Forum Discussion
ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy
- Apr 12, 2023
Thank you, Matt_Mabis, for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.
In the example,
- the rule list "RLIST_1" was already created in task 1
- then the content of the rules was added for that rule list
- then that rule list was added to the policy.
A rule list needs to be added to the policy in a particular order, not a single rule.
I also tried to find the module that you mentioned, bigip_security_policy, in the Ansible documentation, but I could not find it.
Thank you, and I am looking forward to hearing from you.
John
Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.
I was able to control the location of the policy by using the following code to put it in the list in a specific spot. There were a few caveats:
1) I had to know the existing order of the policy to place it in a specific location.
2) Using the bigip_firewall_policy module will ADD and place in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule.
I also created some dummy rule_lists just to test/validate (Existing-RLISTS).
Let me know if this helps.
```yaml
---
- hosts: f5
  connection: local
  name: Test-Firewall
  gather_facts: False
  tasks:
    - name: SetFact
      ansible.builtin.set_fact:
        provider:
          server: "{{ ansible_host }}"
          user: "{{ ansible_user }}"
          password: "{{ ansible_ssh_pass }}"
          server_port: 443
          validate_certs: "no"

    - name: CREATE FIREWALL RULE LIST
      f5networks.f5_modules.bigip_firewall_rule_list:
        name: "RLIST-1"
        state: present
        rules:
          - "RULE-A"
          - "RULE-B"
        provider: "{{ provider }}"
      delegate_to: localhost

    - name: CREATE FIREWALL RULES
      f5networks.f5_modules.bigip_firewall_rule:
        parent_rule_list: "RLIST-1"
        name: "{{ item.name }}"
        state: present
        protocol: "{{ item.protocol }}"
        source:
          - vlan: Internal
          - address_list: "{{ item.source_address }}"
        destination:
          - address_list: "{{ item.destination_address }}"
          - port_range: "{{ item.dest_port }}"
        action: "{{ item.action }}"
        logging: true
        provider: "{{ provider }}"
      with_items:
        - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
      delegate_to: localhost

    # - name: Add rule list to Policy
    #   f5networks.f5_modules.bigip_firewall_rule:
    #     parent_policy: "POL-TEST1"
    #     rule_list: "RLIST-1"
    #     name: "RLIST-1"
    #     provider: "{{ provider }}"
    #   delegate_to: localhost

    - name: Order Policy in specific order
      f5networks.f5_modules.bigip_firewall_policy:
        name: "POL-TEST1"
        description: test
        rules:
          - "Existing-RLIST"
          - "Existing-RList-2"
          - "RLIST-1"
          - "Existing-RList-3"
          - "Existing-RList-4"
        provider: "{{ provider }}"
      delegate_to: localhost
```
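The ordering caveat above matters because AFM evaluates a policy top-down: a rule list dropped into the wrong slot can be shadowed by an earlier accept-decisively or drop, or can itself shadow the deny rules below it. The following Python helper is an added example, not code from the thread or from the f5networks.f5_modules collection; it assumes the policy's current rule-list order has already been read (bigip_device_info is mentioned only as one way to do that), computes the ordered `rules:` list for bigip_firewall_policy, and flags the case the post describes where the rule list already exists and the module will not move it.

```python
"""Plan where a new rule list lands in a BIG-IP AFM policy.

Added example for this thread, not code from the original posts or from the
f5networks.f5_modules collection. It assumes the policy's current rule-list
order has already been read (e.g. from bigip_device_info or a saved inventory
variable) and returns the list to pass as `rules:` to bigip_firewall_policy.
"""


def plan_rule_list_position(existing, new_list, after=None, before=None):
    """Return {"rules": ordered list, "already_present": bool}.

    `existing` is the policy's current top-to-bottom rule-list order; exactly
    one of `after` / `before` names the neighbour to anchor on.
    `already_present` flags the caveat from the thread: if `new_list` is
    already in the policy, bigip_firewall_policy will not move it, so it must
    be removed from the policy and re-added for the new order to apply.
    """
    if (after is None) == (before is None):
        raise ValueError("specify exactly one of after= or before=")
    anchor = after if after is not None else before
    # Drop any existing copy so repeated runs produce the same order.
    rules = [r for r in existing if r != new_list]
    if anchor not in rules:
        raise ValueError(f"anchor rule list {anchor!r} is not in the policy")
    idx = rules.index(anchor) + (1 if after is not None else 0)
    rules.insert(idx, new_list)
    return {"rules": rules, "already_present": new_list in existing}


def shadowed_by(rules, new_list, terminating_list):
    """True if `new_list` sits below `terminating_list`, a rule list the
    caller knows ends evaluation for all traffic (e.g. a catch-all drop or
    accept-decisively).  AFM walks the policy top-down, so a rule list placed
    below such a list is never reached and silently does nothing."""
    return (terminating_list in rules
            and rules.index(terminating_list) < rules.index(new_list))


if __name__ == "__main__":
    # Constructed sample mirroring the thread's policy POL-TEST1.
    current = ["Existing-RLIST", "Existing-RList-2",
               "Existing-RList-3", "Existing-RList-4"]
    plan = plan_rule_list_position(current, "RLIST-1", after="Existing-RList-2")
    print(plan["rules"])            # the list to hand to `rules:`
    print(plan["already_present"])  # False: safe to place in one run
```

Feed `plan["rules"]` to the `rules:` parameter of the ordering task; when `already_present` is True, remove the rule list from the policy first, since the post reports the module ignores position for a list that is already there.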
johnramzf5, Apr 13, 2023 (Altocumulus)
Thank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added BUT the rule list was empty. So I added the code that you commented out AT THE END of the playbook, and that did it:
```yaml
    - name: Add rule list to Policy
      f5networks.f5_modules.bigip_firewall_rule:
        parent_policy: "POL-TEST1"
        rule_list: "RLIST-1"
        name: "RLIST-1"
        provider: "{{ provider }}"
      delegate_to: localhost
```
Now the rule list WITH RULES is there and in the desired order.
Matt_Mabis, Apr 15, 2023 (Employee)
Nice!!!
Glad all is working for ya!