---
# fw_objects.yml - Create various objects on a PAN-OS device.
#
# Description
# ===========
#
# Demonstrates how to create tags, address objects, address groups, service objects, and service groups using the
# appropriate PAN-OS Ansible modules. These tasks use the Ansible 'with_items' keyword for looping
# (https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html#iterating-over-a-list-of-hashes).
#
# This playbook requires connection details for the device to be specified in the variables 'ip_address', 'username',
# and 'password'. These may be defined as host variables (see `host_vars/firewall.yml` for an example) or
# extra vars.
#
# Modules Used
# ============
#
# panos_tag_object - https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_tag_object.html
# panos_address_object - https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_address_object.html
# panos_address_group - https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_address_group.html
# panos_service_object - https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_service_object.html
# panos_service_group - https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_service_group.html
#
# Usage
# =====
#
# $ ansible-playbook -i inventory fw_objects.yml --extra-vars @device.yml
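- hosts: '{{ target | default("firewall") }}'
  # Tasks run on the control node; the panos modules reach the device
  # themselves using the 'provider' details below, so no SSH session to
  # the inventory host is opened.
  connection: local

  vars:
    # Device connection details. Supply either username/password or
    # api_key; values that are not set are dropped from the provider
    # dict by default(omit). Keep these in an Ansible Vault-encrypted
    # vars file or an uncommitted extra-vars file rather than in the
    # playbook, so credentials never land in the repository in cleartext.
    device:
      ip_address: '{{ ip_address }}'
      username: '{{ username | default(omit) }}'
      password: '{{ password | default(omit) }}'
      api_key: '{{ api_key | default(omit) }}'

  # Every task sets commit: false, so the objects are only written to the
  # candidate configuration; a separate commit is needed before they take
  # effect on the device.
  tasks:
    - name: Create tag objects
      paloaltonetworks.panos.panos_tag_object:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        color: '{{ item.color }}'
        commit: false
      with_items:
        - {name: 'Prod', color: 'red'}
        - {name: 'SI', color: 'blue gray'}
        - {name: 'Dev', color: 'green'}

    - name: Create address objects
      paloaltonetworks.panos.panos_address_object:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        value: '{{ item.value }}'
        description: '{{ item.description | default(omit) }}'
        # 'tag' is a list of tag names; items without one get an empty list.
        tag: '{{ item.tag | default([]) }}'
        commit: false
      with_items:
        - {name: 'Test-1.1.1.1', value: '1.1.1.1', description: 'Description One', tag: ['Prod']}
        - {name: 'Test-2.2.2.2', value: '2.2.2.2', description: 'Description Two', tag: ['Prod']}
        - {name: 'Test-3.3.3.3', value: '3.3.3.3', description: 'Description Three', tag: ['Prod']}
        - {name: 'Test-4.4.4.4', value: '4.4.4.4', description: 'Description Four', tag: ['SI']}
        - {name: 'Test-5.5.5.5', value: '5.5.5.5', description: 'Description Five', tag: ['SI']}

    - name: Create address ranges
      paloaltonetworks.panos.panos_address_object:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        # value is a 'start-end' pair because address_type is ip-range.
        value: '{{ item.value }}'
        description: '{{ item.description | default(omit) }}'
        address_type: 'ip-range'
        commit: false
      with_items:
        - {name: 'Test-Range-1', value: '1.1.1.1-2.2.2.2', description: 'Test Range 1'}
        - {name: 'Test-Range-2', value: '2.2.2.2-3.3.3.3', description: 'Test Range 2'}
        - {name: 'Test-Range-3', value: '3.3.3.3-4.4.4.4', description: 'Test Range 3'}

    - name: Create address groups
      paloaltonetworks.panos.panos_address_group:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        # static_value lists address object names created by the task above.
        static_value: '{{ item.static_value }}'
        tag: '{{ item.tag | default([]) }}'
        commit: false
      with_items:
        - {name: 'Prod-Instances', static_value: ['Test-1.1.1.1', 'Test-2.2.2.2', 'Test-3.3.3.3'], tag: ['Prod']}
        - {name: 'SI-Instances', static_value: ['Test-4.4.4.4', 'Test-5.5.5.5'], tag: ['SI']}

    - name: Create service objects
      paloaltonetworks.panos.panos_service_object:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        # Quoted so the port is passed as a string, not a YAML integer.
        destination_port: '{{ item.destination_port }}'
        description: '{{ item.description | default(omit) }}'
        # Same list default as the address tasks (was {} — a mapping, not a list).
        tag: '{{ item.tag | default([]) }}'
        commit: false
      with_items:
        - {name: 'ssh-tcp-22', destination_port: '22', description: 'SSH on tcp/22', tag: ['Prod']}
        - {name: 'mysql-tcp-3306', destination_port: '3306', description: 'MySQL on tcp/3306', tag: ['Prod']}

    - name: Create service group objects
      paloaltonetworks.panos.panos_service_group:
        provider: '{{ device }}'
        name: '{{ item.name }}'
        # value lists service object names created by the task above.
        value: '{{ item.value }}'
        tag: '{{ item.tag | default([]) }}'
        commit: false
      with_items:
        - {name: 'Prod-Services', value: ['ssh-tcp-22', 'mysql-tcp-3306'], tag: ['Prod']}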