Ansible disable firewall rules

L0 Member

Ansible disable firewall rules

Hello All,

I have recently started experimenting with Ansible and managed to add/remove some rules. It's been a steep learning curve so far, I must admit.
What I am trying to do now is to get Ansible to disable unused firewall rules. As part of the firewall clean-up we have a high number of rules that we have identified as not being used. The plan is to disable them and, if there are no complaints from users after a period of time, delete them completely. The argument for disabling them first is that if we disable something that is actually needed we can then quickly re-enable the rule.
I have manually exported a list of unused rules to a file and wanted to loop through the file and disable all listed policies. The file I am using only contains the name of the rule, one policy per line. The playbook is constructed as follows:

---
- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Disable rules
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item }}'
      disabled: 'yes'
      commit: 'False'
    with_lines: cat ./vars/lab_fw_rules


I was hoping that this would only disable the listed rules, but in fact it is disabling the rules and also updating them with default settings for each property, i.e. 'any' source address, 'any' destination address, 'any' application, etc.
Thinking about it now I believe that this is correct behaviour because I am instructing Ansible to update the rule and as I am not specifying any other properties than 'disabled' it just takes the defaults.
Can anyone possibly suggest a solution?

L4 Transporter

Re: Ansible disable firewall rules

Interestingly enough, I actually just wrote a whole blog post talking about updating things in PAN-OS with Ansible:


https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/b...


This post doesn't cover security rules specifically, but the logic is the exact same, and there is a panos_security_rule_facts, so the approach is the exact same.


Hope this helps!

L0 Member

Re: Ansible disable firewall rules

Thank you very much, that helped a lot!


If anyone is interested, this is what did the trick for us:

---

- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Set up an empty list variable
    set_fact:
      vsys1_rules: []

  - name: Build a list of vsys1 unused rules from a file
    set_fact:
      vsys1_rules: '{{ vsys1_rules + [ item ] }}'
    with_lines: cat ./vars/lab_fw_rules

  - name: Get all rules in vsys1 and their config
    panos_security_rule_facts:
      provider: '{{ provider }}'
      all_details: 'yes'
    register: all_rules

  - name: Disable unused rules in vsys1
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item.rule_name }}'
      action: '{{ item.action }}'
      antivirus: '{{ item.antivirus | default(omit, true) }}'
      application: '{{ item.application }}'
      category: '{{ item.category }}'
      data_filtering: '{{ item.data_filtering | default(omit, true) }}'
      description: '{{ item.description | default(omit, true) }}'
      destination_ip: '{{ item.destination_ip }}'
      destination_zone: '{{ item.destination_zone }}'
      disable_server_response_inspection: '{{ item.disable_server_response_inspection }}'
      disabled: 'yes'
      file_blocking: '{{ item.file_blocking | default(omit, true) }}'
      group_profile: '{{ item.group_profile | default(omit, true) }}'
      hip_profiles: '{{ item.hip_profiles | default(omit, true) }}'
      icmp_unreachable: '{{ item.icmp_unreachable | default(omit, true) }}'
      log_end: '{{ item.log_end }}'
      log_setting: '{{ item.log_setting | default(omit, true) }}'
      log_start: '{{ item.log_start }}'
      negate_destination: '{{ item.negate_destination }}'
      negate_source: '{{ item.negate_source }}'
      rule_type: '{{ item.rule_type }}'
      schedule: '{{ item.schedule | default(omit, true) }}'
      service: '{{ item.service }}'
      source_ip: '{{ item.source_ip }}'
      source_user: '{{ item.source_user }}'
      source_zone: '{{ item.source_zone }}'
      spyware: '{{ item.spyware | default(omit, true) }}'
      tag_name: '{{ item.tag_name | default(omit, true) }}'
      url_filtering: '{{ item.url_filtering | default(omit, true) }}'
      vsys: 'vsys1'
      vulnerability: '{{ item.vulnerability | default(omit, true) }}'
      wildfire_analysis: '{{ item.wildfire_analysis | default(omit, true) }}'
      commit: false
    loop: '{{ all_rules.policy }}'
    loop_control:
      label: '{{ item.rule_name }}'
    when:
      - item.rule_name in vsys1_rules
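As an added example (not code from the PAN-OS Ansible role or from the posters above), here is a stand-alone Python model of the facts-then-update loop in that playbook. It reproduces the loop's merge rules, namely keep every current property, drop the `default(omit, true)` ones when empty, change only `disabled`, so the resulting module arguments can be checked offline before the play runs; it also reports names from the file that do not exist in the facts, which the playbook's `when` clause would skip silently. The sample facts and rule list are constructed, and the `changed_fields` helper is an assumption about what a sensible pre-flight check looks like.

```python
# Parameters the playbook passes through unchanged.
RAW = ("action", "application", "category", "destination_ip", "destination_zone",
       "disable_server_response_inspection", "log_end", "log_start",
       "negate_destination", "negate_source", "rule_type", "service",
       "source_ip", "source_user", "source_zone")
# Parameters wrapped in `default(omit, true)`: dropped when empty or false.
OMIT_IF_EMPTY = ("antivirus", "data_filtering", "description", "file_blocking",
                 "group_profile", "hip_profiles", "icmp_unreachable", "log_setting",
                 "schedule", "spyware", "tag_name", "url_filtering",
                 "vulnerability", "wildfire_analysis")

def build_disable_updates(policy, unused_names, vsys="vsys1"):
    """Return (updates, missing). `updates` holds the panos_security_rule
    arguments for each listed rule, keeping its current properties and setting
    only disabled=True; `missing` lists names from the file that are absent
    from the facts (the playbook's `when` clause skips them without a word)."""
    by_name = {rule["rule_name"]: rule for rule in policy}
    missing = sorted(set(unused_names) - set(by_name))
    updates = []
    for rule in policy:                      # same order as the loop: all_rules.policy
        if rule["rule_name"] not in unused_names:
            continue
        args = {"rule_name": rule["rule_name"], "vsys": vsys,
                "disabled": True, "commit": False}
        for key in RAW:
            args[key] = rule.get(key)
        for key in OMIT_IF_EMPTY:
            if rule.get(key):                # Jinja truthiness, as default(omit, true)
                args[key] = rule[key]
        updates.append(args)
    return updates, missing

def changed_fields(rule, args):
    """Rule properties the update would alter (hypothetical pre-flight check);
    only 'disabled' is expected when the merge is correct."""
    return sorted(k for k in args if k not in ("rule_name", "vsys", "commit")
                  and args[k] != rule.get(k))

# Constructed sample facts, shaped like all_rules.policy from panos_security_rule_facts.
SAMPLE_POLICY = [
    {"rule_name": "allow-dns", "action": "allow", "application": ["dns"],
     "category": ["any"], "destination_ip": ["10.0.0.53"], "destination_zone": ["dmz"],
     "disable_server_response_inspection": False, "log_end": True, "log_start": False,
     "negate_destination": False, "negate_source": False, "rule_type": "universal",
     "service": ["application-default"], "source_ip": ["any"], "source_user": ["any"],
     "source_zone": ["trust"], "description": "", "tag_name": ["cleanup"],
     "disabled": False},
]
UNUSED = ["allow-dns", "old-ftp"]           # constructed contents of ./vars/lab_fw_rules
```

Running `build_disable_updates(SAMPLE_POLICY, UNUSED)` shows `old-ftp` reported as missing and the `allow-dns` update carrying its original addresses and application, with `changed_fields` listing only `disabled`.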