<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Ansible disable firewall rules in Automation/API Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/282870#M2005</link>
    <pubDate>Thu, 15 Aug 2019 14:05:47 GMT</pubDate>
    <dc:creator>michalstaporek</dc:creator>
    <dc:date>2019-08-15T14:05:47Z</dc:date>
    <item>
      <title>Ansible disable firewall rules</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/281483#M1994</link>
      <description>&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;I have recently started experimenting with Ansible and managed to add/remove some rules. It's been a steep learning curve so far, I must admit.&lt;BR /&gt;What I am trying to do now is to get Ansible to disable unused firewall rules. As part of the firewall clean-up we have a high number of rules that we have identified as not being used. The plan is to disable them and, if there are no complaints from users after a period of time, delete them completely. The argument for disabling them first is that if we disable something that is actually needed we can then quickly re-enable the rule.&lt;BR /&gt;I have manually exported a list of unused rules to a file and wanted to loop through the file and disable all listed policies. The file I am using only contains the name of the rule, one policy per line. The playbook is constructed as follows:&lt;/P&gt;&lt;PRE&gt;---
- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Disable rules
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item }}'
      disabled: 'yes'
      commit: 'False'
    with_lines: cat ./vars/lab_fw_rules&lt;/PRE&gt;&lt;P&gt;I was hoping that this would only disable the listed rules, but in fact it is disabling the rules and also updating them with default settings for each property, i.e. 'any' source address, 'any' destination address, 'any' application, etc.&lt;BR /&gt;Thinking about it now, I believe that this is correct behaviour because I am instructing Ansible to update the rule and, as I am not specifying any properties other than 'disabled', it just takes the defaults.&lt;BR /&gt;Can anyone possibly suggest a solution?&lt;/P&gt;</description>
      <pubDate>Wed, 07 Aug 2019 10:32:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/281483#M1994</guid>
      <dc:creator>michalstaporek</dc:creator>
      <dc:date>2019-08-07T10:32:26Z</dc:date>
    </item>
    <item>
      <title>Re: Ansible disable firewall rules</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/282094#M2000</link>
      <description>&lt;P&gt;Interestingly enough, I actually just wrote a whole blog post talking about updating things in PAN-OS with Ansible:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/ba-p/275173" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/ba-p/275173&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This post doesn't cover security rules specifically, but the logic is the exact same, and there is a panos_security_rule_facts, so the approach is the exact same.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Fri, 09 Aug 2019 15:55:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/282094#M2000</guid>
      <dc:creator>gfreeman</dc:creator>
      <dc:date>2019-08-09T15:55:42Z</dc:date>
    </item>
    <item>
      <title>Re: Ansible disable firewall rules</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/282870#M2005</link>
      <description>&lt;P&gt;Thank you very much, that helped a lot!&lt;/P&gt;&lt;P&gt;If anyone is interested, this is what did the trick for us:&lt;/P&gt;&lt;PRE&gt;---

- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Set up an empty list variable
    set_fact:
      vsys1_rules: []

  - name: Build a list of vsys1 unused rules from a file
    set_fact:
      vsys1_rules: '{{ vsys1_rules + [ item ] }}'
    with_lines: cat ./vars/lab_fw_rules

  - name: Get all rules in vsys1 and their config
    panos_security_rule_facts:
      provider: '{{ provider }}'
      all_details: 'yes'
    register: all_rules

  - name: Disable unused rules in vsys1
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item.rule_name }}'
      action: '{{ item.action }}'
      antivirus: '{{ item.antivirus | default(omit, true) }}'
      application: '{{ item.application }}'
      category: '{{ item.category }}'
      data_filtering: '{{ item.data_filtering | default(omit, true) }}'
      description: '{{ item.description | default(omit, true) }}'
      destination_ip: '{{ item.destination_ip }}'
      destination_zone: '{{ item.destination_zone }}'
      disable_server_response_inspection: '{{ item.disable_server_response_inspection }}'
      disabled: 'yes'
      file_blocking: '{{ item.file_blocking | default(omit, true) }}'
      group_profile: '{{ item.group_profile | default(omit, true) }}'
      hip_profiles: '{{ item.hip_profiles | default(omit, true) }}'
      icmp_unreachable: '{{ item.icmp_unreachable | default(omit, true) }}'
      log_end: '{{ item.log_end }}'
      log_setting: '{{ item.log_setting | default(omit, true) }}'
      log_start: '{{ item.log_start }}'
      negate_destination: '{{ item.negate_destination }}'
      negate_source: '{{ item.negate_source }}'
      rule_type: '{{ item.rule_type }}'
      schedule: '{{ item.schedule | default(omit, true) }}'
      service: '{{ item.service }}'
      source_ip: '{{ item.source_ip }}'
      source_user: '{{ item.source_user }}'
      source_zone: '{{ item.source_zone }}'
      spyware: '{{ item.spyware | default(omit, true) }}'
      tag_name: '{{ item.tag_name | default(omit, true) }}'
      url_filtering: '{{ item.url_filtering | default(omit, true) }}'
      vsys: 'vsys1'
      vulnerability: '{{ item.vulnerability | default(omit, true) }}'
      wildfire_analysis: '{{ item.wildfire_analysis | default(omit, true) }}'
      commit: false
    loop: '{{ all_rules.policy }}'
    loop_control:
      label: '{{ item.rule_name }}'
    when:
      - item.rule_name in vsys1_rules&lt;/PRE&gt;</description>
      <pubDate>Thu, 15 Aug 2019 14:05:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/282870#M2005</guid>
      <dc:creator>michalstaporek</dc:creator>
      <dc:date>2019-08-15T14:05:47Z</dc:date>
    </item>
    <item>
      <title>Re: Ansible disable firewall rules</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/423667#M2738</link>
      <description>&lt;P&gt;I have tried something similar to update the existing security rules by removing the IP address &lt;SPAN&gt;111.1.1.1 if it is present in the source IP address&lt;/SPAN&gt;.&lt;/P&gt;&lt;P&gt;Is there anything else we need to change in the script below?&lt;/P&gt;&lt;PRE&gt;---

- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  vars:
    rmadr: "111.1.1.1"

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Get all rules in vsys1 and their config
    panos_security_rule_facts:
      provider: '{{ provider }}'
      all_details: 'yes'
    register: all_rules

  - name: remove address from all security rules
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item.rule_name }}'
      action: '{{ item.action }}'
      application: '{{ item.application | default(omit, true) }}'
      description: '{{ item.description | default(omit, true) }}'
      destination_ip: '{{ item.destination_ip | default(omit, true) }}'
      destination_zone: '{{ item.destination_zone | default(omit, true) }}'
      service: '{{ item.service | default(omit, true) }}'
      # difference() drops rmadr from the list; the closing parenthesis was missing
      source_ip: '{{ item.source_ip | difference([rmadr]) }}'
      source_user: '{{ item.source_user | default(omit, true) }}'
      source_zone: '{{ item.source_zone | default(omit, true) }}'
    # with all_details the facts module returns full rule dicts under .policy,
    # which is what item.rule_name and item.source_ip need (as in the working playbook above)
    loop: '{{ all_rules.policy }}'
    loop_control:
      label: '{{ item.rule_name }}'
    when:
      - item.source_ip is defined
      - rmadr in item.source_ip&lt;/PRE&gt;</description>
      <pubDate>Sun, 01 Aug 2021 14:49:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-disable-firewall-rules/m-p/423667#M2738</guid>
      <dc:creator>cheetoz23</dc:creator>
      <dc:date>2021-08-01T14:49:52Z</dc:date>
    </item>
  </channel>
</rss>

