Ansible disable firewall rules


L1 Bithead

Hello All,

I have recently started experimenting with Ansible and managed to add/remove some rules. It's been a steep learning curve so far, I must admit.
What I am trying to do now is to get Ansible to disable unused firewall rules. As part of the firewall clean-up we have a high number of rules that we have identified as not being used. The plan is to disable them and if there are no complaints from users after a period of time delete them completely. The argument for disabling them first is that if we disable something that is actually needed we can then quickly re-enable the rule.
I have manually exported a list of unused rules to a file and wanted to loop through the file and disable all listed policies. The file I am using only contains the name of the rule, one policy per line. The playbook is constructed as follows:

---
- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Disable rules
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item }}'
      disabled: 'yes'
      commit: 'False'
    with_lines: cat ./vars/lab_fw_rules

I was hoping that this will only disable the listed rules but in fact it is disabling the rules and also updating them with default settings for each property, i.e. 'any' source address, 'any' destination address, 'any' application, etc.
Thinking about it now I believe that this is correct behaviour because I am instructing Ansible to update the rule and as I am not specifying any other properties than 'disabled' it just takes the defaults.
Can anyone possibly suggest a solution?

1 accepted solution

Accepted Solutions

L5 Sessionator

Interestingly enough, I actually just wrote a whole blog post talking about updating things in PAN-OS with Ansible:

https://live.paloaltonetworks.com/t5/Automation-API-Blog/Ansible-Using-Facts-Modules-to-do-Updates/b...

This post doesn't cover security rules specifically, but the logic is the exact same, and there is a panos_security_rule_facts, so the approach is the exact same.

Hope this helps!

Thank you very much, that helped a lot!

If anyone is interested, this is what did the trick for us

---

- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Set up an empty list variables
    set_fact:
      vsys1_rules: []

  - name: Build a list of vsys1 unused rules from a file
    set_fact:
      vsys1_rules: '{{ vsys1_rules + [ item ] }}'
    with_lines: cat ./vars/lab_fw_rules

  - name: Get all rules in vsys1 and their config
    panos_security_rule_facts:
      provider: '{{ provider }}'
      all_details: 'yes'
    register: all_rules

  - name: Disable unused rules in vsys1
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item.rule_name }}'
      action: '{{ item.action }}'
      antivirus: '{{ item.antivirus | default(omit, true) }}'
      application: '{{ item.application }}'
      category: '{{ item.category }}'
      data_filtering: '{{ item.data_filtering | default(omit, true) }}'
      description: '{{ item.description | default(omit, true) }}'
      destination_ip: '{{ item.destination_ip }}'
      destination_zone: '{{ item.destination_zone }}'
      disable_server_response_inspection: '{{ item.disable_server_response_inspection }}'
      disabled: 'yes'
      file_blocking: '{{ item.file_blocking | default(omit, true) }}'
      group_profile: '{{ item.group_profile | default(omit, true) }}'
      hip_profiles: '{{ item.hip_profiles | default(omit, true) }}'
      icmp_unreachable: '{{ item.icmp_unreachable | default(omit, true) }}'
      log_end: '{{ item.log_end }}'
      log_setting: '{{ item.log_setting | default(omit, true) }}'
      log_start: '{{ item.log_start }}'
      negate_destination: '{{ item.negate_destination }}'
      negate_source: '{{ item.negate_source }}'
      rule_type: '{{ item.rule_type }}'
      schedule: '{{ item.schedule | default(omit, true) }}'
      service: '{{ item.service }}'
      source_ip: '{{ item.source_ip }}'
      source_user: '{{ item.source_user }}'
      source_zone: '{{ item.source_zone }}'
      spyware: '{{ item.spyware | default(omit, true) }}'
      tag_name: '{{ item.tag_name | default(omit, true) }}'
      url_filtering: '{{ item.url_filtering | default(omit, true) }}'
      vsys: 'vsys1'
      vulnerability: '{{ item.vulnerability | default(omit, true) }}'
      wildfire_analysis: '{{ item.wildfire_analysis | default(omit, true) }}'
      commit: false
    loop: '{{ all_rules.policy }}'
    loop_control:
      label: '{{ item.rule_name }}'
    when:
      - item.rule_name in vsys1_rules

L0 Member

I have tried something similar to update the existing security rule by removing IP address 111.1.1.1 if it is present in the source IP address.

Is there anything else we need to change in the script below?

---

- name: Disable existing security rules on the firewall
  hosts: localhost
  connection: local
  gather_facts: False

  vars:
    rmadr: "111.1.1.1"

  tasks:
  - name: Grab the credentials from ansible-vault
    include_vars: 'firewall-secrets.yml'
    no_log: 'yes'

  - name: Get all rules in vsys1 and their config
    panos_security_rule_facts:
      provider: '{{ provider }}'
      all_details: 'yes'
    register: all_rules

  - name: remove address from all security rules
    panos_security_rule:
      provider: '{{ provider }}'
      rule_name: '{{ item.rule_name }}'
      action: '{{ item.action }}'
      application: '{{ item.application | default(omit, true) }}'
      description: '{{ item.description | default(omit, true) }}'
      destination_ip: '{{ item.destination_ip | default(omit, true) }}'
      destination_zone: '{{ item.destination_zone | default(omit, true) }}'
      service: '{{ item.service | default(omit, true) }}'
      # difference() takes a list and needs its closing parenthesis
      source_ip: '{{ item.source_ip | difference([rmadr]) }}'
      source_user: '{{ item.source_user | default(omit, true) }}'
      source_zone: '{{ item.source_zone | default(omit, true) }}'
    # with all_details the full rule dicts are registered under .policy
    # (as in the accepted solution above), not under .rulenames
    loop: '{{ all_rules.policy }}'
    loop_control:
      label: '{{ item.rule_name }}'
    # only rewrite rules that actually reference the address
    when:
      - rmadr in item.source_ip
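The two loops in this thread (the accepted solution's `when: item.rule_name in vsys1_rules` filter and the `difference([rmadr])` rewrite just above) both act on the dicts that panos_security_rule_facts returns, so here is an added dry-run in Python, not code from the thread or from the PAN-OS modules, that plans the same changes offline and surfaces what the playbooks skip silently: listed rule names that do not exist on the firewall, and rules whose source list would end up empty. The facts rows, the rule file contents and field names are assumptions modelled on the playbooks above.

```python
# Added example, not code from the thread: a dry-run over the structure that
# panos_security_rule_facts (all_details: yes) registers as all_rules.policy.
# Assumes rows carry 'rule_name' and 'source_ip' as in the playbooks above;
# all sample data below is constructed.

# Constructed stand-in for all_rules.policy (only the fields the example needs).
SAMPLE_POLICY = [
    {"rule_name": "allow-web", "source_ip": ["10.0.0.0/24", "111.1.1.1"]},
    {"rule_name": "legacy-ftp", "source_ip": ["111.1.1.1"]},
    {"rule_name": "allow-dns", "source_ip": ["any"]},
]

# Constructed contents of ./vars/lab_fw_rules (one rule name per line).
SAMPLE_UNUSED = "legacy-ftp\nold-telnet\n\n"


def load_rule_names(text):
    """Mimic with_lines: one name per line, whitespace trimmed, blanks dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def plan_disable(policy, unused_names):
    """Return (names the 'when' filter will match, names absent from the firewall).

    'when: item.rule_name in vsys1_rules' silently skips names that are not on
    the firewall (typos, rules already deleted), so report them explicitly.
    """
    present = {rule["rule_name"] for rule in policy}
    wanted = set(unused_names)
    return sorted(wanted & present), sorted(wanted - present)


def plan_remove_address(policy, addr):
    """Return per-rule plans for dropping addr from source_ip.

    Same result as 'source_ip | difference([rmadr])', plus two checks the filter
    lacks: rules that do not reference addr are skipped, and a rule whose source
    list would become empty is flagged as unsafe for manual review.
    """
    plans = []
    for rule in policy:
        src = rule.get("source_ip", [])
        if addr not in src:
            continue
        remaining = [ip for ip in src if ip != addr]
        plans.append({"rule_name": rule["rule_name"], "source_ip": remaining,
                      "safe": bool(remaining)})
    return plans
```

Run the two planners against a real `all_rules.policy` dump before the live play, and treat any name in the "missing" list or any plan with `safe: False` as something to resolve by hand rather than letting the loop skip or rewrite it.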
