firewall_rule - Create, modify or delete a firewall access rule

Synopsis

• Firewall access rules can be added or removed from either a firewall policy or a firewall sub-policy. Source, destination and service elements that have already been created can be used and referenced by their type and name. Many other rule settings are possible, including logging, inspection and connection tracking settings.

Options

parameter	required	default	choices	comments
policy	yes			The policy which to operate on. Any rule modifications are done in the context of this policy
rules	no			Source elements to add to the rule. Elements must specify the type of element to add. If source is not provided, the rule source cell will be set to none and the rule will effectively be disabled. SMC version 6.6 or higher requires actions as a list instead of a string.
	Dictionary object rules parameter required default choices comments comment no Optional comment for this rule add_after no The rule tag ID before which to add the rule after. This is only relevant for rules that are being created. authentication_options no Set authentication options for this rule name yes Name for this rule. Required if adding a new rule. Not required for modifications is_disabled no Specify whether this rule disabled. Set to yes to disable rule. add_before no The rule tag ID before which to add the rule before. This is only relevant for rules that are being created. sources no domain_name expression group host ip_list network engine router netlink interface_zone Sources to use in this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the keys 'any' or 'none' and a value of true. Otherwise, this should be a dict with keys using valid element types and the value should be a list of those element types by name. The choices represent valid keys for the dict. If no sources field is provided, 'any' is used. tag no Tag retrieved from facts module. The tag identifies the rule uniquely and is a required field when making modifications. If tag is present, the operation becomes a modify. Otherwise it becomes a create and name is required. connection_tracking no Optional settings to control connection tracking on the rule. Primary connection setting fields allow you to enforce MSS settings or modify the inspection mode to strict, loose, normal or off. services no service_group tcp_service_group udp_service_group ip_service_group icmp_service_group tcp_service udp_service ip_service ethernet_service icmp_service application_situation url_category Services for this rule. You can use a shortcut for 'any' or 'none' in this field by providing a simple dict with the keys 'any' or 'none' and a value of true. Otherwise, this should be a dict with keys using valid element types and the value should be a list of those element types by name. The choices represent valid keys for the dict. If no services field is provided, 'any' is used. log_options no Logging options for this rule action no allow allow discard refuse continue jump apply_blacklist apply_vpn enforce_vpn forward_vpn Required action for the rule inspection_options no Set inspection features on or off destinations no domain_name expression group host ip_list network engine router netlink interface_zone Destinations for use in this rule. You can use a shortcut for 'any' or 'none' in this field, by providing a simple dict with keys 'any' or 'none' and value of true. Otherwise this should be a dict with keys using valid element types and value should be a list of those element types by name. The choices represent valid keys for the dict, If no destinations field is provided, 'any' is used
state	no	present	present absent	Create or delete a firewall access rule
sub_policy	no			The sub-policy on which to operate. This parameter is mutually exclusive with the policy parameter. You can operate on rules within a firewall policy or firewall sub-policy.

Examples

- name: Example log all rule for top of rule set
  firewall_rule:
    policy: TestPolicy
    rules:
    -   action: continue
        comment: logging rule
        log_options:
          log_accounting_info_mode: true
          log_closing_mode: true
          log_level: stored
        is_disabled: false
        name: Log all continue rule

- name: Create a rule with specific sources and services
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
    -   action: allow
        comment: my comment
        connection_tracking:
            mss_enforced: true
            mss_enforced_max: 1555
            mss_enforced_min: 0
            timeout: 11
        destinations:
            group:
            - foogroup
            host:
            - host-1.1.1.1
            ip_list:
            - Amazon S3
            network:
            - foonet
        inspection_options:
            decrypting: null
            deep_inspection: null
            file_filtering: null
        is_disabled: false
        log_options:
            application_logging: enforced
            eia_executable_logging: 'off'
            log_accounting_info_mode: false
            log_closing_mode: true
            log_compression: 'off'
            log_level: none
            log_payload_additionnal: true
            log_payload_excerpt: false
            log_payload_record: false
            log_severity: -1
            user_logging: enforced
        name: ruletest2
        services:
            ip_service:
            - CHAOS
            tcp_service:
            - AOL
            udp_service:
            - Biff
        sources:
            country:
            - China
            interface_nic_x_ip_alias:
            - $$ Interface ID 0.ip
            single_fw:
            - myfw

- name: Create a rule to use VPN, requires a vpn_policy or mobile_vpn set
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    inspection_policy: High-Security Inspection Template
    policy: TestPolicy
    rules:
    -   action: enforce_vpn
        comment: my comment
        connection_tracking:
            mss_enforced: false
            mss_enforced_max: -1
            mss_enforced_min: -1
            timeout: -1
        destinations:
            any: true
        inspection_options:
            decrypting: null
            deep_inspection: null
            file_filtering: null
        is_disabled: false
        authentication_options:
            method:
            - LDAP Authentication
            require_auth: true
            users:
            - dc=pages,dc=local,domain=myldapdomain
        log_options:
            application_logging: default
            eia_executable_logging: default
            log_accounting_info_mode: true
            log_closing_mode: false
            log_compression: 'off'
            log_level: stored
            log_payload_additionnal: false
            log_payload_excerpt: false
            log_payload_record: false
            log_severity: -1
        name: ruletest2
        services:
            any: true
        sources:
            any: true
        vpn_policy: MOBILE CLIENT VPN
    template: Firewall Inspection Template

- name: Add a deny rule after specified rule using add_after syntax
  firewall_rule:
    smc_logging:
      level: 10
      path: ansible-smc.log
    policy: TestPolicy
    rules:
    -   action: discard
        comment: deny rule
        is_disabled: false
        name: my deny
        add_after: '2097193.0'

- name: Delete a rule
  firewall_rule:
    policy: TestPolicy
    rules:
    -   tag: '2097203.0'
    state: absent

Return Values

Common return values are documented Return Values, the following are the fields unique to this module:

name	description	returned	type	sample
state	The current state of the element		dict
changed	Whether or not the change succeeded	always	bool

Author

• UNKNOWN

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.