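# FILENAME
# palo-test-rules.yaml - playbook to test a number of security rules
## DESCRIPTION
# Example playbook that connects to the firewall using the credentials saved in
# either the host.yaml or vars.yaml file (passed to every task as the
# `provider` dictionary). Keep that file out of version control or encrypt it
# with ansible-vault; the playbook itself never has to contain a secret.
# Each task asks the firewall which security or NAT rule would match a given
# synthetic flow, then prints the matched rule.
## REQUIREMENTS
# pip install ansible
# ansible-galaxy collection install paloaltonetworks.panos
## EXECUTE
# ansible-playbook palo-test-rules.yaml
---
- name: test a number of security rules
  hosts: PA-VM-02
  # the panos modules talk to the firewall API from the control node,
  # so no SSH session to the target and no fact gathering is needed
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  tasks:
    # security-policy lookup: outbound DNS from an internal host to 8.8.8.8
    - name: check security rules for Google DNS
      panos_match_rule:
        provider: '{{ provider }}'
        source_ip: '10.0.0.0'
        destination_ip: '8.8.8.8'
        application: 'dns'
        destination_port: '53'
        # protocol numbers are IANA values: 17 = UDP, 6 = TCP
        protocol: '17'
      register: result
    # NOTE(review): confirm what panos_match_rule returns when nothing matches -
    # this debug task fails if result.rule is undefined in that case
    - name: show the rule matched for Google DNS
      debug:
        msg: '{{ result.rule }}'

    # security-policy lookup: inbound SSH from any source, matched on user-id
    - name: check security rules inbound SSH with user match
      panos_match_rule:
        provider: '{{ provider }}'
        source_ip: '0.0.0.0'
        # single quotes keep the backslash literal in domain\user form
        source_user: 'mydomain\jsmith'
        destination_ip: '192.168.100.115'
        destination_port: '22'
        protocol: '6'
      register: result
    - name: show the rule matched for inbound SSH
      debug:
        msg: '{{ result.rule }}'

    # NAT lookup: source NAT for a DMZ host going out to the Internet
    - name: check NAT rules for source NAT
      panos_match_rule:
        provider: '{{ provider }}'
        rule_type: 'nat'
        source_zone: 'Prod-DMZ'
        source_ip: '10.10.118.50'
        to_interface: 'ethernet1/2'
        destination_zone: 'Internet'
        destination_ip: '0.0.0.0'
        protocol: '6'
      register: result
    - name: show the rule matched for source NAT
      debug:
        msg: '{{ result.rule }}'

    # NAT lookup: inbound web traffic from the Internet to a DMZ web server
    - name: check NAT rules for inbound web
      panos_match_rule:
        provider: '{{ provider }}'
        rule_type: 'nat'
        source_zone: 'Internet'
        source_ip: '0.0.0.0'
        to_interface: 'ethernet1/1'
        # NOTE(review): the source-NAT task above spells this zone 'Prod-DMZ';
        # confirm which name exists on the firewall, a mismatch yields no match
        destination_zone: 'Prod DMZ'
        destination_ip: '192.168.118.50'
        destination_port: '80'
        protocol: '6'
      register: result
    - name: show the rule matched for inbound web
      debug:
        msg: '{{ result.rule }}'

    # security-policy lookup scoped to a non-default virtual system
    - name: check security rules for outbound POP3 in vsys4
      panos_match_rule:
        provider: '{{ provider }}'
        vsys_id: 'vsys4'
        source_ip: '10.0.0.0'
        destination_ip: '4.3.2.1'
        application: 'pop3'
        destination_port: '110'
        protocol: '6'
      register: result
    - name: show the rule matched for outbound POP3
      debug:
        msg: '{{ result.rule }}'
...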