Forum Discussion
AltocumulusANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy
Sorry for the Delayed Response, my contact i think is on PTO currently so i decided to start digging myself.
I was able to control the the location of the policy by using the following code to put it in the list in a specific spot there was a few caviats
1) I had to know the existing order of the policy to place in a specific location.
2) using the bigip_firewall_policy module will ADD and place in a specific location, however this only works if a rule_list is being added (cannot exist at the time of running the bigip_firewall_policy module) if it does it will ignore putting the rule in and then wont place it in the specific location. This is why i commented out the bigip_firewall_rule
I did also created some dummy rule_lists to just test/validate (Existing-RLISTS)Let me know if this helps
--- - hosts: f5 connection: local name: Test-Firewall gather_facts: False tasks: - name: SetFact ansible.builtin.set_fact: provider: server: "{{ ansible_host }}" user: "{{ ansible_user }}" password: "{{ ansible_ssh_pass }}" server_port: 443 validate_certs: "no" - name: CREATE FIREWALL RULE LIST f5networks.f5_modules.bigip_firewall_rule_list: name: "RLIST-1" state: present rules: - "RULE-A" - "RULE-B" provider: "{{ provider }}" delegate_to: localhost - name: CREATE FIREWALL RULES f5networks.f5_modules.bigip_firewall_rule: parent_rule_list: "RLIST-1" name: "{{ item.name }}" state: present protocol: "{{ item.protocol }}" source: - vlan: Internal - address_list: "{{ item.source_address }}" destination: - address_list: "{{ item.destination_address }}" - port_range: "{{ item.dest_port }}" action: "{{ item.action }}" logging: true provider: "{{ provider }}" with_items: - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively} - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively} delegate_to: localhost # - name: Add rule list to Policy # f5networks.f5_modules.bigip_firewall_rule: # parent_policy: "POL-TEST1" # rule_list: "RLIST-1" # name: "RLIST-1" # provider: "{{ provider }}" # delegate_to: localhost - name: Order Policy in specific order f5networks.f5_modules.bigip_firewall_policy: name: "POL-TEST1" description: test rules: - "Existing-RLIST" - "Existing-RList-2" - "RLIST-1" - "Existing-RList-3" - "Existing-RList-4" provider: "{{ provider }}" delegate_to: localhost
AltocumulusThank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added BUT the rule list was empty. So I added the code that you commented out AT THE END of playbook, and that did it :
# - name: Add rule list to Policy
# f5networks.f5_modules.bigip_firewall_rule:
# parent_policy: "POL-TEST1"
# rule_list: "RLIST-1"
# name: "RLIST-1"
# provider: "{{ provider }}"
# delegate_to: localhostNow the rule list WITH RULES is there and in the desired order.
EmployeeNice!!!
Glad all is working for ya!
