Forum Discussion
ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy
- Apr 12, 2023
Hey johnramzf5, I have a few messages out to friends who coded this. As the documentation says in the bigip_firewall_rule module, there should be a module to do this (however, it doesn't exist), so I am trying to figure out if it was renamed to something else.
- Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.
Thank you, Matt_Mabis, for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.
In the example,
- the rule list "RLIST_1" was already created in task 1
- then the content of the rules was added to that rule list
- then that rule list was added to the policy.
A rule list needs to be added to the policy in a particular order, not a single rule.
I also tried to find the module that you mentioned, bigip_security_policy, in the Ansible documentation, but I could not find it.
Thank you and I am looking forward to hearing from you
John
- Matt_Mabis, Apr 12, 2023 (Employee)
Sorry for the delayed response. My contact, I think, is on PTO currently, so I decided to start digging myself.
I was able to control the location of the policy by using the following code to put it in the list in a specific spot. There were a few caveats:
1) I had to know the existing order of the policy to place it in a specific location.
2) Using the bigip_firewall_policy module will ADD and place it in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule.
I also created some dummy rule lists just to test/validate (Existing-RLISTS). Let me know if this helps.

```yaml
---
- hosts: f5
  connection: local
  name: Test-Firewall
  gather_facts: False
  tasks:
    # Connection details for the F5 modules, taken from inventory variables.
    - name: SetFact
      ansible.builtin.set_fact:
        provider:
          server: "{{ ansible_host }}"
          user: "{{ ansible_user }}"
          password: "{{ ansible_ssh_pass }}"
          server_port: 443
          validate_certs: "no"   # disables TLS certificate checks; acceptable in a lab, not in production

    # Create the rule list first; the rule names listed here define the evaluation order inside the list.
    - name: CREATE FIREWALL RULE LIST
      f5networks.f5_modules.bigip_firewall_rule_list:
        name: "RLIST-1"
        state: present
        rules:
          - "RULE-A"
          - "RULE-B"
        provider: "{{ provider }}"
      delegate_to: localhost

    # Populate the rule list with the actual rules.
    # NOTE: address_list expects the name of an AFM address list object; for a literal IP, use the `address` key.
    - name: CREATE FIREWALL RULES
      f5networks.f5_modules.bigip_firewall_rule:
        parent_rule_list: "RLIST-1"
        name: "{{ item.name }}"
        state: present
        protocol: "{{ item.protocol }}"
        source:
          - vlan: Internal
          - address_list: "{{ item.source_address }}"
        destination:
          - address_list: "{{ item.destination_address }}"
          - port_range: "{{ item.dest_port }}"
        action: "{{ item.action }}"
        logging: true
        provider: "{{ provider }}"
      with_items:
        - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
      delegate_to: localhost

    # Left commented out on purpose (see caveat 2): if the rule list is already a member of the
    # policy, the bigip_firewall_policy task below will not place it at the requested position.
    # - name: Add rule list to Policy
    #   f5networks.f5_modules.bigip_firewall_rule:
    #     parent_policy: "POL-TEST1"
    #     rule_list: "RLIST-1"
    #     name: "RLIST-1"
    #     provider: "{{ provider }}"
    #   delegate_to: localhost

    # The full policy order must be given; the new rule list is placed in the third slot.
    - name: Order Policy in specific order
      f5networks.f5_modules.bigip_firewall_policy:
        name: "POL-TEST1"
        description: test
        rules:
          - "Existing-RLIST"
          - "Existing-RList-2"
          - "RLIST-1"
          - "Existing-RList-3"
          - "Existing-RList-4"
        provider: "{{ provider }}"
      delegate_to: localhost
```
- johnramzf5, Apr 13, 2023 (Altocumulus)
Thank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added BUT the rule list was empty. So I added the code that you commented out AT THE END of the playbook, and that did it:

```yaml
    # Appended as the last task of the playbook above, after the policy order has been set.
    # Binds the rule list RLIST-1 to the policy entry of the same name, so the entry is no longer empty.
    - name: Add rule list to Policy
      f5networks.f5_modules.bigip_firewall_rule:
        parent_policy: "POL-TEST1"
        rule_list: "RLIST-1"
        name: "RLIST-1"
        provider: "{{ provider }}"
      delegate_to: localhost
```
Now the rule list WITH RULES is there and in the desired order.
- Matt_Mabis, Apr 15, 2023 (Employee)
Nice!!!
Glad all is working for ya!
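The procedure the thread settles on (create the rule list and its rules, set the policy's complete rule order with bigip_firewall_policy, then bind the rule list to its policy entry with bigip_firewall_rule) still leaves Matt's first caveat in place: the operator has to know and retype the whole existing order, and the placement silently does nothing if the rule list is already in the policy. The playbook below is an added example, not code from either participant or from F5. It reads the current order from the BIG-IP first, inserts the rule list at a chosen slot, removes a stale entry so the placement is honoured on re-runs, and verifies the result afterwards. It assumes the iControl REST collection /mgmt/tm/security/firewall/policy/~Common~<policy>/rules returns the policy's entries as `items` in evaluation order, each with a `name` field, and that the same inventory variables as in the thread (ansible_host, ansible_user, ansible_ssh_pass) are defined; the policy and rule list names and the target position are placeholders.

```yaml
---
# Added example (not from the thread or from F5): place rule list RLIST-1 at a chosen
# position in policy POL-TEST1 without hand-maintaining the full order.
# ASSUMPTION: the REST collection below returns "items" in evaluation order with a "name" key.
- hosts: f5
  connection: local
  name: Place-Rule-List
  gather_facts: false
  vars:
    policy_name: POL-TEST1        # placeholder
    rule_list_name: RLIST-1       # placeholder
    target_position: 2            # 0-based slot; 2 = third entry, as in the thread's example
    rules_url: "https://{{ ansible_host }}/mgmt/tm/security/firewall/policy/~Common~{{ policy_name }}/rules"
    provider:
      server: "{{ ansible_host }}"
      user: "{{ ansible_user }}"
      password: "{{ ansible_ssh_pass }}"
      server_port: 443
      validate_certs: true        # the thread's lab playbook used "no"; keep TLS checks on outside a lab
  tasks:
    - name: Read the policy's current entry order from iControl REST
      ansible.builtin.uri:
        url: "{{ rules_url }}"
        method: GET
        user: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        force_basic_auth: true
        validate_certs: true
        return_content: true
      register: policy_rules
      delegate_to: localhost

    - name: Extract the ordered entry names (empty policy gives an empty list)
      ansible.builtin.set_fact:
        current_order: "{{ policy_rules.json['items'] | default([]) | map(attribute='name') | list }}"

    - name: Drop any existing entry for the rule list so the insert is position-stable on re-runs
      ansible.builtin.set_fact:
        pruned_order: "{{ current_order | reject('equalto', rule_list_name) | list }}"

    - name: Insert the rule list at target_position (clamped to the end if the policy is shorter)
      ansible.builtin.set_fact:
        new_order: "{{ pruned_order[:target_position] + [rule_list_name] + pruned_order[target_position:] }}"

    # Caveat 2 from the thread: bigip_firewall_policy only places an entry that is not already
    # a member. Remove the stale entry first so the reorder below is honoured.
    - name: Remove the rule list's existing policy entry, if present
      f5networks.f5_modules.bigip_firewall_rule:
        parent_policy: "{{ policy_name }}"
        name: "{{ rule_list_name }}"
        state: absent
        provider: "{{ provider }}"
      when: rule_list_name in current_order
      delegate_to: localhost

    - name: Apply the computed order to the policy
      f5networks.f5_modules.bigip_firewall_policy:
        name: "{{ policy_name }}"
        rules: "{{ new_order }}"
        provider: "{{ provider }}"
      delegate_to: localhost

    # The step John found necessary: the policy entry is empty until bound to the rule list.
    - name: Bind the rule list to its policy entry
      f5networks.f5_modules.bigip_firewall_rule:
        parent_policy: "{{ policy_name }}"
        rule_list: "{{ rule_list_name }}"
        name: "{{ rule_list_name }}"
        provider: "{{ provider }}"
      delegate_to: localhost

    - name: Re-read the policy to verify placement
      ansible.builtin.uri:
        url: "{{ rules_url }}"
        method: GET
        user: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        force_basic_auth: true
        validate_certs: true
        return_content: true
      register: policy_rules_after
      delegate_to: localhost

    - name: Fail the run if the rule list is not at the requested position
      ansible.builtin.assert:
        that:
          - (policy_rules_after.json['items'] | map(attribute='name') | list)[target_position] == rule_list_name
        fail_msg: "{{ rule_list_name }} is not at position {{ target_position }} in {{ policy_name }}"
```

The assert at the end is what turns the thread's manual "check the GUI" step into something a pipeline can gate on; if the policy's evaluation order changed underneath the playbook between the read and the write, the verification fails rather than leaving a misplaced rule list silently in production.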