Palo Alto Networks Ansible Galaxy Role Documentation

The Palo Alto Networks Ansible Galaxy role is a collection of modules that automate configuration and operational tasks on Palo Alto Networks Next-Generation Firewalls (both physical and virtualized) and Panorama. The modules wrap calls to the PAN-OS API inside the Ansible framework.

This is a community supported project. You can find the community supported live page at https://live.paloaltonetworks.com/ansible.

Installation

The most recent release of the role is available on Ansible Galaxy: https://galaxy.ansible.com/PaloAltoNetworks/paloaltonetworks. To install this, you can use the ansible-galaxy command like so:

ansible-galaxy install PaloAltoNetworks.paloaltonetworks

Once the role is installed, update your playbooks to tell Ansible to use the role you’ve installed:

roles:
    - role: PaloAltoNetworks.paloaltonetworks

The role is built from the Palo Alto Networks github repo: https://github.com/PaloAltoNetworks/ansible-pan.
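Every module example on this page passes `provider: '{{ provider }}'` without showing where that dict comes from. The following added example playbook (not part of the role's own documentation) shows one way to define it once at play level, with the credentials pulled from an Ansible Vault file rather than written into the playbook. The inventory group `firewalls`, the variables `vault_panos_username` / `vault_panos_password`, and the object created are assumptions for illustration.

```yaml
# site.yml - added example, not from the role's own docs.
# Assumes a vault-encrypted group_vars/firewalls/vault.yml defining
# vault_panos_username and vault_panos_password (assumed names).
- name: Manage PAN-OS objects through the Palo Alto Networks role
  hosts: firewalls          # assumed inventory group of firewall / Panorama hosts
  connection: local         # the modules call the PAN-OS API from the control node
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  vars:
    # One provider dict reused by every module. When provider is present the
    # classic ip_address/username/password/api_key/port params are ignored.
    provider:
      ip_address: '{{ inventory_hostname }}'
      username: '{{ vault_panos_username }}'
      password: '{{ vault_panos_password }}'
      port: 443

  tasks:
    - name: Create an address object on each firewall in the group
      panos_address_object:
        provider: '{{ provider }}'
        name: 'Test-One'
        address_type: 'ip-netmask'
        value: '10.0.0.10/32'
        commit: false
      no_log: true   # task args carry the credentials; keep them out of -v output
```

Run it with `ansible-playbook site.yml --ask-vault-pass` (or `--vault-password-file`). `no_log: true` also suppresses the task's return value, so drop it on tasks whose output you need to register.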

Module Reference

panos_address_group – Create address group objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Create address group objects on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit changes after creating object. If ip_address is a Panorama device, and device_group is also set, perform a commit to Panorama and a commit-all to the device group.
description
-
Descriptive name for this address group.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
dynamic_value
string
Registered IP tags for a dynamic address group.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of address group to create.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
static_value
list
List of address objects to be included in the group.
tag
list
List of tags to add to this address group.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Create object group 'Prod'
  panos_address_group:
    provider: '{{ provider }}'
    name: 'Prod'
    static_value: ['Test-One', 'Test-Three']
    tag: ['Prod']

- name: Create object group 'SI'
  panos_address_group:
    provider: '{{ provider }}'
    name: 'SI'
    dynamic_value: "'SI_Instances'"
    tag: ['SI']

- name: Delete object group 'SI'
  panos_address_group:
    provider: '{{ provider }}'
    name: 'SI'
    state: 'absent'
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_address_object – Create address objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Create address objects on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
address_type
-
    Choices:
  • ip-netmask ←
  • ip-range
  • fqdn
Type of address object.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit changes after creating object. If ip_address is a Panorama device, and device_group is also set, perform a commit to Panorama and a commit-all to the device group.
description
-
Descriptive name for this address object.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of object to create.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
tag
list
List of tags to add to this address object.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
value
- / required
IP address, IP range, or FQDN for the object. Must specify if state is present.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Create object 'Test-One'
  panos_address_object:
    provider: '{{ provider }}'
    name: 'Test-One'
    value: '1.1.1.1'
    description: 'Description One'
    tag: ['Prod']

- name: Create object 'Test-Two'
  panos_address_object:
    provider: '{{ provider }}'
    name: 'Test-Two'
    address_type: 'ip-range'
    value: '1.1.1.1-2.2.2.2'
    description: 'Description Two'
    tag: ['SI']

- name: Create object 'Test-Three'
  panos_address_object:
    provider: '{{ provider }}'
    name: 'Test-Three'
    address_type: 'fqdn'
    value: 'foo.bar.baz'
    description: 'Description Three'

- name: Delete object 'Test-Two'
  panos_address_object:
    provider: '{{ provider }}'
    name: 'Test-Two'
    state: 'absent'
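The `commit` parameter of both panos_address_object and panos_address_group defaults to `yes`, so a loop that creates many objects performs one commit per object. The following added example (not from the role's own docs) builds several address objects from a list, groups them statically and dynamically, and lets only the final task commit. `provider` is assumed to be defined as described above; the `app_hosts` list is constructed sample data.

```yaml
# Added example, not from the role's own docs.
# Assumes 'provider' is defined; 'app_hosts' is constructed sample input.
- name: Build address objects and groups, commit once
  hosts: localhost
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  vars:
    app_hosts:
      - { name: 'web-01',     value: '10.1.0.11/32' }
      - { name: 'web-02',     value: '10.1.0.12/32' }
      - { name: 'db-range',   value: '10.1.1.10-10.1.1.20', type: 'ip-range' }
      - { name: 'vendor-api', value: 'api.vendor.example',  type: 'fqdn' }

  tasks:
    # commit defaults to yes; set it to false here so the loop does not
    # trigger a commit on every iteration.
    - name: Create address objects without committing
      panos_address_object:
        provider: '{{ provider }}'
        name: '{{ item.name }}'
        value: '{{ item.value }}'
        address_type: "{{ item.type | default('ip-netmask') }}"
        tag: ['Prod']
        commit: false
      loop: '{{ app_hosts }}'

    - name: Static group with explicit members
      panos_address_group:
        provider: '{{ provider }}'
        name: 'Prod-Web'
        static_value: ['web-01', 'web-02']
        tag: ['Prod']
        commit: false

    # dynamic_value is a tag filter expression evaluated against registered
    # IP tags, so the single quotes around each tag name must reach PAN-OS:
    # hence the double-quoted YAML string. This last task keeps the default
    # commit: yes and commits the whole batch.
    - name: Dynamic group matched by tag expression (this task commits)
      panos_address_group:
        provider: '{{ provider }}'
        name: 'Prod-DB-Dynamic'
        dynamic_value: "'Prod' and 'DB'"
        tag: ['Prod']
```

Against Panorama, add `device_group` to each task; with `commit` left on, the final task then performs the Panorama commit and the commit-all to that device group, as the `commit` parameter describes.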
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_admin – Add or modify PAN-OS user account passwords

New in version 2.3.

DEPRECATED
Removed in Ansible

version: 2.12

Why

This module is a subset of panos_administrator’s functionality.

Alternative

Use panos_administrator instead.

Synopsis
  • PAN-OS module that changes a user account's password by making API calls to the firewall (pan-api protocol).

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
admin_password
- / required
New password for admin_username user
admin_username
-
Default:
admin
Username that needs password change.
api_key
-
API key that can be used instead of username/password credentials.
commit
-
Default:
yes
Commit configuration if changed.
ip_address
- / required
IP address (or hostname) of PAN-OS device being configured.
password
- / required
Password credentials to use for auth unless api_key is set.
port
-
Default:
443
Port used to connect to the PAN-OS device being configured.
role
-
Default:
None
Role for the admin user.
username
-
Default:
admin
Username credentials to use for auth unless api_key is set.

Notes

Note

  • Checkmode is not supported.

Examples
# Set the password of user admin to "badpassword"
# Doesn't commit the candidate config
  - name: set admin password
    panos_admin:
      ip_address: "192.168.1.1"
      password: "admin"
      admin_username: admin
      admin_password: "badpassword"
      commit: False
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
status
string
success
success status

Sample:
okey dokey


Status
  • This module will be removed in version 2.12. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_administrator – Manage PAN-OS administrator user accounts

New in version 2.8.

Synopsis
  • Manages PAN-OS administrator user accounts.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
admin_password
-
New plain text password for the admin_username user.
If this is not specified, then the password is left as-is.
Takes priority over admin_phash
admin_phash
-
New password hash for the admin_username user
If this is not specified, then the phash is left as-is.
admin_username
-
Default:
admin
Admin name.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
authentication_profile
-
The authentication profile.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
device_admin
boolean
    Choices:
  • no
  • yes
Admin type - device admin
device_admin_read_only
boolean
    Choices:
  • no
  • yes
Admin type - device admin, read only
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
panorama_admin
boolean
    Choices:
  • no
  • yes
This is for Panorama only.
Make the user a Panorama admin only
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
password_profile
-
The password profile for this user.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
role_profile
-
The role based profile.
ssh_public_key
-
Use public key authentication (ssh)
state
string
    Choices:
  • present ←
  • absent
The state.
superuser
boolean
    Choices:
  • no
  • yes
Admin type - superuser
superuser_read_only
boolean
    Choices:
  • no
  • yes
Admin type - superuser, read only
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
list
This is for multi-vsys physical firewalls only.
The list of vsys this admin should manage.
vsys_read_only
list
This is for multi-vsys physical firewalls only.
The list of vsys this read only admin should manage.
web_client_cert_only
boolean
    Choices:
  • no
  • yes
Use only client certificate authentication (Web)

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • Because “request password-hash” does not always generate the same hash with the same password every time, it isn’t possible to tell if the admin’s password is correct or not. Specifying check mode or state=present with admin_password specified will always report changed=True in the return value.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
# Configure user "foo"
# Doesn't commit the candidate config
  - name: configure foo administrator
    panos_administrator:
      provider: '{{ provider }}'
      admin_username: 'foo'
      admin_password: 'secret'
      superuser: true
      commit: false
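The single example above grants `superuser`. The following added example (not from the role's own docs) uses the admin-type flags to provision accounts at the lowest privilege that fits their job, keeps the passwords in Ansible Vault and out of task output, and commits once at the end. `provider`, the vault variable names, the account names, and the existing password profile `rotate-90d` are all assumptions.

```yaml
# Added example, not from the role's own docs.
# Assumes 'provider' is defined, the password profile 'rotate-90d' already
# exists on the device, and the vault_* variables come from Ansible Vault.
- name: Provision least-privilege administrator accounts
  hosts: localhost
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Read-only auditor accounts (superuser_read_only, never superuser)
      panos_administrator:
        provider: '{{ provider }}'
        admin_username: '{{ item }}'
        admin_password: '{{ vault_auditor_password }}'
        superuser_read_only: true
        password_profile: 'rotate-90d'
        commit: false
      loop: ['auditor-alice', 'auditor-bob']
      no_log: true    # task args contain a password; keep them out of output

    - name: One full superuser reserved for break-glass use
      panos_administrator:
        provider: '{{ provider }}'
        admin_username: 'breakglass'
        admin_password: '{{ vault_breakglass_password }}'
        superuser: true
        password_profile: 'rotate-90d'
        commit: false
      no_log: true

    - name: Remove a departed administrator; this task commits the whole set
      panos_administrator:
        provider: '{{ provider }}'
        admin_username: 'contractor'
        state: 'absent'
```

As the Notes below state, any task that sets `admin_password` reports `changed=True` on every run, in check mode too, because the stored hash cannot be compared; do not treat those tasks as evidence that a password actually differed.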
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
status
string
success
success status

Sample:
done


Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_admpwd – Change the admin password of a PAN-OS device over SSH using an SSH key

New in version 2.3.

Synopsis
  • Change the admin password of PAN-OS via SSH using a SSH key for authentication.

  • Useful for AWS instances where the first login should be done via SSH.

Requirements

The below requirements are needed on the host that executes this module.

  • paramiko

Parameters
Parameter Choices/Defaults Comments
ip_address
- / required
IP address (or hostname) of PAN-OS device
key_filename
- / required
filename of the SSH Key to use for authentication
newpassword
- / required
password to configure for admin on the PAN-OS device
username
-
Default:
admin
username for initial authentication

Examples
# Tries for 10 times to set the admin password of 192.168.1.1 to "badpassword"
# via SSH, authenticating using key /tmp/ssh.key
- name: set admin password
  panos_admpwd:
    ip_address: "192.168.1.1"
    username: "admin"
    key_filename: "/tmp/ssh.key"
    newpassword: "badpassword"
  register: result
  until: result is succeeded
  retries: 10
  delay: 30
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
status
string
success
success status

Sample:
Last login: Fri Sep 16 11:09:20 2016 from 10.35.34.56.....Configuration committed successfully


Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_api_key – retrieve api_key for username/password combination

New in version 2.8.

Synopsis
  • This module will allow retrieval of the api_key for a given username/password

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Checkmode is NOT supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: retrieve api_key
  panos_api_key:
    provider: '{{ provider }}'
  register: auth

- name: show system info
  panos_op:
    ip_address: '{{ ip_address }}'
    api_key: '{{ auth.api_key }}'
    cmd: show system info
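The example above generates the key and then uses it with the classic `ip_address` / `api_key` params. The following added example (not from the role's own docs) shows the same flow with the password confined to a single bootstrap task: the key is generated once, hidden from the play output, and every later task authenticates with the key only. `panos_host` and the `vault_*` variables are assumed to be defined elsewhere (for example in an Ansible Vault file).

```yaml
# Added example, not from the role's own docs.
# Assumes panos_host, vault_panos_username and vault_panos_password are defined.
- name: Use an API key instead of a password for every call after bootstrap
  hosts: localhost
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  vars:
    bootstrap_provider:
      ip_address: '{{ panos_host }}'
      username: '{{ vault_panos_username }}'
      password: '{{ vault_panos_password }}'

  tasks:
    - name: Generate the API key from username/password (once)
      panos_api_key:
        provider: '{{ bootstrap_provider }}'
      register: auth
      no_log: true        # the registered result contains the key itself

    - name: Build a key-only provider for all later tasks
      set_fact:
        provider:
          ip_address: '{{ panos_host }}'
          api_key: '{{ auth.api_key }}'
      no_log: true

    - name: Create an object using the key-only provider
      panos_address_object:
        provider: '{{ provider }}'
        name: 'Test-One'
        value: '10.0.0.10/32'
        commit: false

    # panos_op is documented on this page with the classic params, so the key
    # is passed that way here.
    - name: Run an operational command with the key only
      panos_op:
        ip_address: '{{ panos_host }}'
        api_key: '{{ auth.api_key }}'
        cmd: show system info
```

The key is tied to the admin account that generated it; changing that account's password invalidates it, so a password rotation must be followed by regenerating the key. Treat a registered `api_key` as a secret equivalent to the password: never write it to a fact cache or log that other users can read.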
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_key
string
success
output of the api_key

Sample:
LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09


Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_aggregate – Configures a BGP Aggregation Prefix Policy

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
as_set
-
Default:
no
Generate AS-set attribute.
attr_as_path_limit
-
Add AS path limit attribute if it does not exist.
attr_as_path_prepend_times
-
Prepend local AS for specified number of times.
attr_as_path_type
-
    Choices:
  • none ←
  • remove
  • prepend
  • remove-and-prepend
AS path update options.
attr_community_argument
-
Argument to the action community value if needed.
attr_community_type
-
    Choices:
  • none ←
  • remove-all
  • remove-regex
  • append
  • overwrite
Community update options.
attr_extended_community_argument
-
Argument to the action extended community value if needed.
attr_extended_community_type
-
    Choices:
  • none ←
  • remove-all
  • remove-regex
  • append
  • overwrite
Extended community update options.
attr_local_preference
-
New Local Preference value.
attr_med
-
New Multi-Exit Discriminator value.
attr_nexthop
-
Next-hop address.
attr_origin
-
    Choices:
  • igp
  • egp
  • incomplete ←
New route origin.
attr_weight
-
New weight value.
commit
-
Default:
yes
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes ←
Enable policy.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of policy.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
prefix
-
Aggregating address prefix.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
summary
-
Summarize route.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Aggregation Rule
  panos_bgp_aggregate:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'aggr-rule-01'
    prefix: '10.0.0.0/24'
    enable: true
    summary: true

- name: Remove BGP Aggregation Rule
  panos_bgp_aggregate:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'aggr-rule-01'
    state: 'absent'
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_auth – Configures a BGP Authentication Profile

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of Authentication Profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
replace
boolean
    Choices:
  • no
  • yes
Deprecated
This is the behavior of state=present, so this can safely be removed from your playbooks.

The secret is encrypted so the state cannot be compared.
This option forces removal of a matching item before applying the new config.
secret
-
Secret.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

  • Since the secret value is encrypted in PAN-OS, there is no way to verify if the secret is properly set or not. Invoking this module with state=present will always apply the config to PAN-OS.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Authentication Profile
  panos_bgp_auth:
    provider: '{{ provider }}'
    vr_name: 'my virtual router'
    name: auth-profile-1
    secret: SuperSecretCode
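Because the secret is stored encrypted, `state=present` rewrites the profile on every run (see the Notes below), which makes a routine playbook both non-idempotent and a source of needless commits. The following added example (not from the role's own docs) gates the task behind an explicit tag so the secret is only pushed when the operator asks for it, and reads the secret from Ansible Vault rather than the playbook. `provider` and `vault_bgp_secret` are assumed to be defined.

```yaml
# Added example, not from the role's own docs.
# Assumes 'provider' is defined and vault_bgp_secret comes from Ansible Vault.
- name: Rotate the BGP peer authentication secret only on request
  hosts: localhost
  connection: local
  gather_facts: false

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    # The 'never' tag keeps this task out of ordinary runs; it executes only
    # when the play is started with --tags rotate-bgp-secret.
    - name: Apply BGP authentication profile (always reported as changed)
      panos_bgp_auth:
        provider: '{{ provider }}'
        vr_name: 'default'
        name: 'auth-profile-1'
        secret: '{{ vault_bgp_secret }}'
        commit: true
      no_log: true          # the task args contain the secret
      tags: [never, rotate-bgp-secret]
```

Run `ansible-playbook bgp.yml --tags rotate-bgp-secret --ask-vault-pass` to push a new secret; the same value must be configured on the peer before the session re-establishes.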
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_conditional_advertisement – Configures a BGP conditional advertisement

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

  • In the PAN-OS GUI, this resource cannot be created without also creating at least one non-exist filter and one advertise filter. The API behaves a little differently; you can create the conditional advertisement itself, but the API will start throwing errors if you try to update it and there is not at least one non-exist filter and one advertise filter.

  • In order for a conditional advertisement to be valid, you must specify at least one non-exist and one advertise filter.

  • When modifying a BGP conditional advertisement, any filters attached are left as-is, unless advertise_filter or non_exist_filter are specified.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
advertise_filter
-
Deprecated
Use panos_bgp_policy_filter to define filters after creation.

Advertisement filter object returned by panos_bgp_policy_filter.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes
Enable this policy.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of Conditional Advertisement policy.
non_exist_filter
-
Deprecated
Use panos_bgp_policy_filter to define filters after creation.

Non-Exist filter object returned by panos_bgp_policy_filter.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
used_by
list
List of Peer Groups using this policy.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist and have BGP configured.
See panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Conditional Advertisement Rule
  panos_bgp_conditional_advertisement:
    provider: '{{ provider }}'
    name: 'cond-rule-01'
    enable: true
    non_exist_filter: '{{ non_exist.panos_obj }}'
    advertise_filter: '{{ advertise.panos_obj }}'
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_dampening – Configures a BGP Dampening Profile

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
cutoff
float
Cutoff threshold value.
decay_half_life_reachable
integer
Decay half-life while reachable (in seconds).
decay_half_life_unreachable
integer
Decay half-life while unreachable (in seconds).
enable
boolean
    Choices:
  • no
  • yes ←
Enable profile.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
max_hold_time
integer
Maximum of hold-down time (in seconds).
name
- / required
Name of Dampening Profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
reuse
float
Reuse threshold value.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist.
See panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Dampening Profile
  panos_bgp_dampening:
    provider: '{{ provider }}'
    name: damp-profile-1
    enable: true
    commit: true
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp – Configures Border Gateway Protocol (BGP)

New in version 2.9.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
aggregate_med
-
Aggregate routes only if they have the same MED attribute.
allow_redist_default_route
-
Default:
no
Allow redistribution of the default route into BGP.
always_compare_med
-
Default:
no
Always compare MEDs.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
as_format
-
Default:
2-byte
AS format '2-byte'/'4-byte'.
commit
-
Default:
yes
Commit configuration if changed.
confederation_member_as
-
Member AS number; required when the router is part of a confederation.
default_local_preference
-
Default:
100
Default local preference.
deterministic_med_comparison
-
Default:
yes
Deterministic MED comparison.
ecmp_multi_as
-
Default:
no
Support multiple AS in ECMP.
enable
-
Default:
yes
Enable BGP.
enforce_first_as
-
Default:
yes
Enforce First AS for EBGP.
gr_local_restart_time
-
Local restart time to advertise to peer (in seconds).
gr_max_peer_restart_time
-
Maximum peer restart time accepted (in seconds).
gr_stale_route_time
-
Time to remove stale routes after peer restart (in seconds).
graceful_restart_enable
-
Default:
yes
Enable graceful restart.
install_route
-
Default:
no
Install BGP-learned routes in the global route table.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
local_as
-
Local Autonomous System (AS) number.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
reflector_cluster_id
-
Route reflector cluster ID.
reject_default_route
-
Default:
yes
Reject default route.
router_id
- / required
Router ID in IP format (e.g. 1.1.1.1).
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Configure and enable BGP
  panos_bgp:
    provider: '{{ provider }}'
    router_id: '1.1.1.1'
    local_as: '64512'
    commit: true
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_peer_group – Configures a BGP Peer Group

New in version 2.9.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
aggregated_confed_as_path
boolean
    Choices:
  • no
  • yes
The peers understand Aggregated Confederation AS Path.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes ←
Enable BGP peer group.
export_nexthop
-
    Choices:
  • resolve ←
  • use-self
Export locally resolved nexthop.
import_nexthop
-
    Choices:
  • original ←
  • use-peer
type=ebgp only; override nexthop with peer address.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of the BGP peer group.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
remove_private_as
boolean
    Choices:
  • no
  • yes
type=ebgp only; remove private AS when exporting route.
soft_reset_with_stored_info
boolean
    Choices:
  • no
  • yes
Enable soft reset with stored info.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
type
-
    Choices:
  • ebgp ←
  • ibgp
  • ebgp-confed
  • ibgp-confed
Peer group type.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Peer Group
  panos_bgp_peer_group:
    provider: '{{ provider }}'
    name: 'peer-group-1'
    enable: true
    aggregated_confed_as_path: true
    soft_reset_with_stored_info: false
    commit: true
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_peer – Configures a BGP Peer

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
address_family_identifier
-
    Choices:
  • ipv4
  • ipv6
Peer address family type.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
bfd_profile
-
BFD profile configuration.
commit
-
Default:
yes
Commit configuration if changed.
connection_authentication
-
BGP auth profile name.
connection_hold_time
integer
Hold time (in seconds).
connection_idle_hold_time
integer
Idle hold time (in seconds).
connection_incoming_allow
boolean
    Choices:
  • no
  • yes
Allow incoming connections.
connection_incoming_remote_port
integer
Restrict remote port for incoming BGP connections.
connection_keep_alive_interval
integer
Keep-alive interval (in seconds).
connection_min_route_adv_interval
integer
Minimum Route Advertisement Interval (in seconds).
connection_multihop
integer
IP TTL value used when sending BGP packets. A value of 0 means eBGP uses 2 and iBGP uses 255.
connection_open_delay_time
integer
Open delay time (in seconds).
connection_outgoing_allow
boolean
    Choices:
  • no
  • yes
Allow outgoing connections.
connection_outgoing_local_port
integer
Use specific local port for outgoing BGP connections.
enable
boolean
    Choices:
  • no
  • yes ←
Enable BGP Peer.
enable_mp_bgp
boolean
    Choices:
  • no
  • yes
Enable MP-BGP extensions.
enable_sender_side_loop_detection
boolean
    Choices:
  • no
  • yes
Enable sender side loop detection.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
local_interface
-
Interface to accept BGP session.
local_interface_ip
-
Specify exact IP address if interface has multiple addresses.
max_prefixes
integer
Maximum number of prefixes to accept from the peer.
name
- / required
Name of BGP Peer.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
peer_address_ip
-
IP address of peer.
peer_as
-
Peer AS number.
peer_group
- / required
Name of the peer group; it must already exist; see panos_bgp_peer_group.
peering_type
-
    Choices:
  • unspecified
  • bilateral
Peering type.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
reflector_client
-
    Choices:
  • non-client
  • client
  • meshed-client
Reflector client type.
state
string
    Choices:
  • present ←
  • absent
The state.
subsequent_address_multicast
boolean
    Choices:
  • no
  • yes
Select SAFI for this peer.
subsequent_address_unicast
boolean
    Choices:
  • no
  • yes
Select SAFI for this peer.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create BGP Peer
  panos_bgp_peer:
    provider: '{{ provider }}'
    peer_group: 'peer-group-1'
    name: 'peer-1'
    enable: true
    local_interface: 'ethernet1/1'
    local_interface_ip: '192.168.1.1'
    peer_address_ip: '10.1.1.1'
    peer_as: '64512'
    commit: true
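The panos_bgp, panos_bgp_peer_group and panos_bgp_peer examples above each create one object in isolation. The following added example (not from the ansible-pan project or its documentation) chains them into one play that brings up an eBGP session with the protective options set explicitly: enforce_first_as and reject_default_route on the BGP process, remove_private_as on the peer group, and a BGP authentication profile plus max_prefixes on the peer. Every task runs with commit: false so the change lands in a single panos_commit at the end. The inventory group edge-fw, the variables panos_host and panos_api_key, the authentication profile bgp-auth-upstream (which must already exist on the device; creating it is outside this example), and all addresses, prefixes and AS numbers are constructed for illustration.

```yaml
# Added example (not from the ansible-pan project): bring up one eBGP session
# with the security-relevant options set explicitly. Every name, address and
# AS number below is constructed for illustration.
- name: Configure a hardened eBGP session
  hosts: edge-fw               # assumed inventory group
  connection: local
  gather_facts: false
  vars:
    provider:                  # assumed to come from an Ansible Vault encrypted vars file
      ip_address: "{{ panos_host }}"
      api_key: "{{ panos_api_key }}"
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Enable BGP on the default virtual router
      panos_bgp:
        provider: '{{ provider }}'
        vr_name: 'default'
        router_id: '192.0.2.1'
        local_as: '64512'
        enforce_first_as: true       # drop eBGP updates whose AS_PATH does not start with the peer AS
        reject_default_route: true   # never accept 0.0.0.0/0 from a peer
        install_route: true
        commit: false

    - name: eBGP peer group that strips private ASNs on export
      panos_bgp_peer_group:
        provider: '{{ provider }}'
        vr_name: 'default'
        name: 'upstream-ebgp'
        type: 'ebgp'
        remove_private_as: true
        export_nexthop: 'resolve'
        import_nexthop: 'original'
        commit: false

    - name: Upstream peer with an authentication profile and a prefix limit
      panos_bgp_peer:
        provider: '{{ provider }}'
        vr_name: 'default'
        peer_group: 'upstream-ebgp'
        name: 'upstream-1'
        enable: true
        peer_as: '65001'
        peer_address_ip: '203.0.113.2'
        local_interface: 'ethernet1/1'
        local_interface_ip: '203.0.113.1'
        connection_authentication: 'bgp-auth-upstream'   # assumed existing BGP auth profile
        max_prefixes: 1000                                # bound what a misbehaving peer can inject
        enable_sender_side_loop_detection: true
        commit: false

    - name: Commit all BGP changes at once
      panos_commit:
        provider: '{{ provider }}'
```

max_prefixes bounds how much a compromised or misconfigured neighbour can push into the routing table, and enforce_first_as rejects updates whose AS_PATH does not begin with the peer's AS. connection_authentication is only a reference: the name must match a BGP auth profile that already exists on the device.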
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_policy_filter – Configures a BGP Policy Filter (conditional advertisement or aggregate)

New in version 2.9.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
address_prefix
list
List of address prefix strings or dicts with "name"/"exact" keys.
Using the dict form for address prefixes should only be used with policy_type=aggregate.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes ←
Enable filter.
filter_type
- / required
    Choices:
  • non-exist
  • advertise
  • suppress
The type of filter.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
match_afi
-
    Choices:
  • ip
  • ipv6
Address Family Identifier.
match_as_path_regex
-
AS-path regular expression.
match_community_regex
-
Community regular expression.
match_extended_community_regex
-
Extended community regular expression.
match_from_peer
-
Filter by peer that sent this route.
match_med
-
Multi-Exit Discriminator.
match_nexthop
-
Next-hop attributes.
match_route_table
-
    Choices:
  • unicast
  • multicast
  • both
Route table to match rule.
match_safi
-
    Choices:
  • ip
  • ipv6
Subsequent Address Family Identifier.
name
- / required
Name of filter.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
policy_name
-
The name of the policy object.
policy_type
- / required
    Choices:
  • conditional-advertisement
  • aggregate
The type of policy object.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
-
    Choices:
  • present ←
  • absent
  • return-object
Add or remove BGP Policy Filter.
state=return-object is deprecated and will be removed in 2.12.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist and have BGP configured.
See panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
panos_obj
string
success
A serialized policy filter, returned when state == 'return-object'. The value is opaque and is only meant to be passed to the module that consumes the filter (for example as its advertise_filter argument).


Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_policy_rule – Configures a BGP Policy Import/Export Rule

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
action
-
    Choices:
  • allow
  • deny
Rule action.
action_as_path_limit
integer
Add AS path limit attribute if it does not exist.
action_as_path_prepend_times
integer
Prepend local AS for specified number of times.
action_as_path_type
-
    Choices:
  • none
  • remove
  • prepend
  • remove-and-prepend
AS path update options.
action_community_argument
-
Argument to the action community value if needed.
action_community_type
-
    Choices:
  • none
  • remove-all
  • remove-regex
  • append
  • overwrite
Community update options.
action_dampening
-
Route flap dampening profile; only with "import" type.
action_extended_community_argument
-
Argument to the action extended community value if needed.
action_extended_community_type
-
Extended community update options.
action_local_preference
integer
New local preference value.
action_med
integer
New MED value.
action_nexthop
-
Nexthop address.
action_origin
-
    Choices:
  • igp
  • egp
  • incomplete
New route origin.
action_weight
integer
New weight value; only with "import" type.
address_prefix
-
List of address prefix strings or dicts with "name"/"exact" keys.
If a list entry is a string, then exact=False for that name.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes ←
Enable rule.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
match_afi
-
    Choices:
  • ip
  • ipv6
Address Family Identifier.
match_as_path_regex
-
AS-path regular expression.
match_community_regex
-
Community regular expression.
match_extended_community_regex
-
Extended community regular expression.
match_from_peer
list
Filter by peer that sent this route.
match_med
integer
Multi-Exit Discriminator.
match_nexthop
list
Next-hop attributes.
match_route_table
-
    Choices:
  • unicast
  • multicast
  • both
Route table to match rule.
match_safi
-
    Choices:
  • ip
  • ipv6
Subsequent Address Family Identifier.
name
- / required
Name of filter.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
type
- / required
    Choices:
  • import
  • export
The type of rule.
used_by
list
Peer-groups that use this rule.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
# Add a BGP Policy
- name: Create Policy Import Rule
  panos_bgp_policy_rule:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'import-rule-001'
    type: 'import'
    enable: true
    action: 'allow'
    address_prefix:
      - '10.1.1.0/24'
      - name: '10.1.2.0/24'
        exact: false
      - name: '10.1.3.0/24'
        exact: true
    action_dampening: 'dampening-profile'

- name: Create Policy Export Rule
  panos_bgp_policy_rule:
    provider: '{{ provider }}'
    vr_name: 'default'
    name: 'export-rule-001'
    type: 'export'
    enable: true
    action: 'allow'

- name: Remove Export Rule
  panos_bgp_policy_rule:
    provider: '{{ provider }}'
    state: 'absent'
    vr_name: 'default'
    name: 'export-rule-001'
    type: 'export'
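The examples above create rules but do not show how they combine into a policy. The following added example (not from the ansible-pan project) builds a minimal route-hygiene policy for a peer group named upstream-ebgp: an import rule that drops the default route and RFC 1918 space, an import rule that accepts everything else with a dampening profile attached, an export rule that advertises only the prefixes in own_prefixes, and a final export deny that blocks anything not explicitly allowed. It assumes that rules are evaluated top to bottom in the order they are created and that a rule with no match criteria matches every route; both assumptions should be confirmed on the target PAN-OS release, because the module has no ordering parameter. The peer group, the dampening profile damp-profile-1 (assumed to exist, as created by the panos_bgp_dampening example), the inventory group, the provider variables and all prefixes are constructed.

```yaml
# Added example (not from the ansible-pan project): route-hygiene policy for the
# constructed peer group 'upstream-ebgp'. Assumption: rules are evaluated top to
# bottom in creation order and a rule with no match criteria matches every route.
- name: BGP import/export hygiene rules
  hosts: edge-fw               # assumed inventory group
  connection: local
  gather_facts: false
  vars:
    provider:                  # assumed to come from an Ansible Vault encrypted vars file
      ip_address: "{{ panos_host }}"
      api_key: "{{ panos_api_key }}"
    own_prefixes:              # constructed: the only prefixes this site may originate
      - '198.51.100.0/24'
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Import 010 - drop the default route and RFC 1918 space from upstream
      panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        type: 'import'
        name: 'import-010-deny-bogons'
        enable: true
        action: 'deny'
        used_by: ['upstream-ebgp']
        address_prefix:
          - name: '0.0.0.0/0'
            exact: true          # only the default route itself
          - '10.0.0.0/8'         # string form means exact=False: more-specifics match too
          - '172.16.0.0/12'
          - '192.168.0.0/16'
        commit: false

    - name: Import 020 - accept everything else, with flap dampening
      panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        type: 'import'
        name: 'import-020-allow-rest'
        enable: true
        action: 'allow'
        used_by: ['upstream-ebgp']
        action_dampening: 'damp-profile-1'   # assumed existing dampening profile
        commit: false

    - name: Export 010 - advertise only prefixes we own
      panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        type: 'export'
        name: 'export-010-allow-own'
        enable: true
        action: 'allow'
        used_by: ['upstream-ebgp']
        address_prefix: "{{ own_prefixes }}"
        commit: false

    - name: Export 999 - deny anything not matched above (prevents route leaks)
      panos_bgp_policy_rule:
        provider: '{{ provider }}'
        vr_name: 'default'
        type: 'export'
        name: 'export-999-deny-all'
        enable: true
        action: 'deny'
        used_by: ['upstream-ebgp']
        commit: false

    - name: Commit the policy once
      panos_commit:
        provider: '{{ provider }}'
```

The explicit export deny is the important part: without it, any route learned from one neighbour and installed in the table could be re-advertised to the upstream. Because ordering follows creation here, re-running the play with rules renamed or reordered in the file does not reorder them on the device; check the resulting order after the first run.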
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_bgp_redistribute – Configures a BGP Redistribution Rule

New in version 2.8.

Synopsis
  • Use BGP to publish and consume routes from disparate networks.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
address_family_identifier
-
    Choices:
  • ipv4 ←
  • ipv6
Address Family Identifier.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
enable
boolean
    Choices:
  • no
  • yes ←
Enable rule.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
metric
integer
Metric value.
name
- / required
An IPv4 subnet or a defined Redistribution Profile in the virtual router.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
route_table
-
    Choices:
  • unicast ←
  • multicast
  • both
Summarize route.
set_as_path_limit
integer
Add the AS_PATHLIMIT path attribute.
set_community
list
Add the COMMUNITY path attribute.
set_extended_community
list
Add the EXTENDED COMMUNITY path attribute.
set_local_preference
integer
Add the LOCAL_PREF path attribute.
set_med
integer
Add the MULTI_EXIT_DISC path attribute.
set_origin
-
    Choices:
  • igp
  • egp
  • incomplete ←
New route origin.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist.
See panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: BGP use Redistribution Policy 1
  panos_bgp_redistribute:
    provider: '{{ provider }}'
    name: '10.2.3.0/24'
    enable: true
    commit: true
    address_family_identifier: ipv4
    set_origin: incomplete
    vr_name: default
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_cert_gen_ssh – generates a self-signed certificate using SSH protocol with SSH key

New in version 2.3.

Synopsis
  • This module generates a self-signed certificate that can be used by the GlobalProtect client, an SSL connector, or elsewhere. The signing root certificate must already be present on the device. This module depends on paramiko for SSH.

Requirements

The below requirements are needed on the host that executes this module.

  • paramiko

Parameters
Parameter Choices/Defaults Comments
cert_cn
- / required
Default:
None
Certificate CN (common name) placed in the certificate subject.
cert_friendly_name
- / required
Default:
None
Human friendly certificate name (not CN but just a friendly name).
ip_address
- / required
Default:
None
IP address (or hostname) of PAN-OS device being configured.
key_filename
- / required
Default:
None
Path to the SSH private key file used for authentication. Either key_filename or password is required.
password
- / required
Default:
None
Password credentials to use for auth. Either key_filename or password is required.
rsa_nbits
-
Default:
2048
Number of bits used by the RSA algorithm for the certificate generation.
signed_by
- / required
Default:
None
Signing authority (CA) that MUST already be present on the device.
username
-
Default:
admin
User name to use for auth. Default is admin.

Notes

Note

  • Checkmode is not supported.

Examples
# Generates a new self-signed certificate using ssh
- name: generate self signed certificate
  panos_cert_gen_ssh:
    ip_address: "192.168.1.1"
    username: "admin"
    password: "paloalto"
    cert_cn: "1.1.1.1"
    cert_friendly_name: "test123"
    signed_by: "root-ca"
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_check – check if PAN-OS device is ready for configuration

New in version 2.3.

Synopsis
  • Check whether the PAN-OS device is ready to be configured (no pending jobs).

  • The check can be performed once or repeated until the device is ready or the timeout expires.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
initial_delay
integer
Default:
0
Length of time (in seconds) to wait before doing any readiness checks.
interval
integer
Default:
0
Length of time (in seconds) to wait between checks.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
timeout
integer
Default:
60
Length of time (in seconds) to wait for jobs to finish.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Checkmode is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Single check.
- name: check if ready
  panos_check:
    provider: '{{ provider }}'
    timeout: 0

# Wait 2 minutes, then check every 5 seconds for 10 minutes.
- name: wait for reboot
  panos_check:
    provider: '{{ provider }}'
    initial_delay: 120
    interval: 5
    timeout: 600
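panos_check and panos_commit are most useful together: gate configuration work on the device having no pending jobs, commit once, then confirm the commit job has finished before anything else touches the device. The following added example (not from the ansible-pan project) shows that sequence with the API key loaded from an Ansible Vault encrypted vars file and kept out of task output with no_log. The inventory group edge-fw, the file vault/panos.yml, the variables panos_api_key and panos_is_panorama, and the device group edge-firewalls are constructed for illustration.

```yaml
# Added example (not from the ansible-pan project): readiness-gated commit with
# the API key loaded from an Ansible Vault file and kept out of task output.
# Group name, file paths, variable names and the device group are constructed.
- name: Wait for the device, then commit staged changes
  hosts: edge-fw
  connection: local
  gather_facts: false
  vars_files:
    - vault/panos.yml          # assumed: ansible-vault encrypted, defines panos_api_key
  vars:
    provider:
      ip_address: "{{ inventory_hostname }}"
      api_key: "{{ panos_api_key }}"   # api_key instead of username/password: no admin password in the play
      port: 443
    panos_is_panorama: false   # assumed per-host variable set in inventory
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Block until no jobs are pending (60s head start for a reboot, poll every 10s, give up after 10 min)
      panos_check:
        provider: '{{ provider }}'
        initial_delay: 60
        interval: 10
        timeout: 600
      no_log: true             # the provider dict (and the API key) never appears in -vvv output

    - name: Commit on a firewall
      panos_commit:
        provider: '{{ provider }}'
      no_log: true
      when: not panos_is_panorama

    - name: Commit on Panorama, including template changes, for one device group
      panos_commit:
        provider: '{{ provider }}'
        device_group: 'edge-firewalls'   # assumed device group name
        include_template: true
      no_log: true
      when: panos_is_panorama

    - name: Confirm the commit job has finished before the next play continues
      panos_check:
        provider: '{{ provider }}'
        interval: 5
        timeout: 300
      no_log: true
```

no_log also suppresses the module's own error text when a task fails, so drop it temporarily while debugging. Because provider is present on every task, any leftover classic ip_address/username/password parameters would be ignored, as the notes above state, which makes the vault-loaded provider the single place credentials are defined.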
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_commit – Commit a PAN-OS device’s candidate configuration

New in version 2.3.

Synopsis
  • Module that will commit the candidate configuration of a PAN-OS device.

  • The new configuration will become active immediately.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
devicegroup
-
Deprecated
Use device_group instead.

(Panorama only) The device group.
include_template
boolean
    Choices:
  • no
  • yes
(Panorama only) Include template changes with the commit.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: commit candidate config on firewall
  panos_commit:
    provider: '{{ provider }}'

- name: commit candidate config on Panorama
  panos_commit:
    provider: '{{ provider }}'
    device_group: 'Cloud-Edge'
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_dag – create a dynamic address group

New in version 2.3.

DEPRECATED
Removed in Ansible version: 2.12

Why

This module’s functionality is a subset of panos_address_group.

Alternative

Use panos_address_group instead.

Synopsis
  • Create a dynamic address group object in the firewall, for use in policy rules.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
-
API key that can be used instead of username/password credentials.
commit
-
Default:
yes
commit if changed
dag_match_filter
- / required
Default:
None
Dynamic filter used by the dynamic address group.
dag_name
- / required
Default:
None
name of the dynamic address group
description
-
The description of the object.
devicegroup
-
Default:
None
The name of the Panorama device group. The group must exist on Panorama. If device group is not defined it is assumed that we are contacting a firewall.
ip_address
- / required
Default:
None
IP address (or hostname) of PAN-OS device
operation
- / required
Default:
None
The operation to perform. Supported values are add/list/delete.
password
- / required
Default:
None
password for authentication
tag_name
-
Default:
None
Add administrative tags to the DAG
username
-
Default:
admin
username for authentication

Examples
- name: dag
  panos_dag:
    ip_address: "192.168.1.1"
    password: "admin"
    dag_name: "dag-1"
    dag_match_filter: "'aws-tag.aws:cloudformation:logical-id.ServerInstance' and 'instanceState.running'"
    description: 'Add / create dynamic address group to allow access to SaaS Applications'
    operation: 'add'
Status
  • This module will be removed in version 2.12. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer), Vinay Venkataraghavan (@vinayvenkat)

panos_dag_tags – Create tags for DAG’s on PAN-OS devices

New in version 2.5.

DEPRECATED
Removed in Ansible version: 2.9

Why

Superseded by the newer API calls used in panos_registered_ip.

Alternative

Use panos_registered_ip instead.

Synopsis
  • Create IP address to tag associations. The tags will in turn be used to create DAGs.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
-
API key that can be used instead of username/password credentials.
commit
-
Default:
yes
commit if changed
description
-
The purpose / objective of the static Address Group
devicegroup
-
Device groups are used for the Panorama interaction with firewall(s). The group must exist on Panorama. If no device group is defined, it is assumed that a firewall is being contacted.
ip_address
- / required
IP address (or hostname) of PAN-OS device
ip_to_register
-
IP that will be registered with the given tag names.
operation
-
The action to be taken. Supported values are add/update/find/delete.
password
- / required
password for authentication
tag_names
-
The list of the tags that will be added or removed from the IP address.
username
-
Default:
admin
username for authentication

Notes

Note

  • Checkmode is not supported.

  • Panorama is not supported.

  • Use panos_registered_ip from now on.

Examples
- name: Create the tags to map IP addresses
  panos_dag_tags:
    ip_address: "{{ ip_address }}"
    password: "{{ password }}"
    ip_to_register: "{{ ip_to_register }}"
    tag_names: "{{ tag_names }}"
    description: "Tags to allow certain IP's to access various SaaS Applications"
    operation: 'add'
  tags: "adddagip"

- name: List the IP address to tag mapping
  panos_dag_tags:
    ip_address: "{{ ip_address }}"
    password: "{{ password }}"
    tag_names: "{{ tag_names }}"
    description: "List the IP address to tag mapping"
    operation: 'list'
  tags: "listdagip"

- name: Unregister an IP address from a tag mapping
  panos_dag_tags:
    ip_address: "{{ ip_address }}"
    password: "{{ password }}"
    ip_to_register: "{{ ip_to_register }}"
    tag_names: "{{ tag_names }}"
    description: "Unregister IP address from tag mappings"
    operation: 'delete'
  tags: "deletedagip"
Status
  • This module will be removed in version 2.9. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Vinay Venkataraghavan (@vinayvenkat)

panos_facts – Collects facts from Palo Alto Networks device

New in version 2.8.

Synopsis
  • Collects fact information from Palo Alto Networks firewall running PanOS.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
gather_subset
-
Default:
['!config']
Scopes what information is gathered from the device. Possible values for this argument include all, system, session, interfaces, ha, vr, vsys and config. You can specify a list of values to include a larger subset. Values can also be used with an initial ! to specify that a specific subset should not be collected. Certain subsets might be supported by Panorama.
host
-
Removed
Use provider instead.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Tested on PanOS 8.0.5

  • Checkmode is not supported.

  • Panorama is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Gather facts
- name: Get facts
  panos_facts:
    provider: '{{ provider }}'
    gather_subset: ['config']
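The gather_subset rules described above (a plain name includes a subset, a leading ! excludes one, all selects every subset, and the default is ['!config'], which keeps the full XML device configuration out of the facts unless asked for) resolved in code, as an added example that is not the module's own implementation; that an explicit include list restricts collection to exactly those subsets is an assumption about the module.

```python
"""Resolve a panos_facts gather_subset list into the subsets to collect.

Added example, not the module's own code. It implements the rules stated in
the parameter description: plain names include, a leading '!' excludes, 'all'
expands to every subset, and the default is ['!config']. That an explicit
include list restricts collection to just those subsets is an assumption.
"""
from typing import Iterable, Set

# The subset names listed in the gather_subset description.
VALID_SUBSETS: Set[str] = {"system", "session", "interfaces", "ha", "vr", "vsys", "config"}
DEFAULT_GATHER_SUBSET = ["!config"]  # documented module default


def resolve_gather_subset(spec: Iterable[str] = DEFAULT_GATHER_SUBSET) -> Set[str]:
    """Return the set of subsets to collect; raise ValueError on unknown names."""
    includes: Set[str] = set()
    excludes: Set[str] = set()
    for raw in spec:
        item = str(raw).strip()
        negate = item.startswith("!")
        name = item[1:] if negate else item
        target = excludes if negate else includes
        if name == "all":
            target.update(VALID_SUBSETS)
        elif name in VALID_SUBSETS:
            target.add(name)
        else:
            raise ValueError(f"unknown gather_subset value: {raw!r}")
    # With no positive entry everything is a candidate, which is how the default
    # '!config' comes to mean "everything except the device configuration".
    base = includes if includes else set(VALID_SUBSETS)
    return base - excludes


if __name__ == "__main__":
    print(sorted(resolve_gather_subset()))            # default: all but config
    print(sorted(resolve_gather_subset(["config"])))  # the example task above
```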
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
ansible_net_config
string
When config is specified in gather_subset.
Device configuration in XML format.

ansible_net_full_commit_required
boolean
When system is specified in gather_subset.
Specifies whether full commit is required to apply changes.

ansible_net_ha_enabled
boolean
When ha is specified in gather_subset.
Specifies whether HA is enabled or not.

ansible_net_ha_localmode
string
When ha is specified in gather_subset.
Specifies the HA mode on local node.

Sample:
Active-Passive
ansible_net_ha_localstate
string
When ha is specified in gather_subset.
Specifies the HA state on local node.

Sample:
active
ansible_net_hostname
string
When system is specified in gather_subset.
Hostname of the local node.

ansible_net_interfaces
complex
When interfaces is specified in gather_subset.
Network interface information.

  comment
string
Interface description/comment.

  ip
list
List of interface IP addresses in CIDR format.

Sample:
192.0.2.1/24
  ipv6
list
List of interface IPv6 addresses in CIDR format.

Sample:
2001:db8::0000:1/64
  name
string
Interface name.

Sample:
ae1.23
  tag
integer
VLAN tag for the subinterface.

Sample:
23
ansible_net_kbps
integer
When session is specified in gather_subset.
Current kb/s throughput.

ansible_net_model
string
When system is specified in gather_subset.
Device model of the local node.

ansible_net_multivsys
string
When system is specified in gather_subset.
Specifies whether multivsys mode is enabled on local node.

Sample:
True
ansible_net_pps
integer
When session is specified in gather_subset.
Current packets/s throughput.

ansible_net_serial
string
When system is specified in gather_subset.
Serial number of the local node.

ansible_net_session_max
integer
When session is specified in gather_subset.
Maximum number of sessions on local node.

ansible_net_session_usage
integer
When session is specified in gather_subset.
Current number of active sessions on local node.

ansible_net_uncommitted_changes
boolean
When system is specified in gather_subset.
Specifies if commit is required to apply changes.

ansible_net_uptime
string
When system is specified in gather_subset.
Uptime of the local node.

Sample:
469 days, 19:30:16
ansible_net_version
string
When system is specified in gather_subset.
PanOS version of the local node.

ansible_net_virtual_routers
complex
When vr is specified in gather_subset.
Virtual Router information.

  vr_asn
integer
BGP autonomous system number.

Sample:
65001
  vr_iflist
list
List interfaces in the VR.

Sample:
['ae2.12', 'ae2.14']
  vr_name
string
Name of the virtual router.

  vr_routerid
string
BGP router ID.

Sample:
192.0.2.1
ansible_net_virtual_systems
complex
When vsys is specified in gather_subset.
Virtual System information.

  vsys_currentsessions
integer
Number of active sessions on VSYS.

  vsys_description
string
VSYS description/name.

  vsys_id
integer
VSYS ID.

  vsys_iflist
list
List of interfaces attached to the VSYS.

  vsys_name
integer
VSYS name.

Sample:
vsys1
  vsys_vrlist
list
List of virtual routers attached to the VSYS.

  vsys_vsys_maxsessions
integer
Number of configured maximum sessions on VSYS. 0 for unlimited.

  vsys_zonelist
list
List of security zones attached to the VSYS.

Status
Authors
  • Tomi Raittinen (@traittinen)

panos_ike_crypto_profile – Configures IKE Crypto profile on the firewall with subset of settings

New in version 2.8.

Synopsis
  • Use the IKE Crypto Profiles page to specify protocols and algorithms for identification, authentication, and encryption (IKEv1 or IKEv2, Phase 1).

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
authentication
-
    Choices:
  • md5
  • sha1 ←
  • sha256
  • sha384
  • sha512
Authentication hashes used for IKE phase 1 proposal.
commit
-
Default:
yes
Commit configuration if changed.
dh_group
-
    Choices:
  • group1
  • group2 ←
  • group5
  • group14
  • group19
  • group20
Specify the priority for Diffie-Hellman (DH) groups.

aliases: dhgroup
encryption
-
    Choices:
  • des
  • 3des ←
  • aes-128-cbc
  • aes-192-cbc
  • aes-256-cbc ←
Default:
['aes-256-cbc', '3des']
Encryption algorithms used for IKE phase 1 proposal.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
lifetime_days
-
IKE phase 1 key lifetime in days.
lifetime_hours
-
IKE phase 1 key lifetime in hours. If no key lifetime is specified, default to 8 hours.
lifetime_minutes
-
IKE phase 1 key lifetime in minutes.
lifetime_seconds
-
IKE phase 1 key lifetime in seconds.

aliases: lifetime_sec
name
- / required
Name for the profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Add IKE crypto config to the firewall
  panos_ike_crypto_profile:
    provider: '{{ provider }}'
    state: 'present'
    name: 'vpn-0cc61dd8c06f95cfd-0'
    dh_group: ['group2']
    authentication: ['sha1']
    encryption: ['aes-128-cbc']
    lifetime_seconds: '28800'
Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_ike_gateway – Configures IKE gateway on the firewall with subset of settings

New in version 2.8.

Synopsis
  • Use this to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
-
Default:
yes
Commit configuration if changed.
dead_peer_detection_interval
-
Default:
99
Time in seconds to check for a dead peer.
dead_peer_detection_retry
-
Default:
10
Retry attempts before peer is marked dead.
enable_dead_peer_detection
-
Default:
no
True to enable Dead Peer Detection on the gateway.

aliases: dead_peer_detection
enable_fragmentation
-
Default:
no
True to enable IKE fragmentation.
Incompatible with pre-shared keys or 'aggressive' exchange mode.

aliases: fragmentation
enable_liveness_check
-
Default:
yes
Enable sending empty information liveness check message.
enable_nat_traversal
-
Default:
no
True to enable NAT Traversal mode.

aliases: nat_traversal
enable_passive_mode
-
Default:
yes
True to have the firewall only respond to IKE connections and never initiate them.

aliases: passive_mode
ikev1_crypto_profile
-
Default:
default
Crypto profile for IKEv1.

aliases: crypto_profile_name
ikev1_exchange_mode
-
    Choices:
  • auto
  • main
  • aggressive
Default:
None
The IKE exchange mode to use
ikev2_crypto_profile
-
Default:
default
Crypto profile for IKEv2.

aliases: crypto_profile_name
interface
-
Default:
ethernet1/1
Specify the outgoing firewall interface to the VPN tunnel.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
liveness_check_interval
-
Default:
5
Delay interval before sending probing packets (in seconds).

aliases: liveness_check
local_id_type
-
    Choices:
  • ipaddr
  • fwdn
  • ufqdn
  • keyid
  • dn
Default:
None
Specify the type of local ID.
local_id_value
-
Default:
None
The value for the local_id. (See also local_id_type, above.)
local_ip_address
-
Default:
None
Bind IKE gateway to the specified interface IP address
It should include the mask, such as '192.168.1.1/24'
local_ip_address_type
-
    Choices:
  • ip
  • floating-ip
Default:
None
The address type of the bound interface IP address
name
- / required
Name for the profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
peer_id_check
-
    Choices:
  • exact
  • wildcard
Default:
None
Type of checking to do on peer_id.
peer_id_type
-
    Choices:
  • ipaddr
  • fwdn
  • ufqdn
  • keyid
  • dn
Default:
None
Specify the type of peer ID.
peer_id_value
-
Default:
None
The value for the peer_id. (See also peer_id_type, above.)
peer_ip_value
-
Default:
127.0.0.1
IPv4 address of the peer gateway.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
pre_shared_key
-
Default:
CHANGEME
Specify pre-shared key.

aliases: psk
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
version
-
Default:
ike2
Specify the priority for Diffie-Hellman (DH) groups.

aliases: protocol_version

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Add IKE gateway config to the firewall
  panos_ike_gateway:
    provider: '{{ provider }}'
    state: 'present'
    name: 'IKEGW-Ansible'
    version: 'ikev2'
    interface: 'ethernet1/1'
    enable_passive_mode: True
    enable_liveness_check: True
    liveness_check_interval: '5'
    peer_ip_value: '1.2.3.4'
    pre_shared_key: 'CHANGEME'
    ikev2_crypto_profile: 'IKE-Ansible'
    commit: False
Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_import – import file on PAN-OS devices

New in version 2.3.

Synopsis
  • Import file on PAN-OS device

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • requests

  • requests_toolbelt

Parameters
Parameter Choices/Defaults Comments
category
-
Default:
software
Category of file uploaded. The default is software.
file
-
Default:
None
Location of the file to import into device.
ip_address
- / required
IP address (or hostname) of PAN-OS device.
password
- / required
Password for device authentication.
url
-
Default:
None
URL of the file that will be imported to device.
username
-
Default:
admin
Username for device authentication.

Examples
# import software image PanOS_vm-6.1.1 on 192.168.1.1
- name: import software image into PAN-OS
  panos_import:
    ip_address: 192.168.1.1
    username: admin
    password: admin
    file: /tmp/PanOS_vm-6.1.1
    category: software
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_interface – configure data-port network interfaces

New in version 2.3.

Synopsis
  • Configure data-port (DP) network interface. By default DP interfaces are static.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
adjust_tcp_mss
boolean
    Choices:
  • no
  • yes
Adjust TCP MSS for layer3 interface.
aggregate_group
-
Aggregate interface name.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
comment
-
Interface comment.
commit
boolean
    Choices:
  • no
  • yes ←
Commit if changed
create_default_route
boolean
    Choices:
  • no ←
  • yes
Whether or not to add a default route via the router learned through DHCP.
dhcp_default_route_metric
integer
Metric for the DHCP default route.
enable_dhcp
boolean
    Choices:
  • no
  • yes ←
Enable DHCP on this interface.
if_name
- / required
Name of the interface to configure.
ip
list
List of static IP addresses.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ipv4_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv4.
ipv6_enabled
boolean
    Choices:
  • no
  • yes
Enable IPv6.
ipv6_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv6.
link_duplex
-
    Choices:
  • auto
  • full
  • half
Link duplex.
link_speed
-
    Choices:
  • auto
  • 10
  • 100
  • 1000
Link speed.
link_state
-
    Choices:
  • auto
  • up
  • down
Link state.
lldp_enabled
-
Enable LLDP for layer2 interface.
lldp_profile
-
LLDP profile name for layer2 interface.
management_profile
-
Interface management profile name.
mode
-
    Choices:
  • layer3 ←
  • layer2
  • virtual-wire
  • tap
  • ha
  • decrypt-mirror
  • aggregate-group
The interface mode.
mtu
integer
MTU for layer3 interface.
netflow_profile
-
Netflow profile for layer3 interface.
netflow_profile_l2
-
Netflow profile name for layer2 interface.
operation
-
Removed
Use state instead.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. This param is required if the PAN-OS device is Panorama.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vlan_name
-
The VLAN to put this interface in.
If the VLAN does not exist it is created.
Only specify this if mode=layer2.
vr_name
-
Default:
default
Name of the virtual router; it must already exist.
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.
vsys_dg
-
Deprecated
Use vsys to specify the vsys instead.

Name of the vsys (if firewall) or device group (if panorama) to put this object.
zone_name
-
Name of the zone for the interface.
If the zone does not exist it is created.
If the zone already exists its mode should match mode.

Notes

Note

  • Checkmode is supported.

  • If the PAN-OS device is a firewall and vsys is not specified, then the vsys will default to vsys=vsys1.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Create ethernet1/1 as DHCP.
- name: enable DHCP client on ethernet1/1 in zone public
  panos_interface:
    provider: '{{ provider }}'
    if_name: "ethernet1/1"
    zone_name: "public"
    create_default_route: "yes"

# Update ethernet1/2 with a static IP address in zone dmz.
- name: ethernet1/2 as static in zone dmz
  panos_interface:
    provider: '{{ provider }}'
    if_name: "ethernet1/2"
    mode: "layer3"
    ip: ["10.1.1.1/24"]
    enable_dhcp: false
    zone_name: "dmz"
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_ipsec_profile – Configures IPSec Crypto profile on the firewall with subset of settings

New in version 2.8.

Synopsis
  • IPSec Crypto profiles specify protocols and algorithms for authentication and encryption in VPN tunnels based on IPSec SA negotiation (Phase 2).

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
ah_authentication
-
    Choices:
  • md5
  • sha1
  • sha256
  • sha384
  • sha512
Authentication algorithms for AH mode.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
-
Default:
yes
Commit configuration if changed.
dh_group
-
    Choices:
  • no-pfs
  • group1
  • group2 ←
  • group5
  • group14
  • group19
  • group20
Diffie-Hellman (DH) groups.

aliases: dhgroup
esp_authentication
-
    Choices:
  • none
  • md5
  • sha1 ←
  • sha256
  • sha384
  • sha512
Authentication algorithms for ESP mode.

aliases: authentication
esp_encryption
-
    Choices:
  • des
  • 3des ←
  • null
  • aes-128-cbc
  • aes-192-cbc
  • aes-256-cbc ←
  • aes-128-gcm
  • aes-256-gcm
Default:
['aes-256-cbc', '3des']
Encryption algorithms for ESP mode.

aliases: encryption
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
lifesize_gb
-
IPSec SA lifetime in gigabytes.
lifesize_kb
-
IPSec SA lifetime in kilobytes.
lifesize_mb
-
IPSec SA lifetime in megabytes.
lifesize_tb
-
IPSec SA lifetime in terabytes.
lifetime_days
-
IPSec SA lifetime in days.
lifetime_hours
-
IPSec SA lifetime in hours. If no other key lifetimes are specified, default to 1 hour.

aliases: lifetime_hrs
lifetime_minutes
-
IPSec SA lifetime in minutes.
lifetime_seconds
-
IPSec SA lifetime in seconds.
name
- / required
Name for the profile.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Add IPSec crypto config to the firewall
  panos_ipsec_profile:
    provider: '{{ provider }}'
    state: 'present'
    name: 'ipsec-vpn-0cc61dd8c06f95cfd-0'
    esp_authentication: ['sha1']
    esp_encryption: ['aes-128-cbc']
    lifetime_seconds: '3600'
Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_ipsec_tunnel – Configures IPSec Tunnels on the firewall with subset of settings

New in version 2.8.

Synopsis
  • Use IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
ak_ike_gateway
-
Default:
default
Name of the existing IKE gateway (auto-key).

aliases: ike_gtw_name
ak_ipsec_crypto_profile
-
Default:
default
Name of the existing IPsec profile or use default (auto-key).

aliases: ipsec_profile
anti_replay
-
Default:
yes
Enable anti-replay check on this tunnel.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
-
Default:
yes
Commit configuration if changed.
copy_flow_label
boolean
    Choices:
  • no ←
  • yes
Copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended) (7.0+).
copy_tos
boolean
    Choices:
  • no ←
  • yes
Copy IP TOS bits from inner packet to IPSec packet (not recommended).
disabled
-
Default:
no
Disable the IPsec tunnel.
enable_tunnel_monitor
-
Default:
no
Enable tunnel monitoring on this tunnel.
gps_certificate_profile
-
Profile for authenticating GlobalProtect gateway certificates (global-protect-satellite).
gps_interface
-
Interface to communicate with portal (global-protect-satellite).
gps_interface_ipv4_floating_ip
-
Floating IPv4 IP address in HA Active-Active configuration (7.0+) (global-protect-satellite).
gps_interface_ipv4_ip
-
Exact IPv4 IP address if interface has multiple IP addresses (global-protect-satellite).
gps_interface_ipv6_floating_ip
-
Floating IPv6 IP address in HA Active-Active configuration (8.0+) (global-protect-satellite).
gps_interface_ipv6_ip
-
Exact IPv6 IP address if interface has multiple IP addresses (8.0+) (global-protect-satellite).
gps_local_certificate
-
GlobalProtect satellite certificate file name (global-protect-satellite).
gps_portal_address
-
GlobalProtect portal address (global-protect-satellite).
gps_prefer_ipv6
boolean
    Choices:
  • no ←
  • yes
Prefer to register portal in IPv6 (8.0+) (global-protect-satellite).
gps_publish_connected_routes
boolean
    Choices:
  • no ←
  • yes
Enable publishing of connected and static routes (global-protect-satellite).
gps_publish_routes
list
Specify list of routes to publish to GlobalProtect gateway (global-protect-satellite).
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ipv6
boolean
    Choices:
  • no ←
  • yes
Use IPv6 for the IPsec tunnel (7.0+).
mk_auth_key
-
Authentication key (manual-key).
mk_auth_type
-
    Choices:
  • md5
  • sha1
  • sha256
  • sha384
  • sha512
Authentication type for tunnel access (manual-key).
mk_esp_encryption
-
    Choices:
  • des
  • 3des
  • aes-128-cbc
  • aes-192-cbc
  • aes-256-cbc
  • null
Encryption algorithm for tunnel traffic (manual-key).
mk_esp_encryption_key
-
Encryption key (manual-key).
mk_interface
-
Interface to terminate tunnel (manual-key).
mk_local_address_floating_ip
-
Floating IP address in HA Active-Active configuration (manual-key).
mk_local_address_ip
-
Exact IP address if interface has multiple IP addresses (manual-key).
mk_local_spi
-
Outbound SPI in hex (manual-key).
mk_protocol
-
    Choices:
  • esp
  • ah
Protocol for traffic through the tunnel (manual-key).
mk_remote_address
-
Tunnel peer IP address (manual-key).
mk_remote_spi
-
Inbound SPI in hex (manual-key).
name
- / required
Name for the IPSec tunnel.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
tunnel_interface
-
Default:
tunnel.1
Specify existing tunnel interface that will be used.
tunnel_monitor_dest_ip
-
Destination IP to send ICMP probe.
tunnel_monitor_profile
-
Default:
None
Monitoring action.
tunnel_monitor_proxy_id
-
Default:
None
Which proxy-id (or proxy-id-v6) the monitoring traffic will use.
type
-
    Choices:
  • auto-key ←
  • manual-key
  • global-protect-satellite
Type of IPsec tunnel.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Add IPSec tunnel to IKE gateway profile
  panos_ipsec_tunnel:
    provider: '{{ provider }}'
    name: 'IPSecTunnel-Ansible'
    tunnel_interface: 'tunnel.2'
    ak_ike_gateway: 'IKEGW-Ansible'
    ak_ipsec_crypto_profile: 'IPSec-Ansible'
    state: 'present'
    commit: False
Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_lic – apply authcode to a device/instance

New in version 2.3.

Synopsis
  • Apply an authcode to a device.

  • The authcode should have been previously registered on the Palo Alto Networks support portal.

  • The device should have Internet access.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
auth_code
-
authcode to be applied.
If this is not given, then "request license fetch" is performed instead.
force
boolean
    Choices:
  • no ←
  • yes
Whether to apply authcode even if device is already licensed / has a serial number.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Checkmode is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Activate my authcode
  panos_lic:
    provider: '{{ provider }}'
    auth_code: "IBADCODE"
  register: result

- debug:
    msg: 'Serial number is {{ result.serialnumber }}'
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
licenses
list
when not using auth_code
List of PAN-OS licenses (as dicts) as a result of this module's execution.

serialnumber
string
success
PAN-OS serial number when this module began execution.

Sample:
973080716


Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_loadcfg – load configuration on PAN-OS device

New in version 2.3.

Synopsis
  • Load configuration on PAN-OS device

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

Parameters
Parameter Choices/Defaults Comments
commit
-
Default:
yes
commit if changed
file
-
Default:
None
configuration file to load
ip_address
- / required
IP address (or hostname) of PAN-OS device
password
- / required
password for authentication
username
-
Default:
admin
username for authentication

Examples
# Import and load config file from URL
  - name: import configuration
    panos_import:
      ip_address: "192.168.1.1"
      password: "admin"
      url: "{{ConfigURL}}"
      category: "configuration"
    register: result
  - name: load configuration
    panos_loadcfg:
      ip_address: "192.168.1.1"
      password: "admin"
      file: "{{result.filename}}"
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_loopback_interface – configure network loopback interfaces

New in version 2.8.

Synopsis
  • Configure loopback interfaces on PanOS

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
adjust_tcp_mss
boolean
    Choices:
  • no
  • yes
Adjust TCP MSS.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
comment
-
Interface comment.
commit
boolean
    Choices:
  • no
  • yes ←
Commit if changed
if_name
- / required
Name of the interface to configure.
ip
list
List of static IP addresses.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ipv4_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv4.
ipv6_enabled
boolean
    Choices:
  • no
  • yes
Enable IPv6.
ipv6_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv6.
management_profile
-
Interface management profile name.
mtu
integer
MTU for loopback interface.
netflow_profile
-
Netflow profile for loopback interface.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. This param is required if the PAN-OS device is Panorama.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist.
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.
vsys_dg
-
Deprecated
Use vsys to specify the vsys instead.

Name of the vsys (if firewall) or device group (if panorama) to put this object.
zone_name
-
Name of the zone for the interface. If the zone does not exist it is created, but if the zone exists and it is not of the correct mode the operation will fail.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Delete loopback.1
- name: delete loopback.1
  panos_loopback_interface:
    provider: '{{ provider }}'
    if_name: "loopback.1"
    state: 'absent'

# Update/create loopback comment.
- name: update loopback.1 comment
  panos_loopback_interface:
    provider: '{{ provider }}'
    if_name: "loopback.1"
    ip: ["10.1.1.1/32"]
    comment: "Loopback interface"
Status
Authors
  • Geraint Jones (@nexus_moneky_nz)

panos_management_profile – Manage interface management profiles

New in version 2.6.

Synopsis
  • This module will allow you to manage interface management profiles on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Perform a commit if a change is made.
http
boolean
    Choices:
  • no
  • yes
Enable http
http_ocsp
boolean
    Choices:
  • no
  • yes
Enable http-ocsp
https
boolean
    Choices:
  • no
  • yes
Enable https
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
The management profile name.
panorama_template
-
Deprecated
Use template instead.

(Panorama only) The template name.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
permitted_ip
list
The list of permitted IP addresses
ping
boolean
    Choices:
  • no
  • yes
Enable ping
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
response_pages
boolean
    Choices:
  • no
  • yes
Enable response pages
snmp
boolean
    Choices:
  • no
  • yes
Enable snmp
ssh
boolean
    Choices:
  • no
  • yes
Enable ssh
state
string
    Choices:
  • present ←
  • absent
The state.
telnet
boolean
    Choices:
  • no
  • yes
Enable telnet
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
userid_service
boolean
    Choices:
  • no
  • yes
Enable userid service
userid_syslog_listener_ssl
boolean
    Choices:
  • no
  • yes
Enable userid syslog listener ssl
userid_syslog_listener_udp
boolean
    Choices:
  • no
  • yes
Enable userid syslog listener udp
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: ensure mngt profile foo exists and allows ping and ssh and commit
  panos_management_profile:
    provider: '{{ provider }}'
    name: 'foo'
    ping: true
    ssh: true

- name: make sure mngt profile bar does not exist without doing a commit
  panos_management_profile:
    provider: '{{ provider }}'
    name: 'bar'
    state: 'absent'
    commit: false
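The following tasks are an added example and are not part of the ansible-pan project's documentation. They show a management profile restricted to encrypted management protocols and a permitted source range, with the removal of a legacy profile in a second task that performs the single commit; the profile names, the 10.0.10.0/24 admin subnet and the provider variable are assumptions.

```yaml
# Added example (not from the ansible-pan project). Assumed values:
# profile names 'mgmt-restricted' and 'mgmt-legacy', admin subnet
# 10.0.10.0/24, and a 'provider' dict built as shown in the module docs.
- name: Ensure a restricted management profile exists (defer the commit)
  panos_management_profile:
    provider: '{{ provider }}'
    name: 'mgmt-restricted'
    # Only encrypted management protocols, plus ping for reachability checks.
    https: true
    ssh: true
    ping: true
    # Cleartext and legacy services stay off.
    http: false
    telnet: false
    snmp: false
    # Management traffic on interfaces using this profile is accepted only
    # from the admin subnet; every other source is dropped by the firewall.
    permitted_ip: ['10.0.10.0/24']
    state: 'present'
    commit: false

- name: Ensure the legacy management profile is removed, then commit once
  panos_management_profile:
    provider: '{{ provider }}'
    name: 'mgmt-legacy'
    state: 'absent'
    # This is the last change in the batch, so it carries the commit.
    commit: true
```

On Panorama, add `template` or `template_stack` to each task, as the notes above require.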
Status
Authors
  • UNKNOWN

panos_match_rule – Test for match against a security rule on PAN-OS devices or Panorama management console

New in version 2.5.

Synopsis
  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
application
-
The application.
category
-
URL category
destination_ip
- / required
The destination IP address.
destination_port
integer / required
The destination port.
destination_zone
-
The destination zone.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
protocol
integer / required
The IP protocol number from 1 to 255.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
rule_type
-
    Choices:
  • security ←
  • nat
Type of rule.
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
source_ip
- / required
The source IP address.
source_port
integer
The source port.
source_user
-
The source user or group.
source_zone
-
The source zone.
to_interface
-
The inbound interface in a NAT rule.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.
vsys_id
-
Removed
Use vsys instead.

Notes

Note

  • Checkmode is not supported.

  • Panorama is NOT supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: check security rules for Google DNS
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '10.0.0.0'
    destination_ip: '8.8.8.8'
    application: 'dns'
    destination_port: '53'
    protocol: '17'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules inbound SSH with user match
  panos_match_rule:
    provider: '{{ provider }}'
    source_ip: '0.0.0.0'
    source_user: 'mydomain\jsmith'
    destination_ip: '192.168.100.115'
    destination_port: '22'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for source NAT
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Prod-DMZ'
    source_ip: '10.10.118.50'
    to_interface: 'ethernet1/2'
    destination_zone: 'Internet'
    destination_ip: '0.0.0.0'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check NAT rules for inbound web
  panos_match_rule:
    provider: '{{ provider }}'
    rule_type: 'nat'
    source_zone: 'Internet'
    source_ip: '0.0.0.0'
    to_interface: 'ethernet1/1'
    destination_zone: 'Prod DMZ'
    destination_ip: '192.168.118.50'
    destination_port: '80'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'

- name: check security rules for outbound POP3 in vsys4
  panos_match_rule:
    provider: '{{ provider }}'
    vsys: 'vsys4'
    source_ip: '10.0.0.0'
    destination_ip: '4.3.2.1'
    application: 'pop3'
    destination_port: '110'
    protocol: '6'
  register: result
- debug: msg='{{ result.rule }}'
Status
Authors
  • Robert Hagen (@rnh556)

panos_mgtconfig – Module used to configure some of the device management

New in version 2.4.

Synopsis
  • Configure management settings of device. Not all configuration options are configurable at this time.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
-
Default:
yes
Commit configuration if changed.
devicegroup
-
Removed
dns_server_primary
-
IP address of primary DNS server.
dns_server_secondary
-
IP address of secondary DNS server.
domain
-
The domain of the device
hostname
-
The hostname of the device.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
login_banner
-
Login banner text.
ntp_server_primary
-
IP address (or hostname) of primary NTP server.
ntp_server_secondary
-
IP address (or hostname) of secondary NTP server.
panorama_primary
-
IP address (or hostname) of primary Panorama server.
panorama_secondary
-
IP address (or hostname) of secondary Panorama server.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
timezone
-
Device timezone.
update_server
-
IP or hostname of the update server.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
verify_update_server
boolean
    Choices:
  • no
  • yes
Verify the identity of the update server.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: set dns and panorama
  panos_mgtconfig:
    provider: '{{ provider }}'
    dns_server_primary: "1.1.1.1"
    dns_server_secondary: "1.1.1.2"
    panorama_primary: "1.1.1.3"
    panorama_secondary: "1.1.1.4"
    ntp_server_primary: "1.1.1.5"
    ntp_server_secondary: "1.1.1.6"
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer), Patrik Malinen (@pmalinen), Francesco Vigo (@fvigo)

panos_nat_rule – create a policy NAT rule

New in version 2.4.

Synopsis
  • Create a policy nat rule. Keep in mind that we can either end up configuring source NAT, destination NAT, or both.

  • Instead of splitting it into two we will make a fair attempt to determine which one the user wants.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
description
-
NAT rule description.
destination_ip
list
Default:
['any']
list of destination addresses
destination_zone
list / required
destination zone
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
devicegroup
-
Deprecated
Use device_group instead.

The device group to place the NAT rule into.
Panorama only; ignored for firewalls.
dnat_address
-
dnat translated address
dnat_port
-
dnat translated port
existing_rule
-
If location=before or location=after, this option specifies an existing rule name. The new rule will be created in the specified position relative to this rule.
If location=before or location=after, existing_rule is required.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
location
-
    Choices:
  • top
  • bottom
  • before
  • after
Position to place the created rule in the rule base. Supported values are top/bottom/before/after.
nat_type
-
    Choices:
  • ipv4 ←
  • nat64
  • nptv6
Type of NAT.
operation
-
Removed
Use state instead.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
rule_name
- / required
Name of the NAT rule.
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
service
-
Default:
any
service
snat_address_type
-
    Choices:
  • interface-address
  • translated-address ←
type of source translation.
snat_bidirectional
boolean
    Choices:
  • no
  • yes
bidirectional flag
snat_dynamic_address
list
Source NAT translated address.
Used when snat_type=dynamic-ip or snat_type=dynamic-ip-and-port.
snat_interface
-
snat interface
snat_interface_address
-
snat interface address
snat_static_address
-
Source NAT translated address. Used with Static-IP translation.
snat_type
-
    Choices:
  • static-ip
  • dynamic-ip
  • dynamic-ip-and-port
Default:
None
type of source translation
source_ip
list
Default:
['any']
list of source addresses
source_zone
list / required
list of source zones
state
string
    Choices:
  • present ←
  • absent
  • enable
  • disable
The state of the NAT rule.
tag
list
Administrative tags.
tag_name
-
Deprecated
Use tag instead.

Administrative tag.
to_interface
-
Default:
any
Original packet's destination interface.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Create a source and destination nat rule
- name: Create NAT SSH rule for 10.0.1.101
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: "Web SSH"
    source_zone: ["external"]
    destination_zone: "external"
    source_ip: ["any"]
    destination_ip: ["10.0.0.100"]
    service: "service-tcp-221"
    snat_type: "dynamic-ip-and-port"
    snat_interface: "ethernet1/2"
    dnat_address: "10.0.1.101"
    dnat_port: "22"

- name: disable a specific security rule
  panos_nat_rule:
    provider: '{{ provider }}'
    rule_name: 'Prod-Legacy 1'
    state: 'disable'
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer), Robert Hagen (@rnh556), Michael Richardson (@mrichardson03)

panos_object_facts – Retrieve facts about objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Retrieves information about objects (addresses, address groups, services, service groups, and tags) on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
-
Name of object to retrieve.
Mutually exclusive with name_regex.
name_regex
-
A python regex for an object's name to retrieve.
Mutually exclusive with name.
object_type
-
    Choices:
  • address ←
  • address-group
  • service
  • service-group
  • tag
Type of object to retrieve.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Panorama is supported.

  • Check mode is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Retrieve address group object 'Prod'
  panos_object_facts:
    provider: '{{ provider }}'
    name: 'Prod'
    object_type: 'address-group'
  register: result

- name: Retrieve service group object 'Prod-Services'
  panos_object_facts:
    provider: '{{ provider }}'
    name: 'Prod-Services'
    object_type: 'service-group'
  register: result

- name: Find all address objects with "Prod" in the name
  panos_object_facts:
    provider: '{{ provider }}'
    name_regex: '.*Prod.*'
    object_type: 'address'
  register: result
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
objects
list
always
List of object dicts.

results
dictionary
when "name" is specified
Dict containing object attributes. Empty if object is not found.
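
The following playbook fragment is an added example and is not part of the ansible-pan project's documentation. It uses the results and objects return values described above to verify an address group before a policy change depends on it, and to report leftover objects that match a naming convention. The attribute keys inside results (static_value) and inside each objects entry (name) are assumed to follow pandevice's attribute names; the member names and the tmp- prefix are constructed sample values.

```yaml
# Added example, not project code. Assumes results exposes pandevice's
# AddressGroup attributes (static_value) and each objects entry has a name key.
- name: Retrieve address group object 'Prod'
  panos_object_facts:
    provider: '{{ provider }}'
    name: 'Prod'
    object_type: 'address-group'
  register: prod_group

- name: Fail the play if the group does not exist (results is empty when not found)
  assert:
    that:
      - prod_group.results | length > 0
    fail_msg: "Address group 'Prod' does not exist; refusing to reference it in policy"

- name: Fail if the static membership differs from what the policy expects
  assert:
    that:
      - (prod_group.results.static_value | default([], true) | sort) == (expected_prod_members | sort)
    fail_msg: "Unexpected members in 'Prod': {{ prod_group.results.static_value | default([], true) }}"
  vars:
    expected_prod_members: ['prod-web1', 'prod-web2']   # constructed sample values

- name: Find every address object whose name starts with the temporary prefix
  panos_object_facts:
    provider: '{{ provider }}'
    name_regex: '^tmp-.*'
    object_type: 'address'
  register: tmp_objects

- name: Report leftover temporary address objects (stale objects widen policy silently)
  debug:
    msg: "Stale temporary object still defined: {{ item.name }}"
  loop: '{{ tmp_objects.objects }}'
  when: tmp_objects.objects | length > 0
```

Because results is an empty dict when the named object is missing, a length test is the existence check; asserting on the membership before a rule references the group catches a drifted or partially created object instead of discovering it at commit time.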



Status
Authors
  • Michael Richardson (@mrichardson03)

panos_object – create/read/update/delete object in PAN-OS or Panorama

New in version 2.4.

DEPRECATED
Removed in Ansible

version: 2.9

Why

Updated to idempotent modules

Alternative

Use panos_address_object, panos_address_group, panos_service_object, panos_service_group, or panos_tag_object as appropriate.

Synopsis
  • Policy objects form the match criteria for policy rules and many other functions in PAN-OS. These may include address objects, address groups, service objects, service groups, and tags.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
address
-
The IP address of the host or network in CIDR notation.
address_type
-
The type of address object definition. Valid types are ip-netmask and ip-range.
addressgroup
-
A static group of address objects or dynamic address group.
addressobject
-
The name of the address object.
api_key
-
API key that can be used instead of username/password credentials.
color
-
The color of the tag object. Valid values are red, green, blue, yellow, copper, orange, purple, gray, light green, cyan, light gray, blue gray, lime, black, gold, and brown.
commit
-
Default:
no
Commit the config change.
description
-
The description of the object.
destination_port
-
The destination port to be used in a service object definition.
devicegroup
-
Default:
None
The name of the (preexisting) Panorama device group.
If undefined and ip_address is Panorama, this defaults to shared.
dynamic_value
-
The filter match criteria to be used in a dynamic addressgroup definition.
ip_address
- / required
IP address (or hostname) of PAN-OS device or Panorama management console being configured.
operation
- / required
The operation to be performed. Supported values are add/delete/find.
password
- / required
Password credentials to use for authentication.
protocol
-
The IP protocol to be used in a service object definition. Valid values are tcp or udp.
servicegroup
-
A group of service objects.
serviceobject
-
The name of the service object.
services
-
The group of service objects used in a servicegroup definition.
source_port
-
The source port to be used in a service object definition.
static_value
-
A group of address objects to be used in an addressgroup definition.
tag_name
-
The name of an object or rule tag.
username
-
Default:
admin
Username credentials to use for authentication.
vsys
-
Default:
vsys1
The vsys to put the object into.
Firewall only.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

Examples
- name: search for shared address object
  panos_object:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'find'
    address: 'DevNet'

- name: create an address group in devicegroup using API key
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'add'
    addressgroup: 'Prod_DB_Svrs'
    static_value: ['prod-db1', 'prod-db2', 'prod-db3']
    description: 'Production DMZ database servers'
    tag_name: 'DMZ'
    devicegroup: 'DMZ Firewalls'

- name: create a global service for TCP 3306
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'add'
    serviceobject: 'mysql-3306'
    destination_port: '3306'
    protocol: 'tcp'
    description: 'MySQL on tcp/3306'

- name: create a global tag
  panos_object:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    operation: 'add'
    tag_name: 'ProjectX'
    color: 'yellow'
    description: 'Associated with Project X'

- name: delete an address object from a devicegroup using API key
  panos_object:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    operation: 'delete'
    addressobject: 'Win2K test'
Status
  • This module will be removed in version 2.9. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Bob Hagen (@rnh556)

panos_op – execute arbitrary OP commands on PANW devices (e.g. show interface all)

New in version 2.5.

Synopsis
  • This module allows the user to pass and execute any supported OP command on the PANW device.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
cmd
- / required
The OP command to be performed.
cmd_is_xml
boolean
    Choices:
  • no ←
  • yes
The cmd is already given in XML format, so don't convert it.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Checkmode is NOT supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: show list of all interfaces
  panos_op:
    provider: '{{ provider }}'
    cmd: 'show interface all'

- name: show system info
  panos_op:
    provider: '{{ provider }}'
    cmd: 'show system info'

- name: show system info as XML command
  panos_op:
    provider: '{{ provider }}'
    cmd: '<show><system><info/></system></show>'
    cmd_is_xml: true
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
stdout
string
success
output of the given OP command as JSON formatted string

Sample:
{system: {app-release-date: 2017/05/01 15:09:12}}
stdout_xml
string
success
output of the given OP command as an XML formatted string

Sample:
<response status=success><result><system><hostname>fw2</hostname>


Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_pg – create a security profiles group

New in version 2.3.

Synopsis
  • Create a security profile group

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
commit if changed
data_filtering
-
name of the data filtering profile
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
file_blocking
-
name of the file blocking profile
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
pg_name
- / required
name of the security profile group
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
spyware
-
name of the spyware profile
state
string
    Choices:
  • present ←
  • absent
The state.
url_filtering
-
name of the url filtering profile
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
virus
-
name of the anti-virus profile
vsys
string
Default:
vsys1
The vsys this object belongs to.
vulnerability
-
name of the vulnerability profile
wildfire
-
name of the wildfire analysis profile

Notes

Note

  • Panorama is supported.

  • Checkmode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: setup security profile group
  panos_pg:
    provider: '{{ provider }}'
    pg_name: "pg-default"
    virus: "default"
    spyware: "default"
    vulnerability: "default"
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_query_rules – PANOS module that allows search for security rules in PANW NGFW devices

New in version 2.5.

DEPRECATED
Removed in Ansible

version: 2.12

Why

Querying rules is handled better by panos_match_rule.

Alternative

Use panos_match_rule

Synopsis
  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

  • The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
-
API key that can be used instead of username/password credentials.
application
-
Default:
None
Name of the application or application group to be queried.
destination_ip
-
Default:
None
The destination IP address to be queried.
destination_port
-
Default:
None
The destination port to be queried.
destination_zone
-
Default:
None
Name of the destination security zone to be queried.
devicegroup
-
Default:
None
The Panorama device group in which to conduct the query.
ip_address
- / required
IP address (or hostname) of PAN-OS firewall or Panorama management console being queried.
password
- / required
Password credentials to use for authentication.
protocol
-
Default:
None
The protocol to be queried. Must be either tcp or udp.
source_ip
-
Default:
None
The source IP address to be queried.
source_port
-
Default:
None
The source port to be queried.
source_zone
-
Default:
None
Name of the source security zone to be queried.
tag_name
-
Default:
None
Name of the rule tag to be queried.
username
-
Default:
admin
Username credentials to use for authentication.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

Examples
- name: search for rules with tcp/3306
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    source_zone: 'DevNet'
    destination_zone: 'DevVPC'
    destination_port: '3306'
    protocol: 'tcp'

- name: search devicegroup for inbound rules to dmz host
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    api_key: '{{ api_key }}'
    destination_zone: 'DMZ'
    destination_ip: '10.100.42.18'
    devicegroup: 'DeviceGroupA'

- name: search for rules containing a specified rule tag
  panos_query_rules:
    ip_address: '{{ ip_address }}'
    username: '{{ username }}'
    password: '{{ password }}'
    tag_name: 'ProjectX'
Status
  • This module will be removed in version 2.12. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Bob Hagen (@rnh556)

panos_redistribution – Configures a Redistribution Profile on a virtual router

New in version 2.8.

Synopsis
  • Configures a Redistribution Profile on a virtual router

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
action
-
    Choices:
  • no-redist ←
  • redist
Rule action.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
bgp_filter_community
-
BGP filter on community.
bgp_filter_extended_community
-
BGP filter on extended community.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
filter_destination
-
Filter destination.
filter_interface
-
Filter interface.
filter_nexthop
-
Filter nexthop.
filter_type
-
Any of 'static', 'connect', 'rip', 'ospf', or 'bgp'.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of rule.
ospf_filter_area
-
OSPF filter on area.
ospf_filter_pathtype
-
Any of 'intra-area', 'inter-area', 'ext-1', or 'ext-2'.
ospf_filter_tag
-
OSPF filter on tag.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
priority
integer
Priority ID.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
type
-
    Choices:
  • ipv4 ←
  • ipv6
Address family of the rule (ipv4 or ipv6).
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Default:
default
Name of the virtual router; it must already exist; see panos_virtual_router.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create Redistribution Profile
  panos_redistribution:
    provider: '{{ provider }}'
    name: 'my-profile'
    priority: 42
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_registered_ip_facts – Retrieve facts about registered IPs on PAN-OS devices

New in version 2.7.

Synopsis
  • Retrieves tag information about registered IPs on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
tags
-
List of tags to retrieve facts for. If not specified, retrieve all tags.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Get facts for all registered IPs
  panos_registered_ip_facts:
    provider: '{{ provider }}'
  register: registered_ip_facts

- name: Get facts for specific tag
  panos_registered_ip_facts:
    provider: '{{ provider }}'
    tags: ['First_Tag']
  register: first_tag_registered_ip_facts
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
results
dictionary
always
IP addresses as keys, tags as values.

Sample:
{'1.1.1.1': ['First_Tag', 'Second_Tag']}


Status
Authors
  • Michael Richardson (@mrichardson03)

panos_registered_ip – Register IP addresses for use with dynamic address groups on PAN-OS devices

New in version 2.7.

Synopsis
  • Registers tags for IP addresses that can be used to build dynamic address groups.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ips
- / required
List of IP addresses to register/unregister.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
tags
- / required
List of tags that the IP address will be registered to.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Check mode is supported.

  • Panorama is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Add 'First_Tag' tag to 1.1.1.1
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['1.1.1.1']
    tags: ['First_Tag']
    state: 'present'

- name: Add 'First_Tag' tag to 1.1.1.2
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['1.1.1.2']
    tags: ['First_Tag']
    state: 'present'

- name: Add 'Second_Tag' tag to 1.1.1.1
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['1.1.1.1']
    tags: ['Second_Tag']
    state: 'present'

- name: Remove 'Second_Tag' from 1.1.1.1
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['1.1.1.1']
    tags: ['Second_Tag']
    state: 'absent'

- name: Remove 'First_Tag' from 1.1.1.2 (will unregister entirely)
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['1.1.1.2']
    tags: ['First_Tag']
    state: 'absent'
Return Values

Common return values are documented here; the following are the fields unique to this module:

Key Returned Description
results
dictionary
always
After performing action, returns tags for given IPs. IP addresses as keys, tags as values.

Sample:
{'1.1.1.1': ['First_Tag', 'Second_Tag']}
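
The following playbook fragment is an added example and is not part of the ansible-pan project's documentation. It shows the containment workflow these two modules support: register a suspect host to a tag that a dynamic address group matches on (see the dynamic_value parameter of panos_address_group), read the registration back with panos_registered_ip_facts, and assert on the results dict before treating the host as contained. The tag name quarantine, the address 10.20.30.40 and the release_quarantine variable are constructed sample values.

```yaml
# Added example, not project code. 'quarantine', 10.20.30.40 and
# release_quarantine are constructed; the dynamic address group that matches
# the 'quarantine' tag, and a security rule referencing it, must already exist.
- name: Tag the suspect host so the 'quarantine' dynamic address group picks it up
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['10.20.30.40']
    tags: ['quarantine']
    state: 'present'

- name: Read back the registrations for the quarantine tag only
  panos_registered_ip_facts:
    provider: '{{ provider }}'
    tags: ['quarantine']
  register: q_facts

- name: Verify the registration took effect (results maps IP -> list of tags)
  assert:
    that:
      - "'10.20.30.40' in q_facts.results"
      - "'quarantine' in q_facts.results['10.20.30.40']"
    fail_msg: "Host 10.20.30.40 is not registered to 'quarantine'; containment did not take effect"

- name: Release the host; removing its only tag unregisters it entirely
  panos_registered_ip:
    provider: '{{ provider }}'
    ips: ['10.20.30.40']
    tags: ['quarantine']
    state: 'absent'
  when: release_quarantine | default(false) | bool
```

Registered IPs are runtime state rather than candidate configuration, so no commit is involved and the change is effective as soon as the task returns; the read-back step is what confirms that the tag, and therefore the dynamic address group membership, is really in place.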


Status
Authors
  • Michael Richardson (@mrichardson03)

panos_restart – Restart a device

New in version 2.3.

Synopsis
  • Restart a PAN-OS device.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Restart PAN-OS
  panos_restart:
    provider: '{{ provider }}'
Status
Authors
  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)

panos_sag – Create a static address group

New in version 2.4.

DEPRECATED
Removed in Ansible

version: 2.12

Why

This module’s functionality is a subset of panos_address_group.

Alternative

Use panos_address_group instead.

Synopsis
  • Create a static address group object in the firewall used for policy rules.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
-
API key that can be used instead of username/password credentials.
commit
-
Default:
yes
commit if changed
description
-
Default:
None
The purpose / objective of the static Address Group
devicegroup
-
Default:
None
The name of the Panorama device group. The group must exist on Panorama. If device group is not defined it is assumed that we are contacting a firewall.
ip_address
- / required
Default:
None
IP address (or hostname) of PAN-OS device
operation
- / required
Default:
None
The operation to perform. Supported values are add/list/delete.
password
- / required
Default:
None
password for authentication
sag_name
- / required
Default:
None
Name of the static address group.
static_match_filter
- / required
Default:
None
Static filter used by the address group
tags
-
Default:
None
Tags to be associated with the address group
username
-
Default:
admin
username for authentication

Examples
- name: sag
  panos_sag:
    ip_address: "192.168.1.1"
    password: "admin"
    operation: 'add'
    sag_name: "sag-1"
    static_match_filter: ['test-addresses', ]
    description: "A description for the static address group"
    tags: ["tags to be associated with the group", ]
Status
  • This module will be removed in version 2.12. [deprecated]

  • For more information see DEPRECATED.

Authors
  • Vinay Venkataraghavan (@vinayvenkat)

panos_security_rule_facts – Get information about a security rule

New in version 2.8.

Synopsis
  • Get information about a single security rule or the names of all security rules.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
rule_name
-
Name of the security rule.
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Checkmode is not supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Get a list of all security rules
  panos_security_rule_facts:
    provider: '{{ provider }}'
  register: sec_rules

- debug:
    msg: '{{ sec_rules.rules }}'

- name: Get the definition for rule 'HTTP Multimedia'
  panos_security_rule_facts:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
  register: rule1

- debug:
    msg: '{{ rule1.spec }}'
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
rules
list
When rule_name is not specified
List of security rules present

Sample:
['rule1', 'rule2', 'rule3']
spec
complex
When rule_name is specified
The security rule definition

  action
string
The rule action.

  antivirus
string
Name of the already defined antivirus profile.

  application
list
List of applications, application groups, and/or application filters.

  category
list
List of destination URL categories.

  data_filtering
string
Name of the already defined data_filtering profile.

  description
string
Description of the security rule.

  destination_ip
list
List of destination addresses.

  destination_zone
list
List of destination zones.

  disable_server_response_inspection
boolean
Disables packet inspection from the server to the client.

  disabled
boolean
Disable this rule.

  file_blocking
string
Name of the already defined file_blocking profile.

  group_profile
string
Security profile group setting.

  hip_profiles
list
GlobalProtect host information profile list.

  icmp_unreachable
boolean
Send 'ICMP Unreachable'.

  log_end
boolean
Whether to log at session end.

  log_setting
string
Log forwarding profile.

  log_start
boolean
Whether to log at session start.

  negate_destination
boolean
Match on the reverse of the 'destination_ip' attribute

  negate_source
boolean
Match on the reverse of the 'source_ip' attribute

  rule_name
string
Name of the security rule.

  rule_type
string
Type of security rule (PAN-OS 6.1 and above).

  schedule
string
Schedule in which this rule is active.

  service
list
List of services and/or service groups.

  source_ip
list
List of source addresses.

  source_user
list
List of source users.

  source_zone
list
List of source zones.

  spyware
string
Name of the already defined spyware profile.

  tag_name
list
List of tags associated with the rule.

  url_filtering
string
Name of the already defined url_filtering profile.

  vulnerability
string
Name of the already defined vulnerability profile.

  wildfire_analysis
string
Name of the already defined wildfire_analysis profile.



Status
Authors
  • Garfield Lee Freeman (@shinmog)

panos_security_rule – Create security rule policy on PAN-OS devices or Panorama management console

New in version 2.4.

Synopsis
  • Security policies allow you to enforce rules and take action, and can be as general or specific as needed.

  • The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
action
-
    Choices:
  • allow ←
  • deny
  • drop
  • reset-client
  • reset-server
  • reset-both
Action to apply once the rule matches.
antivirus
-
Name of the already defined antivirus profile.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
application
list
Default:
['any']
List of applications, application groups, and/or application filters.
category
list
Default:
['any']
List of destination URL categories.
commit
boolean
    Choices:
  • no ←
  • yes
Commit configuration if changed.
data_filtering
-
Name of the already defined data_filtering profile.
description
-
Description of the security rule.
destination_ip
list
Default:
['any']
List of destination addresses.
destination_zone
list
Default:
['any']
List of destination zones.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
devicegroup
-
Deprecated
Use device_group instead.

Device groups are logical groups of firewalls in Panorama.
disable_server_response_inspection
boolean
    Choices:
  • no ←
  • yes
Disables packet inspection from the server to the client. Useful under heavy server load conditions.
disabled
boolean
    Choices:
  • no ←
  • yes
Disable this rule.
existing_rule
-
Name of an existing rule used as the anchor for placement. Required when 'location' is 'before' or 'after'; the new rule is created immediately before or after this rule.
file_blocking
-
Name of the already defined file_blocking profile.
group_profile
-
Security profile group that is already defined in the system. This property supersedes the antivirus, vulnerability, spyware, url_filtering, file_blocking, data_filtering, and wildfire_analysis properties.
hip_profiles
list
Default:
['any']
If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user's access level can be determined by a HIP that notifies the firewall about the user's local configuration.
icmp_unreachable
boolean
    Choices:
  • no
  • yes
Send 'ICMP Unreachable'. Used with 'deny', 'drop', and 'reset' actions.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
location
-
    Choices:
  • top
  • bottom
  • before
  • after
Position of the created rule in the rulebase. With 'before' or 'after', existing_rule names the rule to position relative to.
log_end
boolean
    Choices:
  • no
  • yes ←
Whether to log at session end.
log_setting
-
Log forwarding profile.
log_start
boolean
    Choices:
  • no ←
  • yes
Whether to log at session start.
negate_destination
boolean
    Choices:
  • no ←
  • yes
Match on the reverse of the 'destination_ip' attribute
negate_source
boolean
    Choices:
  • no ←
  • yes
Match on the reverse of the 'source_ip' attribute
negate_target
boolean
    Choices:
  • no
  • yes
Exclude this rule from the listed firewalls in Panorama.
operation
-
Removed
Use state instead.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
rule_name
- / required
Name of the security rule.
rule_type
-
    Choices:
  • universal ←
  • intrazone
  • interzone
Type of security rule (PAN-OS 6.1 and above).
rulebase
string
    Choices:
  • pre-rulebase
  • rulebase
  • post-rulebase
The rulebase in which the rule is to exist. If left unspecified, this defaults to rulebase=pre-rulebase for Panorama. For NGFW, this is always set to be rulebase=rulebase.
schedule
-
Schedule in which this rule is active.
service
list
Default:
['application-default']
List of services and/or service groups.
source_ip
list
Default:
['any']
List of source addresses.
source_user
list
Default:
['any']
List of source users or user groups, used to enforce policy for individual users or groups of users.
source_zone
list
Default:
['any']
List of source zones.
spyware
-
Name of the already defined spyware profile.
state
string
    Choices:
  • present ←
  • absent
The state.
tag_name
list
List of tags associated with the rule.
target
list
Apply this rule exclusively to the listed firewalls in Panorama.
url_filtering
-
Name of the already defined url_filtering profile.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.
vulnerability
-
Name of the already defined vulnerability profile.
wildfire_analysis
-
Name of the already defined wildfire_analysis profile.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: add SSH inbound rule to Panorama device group
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Cloud Edge'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    tag_name: ['production']
    source_zone: ['public']
    source_ip: ['any']
    destination_zone: ['private']
    destination_ip: ['1.1.1.1']
    application: ['ssh']
    action: 'allow'

- name: add a rule to allow HTTP multimedia only to CDNs
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'HTTP Multimedia'
    description: 'Allow HTTP multimedia only to host at 1.1.1.1'
    source_zone: ['private']
    destination_zone: ['public']
    category: ['content-delivery-networks']
    application: ['http-video', 'http-audio']
    service: ['service-http', 'service-https']
    action: 'allow'

- name: add a more complex rule that uses security profiles
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'Allow HTTP'
    source_zone: ['public']
    destination_zone: ['private']
    log_start: false
    log_end: true
    action: 'allow'
    antivirus: 'strict'
    vulnerability: 'strict'
    spyware: 'strict'
    url_filtering: 'strict'
    wildfire_analysis: 'default'

- name: disable a Panorama pre-rule
  panos_security_rule:
    provider: '{{ provider }}'
    device_group: 'Production edge'
    rule_name: 'Allow telnet'
    source_zone: ['public']
    destination_zone: ['private']
    source_ip: ['any']
    destination_ip: ['1.1.1.1']
    log_start: false
    log_end: true
    action: 'allow'
    disabled: true

- name: delete a device group security rule
  panos_security_rule:
    provider: '{{ provider }}'
    state: 'absent'
    device_group: 'DC Firewalls'
    rule_name: 'Allow telnet'

- name: add a rule at a specific location in the rulebase
  panos_security_rule:
    provider: '{{ provider }}'
    rule_name: 'SSH permit'
    description: 'SSH rule test'
    source_zone: ['untrust']
    destination_zone: ['trust']
    source_ip: ['any']
    source_user: ['any']
    destination_ip: ['1.1.1.1']
    category: ['any']
    application: ['ssh']
    service: ['application-default']
    action: 'allow'
    location: 'before'
    existing_rule: 'Allow MySQL'
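
The first-match evaluation described in the synopsis is easy to get wrong when rules are added in separate tasks: a general allow that lands above a specific deny silently shadows it, and nothing in the module itself warns you. The following playbook is an added example, not part of the ansible-pan project's documentation. It assumes a provider dict, zones named 'trust' and 'dmz', a log forwarding profile named 'siem', and the variables fw_ip / fw_api_key (all hypothetical). It creates the general rule, inserts the specific deny above it with location/existing_rule, commits once on the last rule task, then reads the rulebase back with panos_security_rule_facts and fails the play if the order is not what was intended.

```yaml
# Added example, not from the ansible-pan project. Zone names ('trust', 'dmz'),
# the log forwarding profile 'siem' and the fw_ip / fw_api_key variables are
# assumptions for illustration.
- name: Specific deny before general allow, verified after commit
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      ip_address: '{{ fw_ip }}'
      api_key: '{{ fw_api_key }}'   # keep in Ansible Vault or an env lookup, not in the playbook
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: General rule (any application) from trust to the DMZ
      panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Allow trust to DMZ'
        source_zone: ['trust']
        destination_zone: ['dmz']
        application: ['any']
        service: ['application-default']
        action: 'allow'
        log_end: true
        log_setting: 'siem'
        location: 'bottom'
        commit: false            # one commit at the end, not one per task

    - name: Specific deny for telnet, inserted above the general allow
      panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Deny telnet to DMZ'
        source_zone: ['trust']
        destination_zone: ['dmz']
        application: ['telnet']
        service: ['application-default']
        action: 'deny'
        icmp_unreachable: true   # only meaningful with deny/drop/reset actions
        log_end: true
        log_setting: 'siem'
        location: 'before'
        existing_rule: 'Allow trust to DMZ'
        commit: true

    - name: Read the rulebase back in its evaluation order
      panos_security_rule_facts:
        provider: '{{ provider }}'
      register: sec_rules

    - name: Fail if the deny would be shadowed by the allow
      assert:
        that:
          - "'Deny telnet to DMZ' in sec_rules.rules"
          - "sec_rules.rules.index('Deny telnet to DMZ') < sec_rules.rules.index('Allow trust to DMZ')"
        fail_msg: "'Allow trust to DMZ' precedes 'Deny telnet to DMZ'; the deny is shadowed"
```

The read-back step matters because panos_security_rule reports success as soon as the rule exists; it does not check whether an earlier rule already matches the same traffic. Logging the deny (log_end with a forwarding profile) is what makes attempts against the blocked protocol visible to the SIEM.
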
Status
Authors
  • Ivan Bojer (@ivanbojer), Robert Hagen (@stealthllama), Michael Richardson (@mrichardson03)

panos_service_group – Create service group objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Create service group objects on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit changes after creating object. If ip_address is a Panorama device, and device_group is also set, perform a commit to Panorama and a commit-all to the device group.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of service group.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
tag
list
List of tags for this service group.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
value
list / required
List of service objects to be included in the group. Must specify if state is present.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Create service group 'Prod-Services'
  panos_service_group:
    provider: '{{ provider }}'
    name: 'Prod-Services'
    value: ['ssh-tcp-22', 'mysql-tcp-3306']

- name: Delete service group 'Prod-Services'
  panos_service_group:
    provider: '{{ provider }}'
    name: 'Prod-Services'
    state: 'absent'
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_service_object – Create service objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Create service objects on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit changes after creating object. If ip_address is a Panorama device, and device_group is also set, perform a commit to Panorama and a commit-all to the device group.
description
-
Descriptive name for this service object.
destination_port
-
Destination port of the service object. Required if state is present.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of service object.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
protocol
-
    Choices:
  • tcp ←
  • udp
Protocol of the service.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
source_port
-
Source port of the service object.
state
string
    Choices:
  • present ←
  • absent
The state.
tag
-
List of tags for this service object.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Create service object 'ssh-tcp-22'
  panos_service_object:
    provider: '{{ provider }}'
    name: 'ssh-tcp-22'
    destination_port: '22'
    description: 'SSH on tcp/22'
    tag: ['Prod']

- name: Create service object 'mysql-tcp-3306'
  panos_service_object:
    provider: '{{ provider }}'
    name: 'mysql-tcp-3306'
    destination_port: '3306'
    description: 'MySQL on tcp/3306'

- name: Delete service object 'mysql-tcp-3306'
  panos_service_object:
    provider: '{{ provider }}'
    name: 'mysql-tcp-3306'
    state: 'absent'
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_software – Install specific release of PAN-OS

New in version 2.6.

Synopsis
  • Install specific release of PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
restart
-
Default:
no
Restart the device after installing the desired version. Use in conjunction with panos_check to determine when the firewall is ready again.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
version
- / required
Desired PAN-OS release for target device.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Install PAN-OS 8.1.6 and restart
  panos_software:
    provider: '{{ provider }}'
    version: '8.1.6'
    restart: true
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
version
-
After performing the software install, returns the version installed on the device.
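
The restart parameter reboots the device, and the parameter description names panos_check as the module to wait for it to come back. The following playbook is an added example, not the project's own documentation. It assumes a target_version variable and a provider dict, and relies only on panos_check accepting the same provider parameter as every other module on this page (panos_check is documented elsewhere in the role, not in this section). It installs the release, waits for the firewall by retrying panos_check while the management plane is down, and asserts on the version value the module returns.

```yaml
# Added example, not from the ansible-pan project. 'target_version' and the
# provider dict are assumptions; panos_check is documented elsewhere in the
# role and only its provider parameter is relied upon here.
- name: Upgrade PAN-OS, wait for the reboot, verify the installed release
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    target_version: '8.1.6'
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Install the target release and reboot into it
      panos_software:
        provider: '{{ provider }}'
        version: '{{ target_version }}'
        restart: true
      register: install

    - name: Wait until the firewall answers API calls again
      panos_check:
        provider: '{{ provider }}'
      register: ready
      until: ready is succeeded
      retries: 30
      delay: 30           # up to 15 minutes; the API is unreachable for most of the reboot

    - name: Refuse to continue if the module did not report the expected release
      assert:
        that:
          - install.version == target_version
        fail_msg: "Expected {{ target_version }}, module reported {{ install.version }}"
```

The version return value is what panos_software reports after the install step, so the assert catches a wrong or failed download before any further tasks run against a firewall that may still be on the old release.
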



Status
Authors
  • Michael Richardson (@mrichardson03)

panos_static_route – Create static routes on PAN-OS devices

New in version 2.6.

Synopsis
  • Create static routes on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
admin_dist
-
Administrative distance for static route.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
destination
-
Destination network. Required if state is present.
interface
-
The Interface to use.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
metric
-
Default:
10
Metric for route.
name
- / required
Name of static route.
nexthop
-
Next hop IP address. Required if state is present.
nexthop_type
-
    Choices:
  • ip-address ←
  • discard
  • none
  • next-vr
Type of next hop.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
virtual_router
-
Default:
default
Virtual router to use.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • IPv6 is not supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create route 'Test-One'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-One'
    destination: '1.1.1.0/24'
    nexthop: '10.0.0.1'

- name: Create route 'Test-Two'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-Two'
    destination: '2.2.2.0/24'
    nexthop: '10.0.0.1'

- name: Create route 'Test-Three'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-Three'
    destination: '3.3.3.0/24'
    nexthop: '10.0.0.1'

- name: Delete route 'Test-Two'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-Two'
    state: 'absent'

- name: Create route 'Test-Four'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-Four'
    destination: '4.4.4.0/24'
    nexthop: '10.0.0.1'
    virtual_router: 'VR-Two'

- name: Create route 'Test-Five'
  panos_static_route:
    provider: '{{ provider }}'
    name: 'Test-Five'
    destination: '5.5.5.0/24'
    nexthop_type: 'none'
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_tag_object – Create tag objects on PAN-OS devices

New in version 2.8.

Synopsis
  • Create tag objects on PAN-OS devices.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
color
-
    Choices:
  • red
  • green
  • blue
  • yellow
  • copper
  • orange
  • purple
  • gray
  • light green
  • cyan
  • light gray
  • blue gray
  • lime
  • black
  • gold
  • brown
Color for the tag.
comments
-
Comments for the tag.
commit
boolean
    Choices:
  • no
  • yes ←
Commit changes after creating object. If ip_address is a Panorama device, and device_group is also set, perform a commit to Panorama and a commit-all to the device group.
device_group
string
Default:
shared
(Panorama only) The device group the operation should target.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of the tag.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Create tag object 'Prod'
  panos_tag_object:
    provider: '{{ provider }}'
    name: 'Prod'
    color: 'red'
    comments: 'Prod Environment'

- name: Remove tag object 'Prod'
  panos_tag_object:
    provider: '{{ provider }}'
    name: 'Prod'
    state: 'absent'
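
The object modules on this page (panos_tag_object, panos_service_object, panos_service_group) default to commit: yes, so a playbook that builds a tag, two service objects, a group and a rule with default settings performs a commit after every task and pushes half-assembled policy to the dataplane between steps. The following playbook is an added example, not part of the project's documentation; it chains the modules in dependency order with commit disabled on every object task and a single commit on the final security rule. Zone names, the destination subnet and the rule name are assumptions; the object names are the ones used in the examples above.

```yaml
# Added example, not from the ansible-pan project. Zone names, the destination
# subnet and the rule name are assumptions; 'provider' is the connection dict
# used throughout this page.
- name: Build tag, service objects, group and rule, commit once
  hosts: localhost
  connection: local
  gather_facts: false
  roles:
    - role: PaloAltoNetworks.paloaltonetworks
  tasks:
    - name: Tag that the objects and the rule are labelled with
      panos_tag_object:
        provider: '{{ provider }}'
        name: 'Prod'
        color: 'red'
        comments: 'Prod Environment'
        commit: false

    - name: Service objects, created before the group that references them
      panos_service_object:
        provider: '{{ provider }}'
        name: '{{ item.name }}'
        protocol: 'tcp'
        destination_port: '{{ item.port }}'
        description: '{{ item.desc }}'
        tag: ['Prod']
        commit: false
      loop:
        - { name: 'ssh-tcp-22', port: '22', desc: 'SSH on tcp/22' }
        - { name: 'mysql-tcp-3306', port: '3306', desc: 'MySQL on tcp/3306' }

    - name: Group the two services
      panos_service_group:
        provider: '{{ provider }}'
        name: 'Prod-Services'
        value: ['ssh-tcp-22', 'mysql-tcp-3306']
        tag: ['Prod']
        commit: false

    - name: Rule that pins the allowed applications to the group's ports, then commit
      panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Admin to prod DB'
        source_zone: ['mgmt']
        destination_zone: ['prod']
        destination_ip: ['10.20.0.0/24']
        application: ['ssh', 'mysql']
        service: ['Prod-Services']
        action: 'allow'
        log_end: true
        tag_name: ['Prod']
        commit: true
```

Using both application and a service group on the rule means the traffic has to be identified as ssh or mysql and arrive on tcp/22 or tcp/3306; either constraint alone is looser. Removal runs in the reverse order (rule, then group, then objects, then tag), because the firewall rejects deleting an object that is still referenced.
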
Status
Authors
  • Michael Richardson (@mrichardson03)

panos_tunnel – configure tunnel interfaces

New in version 2.8.

Synopsis
  • Configure tunnel interfaces on PAN-OS.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
comment
-
Interface comment.
commit
boolean
    Choices:
  • no
  • yes ←
Commit if changed
if_name
- / required
Name of the interface to configure.
ip
list
List of static IP addresses.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ipv6_enabled
boolean
    Choices:
  • no
  • yes
Enable IPv6.
management_profile
-
Interface management profile name; it must already exist.
mtu
integer
MTU for tunnel interface.
netflow_profile
-
Netflow profile for tunnel interface.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. This param is required if the PAN-OS device is Panorama.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vr_name
-
Name of the virtual router; it must already exist.
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.
vsys_dg
-
Deprecated
Use vsys to specify the vsys instead.

Name of the vsys (if firewall) or device group (if panorama) to put this object.
zone_name
-
Name of the zone for the interface. If the zone does not exist it is created, but if the zone exists and it is not of the correct mode the operation will fail.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Create tunnel.1
- name: create tunnel.1
  panos_tunnel:
    provider: '{{ provider }}'
    if_name: "tunnel.1"
    ip: ["10.1.1.1/32"]

# Update tunnel comment.
- name: update tunnel.1 comment
  panos_tunnel:
    provider: '{{ provider }}'
    if_name: "tunnel.1"
    ip: ["10.1.1.1/32"]
    comment: "tunnel interface"
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_userid – Allow for registration and de-registration of userid

New in version 2.6.

Synopsis
  • User-ID allows user-to-IP mappings that can be referenced in policy rules.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
operation
-
Removed
Use state instead.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
register_ip
- / required
IP of the user's machine that needs to be registered with userid.
state
string
    Choices:
  • present ←
  • absent
The state.
userid
- / required
User UPN
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.

Notes

Note

  • Checkmode is not supported.

  • Panorama is not supported.

  • This operation is runtime and does not require explicit commit of the firewall configuration.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
- name: Register user ivanb to 10.0.1.101
  panos_userid:
    provider: '{{ provider }}'
    userid: 'ACMECORP\ivanb'
    register_ip: '10.0.1.101'
Status
Authors
  • Ivan Bojer (@ivanbojer)

panos_virtual_router – Configures a Virtual Router

New in version 2.9.

Synopsis
  • Manage PAN-OS virtual routers.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
ad_ebgp
integer
Administrative distance for this protocol
ad_ibgp
integer
Administrative distance for this protocol
ad_ospf_ext
integer
Administrative distance for this protocol
ad_ospf_int
integer
Administrative distance for this protocol
ad_ospfv3_ext
integer
Administrative distance for this protocol
ad_ospfv3_int
integer
Administrative distance for this protocol
ad_rip
integer
Administrative distance for this protocol
ad_static
integer
Administrative distance for this protocol
ad_static_ipv6
integer
Administrative distance for this protocol
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
interface
list
List of interface names
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
-
Default:
default
Name of virtual router
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create Virtual Router
  panos_virtual_router:
    provider: '{{ provider }}'
    name: vr-1
    commit: true
Status
Authors
  • Joshua Colson (@freakinhippie)

panos_vlan_interface – configure VLAN interfaces

New in version 2.8.

Synopsis
  • Configure VLAN interfaces.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
adjust_tcp_mss
boolean
    Choices:
  • no
  • yes
Adjust TCP MSS for layer3 interface.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
comment
-
Interface comment.
create_dhcp_default_route
boolean
    Choices:
  • no
  • yes
Whether or not to add default route with router learned via DHCP.
dhcp_default_route_metric
integer
Metric for the DHCP default route.
enable_dhcp
boolean
    Choices:
  • no
  • yes
Enable DHCP on this interface.
ip
list
List of static IP addresses.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
ipv4_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv4.
ipv6_enabled
boolean
    Choices:
  • no
  • yes
Enable IPv6.
ipv6_mss_adjust
integer
(7.1+) TCP MSS adjustment for IPv6.
management_profile
-
Interface management profile name.
mtu
integer
MTU for layer3 interface.
name
- / required
Name of the interface to configure.
This should be in the format "vlan.<some_number>".
netflow_profile
-
Netflow profile for layer3 interface.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. This param is required if the PAN-OS device is Panorama.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vlan_name
-
The VLAN to put this interface in.
If the VLAN does not exist it is created.
vr_name
-
Name of the virtual router
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.
zone_name
-
Name of the zone for the interface.
If the zone does not exist it is created.
If the zone already exists it should be mode=layer3.

Notes

Note

  • Checkmode is supported.

  • If the PAN-OS device is a firewall and vsys is not specified, then the vsys will default to vsys=vsys1.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

Examples
# Create vlan.2 as DHCP
- name: enable DHCP client on vlan.2 in zone public
  panos_vlan_interface:
    provider: '{{ provider }}'
    name: "vlan.2"
    zone_name: "public"
    enable_dhcp: true
    create_dhcp_default_route: true

# Set vlan.7 with a static IP
- name: Configure vlan.7
  panos_vlan_interface:
    provider: '{{ provider }}'
    name: "vlan.7"
    ip: ["10.1.1.1/24"]
    management_profile: "allow ping"
    vlan_name: "dmz"
    zone_name: "L3-untrust"
    vr_name: "default"
Status
Authors
  • Garfield Lee Freeman (@shinmog)

panos_vlan – Configures VLANs

New in version 2.8.

Synopsis
  • Manage PAN-OS VLANs.

Requirements

The below requirements are needed on the host that executes this module.

  • pan-python

  • pandevice

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
interface
list
List of interface names
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
name
- / required
Name of the VLAN.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
virtual_interface
-
The VLAN interface
See panos_vlan_interface
vsys
string
The vsys this object should be imported into. Objects that are imported include interfaces, virtual routers, virtual wires, and VLANs. Interfaces are typically imported into vsys1 if no vsys is specified.

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
- name: Create VLAN
  panos_vlan:
    provider: '{{ provider }}'
    name: 'Internal'
    virtual_interface: 'vlan.2'
Status
Authors
  • Garfield Lee Freeman (@shinmog)

panos_zone – configure security zone

New in version 2.8.

Synopsis
  • Configure security zones on PAN-OS firewall or in Panorama template.

Requirements

The below requirements are needed on the host that executes this module.

Parameters
Parameter Choices/Defaults Comments
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
enable_userid
boolean
    Choices:
  • no
  • yes
Enable user identification.
exclude_acl
list
User identification ACL exclude list.
include_acl
list
User identification ACL include list.
interface
list
List of member interfaces.
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
log_setting
-
Log forwarding setting.
mode
-
    Choices:
  • tap
  • virtual-wire
  • layer2
  • layer3 ←
  • external
The mode of the security zone. Must match the mode of the interface.
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
state
string
    Choices:
  • present ←
  • absent
The state.
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
string
Default:
vsys1
The vsys this object belongs to.
zone
- / required
Name of the security zone to configure.
zone_profile
-
Zone protection profile.

Notes

Note

  • Panorama is supported.

  • Check mode is supported.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples
# Create an L3 zone.
- name: create DMZ zone on a firewall
  panos_zone:
    provider: '{{ provider }}'
    zone: 'dmz'
    mode: 'layer3'
    zone_profile: 'strict'

# Add an interface to the zone.
- name: add ethernet1/2 to zone dmz
  panos_zone:
    provider: '{{ provider }}'
    zone: 'dmz'
    mode: 'layer3'
    interface: ['ethernet1/2']
    zone_profile: 'strict'

# Delete the zone.
- name: delete the DMZ zone
  panos_zone:
    provider: '{{ provider }}'
    zone: 'dmz'
    state: 'absent'

# Add a zone to a multi-VSYS Panorama template
- name: add Cloud zone to template
  panos_zone:
    provider: '{{ provider }}'
    template: 'Datacenter Template'
    vsys: 'vsys4'
    zone: 'datacenter'
    mode: 'layer3'
    enable_userid: true
    exclude_acl: ['10.0.200.0/24']
Status
Authors
  • Robert Hagen (@stealthllama)

Release History

V2.1.0

  • Released: In development

  • Status: In development

New modules:

  • panos_security_rule_facts

  • panos_vlan

  • panos_vlan_interface

The following shorthand applies to this version’s updates:

  • provider - Any module below that lists a change of provider means that it supports a new provider dict for PAN-OS authentication credentials in addition to the old ip_address / username / password / api_key. Additionally, these modules now support Panorama-to-firewall connections, performed by specifying the Panorama IP address, username, and password, then specifying a firewall's serial number using the serial_number param in the provider dict.

  • removed operation - This module has had the old operation param removed in favor of state. Please update your playbooks to use state instead.

  • template support - This module now supports Panorama templates.

  • full template support - This module now supports both Panorama templates and template stacks.

  • vsys support - This module now includes support for specifying the firewall vsys.

  • checkmode - This module now supports Ansible’s check mode.

Given the above shorthand, the following modules have been updated as follows:

  • panos_address_group: provider; checkmode

  • panos_address_object: provider; checkmode

  • panos_administrator: provider; full template support; checkmode; Now supports supplying the password hash directly

  • panos_api_key: provider

  • panos_bgp: provider; full template support; checkmode

  • panos_bgp_aggregate: provider; full template support; checkmode

  • panos_bgp_auth: provider; full template support; checkmode; replace is deprecated as this is now the default behavior for state=apply

  • panos_bgp_conditional_advertisement: provider; full template support; checkmode; advertise_filter and non_exist_filter have been deprecated, add filters using panos_bgp_policy_filter instead

  • panos_bgp_dampening: provider; full template support; checkmode

  • panos_bgp_peer: provider; full template support; checkmode

  • panos_bgp_peer_group: provider; full template support; checkmode

  • panos_bgp_policy_filter: provider; full template support; checkmode; “state=return-object” has been deprecated, just use states of absent/present like other modules as normal; address_prefix can now be a dict with “name”/”exact” keys or a string

  • panos_bgp_policy_rule: provider; full template support; checkmode; address_prefix can now be a dict with “name”/”exact” keys or a string

  • panos_bgp_redistribute: provider; full template support; checkmode

  • panos_check: provider; fixed #183; fixed #311

  • panos_commit: provider; added include_template param; devicegroup is deprecated, use device_group instead

  • panos_facts: provider; fixed bug when running against VM NGFW; host has been removed, use provider instead

  • panos_ike_crypto_profile: provider; full template support; checkmode

  • panos_ike_gateway: provider; full template support; checkmode; many params have been aliased to new param names to better match the pandevice naming

  • panos_interface: provider; template support; checkmode; removed operation; fixed #193; fixed #266; fixed #267; vsys_dg is deprecated, use vsys instead

  • panos_ipsec_profile: provider; full template support; checkmode

  • panos_ipsec_tunnel: provider; full template support; checkmode; many new params added to support previously missing functionality; please refer to the module documentation for the complete list of params now supported

  • panos_lic: provider; added new output licenses

  • panos_loopback_interface: provider; template support; checkmode; vsys_dg is deprecated; use vsys instead

  • panos_management_profile: provider; full template support; checkmode; panorama_template is deprecated, use template instead

  • panos_match_rule: provider; vsys_id is deprecated, use vsys; fixed #248; output stdout_lines is deprecated, use rule instead (note: this has a different format, so please update your playbooks)

  • panos_mgtconfig: provider; checkmode; devicegroup is removed as this param was not doing anything; added verify_update_server

  • panos_nat_rule: provider; removed operation; checkmode; devicegroup is deprecated, use device_group; tag_name (string type) is deprecated, use tag (list type); added enable and disable types for the state param

  • panos_object_facts: provider; added support for name regexes and a new objects output

  • panos_op: provider

  • panos_pg: provider; added Panorama support; added state

  • panos_redistribution: provider; full template support; checkmode

  • panos_registered_ip: provider; vsys support; checkmode

  • panos_registered_ip_facts: provider; vsys support

  • panos_restart: provider

  • panos_security_rule: provider; removed operation; checkmode; devicegroup is deprecated, use device_group instead

  • panos_service_group: provider; checkmode

  • panos_service_object: provider; checkmode

  • panos_software: provider; checkmode

  • panos_static_route: provider; full template support; added nexthop type of “next-vr”

  • panos_tag_object: provider; checkmode

  • panos_tunnel: provider; template support; checkmode; vsys_dg is deprecated, use vsys instead

  • panos_userid: provider; removed operation; state added as a param

  • panos_virtual_router: provider; full template support; checkmode

  • panos_zone: provider; full template support; checkmode

Generic updates across all modules mentioned above:

  • The minimum version of pandevice to run all “provider” modules is 0.9.1

  • Cleaned up module documentation

The following modules have been deprecated:

  • panos_admin

  • panos_dag

  • panos_query_rules

  • panos_sag

The following modules have not been modified:

  • panos_admpwd

  • panos_cert_gen_ssh

  • panos_dag_tags

  • panos_import

  • panos_loadcfg

  • panos_object

V2.0.4

  • Released: 2019-03-11

  • Status: Released (minor)

  • Fixes the DHCP param handling of panos_interface

V2.0.3

  • Released: 2019-03-04

  • Status: Released

New modules

  • panos_api_key: retrieve api_key for username/password combination

  • panos_bgp: Manages basic BGP configuration settings

  • panos_bgp_aggregate: Manages BGP Aggregation Policy Rules

  • panos_bgp_auth: Manages BGP Authentication Profiles

  • panos_bgp_conditional_advertisement: Manages BGP Conditional Advertisement Policy Rules

  • panos_bgp_dampening: Manages BGP Dampening Profiles

  • panos_bgp_peer: Manages BGP Peers

  • panos_bgp_peer_group: Manages BGP Peer Groups

  • panos_bgp_policy_filter: Manages BGP Policy Filters, children of Aggregate and Conditional Advertisement

  • panos_bgp_policy_rule: Manage BGP Import/Export Rules

  • panos_bgp_redistribute: Manages BGP Redistribution Rules

  • panos_loopback_interface: manage loopback interfaces

  • panos_redistribution: Manages virtual router Redistribution Profiles

Refactored modules

  • panos_ike_gateway: fixed misspelling of passive_mode and added additional module arguments to support more advanced configurations

V2.0.1

  • Released: 2018-10-08

  • Status: Released (minor)

This is a minor release to address issue https://github.com/PaloAltoNetworks/ansible-pan/issues/163

V2.0.0

  • Released: 2018-09-27

  • Status: Released

New modules

  • panos_administrator: Manages Panorama / NGFW administrators

  • panos_registered_ip: Use this instead of panos_dag_tags

  • panos_registered_ip_facts: Use this instead of panos_dag_tags

  • panos_address_object: Use this instead of panos_object

  • panos_address_group: Use this instead of panos_object

  • panos_service_object: Use this instead of panos_object

  • panos_service_group: Use this instead of panos_object

  • panos_tag_object: Use this instead of panos_object

  • panos_object_facts: Get facts about objects

Removed modules

Refactored modules

Now supporting state / idempotency

  • panos_interface

  • panos_nat_rule

  • panos_security_rule

Miscellanies / Fixes

  • merged Ansible role repo together with this one

  • https://github.com/PaloAltoNetworks/ansible-pan/issues/44

  • adding beta support for connections lib

  • https://github.com/PaloAltoNetworks/ansible-pan/issues/150

V1.0.8

  • Released: 2018-09-13

  • Status: Released

New modules

  • panos_management_profile: Manages interface management profiles

  • panos_ike_crypto_profile: Use the IKE Crypto Profiles page to specify protocols and algorithms for identification, authentication, and encryption (IKEv1 or IKEv2, Phase 1).

  • panos_ipsec_profile: Configures an IPSec Crypto profile on the firewall with a subset of settings.

  • panos_ike_gateway: Configures an IKE gateway on the firewall with a subset of settings.

  • panos_ipsec_tunnel: Configure data-port (DP) network interface for DHCP. By default DP interfaces are static.

Removed modules

Refactored modules

Miscellanies

  • panos_security_rule - New log_setting param added to specify the log forwarding profile to be used

  • re-wrote documentation

V1.0.7

  • Released: 2018-05-03

  • Status: Released

New modules

  • panos_userid: added ability to (un)register userid with ip address

  • panos_software: Upgrade and downgrade PAN-OS on firewalls and Panorama.

  • panos_static_route: ability to manipulate static routing tables

Removed modules

N/A

Refactored modules

  • panos_interface: Added full support for static configuration of ethernet interfaces
    https://github.com/PaloAltoNetworks/ansible-pan/pull/61

  • Add functionality to list static address groups
    https://github.com/PaloAltoNetworks/ansible-pan/pull/64

  • Pass api_key to pandevice
    https://github.com/PaloAltoNetworks/ansible-pan/pull/63

  • panos_security_rule: Security Policy position/order
    https://github.com/PaloAltoNetworks/ansible-pan/issues/14

  • panos_security_rule: unable to add security policies in Post rule
    https://github.com/PaloAltoNetworks/ansible-pan/issues/38

Miscellanies

  • https://github.com/PaloAltoNetworks/ansible-pan/pull/78

  • https://github.com/PaloAltoNetworks/ansible-pan/issues/22

V1.0.6

  • Released: 2018-2-6

  • Status: Released

New modules

N/A

Removed modules

N/A

Miscellanies

Synchronized repository with the Red Hat Ansible official repo. Added missing modules:

  • panos_op.py

  • panos_dag_tags.py

  • panos_query_rules.py

  • panos_match_rule.py

Closed issues

V1.0.5

  • Released: 2017-12-20

  • Status: Released

New modules

  • panos_op: OP commands module that allows execution of arbitrary op commands on PAN-OS devices

Refactored modules

N/A

Removed modules

N/A

Miscellanies

N/A

Closed issues

#36 https://github.com/PaloAltoNetworks/ansible-pan/issues/36

V1.0.4

  • Released: 2017-08-31

  • Status: Released

New modules

  • panos_sag: Added the ability to add / delete static address groups.

  • panos_dag_tags: A new module to create registered IP to tag associations. Implemented the ability to create / delete / list IP to tag associations.

  • panos_security_rule

  • panos_nat_rule

Refactored modules

  • panos_restart refactored to use PanDevice internally; supports Panorama

  • panos_mgtconfig refactored to use PanDevice internally; added support for NTP servers config

  • panos_dag: Converted the module to use pandevice. Also added the ability to perform create / delete / list.

Removed modules

  • panos_nat_policy (Use panos_nat_rule)

  • panos_nat_security_policy (use panos_security_rule)

  • panos_service (use panos_object)

Miscellanies

  • removed deprecated_libraries folder

  • consolidated all samples from samples/ into examples/

  • synchronized repo with core Ansible distribution

V1.0.3

Minor release with documentation updates and a few bug fixes.

V1.0.2

  • Released: 2017-04-13

Another major refactor in order to streamline the code.

Refactored modules

  • panos_address --> panos_object

  • panos_match_rule

  • panos_nat_policy --> panos_nat_rule

  • panos_query_rules

  • panos_security_policy --> panos_security_rule

  • panos_service --> panos_object

V1.0.1

  • Released: 2017-02-15

  • Status: Release

All modules have been touched and refactored to adhere to Ansible module development practices. Documentation has been added as well as sample playbooks for each module.

Refactored modules (now part of core Ansible)

  • panos_admin

  • panos_admpwd

  • panos_commit

  • panos_restart

  • panos_cert_gen_ssh

  • panos_check

  • panos_dag

  • panos_service

  • panos_mgtconfig

  • panos_import

  • panos_loadcfg

  • panos_pg

  • panos_lic

  • panos_interface

New modules

  • panos_address

  • panos_security_policy

Deprecated modules

  • panos_srule

  • panos_content

  • panos_swinstall

  • panos_tunnelif

  • panos_cstapphost

  • panos_gpp_gateway

  • panos_vulnprofile

  • panos_swapif

V1.0.0

  • Released: 2016-11-27

  • Status: Release

First release that adheres to the Ansible development practices, now part of the Ansible core development. The modules have been completely refactored; some were retired and some new modules were created.

V0.1.3

  • Released: 2015-12-09

  • Status: Alpha

Bug fixes and documentation updates

Alpha

  • Released: 2015-07-28

  • Status: Alpha

First alpha and documentation

Examples

Note: You can see complete examples here

Add security policy to Firewall or Panorama

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

Firewall
      - name: Add test rule 1 to the firewall
        panos_security_rule:
          provider: '{{ provider }}'
          rule_name: 'Ansible test 1'
          description: 'An Ansible test rule'
          source_zone: ['internal']
          destination_zone: ['external']
          source_ip: ['1.2.3.4']
          source_user: ['any']
          destination_ip: ['any']
          category: ['any']
          application: ['any']
          service: ['service-http']
          hip_profiles: ['any']
          action: 'allow'
          commit: false
Panorama
      - name: Add test pre-rule to Panorama
        panos_security_rule:
          provider: '{{ provider }}'
          rule_name: 'Ansible test 1'
          description: 'An Ansible test pre-rule'
          source_zone: ['internal']
          destination_zone: ['external']
          source_ip: ['1.2.3.4']
          source_user: ['any']
          destination_ip: ['any']
          category: ['any']
          application: ['any']
          service: ['service-http']
          hip_profiles: ['any']
          action: 'allow'
          device_group: 'DeviceGroupA'
          commit: False
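Because PAN-OS applies the first matching rule, a general rule placed ahead of a more specific one silently shadows it. The following added example (not code from the ansible-pan project) walks constructed panos_security_rule task parameters in playbook order and reports any rule whose match criteria are fully covered by an earlier rule; it assumes IP fields hold literal addresses or prefixes (a named address object is only covered by the same name), and it ignores negate_source/negate_destination and disabled rules.

```python
"""Added example (not part of ansible-pan): report panos_security_rule
definitions that are unreachable because an earlier, more general rule
already matches everything they match. Sample rules are constructed."""
import ipaddress

NAME_FIELDS = ("source_zone", "destination_zone", "source_user",
               "category", "application", "service")
IP_FIELDS = ("source_ip", "destination_ip")

# Constructed rules, in the order the playbook would add them. Keys mirror
# the panos_security_rule parameters used in the examples above.
RULES = [
    {
        "rule_name": "allow-web-out",
        "source_zone": ["internal"], "destination_zone": ["external"],
        "source_ip": ["any"], "destination_ip": ["any"],
        "application": ["any"], "service": ["service-http"],
        "action": "allow",
    },
    {   # Shadowed: allow-web-out already matches this host's HTTP traffic.
        "rule_name": "block-host-web",
        "source_zone": ["internal"], "destination_zone": ["external"],
        "source_ip": ["1.2.3.4"], "destination_ip": ["any"],
        "application": ["any"], "service": ["service-http"],
        "action": "deny",
    },
    {   # Not shadowed: a different service from either rule above.
        "rule_name": "allow-ssh-221",
        "source_zone": ["internal"], "destination_zone": ["external"],
        "source_ip": ["10.0.0.0/24"], "destination_ip": ["10.0.1.101"],
        "application": ["any"], "service": ["service-tcp-221"],
        "action": "allow",
    },
]


def _as_network(value):
    """Parse an address or prefix; return None for a named address object."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _names_covered(general, specific):
    """True if a name-list field of `general` matches all that `specific` does."""
    return "any" in general or set(specific) <= set(general)


def _ips_covered(general, specific):
    """True if every entry of `specific` lies inside some entry of `general`.
    Entries that are not literal IPs are covered only by the identical name."""
    if "any" in general:
        return True
    if "any" in specific:
        return False
    general_nets = [n for n in map(_as_network, general) if n is not None]
    for entry in specific:
        net = _as_network(entry)
        if net is None:
            if entry not in general:
                return False
        elif not any(net.version == g.version and net.subnet_of(g)
                     for g in general_nets):
            return False
    return True


def rule_covers(general, specific):
    """True when `general` would match every session that `specific` matches.
    Assumes both rules are enabled and neither negates its source/destination."""
    for field in NAME_FIELDS:
        if not _names_covered(general.get(field, ["any"]),
                              specific.get(field, ["any"])):
            return False
    for field in IP_FIELDS:
        if not _ips_covered(general.get(field, ["any"]),
                            specific.get(field, ["any"])):
            return False
    return True


def find_shadowed(rules):
    """Return (shadowed_rule, earlier_rule_that_shadows_it) pairs in order."""
    findings = []
    for index, rule in enumerate(rules):
        for earlier in rules[:index]:
            if rule_covers(earlier, rule):
                findings.append((rule["rule_name"], earlier["rule_name"]))
                break
    return findings


if __name__ == "__main__":
    for shadowed, by in find_shadowed(RULES):
        print(f"'{shadowed}' is unreachable: shadowed by earlier rule '{by}'")
```

Run it over the task list of a real playbook before the commit step to catch a deny rule that a broader allow above it would make ineffective.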

Add NAT policy to Firewall or Panorama

If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT) policy to specify whether source or destination IP addresses and ports are converted between public and private addresses and ports. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on virtual wire interfaces.

Firewall
      - name: Add the service object to the firewall first
        panos_service_object:
          provider: '{{ provider }}'
          name: 'service-tcp-221'
          protocol: 'tcp'
          destination_port: '221'
          description: 'SSH on port 221'
          commit: false

      - name: Create dynamic NAT rule on the firewall
        panos_nat_rule:
          provider: '{{ provider }}'
          rule_name: 'Web SSH inbound'
          source_zone: ['external']
          destination_zone: 'external'
          source_ip: ['any']
          destination_ip: ['10.0.0.100']
          service: 'service-tcp-221'
          snat_type: 'dynamic-ip-and-port'
          snat_interface: ['ethernet1/2']
          dnat_address: '10.0.1.101'
          dnat_port: '22'

Panorama
      - name: Add the necessary service object to Panorama first
        panos_service_object:
          provider: '{{ provider }}'
          name: 'service-tcp-221'
          protocol: 'tcp'
          destination_port: '221'
          description: 'SSH on port 221'
          commit: false
          device_group: 'shared_services_11022'

      - name: Create dynamic NAT rule on Panorama
        panos_nat_rule:
          provider: '{{ provider }}'
          rule_name: 'Web SSH inbound'
          source_zone: ['external']
          destination_zone: 'external'
          source_ip: ['any']
          destination_ip: ['10.0.0.100']
          service: 'service-tcp-221'
          snat_type: 'dynamic-ip-and-port'
          snat_interface: ['ethernet1/2']
          dnat_address: '10.0.1.101'
          dnat_port: '22'
          device_group: 'shared_services_11022'
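
To make the effect of the NAT rule above concrete, the following added example (Python, not code from the ansible-pan role or from PAN-OS) applies a rule shaped like the panos_nat_rule task to a constructed inbound TCP connection. The routing table, the client address and the address PAN-OS would use on ethernet1/2 are constructed values for the demonstration.

```python
"""Model of what the 'Web SSH inbound' NAT rule does to a matching flow (added example)."""
import ipaddress

# Constructed service object, matching the service task above.
SERVICES = {"service-tcp-221": ("tcp", 221)}
# Constructed: address the firewall would use for dynamic-ip-and-port on ethernet1/2.
INTERFACE_ADDRESSES = {"ethernet1/2": "198.51.100.2"}
# Constructed routing table, used to derive the zone an address routes to.
ROUTES = {"10.0.1.0/24": "internal", "0.0.0.0/0": "external"}

NAT_RULE = {
    "rule_name": "Web SSH inbound",
    "source_zone": ["external"], "destination_zone": "external",
    "source_ip": ["any"], "destination_ip": ["10.0.0.100"],
    "service": "service-tcp-221",
    "snat_type": "dynamic-ip-and-port", "snat_interface": ["ethernet1/2"],
    "dnat_address": "10.0.1.101", "dnat_port": "22",
}

# Constructed inbound connection: an Internet client hitting the public IP.
INBOUND_FLOW = {"source_zone": "external", "source_ip": "192.0.2.50",
                "source_port": 40000, "destination_ip": "10.0.0.100",
                "destination_port": 221, "protocol": "tcp"}


def zone_for(ip):
    """Zone the address routes to (longest-prefix match on ROUTES)."""
    addr = ipaddress.ip_address(ip)
    matching = [ipaddress.ip_network(n) for n in ROUTES
                if addr in ipaddress.ip_network(n)]
    return ROUTES[str(max(matching, key=lambda n: n.prefixlen))]


def nat_rule_matches(rule, flow):
    """NAT rules are matched on the pre-NAT header: ingress zone, the zone the
    original destination routes to, the original addresses and the service."""
    proto, port = SERVICES[rule["service"]]
    return (flow["source_zone"] in rule["source_zone"]
            and zone_for(flow["destination_ip"]) == rule["destination_zone"]
            and ("any" in rule["source_ip"] or flow["source_ip"] in rule["source_ip"])
            and flow["destination_ip"] in rule["destination_ip"]
            and (flow["protocol"], flow["destination_port"]) == (proto, port))


def apply_nat(rule, flow, next_source_port):
    """Return the translated 5-tuple, or a copy of the flow if the rule does
    not match. dnat_* rewrite the destination; dynamic-ip-and-port rewrites the
    source to the egress interface address and a fresh source port."""
    out = dict(flow)
    if not nat_rule_matches(rule, flow):
        return out
    if rule.get("dnat_address"):
        out["destination_ip"] = rule["dnat_address"]
        if rule.get("dnat_port"):
            out["destination_port"] = int(rule["dnat_port"])
    if rule.get("snat_type") == "dynamic-ip-and-port":
        out["source_ip"] = INTERFACE_ADDRESSES[rule["snat_interface"][0]]
        out["source_port"] = next_source_port
    return out


def security_policy_view(original, translated):
    """The header the security rulebase evaluates for this session: pre-NAT
    addresses and port, but the post-NAT destination zone."""
    return {"source_zone": original["source_zone"],
            "destination_zone": zone_for(translated["destination_ip"]),
            "source_ip": original["source_ip"],
            "destination_ip": original["destination_ip"],
            "destination_port": original["destination_port"]}
```

The translated flow leaves for 10.0.1.101:22 from the ethernet1/2 address, while security_policy_view() shows what the security rulebase sees for the same session: source zone external, destination zone internal (the zone 10.0.1.101 routes to), but the original destination 10.0.0.100 on port 221. A NAT rule only translates; the permitting security rule still has to be written against that pre-NAT address and post-NAT zone combination, which is a common source of "NAT works but traffic is dropped" tickets.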

Change firewall admin password using SSH

Change the admin password of a PAN-OS device over SSH, authenticating with an SSH key. This is used in particular when the NGFW is deployed in the cloud (such as AWS).

      - name: Change user password using ssh protocol
        panos_admpwd:
          ip_address: '{{ ip_address }}'
          password: '{{ password }}'
          newpassword: '{{ new_password }}'
          key_filename: '{{ key_filename }}'

Generates self-signed certificate

This module generates a self-signed certificate that can be used by the GlobalProtect client, an SSL connector, or otherwise. The root certificate must already be present on the system. This module depends on paramiko for SSH.

      - name: generate self signed certificate
        panos_cert_gen_ssh:
          ip_address: "{{ ip_address }}"
          username: "{{ username }}"
          password: "{{ password }}"
          cert_cn: "{{ cn }}"
          cert_friendly_name: "{{ friendly_name }}"
          signed_by: "{{ signed_by }}"

Check if FW is ready

Check whether the PAN-OS device is ready to be configured (no pending jobs). The check can be run once, or repeated until the device is ready, as in the retry loop below.

      - name: Wait for FW reboot
        panos_check:
          provider: '{{ provider }}'
        register: result
        until: result is not failed
        retries: 50
        delay: 5

Import configuration

Import a file into a PAN-OS device.

    - name: import configuration file into PAN-OS
      panos_import:
        ip_address: "{{ ip_address }}"
        username: "{{ username }}"
        password: "{{ password }}"
        file: "{{ config_file }}"
        category: "configuration"

DHCP on DataPort

Configure a data-port (DP) network interface for DHCP. By default, DP interfaces use static addressing.

    - name: enable DHCP client on ethernet1/1 in zone external
      panos_interface:
        provider: '{{ provider }}'
        if_name: "ethernet1/1"
        zone_name: "external"
        create_default_route: "yes"
        commit: False

Load configuration

This is an example playbook that imports and loads a firewall configuration from a configuration file.

    - name: import config
      hosts: my-firewall
      connection: local
      gather_facts: False

      vars:
        cfg_file: candidate-template-empty.xml

      roles:
        - role: PaloAltoNetworks.paloaltonetworks

      tasks:
      - name: Grab the credentials from ansible-vault
        include_vars: 'firewall-secrets.yml'
        no_log: 'yes'

      - name: wait for SSH (timeout 10min)
        wait_for: port=22 host='{{ provider.ip_address }}' search_regex=SSH timeout=600

      - name: checking if device ready
        panos_check:
          provider: '{{ provider }}'
        register: result
        until: result is not failed
        retries: 10
        delay: 10

      - name: import configuration
        panos_import:
          ip_address: '{{ provider.ip_address }}'
          username: '{{ provider.username }}'
          password: '{{ provider.password }}'
          file: '{{cfg_file}}'
          category: 'configuration'
        register: result

      - name: load configuration
        panos_loadcfg:
          ip_address: '{{ provider.ip_address }}'
          username: '{{ provider.username }}'
          password: '{{ provider.password }}'
          file: '{{result.filename}}'
          commit: False

      - name: set admin password
        panos_administrator:
          provider: '{{ provider }}'
          admin_username: 'admin'
          admin_password: '{{ provider.password }}'
          superuser: True
          commit: False

      - name: commit (blocks until finished)
        panos_commit:
          provider: '{{ provider }}'

Contributing to PANW Ansible modules

Developing Palo Alto Networks Ansible Modules

(draft)

Should you develop a module?

Developing PANW Ansible modules is easy, but often it isn’t necessary. Before you start writing a new module, ask:

Does a similar module already exist?

An existing module may already cover the functionality you want, or you might only need to add functionality to it. If you are not sure, feel free to email the PANW maintainers.

Does a Pull Request already exist?

An existing Pull Request may cover the functionality you want. If someone else has already started developing a similar module, you can review and test it.

If you find an existing PR that looks like it addresses your needs, please provide feedback on the PR. Community feedback speeds up the review and merge process.

Should you write multiple modules instead of one module?

The functionality you want may be too large for a single module. You might want to split it into separate modules or enhance an existing module.

Contributing to codebase

If your use case isn’t covered by an existing module or an open PR then you’re ready to start developing a new module.

In order to do this you need to (draft):

  1. fork the develop branch (NOT MASTER)

  2. make your changes

    • update / change the module

    • update history.md with your changes

    • make sure you run the code through the linter (TBD)

  3. create a pull request against the DEVELOP branch

Authors

Development Leads

  • Ivan Bojer (@ivanbojer)

  • Garfield Lee Freeman (@shinmog)

Contributors

  • Robert Hagen (@rnh556)

  • Luigi Mori (@jtschichold)

  • Vinay Venkataraghavan (@vinayvenkat)

  • Michael Richardson (@mrichardson03)

  • Joshua Colson (freakinhippie)

Credits

Thank you Kevin Steves, creator of the pan-python library. (https://github.com/kevinsteves/pan-python)

Also, big high-five to Brian Torres-Gil, creator of the pandevice library. (https://github.com/PaloAltoNetworks/pandevice)

License

                              Apache License
                        Version 2.0, January 2004
                     http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

   "License" shall mean the terms and conditions for use, reproduction,
   and distribution as defined by Sections 1 through 9 of this document.

   "Licensor" shall mean the copyright owner or entity authorized by
   the copyright owner that is granting the License.

   "Legal Entity" shall mean the union of the acting entity and all
   other entities that control, are controlled by, or are under common
   control with that entity. For the purposes of this definition,
   "control" means (i) the power, direct or indirect, to cause the
   direction or management of such entity, whether by contract or
   otherwise, or (ii) ownership of fifty percent (50%) or more of the
   outstanding shares, or (iii) beneficial ownership of such entity.

   "You" (or "Your") shall mean an individual or Legal Entity
   exercising permissions granted by this License.

   "Source" form shall mean the preferred form for making modifications,
   including but not limited to software source code, documentation
   source, and configuration files.

   "Object" form shall mean any form resulting from mechanical
   transformation or translation of a Source form, including but
   not limited to compiled object code, generated documentation,
   and conversions to other media types.

   "Work" shall mean the work of authorship, whether in Source or
   Object form, made available under the License, as indicated by a
   copyright notice that is included in or attached to the work
   (an example is provided in the Appendix below).

   "Derivative Works" shall mean any work, whether in Source or Object
   form, that is based on (or derived from) the Work and for which the
   editorial revisions, annotations, elaborations, or other modifications
   represent, as a whole, an original work of authorship. For the purposes
   of this License, Derivative Works shall not include works that remain
   separable from, or merely link (or bind by name) to the interfaces of,
   the Work and Derivative Works thereof.

   "Contribution" shall mean any work of authorship, including
   the original version of the Work and any modifications or additions
   to that Work or Derivative Works thereof, that is intentionally
   submitted to Licensor for inclusion in the Work by the copyright owner
   or by an individual or Legal Entity authorized to submit on behalf of
   the copyright owner. For the purposes of this definition, "submitted"
   means any form of electronic, verbal, or written communication sent
   to the Licensor or its representatives, including but not limited to
   communication on electronic mailing lists, source code control systems,
   and issue tracking systems that are managed by, or on behalf of, the
   Licensor for the purpose of discussing and improving the Work, but
   excluding communication that is conspicuously marked or otherwise
   designated in writing by the copyright owner as "Not a Contribution."

   "Contributor" shall mean Licensor and any individual or Legal Entity
   on behalf of whom a Contribution has been received by Licensor and
   subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
   this License, each Contributor hereby grants to You a perpetual,
   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
   copyright license to reproduce, prepare Derivative Works of,
   publicly display, publicly perform, sublicense, and distribute the
   Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
   this License, each Contributor hereby grants to You a perpetual,
   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
   (except as stated in this section) patent license to make, have made,
   use, offer to sell, sell, import, and otherwise transfer the Work,
   where such license applies only to those patent claims licensable
   by such Contributor that are necessarily infringed by their
   Contribution(s) alone or by combination of their Contribution(s)
   with the Work to which such Contribution(s) was submitted. If You
   institute patent litigation against any entity (including a
   cross-claim or counterclaim in a lawsuit) alleging that the Work
   or a Contribution incorporated within the Work constitutes direct
   or contributory patent infringement, then any patent licenses
   granted to You under this License for that Work shall terminate
   as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
   Work or Derivative Works thereof in any medium, with or without
   modifications, and in Source or Object form, provided that You
   meet the following conditions:

   (a) You must give any other recipients of the Work or
       Derivative Works a copy of this License; and

   (b) You must cause any modified files to carry prominent notices
       stating that You changed the files; and

   (c) You must retain, in the Source form of any Derivative Works
       that You distribute, all copyright, patent, trademark, and
       attribution notices from the Source form of the Work,
       excluding those notices that do not pertain to any part of
       the Derivative Works; and

   (d) If the Work includes a "NOTICE" text file as part of its
       distribution, then any Derivative Works that You distribute must
       include a readable copy of the attribution notices contained
       within such NOTICE file, excluding those notices that do not
       pertain to any part of the Derivative Works, in at least one
       of the following places: within a NOTICE text file distributed
       as part of the Derivative Works; within the Source form or
       documentation, if provided along with the Derivative Works; or,
       within a display generated by the Derivative Works, if and
       wherever such third-party notices normally appear. The contents
       of the NOTICE file are for informational purposes only and
       do not modify the License. You may add Your own attribution
       notices within Derivative Works that You distribute, alongside
       or as an addendum to the NOTICE text from the Work, provided
       that such additional attribution notices cannot be construed
       as modifying the License.

   You may add Your own copyright statement to Your modifications and
   may provide additional or different license terms and conditions
   for use, reproduction, or distribution of Your modifications, or
   for any such Derivative Works as a whole, provided Your use,
   reproduction, and distribution of the Work otherwise complies with
   the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
   any Contribution intentionally submitted for inclusion in the Work
   by You to the Licensor shall be under the terms and conditions of
   this License, without any additional terms or conditions.
   Notwithstanding the above, nothing herein shall supersede or modify
   the terms of any separate license agreement you may have executed
   with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
   names, trademarks, service marks, or product names of the Licensor,
   except as required for reasonable and customary use in describing the
   origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
   agreed to in writing, Licensor provides the Work (and each
   Contributor provides its Contributions) on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
   implied, including, without limitation, any warranties or conditions
   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
   PARTICULAR PURPOSE. You are solely responsible for determining the
   appropriateness of using or redistributing the Work and assume any
   risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
   whether in tort (including negligence), contract, or otherwise,
   unless required by applicable law (such as deliberate and grossly
   negligent acts) or agreed to in writing, shall any Contributor be
   liable to You for damages, including any direct, indirect, special,
   incidental, or consequential damages of any character arising as a
   result of this License or out of the use or inability to use the
   Work (including but not limited to damages for loss of goodwill,
   work stoppage, computer failure or malfunction, or any and all
   other commercial damages or losses), even if such Contributor
   has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
   the Work or Derivative Works thereof, You may choose to offer,
   and charge a fee for, acceptance of support, warranty, indemnity,
   or other liability obligations and/or rights consistent with this
   License. However, in accepting such obligations, You may act only
   on Your own behalf and on Your sole responsibility, not on behalf
   of any other Contributor, and only if You agree to indemnify,
   defend, and hold each Contributor harmless for any liability
   incurred by, or claims asserted against, such Contributor by reason
   of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS
