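# FILENAME
# set-complex-secrules.yaml
# DESCRIPTION
# Example playbook that connects to the firewall using the credentials provided in
# either host_vars.yaml or group_vars.yaml and creates a few security rules.
# Good practice: the var files are in cleartext; edit and encrypt them with
# ansible-vault before committing them to version control.
# REQUIREMENTS
# pip install ansible
# ansible-galaxy collection install paloaltonetworks.panos
#   (the playbook references this collection below)
# EXECUTE
# ansible-playbook set-complex-secrules.yaml
---
- name: Create complex set of Security Rules
  hosts: PA-VM-02
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  tasks:
    # Permit SSH from the Outside zone to the single host 1.1.1.1.
    # Every task below sets commit: false so the candidate configuration can be
    # reviewed and committed once, after all rules are in place.
    - name: permit ssh to 1.1.1.1
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: 'SSH permit'
        description: 'SSH rule test'
        source_zone: ['Outside']
        destination_zone: ['Inside']
        source_ip: ['any']
        source_user: ['any']
        destination_ip: ['1.1.1.1']
        category: ['any']
        application: ['ssh']
        service: ['application-default']
        hip_profiles: ['any']
        action: 'allow'
        commit: false

    # Allow HTTP video/audio to 1.1.1.1, restricted to the content-delivery-networks
    # URL category so arbitrary web sources are not matched.
    - name: Allow HTTP multimedia only from CDNs
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: 'HTTP Multimedia'
        description: 'Allow HTTP multimedia only to host at 1.1.1.1'
        source_zone: ['Outside']
        destination_zone: ['Inside']
        source_ip: ['any']
        source_user: ['any']
        destination_ip: ['1.1.1.1']
        category: ['content-delivery-networks']
        application: ['http-video', 'http-audio']
        service: ['service-http', 'service-https']
        hip_profiles: ['any']
        action: 'allow'
        commit: false

    # Fictitious rule that attaches the default security profiles.
    # No zones, addresses, users or applications are given, so the module's
    # defaults apply. NOTE(review): those defaults are 'any' in
    # panos_security_rule, which makes this an allow-any rule with profiles —
    # confirm that is intended before running against a production firewall.
    - name: More complex fictitious rule that uses profiles
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: 'test rule 2'
        log_start: false
        log_end: true
        action: 'allow'
        antivirus: 'default'
        vulnerability: 'default'
        spyware: 'default'
        url_filtering: 'default'
        wildfire_analysis: 'default'
        commit: false

    # Explicit catch-all deny, logged at session start and end so dropped
    # traffic is visible. rule_type 'interzone' only matches traffic crossing
    # zones; intrazone flows fall through to the firewall's built-in
    # intrazone-default rule, so use 'universal' if those must be denied too.
    # NOTE(review): this task does not set commit, unlike the others — confirm
    # the module's default so the change is not committed implicitly. Ordering
    # relative to existing rules depends on the module's location parameter;
    # verify the rule actually lands last in the rulebase.
    - name: Deny all rules used as a 'catch-all' at the end
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: 'DenyAll'
        log_start: true
        log_end: true
        action: 'deny'
        rule_type: 'interzone'
        commit: false
...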