Forum Discussion

johnramzf5
Apr 03, 2023

ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy

The goal is to create a rule list and add it to a policy at a desired position (top, 2nd, 3rd, etc.). It works, but the last task, "Add rule list to Policy", adds the rule list on the LAST LINE. I cannot find a parameter in this module (bigip_firewall_rule) to set the rule list's position/order within the firewall policy.

Here are the playbook tasks

- name: CREATE FIREWALL RULE LIST
  bigip_firewall_rule_list:
    name: RLIST_1
    state: present
    rules:                 # rule names only; the rules themselves are created in the next task
      - RULE A
      - RULE B
    provider: "{{ provider }}"

- name: CREATE FIREWALL RULES
  bigip_firewall_rule:
    parent_rule_list: RLIST_1          # rules go into the rule list, not directly into the policy
    name: "{{ item.name }}"
    state: present
    protocol: "{{ item.protocol }}"
    source:
      - vlan: EXTERNAL
      - address_list: "{{ item.source_address }}"        # address_list expects the name of an existing address list; use address: for a literal IP
    destination:
      - address_list: "{{ item.destination_address }}"
      - port_range: "{{ item.dest_port }}"
    action: "{{ item.action }}"
    logging: true
    provider: "{{ provider }}"
  with_items:
    - {name: RULE A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
    - {name: RULE B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}

- name: Add rule list to Policy
  bigip_firewall_rule:
    parent_policy: POL-TEST1
    rule_list: RLIST_1                 # references the rule list from the policy; the module appends it at the end
    name: RLIST_1
    provider: "{{ provider }}"

 


  • Hey johnramzf5, I have a few messages out to friends who coded this. As the documentation says, in the bigip_firewall_rule there should be a module to do this (however it doesn't exist), so I am trying to figure out if it was renamed to something else.

    • Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.
    I'm guessing this is what you are trying to do (add to an existing policy in a certain order). The only caveat to this is you might have to know the existing policy rule names to be able to put it in that specific order... I'll try some things out as well, but figured I'd reach out to let you know I'm checking it out.
      • johnramzf5

      Thank you Matt_Mabis for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.

      In the example,

      - the rule list "RLIST_1" was already created in task 1

      - then the content of the rules was added for that rule list

      - then that rule list was added to the policy.

      A rule list needs to be added to the policy in a particular order, not a single rule.

      I also tried to find the module you mentioned, bigip_security_policy, in the Ansible documentation, but I could not find it.

      Thank you, and I am looking forward to hearing from you.

      John

      • Matt_Mabis

        Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.

        I was able to control the location in the policy by using the following code to put it in the list in a specific spot. There were a few caveats:

        1) I had to know the existing order of the policy to place it in a specific location.
        2) Using the bigip_firewall_policy module will ADD and place it in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, the module will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule task.

        I also created some dummy rule lists just to test/validate (Existing-RLISTS).

        Let me know if this helps.

        ---
        - hosts: f5
          connection: local
          name: Test-Firewall
          gather_facts: False

          tasks:
          - name: SetFact
            ansible.builtin.set_fact:
              provider:
                server: "{{ ansible_host }}"
                user: "{{ ansible_user }}"
                password: "{{ ansible_ssh_pass }}"
                server_port: 443
                validate_certs: "no"      # lab only; validate the management certificate in production

          # Rule list container; the rule names listed here are created in the next task.
          - name: CREATE FIREWALL RULE LIST
            f5networks.f5_modules.bigip_firewall_rule_list:
              name: "RLIST-1"
              state: present
              rules:
                - "RULE-A"
                - "RULE-B"
              provider: "{{ provider }}"
            delegate_to: localhost

          # Rules are created inside the rule list (parent_rule_list), not in the policy.
          - name: CREATE FIREWALL RULES
            f5networks.f5_modules.bigip_firewall_rule:
              parent_rule_list: "RLIST-1"
              name: "{{ item.name }}"
              state: present
              protocol: "{{ item.protocol }}"
              source:
                - vlan: Internal
                - address_list: "{{ item.source_address }}"   # address_list expects the name of an existing address list; use address: for a literal IP
              destination:
                - address_list: "{{ item.destination_address }}"
                - port_range: "{{ item.dest_port }}"
              action: "{{ item.action }}"
              logging: true
              provider: "{{ provider }}"
            with_items:
            - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
            - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
            delegate_to: localhost

          # Left commented out on purpose: this task would append RLIST-1 to the end of the
          # policy, and once RLIST-1 already exists in the policy the ordering task below
          # does not reposition it (caveat 2 above).
          # - name: Add rule list to Policy
          #   f5networks.f5_modules.bigip_firewall_rule:
          #     parent_policy: "POL-TEST1"
          #     rule_list: "RLIST-1"
          #     name: "RLIST-1"
          #     provider: "{{ provider }}"
          #   delegate_to: localhost

          # The full, ordered list of the policy's rule lists: the existing ones plus RLIST-1
          # in the third slot. The existing names must be known in advance (caveat 1).
          - name: Order Policy in specific order
            f5networks.f5_modules.bigip_firewall_policy:
              name: "POL-TEST1"
              description: test
              rules:
                - "Existing-RLIST"
                - "Existing-RList-2"
                - "RLIST-1"
                - "Existing-RList-3"
                - "Existing-RList-4"
              provider: "{{ provider }}"
            delegate_to: localhost
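The first caveat above (you must already know the policy's existing order to hand bigip_firewall_policy a complete `rules:` list) is the part that does not scale past a test box. The following is an added example, not code from the thread or from the f5networks collection: it takes the rules sub-collection of a policy as returned by iControl REST (the path `/mgmt/tm/security/firewall/policy/~Common~POL-TEST1/rules` and the trimmed response shape below are assumptions; the sample response is constructed), extracts the current evaluation order, and inserts a rule list at a chosen 1-based position, moving it rather than duplicating it if it is already present. The `policy_task` helper and its output shape are likewise hypothetical; it only builds the task mapping that the ordering task above writes by hand.

```python
"""Build the ordered `rules:` list for f5networks.f5_modules.bigip_firewall_policy.

Added example, not code from the thread. bigip_firewall_rule appends a rule
list at the end of a policy; bigip_firewall_policy re-orders by replacing the
whole `rules:` list, so the caller must first know the current order. This
helper derives that order from an iControl REST listing of the policy's rules
sub-collection and inserts the new rule list at a chosen 1-based position.
"""
import json

# Constructed sample of what
#   GET /mgmt/tm/security/firewall/policy/~Common~POL-TEST1/rules
# is assumed to return, trimmed to the fields used here. "items" is in
# evaluation order; entries that reference a rule list carry a "ruleList" key.
SAMPLE_POLICY_RULES = json.dumps({
    "kind": "tm:security:firewall:policy:rules:rulescollectionstate",
    "items": [
        {"name": "Existing-RLIST", "ruleList": "/Common/Existing-RLIST"},
        {"name": "Existing-RList-2", "ruleList": "/Common/Existing-RList-2"},
        {"name": "Existing-RList-3", "ruleList": "/Common/Existing-RList-3"},
        {"name": "Existing-RList-4", "ruleList": "/Common/Existing-RList-4"},
    ],
})


def current_rule_order(rules_collection_json):
    """Return the policy's rule names in evaluation order from a REST listing."""
    body = json.loads(rules_collection_json)
    return [item["name"] for item in body.get("items", [])]


def insert_rule_list(existing, rule_list, position):
    """Return a new list with `rule_list` placed at 1-based `position`.

    position 1 is the top of the policy. A position past the end appends,
    which is what bigip_firewall_rule does on its own. A rule list that is
    already in the policy is moved, not duplicated: rule names are unique
    within a policy, and bigip_firewall_policy compares the whole list.
    The input list is not modified.
    """
    if position < 1:
        raise ValueError("position is 1-based; use 1 for the top of the policy")
    ordered = [name for name in existing if name != rule_list]
    ordered.insert(min(position - 1, len(ordered)), rule_list)
    return ordered


def policy_task(policy_name, ordered_rules):
    """Return the bigip_firewall_policy task as a dict (hypothetical helper).

    Dump it as YAML or hand it to set_fact; the `provider` key is left to
    the caller so no credentials pass through here.
    """
    return {
        "name": "Order policy %s" % policy_name,
        "f5networks.f5_modules.bigip_firewall_policy": {
            "name": policy_name,
            "rules": list(ordered_rules),
        },
        "delegate_to": "localhost",
    }


if __name__ == "__main__":
    existing = current_rule_order(SAMPLE_POLICY_RULES)
    ordered = insert_rule_list(existing, "RLIST-1", 3)   # third slot, as in the thread
    print(json.dumps(policy_task("POL-TEST1", ordered), indent=2))
```

In a playbook the listing can be fetched with ansible.builtin.uri against the same management path (basic auth with the provider credentials, `return_content: true`) and the resulting `rules` list passed through set_fact into the ordering task; that wiring is left out here because the point is the ordering computation, not the transport.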