Forum Discussion

johnramzf5
Apr 03, 2023
Solved

ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy

The goal is to create a rule list and add it to a policy in a desired position(top, 2nd, 3rd, etc). It works but in last task: "Add rule list to Policy" it adds the rule list in the LAST LINE. I cann...
  • Matt_Mabis
    Apr 12, 2023

    Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.

    I was able to control the location of the policy by using the following code to put it in the list in a specific spot. There were a few caveats:

    1) I had to know the existing order of the policy to place it in a specific location.
    2) Using the bigip_firewall_policy module will ADD and place it in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule task.

    I also created some dummy rule_lists just to test/validate (Existing-RLISTS).

    Let me know if this helps


    ---
    - hosts: f5
      connection: local
      name: Test-Firewall
      gather_facts: False
    
      tasks:
      - name: SetFact
        ansible.builtin.set_fact:
          provider:
            server: "{{ ansible_host }}"
            user: "{{ ansible_user }}"
            password: "{{ ansible_ssh_pass }}"
            server_port: 443
            validate_certs: "no"
    
      - name: CREATE FIREWALL RULE LIST
        f5networks.f5_modules.bigip_firewall_rule_list:
          name: "RLIST-1"
          state: present
          rules:
            - "RULE-A"
            - "RULE-B"
          provider: "{{ provider }}"
        delegate_to: localhost
    
      - name: CREATE FIREWALL RULES
        f5networks.f5_modules.bigip_firewall_rule:
          parent_rule_list: "RLIST-1"
          name: "{{ item.name }}"
          state: present
          protocol: "{{ item.protocol }}"
          source:
            - vlan: Internal
            - address_list: "{{ item.source_address }}"
          destination:
            - address_list: "{{ item.destination_address }}"
            - port_range: "{{ item.dest_port }}"
          action: "{{ item.action }}"
          logging: true
          provider: "{{ provider }}"
        with_items:
        - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
        delegate_to: localhost
    
      # - name: Add rule list to Policy
      #   f5networks.f5_modules.bigip_firewall_rule:
      #     parent_policy: "POL-TEST1"
      #     rule_list: "RLIST-1"
      #     name: "RLIST-1"
      #     provider: "{{ provider }}"
      #   delegate_to: localhost
    
      - name: Order Policy in specific order
        f5networks.f5_modules.bigip_firewall_policy:
          name: "POL-TEST1"
          description: test
          rules:
            - "Existing-RLIST"
            - "Existing-RList-2"
            - "RLIST-1"
            - "Existing-RList-3"
            - "Existing-RList-4"
          provider: "{{ provider }}"
        delegate_to: localhost
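The answer's approach depends on knowing the policy's current rule-list order and handing the complete list back to bigip_firewall_policy, with the new rule list spliced in at the desired 1-based position. The helper below (an added example, not the forum poster's code or part of the f5_modules collection) computes that list and emits the matching task. The existing order and rule-list names are constructed sample values taken from the playbook above; `place_rule_list` and `policy_task` are hypothetical helper names. It also enforces the second caveat: if the rule list is already attached to the policy, it refuses rather than producing an order the module would silently ignore.

```python
"""Compute the full rule-list order to hand to bigip_firewall_policy (example helper)."""
import json
from typing import Dict, List


def place_rule_list(existing: List[str], rule_list: str, position: int) -> List[str]:
    """Return the policy's rule-list order with rule_list inserted at a 1-based position.

    position 1 = top of the policy; a position past the end appends (same result
    as the module's default behaviour). Raises ValueError if rule_list is already
    attached, because (per the answer above) bigip_firewall_policy ignores a
    rule list that already exists in the policy and will not reposition it.
    """
    if position < 1:
        raise ValueError("position is 1-based; use 1 for the top of the policy")
    if len(set(existing)) != len(existing):
        raise ValueError("existing order contains duplicate rule-list names")
    if rule_list in existing:
        raise ValueError(
            f"{rule_list} is already attached to the policy; remove it first, "
            "otherwise the module will not move it"
        )
    order = list(existing)          # never mutate the caller's snapshot
    order.insert(position - 1, rule_list)
    return order


def policy_task(policy: str, order: List[str], description: str = "test") -> Dict:
    """Build a task dict with the same keys as the 'Order Policy' task above."""
    return {
        "name": f"Order {policy} in specific order",
        "f5networks.f5_modules.bigip_firewall_policy": {
            "name": policy,
            "description": description,
            "rules": order,
            "provider": "{{ provider }}",
        },
        "delegate_to": "localhost",
    }


if __name__ == "__main__":
    # Constructed sample: the dummy rule lists from the answer, before RLIST-1 is attached.
    current = ["Existing-RLIST", "Existing-RList-2", "Existing-RList-3", "Existing-RList-4"]
    new_order = place_rule_list(current, "RLIST-1", position=3)
    print(json.dumps(policy_task("POL-TEST1", new_order), indent=2))
```

Feed the resulting `rules` list into the task via a variable (for example `rules: "{{ desired_order }}"`), keeping the rest of the play exactly as posted; the refusal on an already-attached rule list is what keeps the caveat from turning into a silent no-op in the play.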