Forum Discussion
ANSIBLE: Configuration of a firewall rule list to be added at a desired position in the firewall policy
The goal is to create a rule list and add it to a policy at a desired position (top, 2nd, 3rd, etc.). It works, but in the last task, "Add rule list to Policy", it adds the rule list in the LAST position. I cannot find a parameter in this module (bigip_firewall_rule) to set the rule list's position/order within the firewall policy.
Here are the playbook tasks:
    - name: CREATE FIREWALL RULE LIST
      bigip_firewall_rule_list:
        name: RLIST_1
        state: present
        rules:
          - RULE A
          - RULE B
        provider: "{{ provider }}"

    - name: CREATE FIREWALL RULES
      bigip_firewall_rule:
        parent_rule_list: RLIST_1
        name: "{{ item.name }}"
        state: present
        protocol: "{{ item.protocol }}"
        source:
          - vlan: EXTERNAL
          - address_list: "{{ item.source_address }}"
        destination:
          - address_list: "{{ item.destination_address }}"
          - port_range: "{{ item.dest_port }}"
        action: "{{ item.action }}"
        logging: true
        provider: "{{ provider }}"
      with_items:
        - {name: RULE A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}

    # This task appends the rule list at the end of the policy; no position parameter is available here.
    - name: Add rule list to Policy
      bigip_firewall_rule:
        parent_policy: POL-TEST1
        rule_list: RLIST_1
        name: RLIST_1
        provider: "{{ provider }}"
- Matt_Mabis (Employee)
Hey johnramzf5, I have a few messages out to friends who coded this. As the documentation for bigip_firewall_rule says, there should be a module to do this (however it doesn't exist), so I am trying to figure out if it was renamed to something else.
- "Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module."
I'm guessing this is what you are trying to do (add to an existing policy in a certain order). The only caveat to this is you might have to know the existing policy rule names to be able to put it in that specific order... I'll try some things out as well, but figured I'd reach out to let you know I'm checking it out.
- johnramzf5 (Altocumulus)
Thank you Matt_Mabis for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.
In the example,
- the rule list "RLIST_1" was already created in task 1,
- then the rules for that rule list were added,
- then that rule list was added to the policy.
A rule list needs to be added to the policy in a particular order, not a single rule.
I also tried to find the module you mentioned, bigip_security_policy, in the Ansible documentation, but I could not find it.
Thank you, and I am looking forward to hearing from you.
John
- Matt_Mabis (Employee)
Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.
I was able to control the location in the policy by using the following code to put it in a specific spot. There were a few caveats:
1) I had to know the existing order of the policy to place it in a specific location.
2) Using the bigip_firewall_policy module will ADD and place in a specific location; however, this only works if the rule_list is being added (it cannot exist in the policy at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule task.
I also created some dummy rule lists just to test/validate (Existing-RLISTs). Let me know if this helps.
---
- hosts: f5
  connection: local
  name: Test-Firewall
  gather_facts: False
  tasks:
    - name: SetFact
      ansible.builtin.set_fact:
        provider:
          server: "{{ ansible_host }}"
          user: "{{ ansible_user }}"
          password: "{{ ansible_ssh_pass }}"
          server_port: 443
          # Disables TLS certificate checking of the BIG-IP management endpoint;
          # acceptable in a lab, not against production devices.
          validate_certs: "no"

    - name: CREATE FIREWALL RULE LIST
      f5networks.f5_modules.bigip_firewall_rule_list:
        name: "RLIST-1"
        state: present
        rules:
          - "RULE-A"
          - "RULE-B"
        provider: "{{ provider }}"
      delegate_to: localhost

    - name: CREATE FIREWALL RULES
      f5networks.f5_modules.bigip_firewall_rule:
        parent_rule_list: "RLIST-1"
        name: "{{ item.name }}"
        state: present
        protocol: "{{ item.protocol }}"
        source:
          - vlan: Internal
          - address_list: "{{ item.source_address }}"
        destination:
          - address_list: "{{ item.destination_address }}"
          - port_range: "{{ item.dest_port }}"
        action: "{{ item.action }}"
        logging: true
        provider: "{{ provider }}"
      with_items:
        - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
      delegate_to: localhost

    # Commented out on purpose: if the rule list is already attached to the
    # policy, the ordering task below does not place it.
    # - name: Add rule list to Policy
    #   f5networks.f5_modules.bigip_firewall_rule:
    #     parent_policy: "POL-TEST1"
    #     rule_list: "RLIST-1"
    #     name: "RLIST-1"
    #     provider: "{{ provider }}"
    #   delegate_to: localhost

    # The full, ordered list of rule lists; RLIST-1 lands in the third slot.
    - name: Order Policy in specific order
      f5networks.f5_modules.bigip_firewall_policy:
        name: "POL-TEST1"
        description: test
        rules:
          - "Existing-RLIST"
          - "Existing-RList-2"
          - "RLIST-1"
          - "Existing-RList-3"
          - "Existing-RList-4"
        provider: "{{ provider }}"
      delegate_to: localhost
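As an added example, not code from this thread or from the f5networks.f5_modules collection: a small Ansible filter plugin that builds the complete rules: order for bigip_firewall_policy from the policy's existing order and the position you want. It covers the two caveats above: you still have to supply the existing order (obtaining it from the BIG-IP is left to the playbook), but the splice is done for you, and if the rule list is already in the policy it is moved to the requested slot instead of being duplicated, so the task stays idempotent on re-runs. A second filter reports what would be added, removed or moved so a forgotten name can be caught before the change is pushed. The file name filter_plugins/afm_order.py, the filter names place_rule_list and policy_order_diff, and the sample rule-list names are assumptions.

```python
"""afm_order.py -- Ansible filter plugin (added example; not part of the thread
or of the f5networks.f5_modules collection).

bigip_firewall_policy takes the complete, ordered list of rule lists under
``rules:``, and the thread's working playbook retypes the existing order with
RLIST-1 in the right slot.  This filter does the splice and stays idempotent:
if the rule list is already in the policy it is moved to the requested
position instead of being duplicated.

Assumed layout: save as filter_plugins/afm_order.py beside the playbook, then
in the play (existing_order being a list you gathered from the device):

    - name: Order Policy in specific order
      f5networks.f5_modules.bigip_firewall_policy:
        name: "POL-TEST1"
        rules: "{{ existing_order | place_rule_list('RLIST-1', 3) }}"
        provider: "{{ provider }}"
      delegate_to: localhost
"""
from typing import Dict, List, Sequence


def place_rule_list(existing: Sequence[str], rule_list: str, position: int = 1) -> List[str]:
    """Return a new order with ``rule_list`` at 1-based ``position``.

    Position 1 is the top of the policy (evaluated first); a position past the
    end appends.  Names are compared verbatim, so pass them exactly as the
    module will see them (keep or drop the /Common/ prefix consistently).
    """
    if position < 1:
        raise ValueError("position is 1-based, got %r" % (position,))
    if not rule_list:
        raise ValueError("rule_list must be a non-empty name")
    # Drop any existing occurrence so a re-run moves rather than duplicates.
    order = [name for name in existing if name != rule_list]
    order.insert(min(position - 1, len(order)), rule_list)
    return order


def policy_order_diff(existing: Sequence[str], desired: Sequence[str]) -> Dict[str, object]:
    """Describe what handing ``desired`` to the module would change.

    The module is handed the whole order, as in the thread's working task;
    ``removed`` flags any existing rule list that would be left out of it, so a
    forgotten name can be caught (in a debug or assert task) before the push.
    """
    existing = list(existing)
    desired = list(desired)
    added = [n for n in desired if n not in existing]
    removed = [n for n in existing if n not in desired]
    # Relative order of the names present on both sides.
    keep_old = [n for n in existing if n in desired]
    keep_new = [n for n in desired if n in existing]
    moved = [n for n in keep_new if keep_old.index(n) != keep_new.index(n)]
    return {
        "added": added,
        "removed": removed,
        "moved": moved,
        "changed": existing != desired,
    }


class FilterModule(object):
    """Entry point Ansible looks for in a filter plugin."""

    def filters(self):
        return {
            "place_rule_list": place_rule_list,
            "policy_order_diff": policy_order_diff,
        }


if __name__ == "__main__":
    # Constructed sample: the dummy rule lists from the thread's playbook,
    # with RLIST-1 to be placed third, as in the working task above.
    current = ["Existing-RLIST", "Existing-RList-2", "Existing-RList-3", "Existing-RList-4"]
    wanted = place_rule_list(current, "RLIST-1", 3)
    print(wanted)
    print(policy_order_diff(current, wanted))
```

Run the file directly to see the order the thread's task hard-codes reproduced from the four existing names plus a position; in a play, feed the filter's output to rules: and, if you want a guard, assert that policy_order_diff reports an empty removed list before the bigip_firewall_policy task runs.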
- Leslie_Hubertus (Ret. Employee)
Ansible you say? Matt_Mabis may be able to help here.
- johnramzf5 (Altocumulus)
Thank you Leslie, I hope Matt_Mabis gets a chance to look into it.