policy_push - Install a policy on an NGFW Engine

Synopsis

  • Each NGFW Engine requires that a policy be deployed, and the policy must be refreshed after changes are made. When retrieving engine facts, the pending_changes key indicates whether a policy refresh is required. Specifying the policy in the playbook forces the specified policy to be installed.

Requirements (on host that executes module)

  • smc-python

Options

parameter required default choices comments
max_tries
no 36

Maximum number of times to repeat status checks. If the policy is in a 'wait' status, such as when there is no connectivity to the NGFW Engine, this will only block for max_tries * sleep.

name
no

Name of the NGFW Engine on which to install the policy

policy
no

The policy to install. If the NGFW Engine does not have an existing policy then specifying a policy is required. If an NGFW Engine has an existing policy, a refresh of that existing policy is done.

sleep
no 3 sec

Amount of time to sleep between checking the task status

smc_address
no

FQDN with port of SMC. The default value is the environment variable SMC_ADDRESS

smc_alt_filepath
no

Provide an alternate path location to read the credentials from. File is expected to be stored in ~.smcrc. If provided, url and api_key settings are not required and will be ignored.

smc_api_key
no

API key for the API client. The default value is the environment variable SMC_API_KEY. Required if url

smc_api_version
no

Optional API version to connect to. If none is provided, the latest LTS SMC API version will be used based on the Management Center version. Can be set through the environment variable SMC_API_VERSION

smc_domain
no

Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable SMC_DOMAIN

smc_extra_args
no
Extra arguments to pass to login constructor. These are generally only used if specifically requested by support personnel.
Dictionary object smc_extra_args
parameter required default choices comments
verify
no True
  • yes
  • no
If the connection to SMC is HTTPS, you can set this to True, or provide a path to a client certificate to verify the SMC SSL certificate. You can also explicitly set this to False.
smc_logging
no
Optionally enable SMC API logging to a file
Dictionary object smc_logging
parameter required default choices comments
path
yes
Full path to the log file
level
no
Log level as specified by the standard python logging library, in int format. Default setting is logging.DEBUG.
smc_timeout
no

Optional timeout for connections to the SMC. Can be set through the environment variable SMC_TIMEOUT

wait_for_finish
no True
  • yes
  • no

Whether to wait for the task to finish before returning


Examples

- name: Refresh policy and wait for task to complete
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Refresh policy
    policy_push:
      name: master-eng
      wait_for_finish: yes
      max_tries: 10
      sleep: 3

- name: Upload a policy to an engine and wait for task
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Upload policy specified to engine
    policy_push:
      name: fw
      policy: fwpolicy
      wait_for_finish: yes
      max_tries: 10
      sleep: 3
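
The following playbook is an added example, not part of the module's own documentation. It shows how the nested smc_extra_args option is written and keeps the API key out of the playbook. It assumes SMC_ADDRESS and SMC_API_KEY are exported on the host that runs the play; the certificate path is a constructed placeholder.

```yaml
- name: Push policy with SMC certificate verification enabled
  hosts: localhost
  gather_facts: no
  tasks:
  - name: Install fwpolicy on engine fw
    policy_push:
      name: fw
      policy: fwpolicy
      # smc_address and smc_api_key are omitted on purpose: both default to
      # the SMC_ADDRESS and SMC_API_KEY environment variables, so the key
      # never lands in the playbook or in version control.
      smc_extra_args:
        # Constructed path (assumption). Prefer this over "verify: no",
        # which turns off certificate checking on the connection that
        # carries the API key.
        verify: /etc/pki/smc/smc-ca.pem
      wait_for_finish: yes
      max_tries: 20   # with sleep: 3, blocks for at most 20 * 3 = 60 seconds
      sleep: 3
    register: push_result

  - name: Show the message returned by the policy task
    debug:
      msg: "{{ push_result.msg }}"
```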

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

name description returned type sample
msg
Message returned when policy task returns
str
failed
Whether or not the task failed
always bool


Author

  • Forcepoint

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.