Forum Discussion
AltocumulusANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy
Sorry for the Delayed Response, my contact i think is on PTO currently so i decided to start digging myself.
I was able to control the the location of the policy by using the following code to put it in the list in a specific spot there was a few caviats
1) I had to know the existing order of the policy to place in a specific location.
2) using the bigip_firewall_policy module will ADD and place in a specific location, however this only works if a rule_list is being added (cannot exist at the time of running the bigip_firewall_policy module) if it does it will ignore putting the rule in and then wont place it in the specific location. This is why i commented out the bigip_firewall_rule
I did also created some dummy rule_lists to just test/validate (Existing-RLISTS)Let me know if this helps
--- - hosts: f5 connection: local name: Test-Firewall gather_facts: False tasks: - name: SetFact ansible.builtin.set_fact: provider: server: "{{ ansible_host }}" user: "{{ ansible_user }}" password: "{{ ansible_ssh_pass }}" server_port: 443 validate_certs: "no" - name: CREATE FIREWALL RULE LIST f5networks.f5_modules.bigip_firewall_rule_list: name: "RLIST-1" state: present rules: - "RULE-A" - "RULE-B" provider: "{{ provider }}" delegate_to: localhost - name: CREATE FIREWALL RULES f5networks.f5_modules.bigip_firewall_rule: parent_rule_list: "RLIST-1" name: "{{ item.name }}" state: present protocol: "{{ item.protocol }}" source: - vlan: Internal - address_list: "{{ item.source_address }}" destination: - address_list: "{{ item.destination_address }}" - port_range: "{{ item.dest_port }}" action: "{{ item.action }}" logging: true provider: "{{ provider }}" with_items: - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively} - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively} delegate_to: localhost # - name: Add rule list to Policy # f5networks.f5_modules.bigip_firewall_rule: # parent_policy: "POL-TEST1" # rule_list: "RLIST-1" # name: "RLIST-1" # provider: "{{ provider }}" # delegate_to: localhost - name: Order Policy in specific order f5networks.f5_modules.bigip_firewall_policy: name: "POL-TEST1" description: test rules: - "Existing-RLIST" - "Existing-RList-2" - "RLIST-1" - "Existing-RList-3" - "Existing-RList-4" provider: "{{ provider }}" delegate_to: localhost
AltocumulusThank you Matt_Mabis for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case, I was not clear in my description of the issue. So it is not adding individual rules to the policy but rules lists.
In the example,
- the rule list " RLIST_1" was already created in task 1
- then the content of the rules added for that Rule List
- then that Rules List was added to the policy.
A Rules List needs to be added to Policy in a particular order, not a single rule
I also tried to find this module that you mentioned -bigip_security_policy- in Ansible documentation but I could not find it.
Thank you and I am looking forward to hearing from you
John
EmployeeSorry for the Delayed Response, my contact i think is on PTO currently so i decided to start digging myself.
I was able to control the the location of the policy by using the following code to put it in the list in a specific spot there was a few caviats
1) I had to know the existing order of the policy to place in a specific location.
2) using the bigip_firewall_policy module will ADD and place in a specific location, however this only works if a rule_list is being added (cannot exist at the time of running the bigip_firewall_policy module) if it does it will ignore putting the rule in and then wont place it in the specific location. This is why i commented out the bigip_firewall_rule
I did also created some dummy rule_lists to just test/validate (Existing-RLISTS)
Let me know if this helps
---
- hosts: f5
connection: local
name: Test-Firewall
gather_facts: False
tasks:
- name: SetFact
ansible.builtin.set_fact:
provider:
server: "{{ ansible_host }}"
user: "{{ ansible_user }}"
password: "{{ ansible_ssh_pass }}"
server_port: 443
validate_certs: "no"
- name: CREATE FIREWALL RULE LIST
f5networks.f5_modules.bigip_firewall_rule_list:
name: "RLIST-1"
state: present
rules:
- "RULE-A"
- "RULE-B"
provider: "{{ provider }}"
delegate_to: localhost
- name: CREATE FIREWALL RULES
f5networks.f5_modules.bigip_firewall_rule:
parent_rule_list: "RLIST-1"
name: "{{ item.name }}"
state: present
protocol: "{{ item.protocol }}"
source:
- vlan: Internal
- address_list: "{{ item.source_address }}"
destination:
- address_list: "{{ item.destination_address }}"
- port_range: "{{ item.dest_port }}"
action: "{{ item.action }}"
logging: true
provider: "{{ provider }}"
with_items:
- {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
- {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
delegate_to: localhost
# - name: Add rule list to Policy
# f5networks.f5_modules.bigip_firewall_rule:
# parent_policy: "POL-TEST1"
# rule_list: "RLIST-1"
# name: "RLIST-1"
# provider: "{{ provider }}"
# delegate_to: localhost
- name: Order Policy in specific order
f5networks.f5_modules.bigip_firewall_policy:
name: "POL-TEST1"
description: test
rules:
- "Existing-RLIST"
- "Existing-RList-2"
- "RLIST-1"
- "Existing-RList-3"
- "Existing-RList-4"
provider: "{{ provider }}"
delegate_to: localhost
- johnramzf5
Thank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added BUT the rule list was empty. So I added the code that you commented out AT THE END of playbook, and that did it :
# - name: Add rule list to Policy # f5networks.f5_modules.bigip_firewall_rule: # parent_policy: "POL-TEST1" # rule_list: "RLIST-1" # name: "RLIST-1" # provider: "{{ provider }}" # delegate_to: localhostNow the rule list WITH RULES is there and in the desired order.
- Matt_Mabis
Nice!!!
Glad all is working for ya!
