policy_vpn - Create, modify or delete Policy VPNs

New in version 2.5.

Synopsis

  • Manage a policy VPN. This module can fully create a VPN, and can add or modify central / satellite gateways as well as tags. Only satellite gateways, central gateways and tags can be removed individually (by passing them together with state: absent); all other options provided in the constructor can be added or modified but not removed.

Options

parameter required default choices comments
apply_nat
no

Whether to apply NAT to this VPN. Doing so may require that matching NAT rules be in place.

central_gw
no
Central gateways to add to the policy VPN. Can be SMC managed internal hosts or external gateways.
Dictionary object central_gw
parameter required default choices comments
preshared_key
no
Set a preshared key. This is only required if the gateway is an external_gateway
type
yes
  • internal_gateway
  • external_gateway
Type of element, either external gateway or internal SMC managed engine.
name
yes
Name of the central gateway to add
gateway_tunnel
no
Used when modifying a specific gateway tunnel configuration, for example to change its preshared key or to disable the tunnel. Retrieve tunnel_side_a and tunnel_side_b with policy_vpn_facts.
Dictionary object gateway_tunnel
parameter required default choices comments
preshared_key
no
Reset the preshared key for this tunnel
enabled
no
  • yes
  • no
Enable or disable this tunnel
tunnel_side_a
yes
The A side of the tunnel. Use policy_vpn_facts to retrieve this value.
tunnel_side_b
yes
The B side of the tunnel. Use policy_vpn_facts to retrieve this value.
name
yes

The name of the policy VPN

satellite_gw
no
Satellite gateways to add to the policy VPN. Can be SMC managed internal hosts or external gateways.
Dictionary object satellite_gw
parameter required default choices comments
preshared_key
no
Set a preshared key. This is only required if the gateway is an external_gateway
type
yes
  • internal_gateway
  • external_gateway
Type of element, either external gateway or internal SMC managed engine.
name
yes
Name of the satellite gateway to add
smc_address
no

FQDN with port of the SMC. The default value is the environment variable SMC_ADDRESS.

smc_alt_filepath
no

Provide an alternate path to read the credentials from. By default the file is expected at ~/.smcrc. If provided, the smc_address and smc_api_key settings are not required and will be ignored.

smc_api_key
no

API key for the API client. The default value is the environment variable SMC_API_KEY. Required if smc_address is used rather than a credentials file.

smc_api_version
no

Optional API version to connect to. If none is provided, the latest API version supported by the Management Center version will be used. Can be set through the environment variable SMC_API_VERSION.

smc_domain
no

Optional domain to log in to. If no domain is provided, 'Shared Domain' is used. Can be set through the environment variable SMC_DOMAIN.

smc_extra_args
no
Extra arguments to pass to login constructor. These are generally only used if specifically requested by support personnel.
Dictionary object smc_extra_args
parameter required default choices comments
verify
no True
  • yes
  • no
If the connection to the SMC is HTTPS, set this to True to verify the SMC certificate against the system CA store, or provide the path to a CA certificate (bundle) that signed the SMC certificate. Setting this to False disables certificate verification, which exposes the API key and all traffic to interception; only do so in isolated lab environments.
smc_logging
no
Optionally enable SMC API logging to a file
Dictionary object smc_logging
parameter required default choices comments
path
yes
Full path to the log file
level
no
Log level as specified by the standard python logging library, in int format. Default setting is logging.DEBUG.
smc_timeout
no

Optional timeout for connections to the SMC. Can be set through the environment variable SMC_TIMEOUT.

state
no present
  • present
  • absent

Create or delete the policy VPN. When central_gw, satellite_gw or tags are given together with state: absent, only those elements are removed from the VPN; with no such elements the entire policy VPN is deleted.

tags
no

Optional tags to add to this policy VPN.

vpn_profile
no VPN-A Suite

Optional VPN profile to use for this policy VPN


Examples

- name: Add gateways to a policy VPN (VPN is created if it doesn't exist)
  policy_vpn:
    name: mynewvpn
    central_gw:
      - name: myfirewall
        type: internal_gateway
    satellite_gw:
      - name: newextgw
        type: external_gateway
    tags:
      - footag

# Retrieve tunnel_side_a and tunnel_side_b values by calling policy_vpn_facts
- name: Change a preshared key for existing tunnel and enable the tunnel
  policy_vpn:
    name: mynewvpn
    gateway_tunnel:
      - tunnel_side_a: anothergw
        tunnel_side_b: fw33 - Primary
        preshared_key: abc123
        enabled: yes

- name: Delete a single satellite gateway from this VPN
  policy_vpn:
    name: mynewvpn
    satellite_gw:
      - name: newextgw
        type: external_gateway
    state: absent

- name: Delete tags from a policy VPN
  policy_vpn:
    name: mynewvpn
    tags:
      - footag
    state: absent

- name: Delete the entire policy VPN
  policy_vpn:
    name: mynewvpn
    state: absent
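The examples above pass the preshared key in clear text and rely on environment variables for the SMC connection. The playbook below is an added example, not part of the module documentation, showing how a practitioner would wire the same create-VPN task to an explicit, certificate-verified SMC connection and keep the API key and preshared key out of task output. The host name, CA bundle path, vault file name and the variable names (smc_api_key_vault, extgw_psk_vault) are assumptions for illustration only.

```yaml
# Added example (not from the module documentation). Assumed: the SMC address,
# the CA bundle path, the vault file and the vaulted variable names.
- name: Create a policy VPN with a vaulted preshared key and verified TLS to the SMC
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Assumed address; smc_address expects the FQDN with port of the SMC.
    smc_url: "https://smc.example.internal:8082"
  vars_files:
    # Assumed ansible-vault encrypted file defining:
    #   smc_api_key_vault: "<SMC API key>"
    #   extgw_psk_vault:   "<long, random preshared key shared with newextgw>"
    - vault.yml
  tasks:
    - name: Create the VPN and add gateways (created if it does not exist)
      policy_vpn:
        name: mynewvpn
        vpn_profile: VPN-A Suite
        apply_nat: no
        central_gw:
          - name: myfirewall
            type: internal_gateway
        satellite_gw:
          - name: newextgw
            type: external_gateway
            # External gateways need a preshared key; take it from the vault,
            # never from a literal in the playbook.
            preshared_key: "{{ extgw_psk_vault }}"
        tags:
          - footag
        smc_address: "{{ smc_url }}"
        smc_api_key: "{{ smc_api_key_vault }}"
        smc_extra_args:
          # Assumed path to the CA that signed the SMC certificate. Do not use
          # verify: False outside an isolated lab; it disables TLS verification.
          verify: /etc/pki/tls/certs/smc-ca.pem
      # Suppress the module arguments and result in output and logs so that
      # neither the API key nor the preshared key is recorded.
      no_log: true
      register: vpn_result

    - name: Report the outcome without echoing secrets
      debug:
        msg: "Policy VPN mynewvpn changed: {{ vpn_result.changed }}"
```

The same pattern applies to the gateway_tunnel example: source the new preshared_key from a vaulted variable and set no_log: true on that task, since a rotated tunnel key is otherwise written to the Ansible log in clear text.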

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

name description returned type sample
state


Author

  • David LePage (@gabstopper)

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.