firewall_rule_facts - Facts about firewall rules based on specified policy
New in version 2.5.
Synopsis
- Retrieve rule-specific information for the policy named when the facts module runs. Specifying the policy is a required field. In addition, you can expand fields such as source, destination and services from href to their native element type and name by listing those fields in the expand list. Other search capabilities include finding a rule by partial match and retrieving rules within a specific position range.
Requirements (on host that executes module)
- smc-python >= 0.6.0
Options
| parameter | required | default | choices | comments |
|---|---|---|---|---|
| as_yaml | no | | | Set this boolean to true if the output should be exported in yaml format. By default the output format is a dict, but using this field allows you to also use the provided jinja templates to format the result as yaml and reuse it for playbook runs. |
| case_sensitive | no | True | | Whether to do a case-sensitive match on the filter specified. |
| exact_match | no | | | Whether to do an exact match on the filter specified. |
| expand | no | | | Fields which should be expanded from href into their native elements. Expanded fields are returned as a dict of lists, with the key being the element type and the list being the name values for that element type. |
| filter | yes | | | The name of the FW Policy for which to retrieve rules. |
| limit | no | 10 | | Limit the number of results. Set to 0 to remove the limit. |
| rule_range | no | | | Provide a rule range to retrieve. Firewall rules are displayed based on the range provided, in top-down order. |
| search | no | | | Provide a search string to match against a rule's name or comment field. Mutually exclusive with rule_range. |
| smc_address | no | | | FQDN with port of SMC. The default value is the environment variable. |
| smc_alt_filepath | no | | | Provide an alternate path from which to read the credentials. The file is expected to be stored in ~/.smcrc. If provided, url and api_key settings are not required and will be ignored. |
| smc_api_key | no | | | API key for the api client. The default value is the environment variable. |
| smc_api_version | no | | | Optional API version to connect to. If none is provided, the latest SMC API version will be used based on the Management Center version. Can be set through the environment variable. |
| smc_domain | no | | | Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable. |
| smc_extra_args | no | | | Extra arguments to pass to the login constructor. These are generally only used if specifically requested by support personnel. |
| smc_logging | no | | | Optionally enable SMC API logging to a file. |
| smc_timeout | no | | | Optional timeout for connections to the SMC. Can be set through the environment. |
Examples

```yaml
- name: Facts about all engines within SMC
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Show rules for policy 'TestPolicy' (only shows name, type)
      firewall_rule_facts:
        filter: TestPolicy

    - name: Search for specific rule/s using search value (partial searching supported)
      firewall_rule_facts:
        filter: TestPolicy
        search: rulet

    - name: Dump the results in yaml format, showing details of rule
      firewall_rule_facts:
        filter: TestPolicy
        search: rulet
        as_yaml: true

    - name: Resolve the source, destination and services fields
      firewall_rule_facts:
        filter: TestPolicy
        search: rulet
        as_yaml: true
        expand:
          - sources
          - destinations
          - services

    - name: Get specific rules based on range order (rules 1-10)
      firewall_rule_facts:
        filter: TestPolicy
        rule_range: 1-3
        as_yaml: true

    - name: Get firewall rule as yaml
      register: results
      firewall_rule_facts:
        smc_logging:
          level: 10
          path: ansible-smc.log
        filter: TestPolicy
        search: rulet
        #rule_range: 1-3
        as_yaml: true
        expand:
          - services
          - destinations
          - sources

    - name: Write the yaml using a jinja template
      template: src=templates/facts_yaml.j2 dest=./firewall_rules_test.yml
      vars:
        playbook: firewall_rule
```
Return Values
Common return values are documented in Return Values; the following are the fields unique to this module:
| name | description | returned | type | sample |
|---|---|---|---|---|
| firewall_rule | Obtain metadata through a simple rule search | always | list | [{'comment': None, 'policy': 'TestPolicy', 'inspection_policy': 'High-Security Inspection Template', 'rules': [{'type': 'fw_ipv4_access_rule', 'name': 'Rule @2097166.2', 'pos': 1}, {'type': 'fw_ipv4_access_rule', 'name': 'ruletest', 'pos': 2}, {'type': 'fw_ipv4_access_rule', 'name': 'Rule @2097168.0', 'pos': 3}, {'type': 'fw_ipv4_access_rule', 'name': 'nested', 'pos': 4}], 'template': 'Firewall Inspection Template'}] |
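As an added example (not part of this module or of smc-python), the following Python reproduces the search, rule_range, exact_match, case_sensitive and limit semantics from the option table over a constructed copy of the firewall_rule return structure, so a registered result can be re-filtered in an audit script without another SMC round trip. The per-rule comment values and the helper names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the module's 'firewall_rule' return value
# above; the per-rule 'comment' values are added here for the search demo.
SAMPLE_FACTS: List[Dict] = [{
    "policy": "TestPolicy", "comment": None,
    "inspection_policy": "High-Security Inspection Template",
    "template": "Firewall Inspection Template",
    "rules": [
        {"type": "fw_ipv4_access_rule", "name": "Rule @2097166.2", "pos": 1, "comment": None},
        {"type": "fw_ipv4_access_rule", "name": "ruletest", "pos": 2, "comment": "allow lab traffic"},
        {"type": "fw_ipv4_access_rule", "name": "Rule @2097168.0", "pos": 3, "comment": None},
        {"type": "fw_ipv4_access_rule", "name": "nested", "pos": 4, "comment": "RULETEST jump"},
    ],
}]

def parse_rule_range(rule_range: str) -> Tuple[int, int]:
    """Parse 'start-end' (e.g. '1-3') into inclusive 1-based position bounds."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", rule_range)
    if not m or int(m.group(1)) < 1 or int(m.group(2)) < int(m.group(1)):
        raise ValueError(f"invalid rule_range: {rule_range!r}")
    return int(m.group(1)), int(m.group(2))

def _matches(value: Optional[str], search: str, exact: bool, case_sensitive: bool) -> bool:
    """Compare one rule field against the search string under the option flags."""
    if value is None:
        return False
    if not case_sensitive:
        value, search = value.lower(), search.lower()
    return value == search if exact else search in value

def select_rules(facts: List[Dict], search: Optional[str] = None,
                 rule_range: Optional[str] = None, exact_match: bool = False,
                 case_sensitive: bool = True, limit: int = 10) -> List[Dict]:
    """Apply search / rule_range / limit to rules as the option table describes."""
    if search is not None and rule_range is not None:
        raise ValueError("search and rule_range are mutually exclusive")
    bounds = parse_rule_range(rule_range) if rule_range is not None else None
    selected = []
    for policy in facts:
        for rule in policy["rules"]:  # rules are already in top-down 'pos' order
            if bounds and not bounds[0] <= rule["pos"] <= bounds[1]:
                continue
            if search is not None and not any(
                _matches(rule.get(f), search, exact_match, case_sensitive)
                for f in ("name", "comment")):
                continue
            selected.append(rule)
    return selected if limit == 0 else selected[:limit]  # limit 0 = no limit
```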
Notes
- If a filter is not used in the query, all results for the element type specified are returned. The return data in this case only contains the metadata for each element, which is its name and type. To get detailed information about an element, use a filter. When using filters on network or service elements, the filter value searches the element fields; for example, you could use a filter of '1.1.1.1' when searching for hosts, and all hosts with this IP will be returned. The same applies to services: if you are unsure of the service name but know the port you require, you can filter by port.