firewall_nat_rule - Create, modify or delete a firewall NAT rule

Synopsis

  • Firewall NAT rules can be added to or removed from either a top-level policy or a sub-policy. Source, destination and service elements that have already been created can be used and referenced by their type and name. To modify NAT rules, SMC 6.4.3 or higher is required.

Options

policy
  required: yes
  The policy on which to operate. Any rule modifications are done in the context of this policy.

rules
  required: no
  Source elements to add to the rule. Elements need to specify the type of element to add. If source is not provided, the rule source cell will be set to none and the rule will effectively be disabled.

  Dictionary object rules:

    comment
      required: no
      Optional comment for this rule.

    add_after
      required: no
      The rule tag ID after which to add the rule. This is only relevant for rules that are being created.

    name
      required: yes
      Name for this rule. Required if adding a new rule. Not required for modifications.

    is_disabled
      required: no
      Specify whether this rule is disabled. Set to yes to disable the rule.

    add_before
      required: no
      The rule tag ID before which to add the rule. This is only relevant for rules that are being created.

    sources
      required: no
      choices (valid dict keys):
        • domain_name
        • expression
        • group
        • host
        • ip_list
        • network
        • engine
        • router
        • netlink
        • interface_zone
      Sources for use in this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and a value of true. Otherwise this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices represent valid keys for the dict. If no sources field is provided, 'any' is used.

    tag
      required: no
      Tag retrieved from the facts module. The tag identifies the rule uniquely and is a required field when making modifications. If tag is present, the operation becomes a modify. Otherwise it becomes a create and name is required.

    static_src_nat
      required: no
      Static source NAT rule. A static source NAT rule uses the value of the rule source field and requires either an IP address or an element as the translated address. This parameter is mutually exclusive with the dynamic_src_nat parameter.

    services
      required: no
      choices (valid dict keys):
        • service_group
        • tcp_service_group
        • udp_service_group
        • ip_service_group
        • icmp_service_group
        • tcp_service
        • udp_service
        • ip_service
        • ethernet_service
        • icmp_service
        • application_situation
        • url_category
      Services for this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and a value of true. Otherwise this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices represent valid keys for the dict. If no services field is provided, 'any' is used.

    dynamic_src_nat
      required: no
      Dynamic source NAT rule. A dynamic source NAT rule uses the value of the rule source field and requires either an IP address or an element as the translated address. You can also define ports to use for PAT. This NAT type is typically used for outbound NAT and PAT operations. This parameter is mutually exclusive with the static_src_nat parameter.

    static_dst_nat
      required: no
      Static destination NAT rule. Typically used for inbound traffic. This rule uses the rule destination field and requires either an IP address or an element as the translated address. You can also specify source ports as single values or ranges to translate. For example, this is useful if you want inbound traffic on port 80 and need to redirect it to an internal host on 8080.

    destinations
      required: no
      choices (valid dict keys):
        • domain_name
        • expression
        • group
        • host
        • ip_list
        • network
        • engine
        • router
        • netlink
        • interface_zone
      Destinations for use in this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the key 'any' or 'none' and a value of true. Otherwise, this should be a dict whose keys are valid element types and whose values are lists of those elements by name. The choices represent valid keys for the dict. If no destinations field is provided, 'any' is used.

state
  required: no
  default: present
  choices:
    • present
    • absent
  Create or delete a NAT rule.

sub_policy
  required: no
  The sub-policy on which to operate. This parameter is mutually exclusive with the policy parameter. You can operate on rules within a firewall policy or firewall sub-policy.


Examples

- name: Firewall NAT rule examples
  firewall_nat_rule:
    policy: TestPolicy
    rules:
    - comment: added a comment
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 60000
          min_port: 1024
      is_disabled: false
      name: dynamic source nat with ports and IP redirect
      services:
        any: true
      sources:
        any: true
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic source nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
    - comment: testcomment
      destinations:
        host:
        - host-3.3.3.3
      is_disabled: false
      name: static_dest_nat with IP redirect
      services:
        any: true
      sources:
        any: true
      static_dst_nat:
        automatic_proxy: true
        original_value:
          max_port: 90
          min_port: 90
        translated_value:
          ip_descriptor: 1.1.1.1
          max_port: 9999
          min_port: 9999
      used_on: ANY
    - comment: null
      destinations:
        any: true
      is_disabled: false
      name: static_src_nat with IP address
      services:
        any: true
      sources:
        host:
        - host-4.4.4.4
      static_src_nat:
        automatic_proxy: true
        translated_value:
          ip_descriptor: 1.1.1.1
      used_on: ANY
    - comment: null
      destinations:
        any: true
      dynamic_src_nat:
        automatic_proxy: true
        translated_value:
          max_port: 65535
          min_port: 1024
          name: host-4.4.4.4
          type: host
      is_disabled: false
      name: dynamic_source_nat with element
      services:
        any: true
      sources:
        host:
        - host-3.3.3.3
      used_on: ANY
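The constraints the option table places on each rules entry (the 'any'/'none' shortcut versus element-type keys, the static/dynamic source NAT exclusivity, and tag meaning modify while a missing tag means create with a required name) can be checked before a play runs. The following is an added example, not code from this module; the function and constant names are assumptions, and it validates the same dict shapes the examples above use.

```python
# Added example (not the module's own code): checks one rules[] entry against the
# constraints stated on this page. Helper names are assumptions, not module API.
ELEMENT_TYPES = {"domain_name", "expression", "group", "host", "ip_list",
                 "network", "engine", "router", "netlink", "interface_zone"}
SERVICE_TYPES = {"service_group", "tcp_service_group", "udp_service_group",
                 "ip_service_group", "icmp_service_group", "tcp_service",
                 "udp_service", "ip_service", "ethernet_service",
                 "icmp_service", "application_situation", "url_category"}


def normalize_cell(cell, valid_types):
    """Return {'any': True}, {'none': True} or {element_type: [names]}.
    A missing cell defaults to 'any', as the option table states."""
    if cell is None:
        return {"any": True}
    if not isinstance(cell, dict) or not cell:
        raise ValueError("cell must be a non-empty dict")
    if set(cell) <= {"any", "none"}:       # shortcut form
        if len(cell) != 1 or next(iter(cell.values())) is not True:
            raise ValueError("shortcut must be exactly {'any': true} or {'none': true}")
        return dict(cell)
    unknown = set(cell) - valid_types
    if unknown:
        raise ValueError("unknown element type(s): %s" % sorted(unknown))
    for etype, names in cell.items():
        if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
            raise ValueError("%s must map to a list of element names" % etype)
    return {k: list(v) for k, v in cell.items()}


def normalize_rule(rule):
    """Apply the documented create/modify and NAT-type constraints to one rule."""
    out = dict(rule)
    if "tag" in rule:                      # tag present: this is a modify
        out["operation"] = "modify"
        for key in ("add_before", "add_after"):
            out.pop(key, None)             # placement only matters on create
    else:                                  # no tag: create, so name is required
        if not rule.get("name"):
            raise ValueError("name is required when creating a rule")
        out["operation"] = "create"
    if "static_src_nat" in rule and "dynamic_src_nat" in rule:
        raise ValueError("static_src_nat and dynamic_src_nat are mutually exclusive")
    out["sources"] = normalize_cell(rule.get("sources"), ELEMENT_TYPES)
    out["destinations"] = normalize_cell(rule.get("destinations"), ELEMENT_TYPES)
    out["services"] = normalize_cell(rule.get("services"), SERVICE_TYPES)
    return out
```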

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

name     description                          returned  type
state    The current state of the element               dict
changed  Whether or not the change succeeded  always    bool


Author

  • UNKNOWN

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.