         <rule-set>test_traffic_control</rule-set>
#                                     </application-traffic-control>
#                                     <reverse-redirect-wx />
#                                 </application-services>
#                                 <tcp-options>
#                                     <initial-tcp-mss>64</initial-tcp-mss>
#                                     <window-scale />
#                                 </tcp-options>
#                             </permit>
#                         </then>
#                     </policy>
#                 </policy>
#                 <global>
#                     <policy>
#                         <name>test_glob_1</name>
#                         <match>
#                             <source-address>any-ipv6</source-address>
#                             <destination-address>any-ipv6</destination-address>
#                             <application>any</application>
#                         </match>
#                         <then>
#                             <deny />
#                         </then>
#                     </policy>
#                     <policy>
#                         <name>test_glob_2</name>
#                         <match>
#                             <source-address>any-ipv6</source-address>
#                             <destination-address>any-ipv6</destination-address>
#                             <application>any</application>
#                         </match>
#                         <then>
#                             <deny />
#                         </then>
#                     </policy>
#                 </global>
#             </policies>
#             <zones>
#                 <security-zone>
#                     <name>one</name>
#                     <interfaces>
#                         <name>ge-0/0/0.0</name>
#                     </interfaces>
#                 </security-zone>
#                 <security-zone>
#                     <name>two</name>
#                     <interfaces>
#                         <name>ge-0/0/1.0</name>
#                     </interfaces>
#                 </security-zone>
#                 <security-zone>
#                     <name>three</name>
#                     <interfaces>
#                         <name>ge-0/0/2.0</name>
#                     </interfaces>
#                 </security-zone>
#             </zones>
#             <gprs>
#                 <gtp>
#                     <profile>
#                         <name>gtp1</name>
#                     </profile>
#                 </gtp>
#             </gprs>
#         </security>
#         <interfaces>
#             <interface>
#                 <name>ge-0/0/0</name>
#                 <unit>
#                     <name>0</name>
#                     <family>
#                         <inet>
#                             <address>
#                                 <name>200.0.113.1/24</name>
#                             </address>
#                         </inet>
#                     </family>
#                 </unit>
#             </interface>
#             <interface>
#                 <name>ge-0/0/1</name>
#                 <unit>
#                     <name>0</name>
#                     <family>
#                         <inet>
#                             <address>
#                                 <name>201.0.113.1/24</name>
#                             </address>
#                         </inet>
#                     </family>
#                 </unit>
#             </interface>
#             <interface>
#                 <name>ge-0/0/2</name>
#                 <unit>
#                     <name>0</name>
#                     <family>
#                         <inet>
#                             <address>
#                                 <name>202.0.113.1/24</name>
#                             </address>
#                         </inet>
#                     </family>
#                 </unit>
#             </interface>
#             <interface>
#                 <name>fxp0</name>
#                 <unit>
#                     <name>0</name>
#                     <family>
#                         <inet>
#                             <dhcp></dhcp>
#                         </inet>
#                     </family>
#                 </unit>
#             </interface>
#         </interfaces>
#         <class-of-service>
#             <application-traffic-control>
#                 <rule-sets>
#                     <name>test_traffic_control</name>
#                     <rule>
#                         <name>test_rule</name>
#                         <match>
#                             <application-known />
#                         </match>
#                         <then>
#                             <log />
#                         </then>
#                     </rule>
#                 </rule-sets>
#             </application-traffic-control>
#         </class-of-service>
#         <access>
#             <profile>
#                 <name>WEBAUTH</name>
#                 <client>
#                     <name>FWClient1</name>
#                     <firewall-user>
#                         <password>$9$kq5Ftu1cSe</password>
#                     </firewall-user>
#                 </client>
#             </profile>
#             <firewall-authentication>
#                 <web-authentication>
#                     <default-profile>WEBAUTH</default-profile>
#                 </web-authentication>
#             </firewall-authentication>
#         </access>
#     </configuration>
#     <database-status-information></database-status-information>
# </rpc-reply>
#
- name: Parse security policies running config
  junipernetworks.junos.junos_security_policies:
    running_config: "{{ lookup('file', './parsed.cfg') }}"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#   "parsed": {
#     "from_zones": [
#       {
#         "name": "one",
#         "to_zones": [
#           {
#             "name": "two",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "names": [
#                       "junos-dhcp-relay",
#                       "junos-finger"
#                     ]
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2",
#                       "a4"
#                     ]
#                   },
#                   "destination_address_excluded": true,
#                   "dynamic_application": {
#                     "names": [
#                       "any"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1",
#                       "a3"
#                     ]
#                   },
#                   "source_address_excluded": true,
#                   "source_end_user_profile": "test_end_user_profile",
#                   "source_identity": {
#                     "unknown_user": true
#                   },
#                   "url_category": {
#                     "names": [
#                       "Enhanced_Web_Chat"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_1",
#                 "then": {
#                   "count": true,
#                   "deny": true,
#                   "log": "session-close"
#                 }
#               },
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "any_ipv6": true
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_2",
#                 "then": {
#                   "reject": {
#                     "enable": true,
#                     "profile": "test_dyn_app",
#                     "ssl_proxy": {
#                       "enable": true,
#                       "profile_name": "SECURITY-SSL-PROXY"
#                     }
#                   }
#                 }
#               }
#             ]
#           },
#           {
#             "name": "three",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_3",
#                 "then": {
#                   "permit": {
#                     "application_services": {
#                       "application_traffic_control_rule_set": "test_traffic_control",
#                       "gprs_gtp_profile": "gtp1",
#                       "icap_redirect": "test_icap",
#                       "reverse_redirect_wx": "True",
#                       "uac_policy": {
#                         "enable": true
#                       }
#                     },
#                     "firewall_authentication": {
#                       "push_to_identity_management": true,
#                       "web_authentication": [
#                         "FWClient1"
#                       ]
#                     },
#                     "tcp_options": {
#                       "initial_tcp_mss": 64,
#                       "window_scale": true
#                     }
#                   }
#                 }
#               }
#             ]
#           }
#         ]
#       }
#     ],
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_1",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_2",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   }


# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: authenticated-user, unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, drop-untranslated, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob_1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
#
#   "changed": false,
#   "gathered": {
#     "from_zones": [
#       {
#         "name": "one",
#         "to_zones": [
#           {
#             "name": "two",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "names": [
#                       "junos-dhcp-relay",
#                       "junos-finger"
#                     ]
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2",
#                       "a4"
#                     ]
#                   },
#                   "destination_address_excluded": true,
#                   "dynamic_application": {
#                     "names": [
#                       "any"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1",
#                       "a3"
#                     ]
#                   },
#                   "source_address_excluded": true,
#                   "source_end_user_profile": "test_end_user_profile",
#                   "source_identity": {
#                     "unknown_user": true
#                   },
#                   "url_category": {
#                     "names": [
#                       "Enhanced_Web_Chat"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_1",
#                 "then": {
#                   "count": true,
#                   "deny": true,
#                   "log": "session-close"
#                 }
#               },
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "any_ipv6": true
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_2",
#                 "then": {
#                   "reject": {
#                     "enable": true,
#                     "profile": "test_dyn_app",
#                     "ssl_proxy": {
#                       "enable": true,
#                       "profile_name": "SECURITY-SSL-PROXY"
#                     }
#                   }
#                 }
#               }
#             ]
#           },
#           {
#             "name": "three",
#             "policies": [
#               {
#                 "match": {
#                   "application": {
#                     "any": true
#                   },
#                   "destination_address": {
#                     "addresses": [
#                       "a2"
#                     ]
#                   },
#                   "source_address": {
#                     "addresses": [
#                       "a1"
#                     ]
#                   }
#                 },
#                 "name": "test_policy_3",
#                 "then": {
#                   "permit": {
#                     "application_services": {
#                       "application_traffic_control_rule_set": "test_traffic_control",
#                       "gprs_gtp_profile": "gtp1",
#                       "icap_redirect": "test_icap",
#                       "reverse_redirect_wx": "True",
#                       "uac_policy": {
#                         "enable": true
#                       }
#                     },
#                     "firewall_authentication": {
#                       "push_to_identity_management": true,
#                       "web_authentication": [
#                         "FWClient1"
#                       ]
#                     },
#                     "tcp_options": {
#                       "initial_tcp_mss": 64,
#                       "window_scale": true
#                     }
#                   }
#                 }
#               }
#             ]
#           }
#         ]
#       }
#     ],
#     "global": {
#       "policies": [
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_1",
#           "then": {
#             "deny": true
#           }
#         },
#         {
#           "match": {
#             "application": {
#               "any": true
#             },
#             "destination_address": {
#               "any_ipv6": true
#             },
#             "source_address": {
#               "any_ipv6": true
#             }
#           },
#           "name": "test_glob_2",
#           "then": {
#             "deny": true
#           }
#         }
#       ]
#     }
#   }
# }
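The structure returned under "parsed" and "gathered" above can be rebuilt from the device XML with a short parser. The following is an added example, not the collection's own code: it uses the standard library instead of the module's xmltodict dependency, covers only the address, application and then fields shown on this page, and finishes with the check a reviewer wants over gathered facts before a replaced or overridden push, a list of permit policies that match any source, destination and application. The sample XML is constructed from parsed.cfg above, with one constructed wide-open policy (test_open) added for the check to find.

```python
"""Parse a Junos <security><policies> XML fragment into the argspec-shaped
structure this module returns under "parsed" and "gathered", then flag the
permit policies that match everything. Added example, not the collection's
own code; standard-library xml.etree instead of xmltodict."""
import xml.etree.ElementTree as ET

# Constructed sample trimmed from parsed.cfg above, plus one constructed
# wide-open permit policy (test_open) for the audit to find.
SAMPLE_XML = """<configuration><security><policies>
 <policy><from-zone-name>one</from-zone-name><to-zone-name>two</to-zone-name>
  <policy><name>test_policy_1</name>
   <match><source-address>a1</source-address><source-address>a3</source-address>
    <destination-address>a2</destination-address><destination-address>a4</destination-address>
    <application>junos-dhcp-relay</application><application>junos-finger</application></match>
   <then><deny/><log><session-close/></log><count/></then></policy>
  <policy><name>test_open</name>
   <match><source-address>any</source-address><destination-address>any</destination-address>
    <application>any</application></match>
   <then><permit/></then></policy></policy>
 <global><policy><name>test_glob_1</name>
   <match><source-address>any-ipv6</source-address><destination-address>any-ipv6</destination-address>
    <application>any</application></match>
   <then><deny/></then></policy></global>
</policies></security></configuration>"""

# Junos address keywords and the argspec booleans they become (see "parsed" output).
ANY_KEYS = {"any": "any", "any-ipv4": "any_ipv4", "any-ipv6": "any_ipv6"}


def _address_block(values):
    """Fold repeated <source-address>/<destination-address> text into
    {"any*": True} and/or {"addresses": [...]}, as the module does."""
    block, names = {}, []
    for value in values:
        if value in ANY_KEYS:
            block[ANY_KEYS[value]] = True
        else:
            names.append(value)
    if names:
        block["addresses"] = names
    return block


def _parse_policy(pol):
    """One inner <policy> element -> {"name", "match", "then"} entry."""
    match, then = pol.find("match"), pol.find("then")
    apps = [a.text for a in match.findall("application")]
    entry = {
        "name": pol.findtext("name"),
        "match": {
            "source_address": _address_block(a.text for a in match.findall("source-address")),
            "destination_address": _address_block(a.text for a in match.findall("destination-address")),
            "application": {"any": True} if apps == ["any"] else {"names": apps},
        },
        "then": {},
    }
    for action in ("permit", "deny", "reject"):
        if then.find(action) is not None:
            entry["then"][action] = True
    log = then.find("log")
    if log is not None and len(log):           # <log><session-close/></log>
        entry["then"]["log"] = log[0].tag
    if then.find("count") is not None:
        entry["then"]["count"] = True
    return entry


def parse_policies(xml_text):
    """Return {"from_zones": [...], "global": {"policies": [...]}}."""
    policies = ET.fromstring(xml_text).find("./security/policies")
    result = {"from_zones": [], "global": {"policies": []}}
    for ctx in policies.findall("policy"):     # one outer <policy> per zone pair
        from_name, to_name = ctx.findtext("from-zone-name"), ctx.findtext("to-zone-name")
        fz = next((z for z in result["from_zones"] if z["name"] == from_name), None)
        if fz is None:
            fz = {"name": from_name, "to_zones": []}
            result["from_zones"].append(fz)
        fz["to_zones"].append({"name": to_name,
                               "policies": [_parse_policy(p) for p in ctx.findall("policy")]})
    glob = policies.find("global")
    if glob is not None:
        result["global"]["policies"] = [_parse_policy(p) for p in glob.findall("policy")]
    return result


def wide_open_permits(parsed):
    """Labels ("from->to:policy" or "global:policy") of permit policies that
    match any source, any destination and any application."""
    def everything(addr):
        return bool(addr.get("any") or (addr.get("any_ipv4") and addr.get("any_ipv6")))
    contexts = [(f'{fz["name"]}->{tz["name"]}', tz["policies"])
                for fz in parsed["from_zones"] for tz in fz["to_zones"]]
    contexts.append(("global", parsed["global"]["policies"]))
    flagged = []
    for label, policies in contexts:
        for pol in policies:
            m = pol["match"]
            if (pol["then"].get("permit") and everything(m["source_address"])
                    and everything(m["destination_address"]) and m["application"].get("any")):
                flagged.append(f'{label}:{pol["name"]}')
    return flagged
```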


# Using rendered
#
# Before state
# ------------
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
#     "rendered": "<nc:security
#                 xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#                 <nc:policies>
#                   <nc:global>
#                     <nc:policy>
#                       <nc:name>test_glob_3</nc:name>
#                       <nc:description>test update</nc:description>
#                       <nc:match>
#                         <nc:source-address>any</nc:source-address>
#                         <nc:destination-address>any-ipv6</nc:destination-address>
#                         <nc:application>any</nc:application>
#                       </nc:match>
#                       <nc:then>
#                         <nc:deny/>
#                       </nc:then>
#                     </nc:policy>
#                   </nc:global>
#                 </nc:policies>
#               </nc:security>"
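The rendered output above, and the "commands" values in the replaced and deleted examples, share one shape: an nc-prefixed security tree, preceded by `<nc:policies delete="delete"/>` when the existing policies are to be removed first. The following added example (not the collection's own code; element names and order follow the XML on this page) builds that payload from an argspec-shaped list of global policies.

```python
"""Render argspec-shaped global policies into the NETCONF <nc:security>
payload shown under "rendered"/"commands" above. Added example, not the
collection's own code."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nc", NC)   # serialise as nc:..., as the module output does


def _q(tag):
    """Clark-notation tag in the NETCONF base namespace."""
    return f"{{{NC}}}{tag}"


def _address_values(block):
    """Reverse of the parsed form: {"any_ipv6": True, "addresses": [...]}
    -> ["any-ipv6", ...]."""
    out = [kw for key, kw in (("any", "any"), ("any_ipv4", "any-ipv4"),
                              ("any_ipv6", "any-ipv6")) if block.get(key)]
    out.extend(block.get("addresses", []))
    return out


def render_global_policies(policies, delete_existing=False):
    """Return the <nc:security> XML string. delete_existing=True prepends the
    <nc:policies delete="delete"/> that replaced/deleted emit on this page."""
    security = ET.Element(_q("security"))
    if delete_existing:
        ET.SubElement(security, _q("policies"), {"delete": "delete"})
    if policies:
        glob = ET.SubElement(ET.SubElement(security, _q("policies")), _q("global"))
        for pol in policies:
            p = ET.SubElement(glob, _q("policy"))
            ET.SubElement(p, _q("name")).text = pol["name"]
            if pol.get("description"):
                ET.SubElement(p, _q("description")).text = pol["description"]
            match = ET.SubElement(p, _q("match"))
            for v in _address_values(pol["match"]["source_address"]):
                ET.SubElement(match, _q("source-address")).text = v
            for v in _address_values(pol["match"]["destination_address"]):
                ET.SubElement(match, _q("destination-address")).text = v
            app = pol["match"]["application"]
            for v in (["any"] if app.get("any") else app.get("names", [])):
                ET.SubElement(match, _q("application")).text = v
            then = ET.SubElement(p, _q("then"))
            for action in ("permit", "deny", "reject"):
                if pol["then"].get(action):
                    ET.SubElement(then, _q(action))
    return ET.tostring(security, encoding="unicode")


# The global policy from the rendered example above, in argspec form.
TEST_GLOB_3 = {
    "name": "test_glob_3",
    "description": "test update",
    "match": {"application": {"any": True},
              "destination_address": {"any_ipv6": True},
              "source_address": {"any": True}},
    "then": {"deny": True},
}
```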

Common return values are documented here; the following are the fields unique to this module:

after (dictionary)
    Returned: when changed
    The resulting configuration after module execution.
    Sample: This output will always be in the same format as the module argspec.

before (dictionary)
    Returned: when state is merged, replaced, overridden or deleted
    The configuration prior to the module execution.
    Sample: This output will always be in the same format as the module argspec.

commands (list)
    Returned: when state is merged, replaced, overridden or deleted
    The set of commands pushed to the remote device.
    Sample: ['<rpc-reply> <configuration> <security> <policies> <global> <policy> <name>test_glob_1</name> <match> <source-address>any-ipv6</source-address> <destination-address>any-ipv6</destination-address> <application>any</application> </match> <then> <deny /> </then> </policy> </global> </policies> </security> </configuration> </rpc-reply>']

gathered (dictionary)
    Returned: when state is gathered
    Facts about the network resource gathered from the remote device as structured data.
    Sample: This output will always be in the same format as the module argspec.

parsed (dictionary)
    Returned: when state is parsed
    The device native config provided in the running_config option, parsed into structured data as per the module argspec.
    Sample: This output will always be in the same format as the module argspec.

rendered (dictionary)
    Returned: when state is rendered
    The provided configuration in the task rendered in device-native format (offline).
    Sample: ['<rpc-reply> <configuration> <security> <policies> <global> <policy> <name>test_glob_1</name> <match> <source-address>any-ipv6</source-address> <destination-address>any-ipv6</destination-address> <application>any</application> </match> <then> <deny /> </then> </policy> </global> </policies> </security> </configuration> </rpc-reply>']


Authors

  • Pranav Bhatt (@pranav-bhatt)