08-07-2019 03:32 AM
Hello All,
I have recently started experimenting with Ansible and managed to add/remove some rules. It's been a steep learning curve so far, I must admit.
What I am trying to do now is to get Ansible to disable unused firewall rules. As part of the firewall clean-up we have a high number of rules that we ave identified as not being used. The plan is to disable them and if there are no complains from users after a period of time delete them completely. The argument for disabling them first is that if we disable something that is actully needed we can then quickly re-enable the rule.
I have manually exported a list of unused rules to a file and wanted to loop through the file and disable all listed policies. The file I am using only contains the name of the rule, one policy per line. The playbook is constructed as follows:
---
- name: Disable existing security rules on the firewall
hosts: localhost
connection: local
gather_facts: False
roles:
- role: PaloAltoNetworks.paloaltonetworks
tasks:
- name: Grab the credentials from ansible-vault
include_vars: 'firewall-secrets.yml'
no_log: 'yes'
- name: Disable rules
panos_security_rule:
provider: '{{ provider }}'
rule_name: '{{ item }}'
disabled: 'yes'
commit: 'False'
with_lines: cat ./vars/lab_fw_rules
I was hoping that this will only disbale the listed rules but in fact it is disabling the rules and also updating them with default settings for each property, i.e. 'any' source address, 'any' destination address, 'any' application, etc.
Thinking about it now I believe that this is correct behaviour because I am instructing Ansible to update the rule and as I am not specifying any other properties than 'disabled' it just takes the defaults.
Can anyone possibly suggest a solution?
08-09-2019 08:55 AM
Intereestingly enough, I actually just wrote a whole blog post talking about updating things in PAN-OS with Ansible:
This post doesn't cover security rules specifically, but the logic is the exact same, and there is a panos_security_rule_facts, so the approach is the exact same.
Hope this helps!
08-09-2019 08:55 AM
Intereestingly enough, I actually just wrote a whole blog post talking about updating things in PAN-OS with Ansible:
This post doesn't cover security rules specifically, but the logic is the exact same, and there is a panos_security_rule_facts, so the approach is the exact same.
Hope this helps!
08-15-2019 07:05 AM
Thank you very much, that helped a lot!
If anyone is interested, this is what did the trick for us
---
- name: Disable existing security rules on the firewall
hosts: localhost
connection: local
gather_facts: False
roles:
- role: PaloAltoNetworks.paloaltonetworks
tasks:
- name: Grab the credentials from ansible-vault
include_vars: 'firewall-secrets.yml'
no_log: 'yes'
- name: Set up an empty list variables
set_fact:
vsys1_rules: []
- name: Build a list of vsys1 unused rules from a file
set_fact:
vsys1_rules: '{{ vsys1_rules + [ item ] }}'
with_lines: cat ./vars/lab_fw_rules
- name: Get all rules in vsys1 and their config
panos_security_rule_facts:
provider: '{{ provider }}'
all_details: 'yes'
register: all_rules
- name: Disable unused rules in vsys1
panos_security_rule:
provider: '{{ provider }}'
rule_name: '{{ item.rule_name }}'
action: '{{ item.action }}'
antivirus: '{{ item.antivirus | default(omit, true) }}'
application: '{{ item.application }}'
category: '{{ item.category }}'
data_filtering: '{{ item.data_filtering | default(omit, true) }}'
description: '{{ item.description | default(omit, true) }}'
destination_ip: '{{ item.destination_ip }}'
destination_zone: '{{ item.destination_zone }}'
disable_server_response_inspection: '{{ item.disable_server_response_inspection }}'
disabled: 'yes'
file_blocking: '{{ item.file_blocking | default(omit, true) }}'
group_profile: '{{ item.group_profile | default(omit, true) }}'
hip_profiles: '{{ item.hip_profiles | default(omit, true) }}'
icmp_unreachable: '{{ item.icmp_unreachable | default(omit, true) }}'
log_end: '{{ item.log_end }}'
log_setting: '{{ item.log_setting | default(omit, true) }}'
log_start: '{{ item.log_start }}'
negate_destination: '{{ item.negate_destination }}'
negate_source: '{{ item.negate_source }}'
rule_type: '{{ item.rule_type }}'
schedule: '{{ item.schedule | default(omit, true) }}'
service: '{{ item.service }}'
source_ip: '{{ item.source_ip }}'
source_user: '{{ item.source_user }}'
source_zone: '{{ item.source_zone }}'
spyware: '{{ item.spyware | default(omit, true) }}'
tag_name: '{{ item.tag_name | default(omit, true) }}'
url_filtering: '{{ item.url_filtering | default(omit, true) }}'
vsys: 'vsys1'
vulnerability: '{{ item.vulnerability | default(omit, true) }}'
wildfire_analysis: '{{ item.wildfire_analysis | default(omit, true) }}'
commit: false
loop: '{{ all_rules.policy }}'
loop_control:
label: '{{ item.rule_name }}'
when:
- item.rule_name in vsys1_rules
08-01-2021 07:49 AM
I have tried something similar to update the existing security rule by removing ip address:111.1.1.1 if it is present in source ip address.
anything else we need to change in this below script?
--- - name: Disable existing security rules on the firewall hosts: localhost connection: local gather_facts: False vars:
rmadr:"111.1.1.1"
tasks: - name: Grab the credentials from ansible-vault include_vars: 'firewall-secrets.yml' no_log: 'yes' - name: Get all rules in vsys1 and their config panos_security_rule_facts: provider: '{{ provider }}' all_details: 'yes' register: all_rules - name: remove address from all security rules panos_security_rule: provider: '{{ provider }}' rule_name: '{{ item.rule_name }}' action: '{{ item.action }}' application: '{{ item.application | default(omit, true)}}' description: '{{ item.description | default(omit, true) }}' destination_ip: '{{ item.destination_ip | default(omit, true)}}' destination_zone: '{{ item.destination_zone| default(omit, true) }}' service: '{{ item.service | default(omit, true)}}' source_ip: '{{ item.source_ip | difference([rmadr]}}' source_user: '{{ item.source_user | default(omit, true) }}' source_zone: '{{ item.source_zone | default(omit, true)}}' loop: '{{ all_rules.rulenames}}' loop_control: label: '{{ item.rule_name }}' when:
- item.source_ip - rmadr in source_ip
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
