ANSIBLE Configuration of a firewall rule list to be added on desired position in the firewall policy

johnramzf5
Altocumulus

The goal is to create a rule list and add it to a policy in a desired position (top, 2nd, 3rd, etc.). It works, but in the last task, "Add rule list to Policy", it adds the rule list in the LAST LINE. I cannot find a parameter in this module (bigip_firewall_rule) to set the "rule list" position/order within the firewall policy.

Here are the playbook tasks

- name: CREATE FIREWALL RULE LIST
  bigip_firewall_rule_list:
    name: RLIST_1
    state: present
    rules:
      - RULE A
      - RULE B
    provider: "{{ provider }}"
- name: CREATE FIREWALL RULES
  bigip_firewall_rule:
    parent_rule_list: RLIST_1
    name: "{{ item.name }}"
    state: present
    protocol: "{{ item.protocol }}"
    source:
      - vlan: EXTERNAL
      - address_list: "{{ item.source_address }}"
    destination:
      - address_list: "{{ item.destination_address }}"
      - port_range: "{{ item.dest_port }}"
    action: "{{ item.action }}"
    logging: true
    provider: "{{ provider }}"
  with_items:
    - {name: RULE A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
    - {name: RULE B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
- name: Add rule list to Policy
  bigip_firewall_rule:
    parent_policy: POL-TEST1
    rule_list: RLIST_1
    name: RLIST_1
    provider: "{{ provider }}"

1 ACCEPTED SOLUTION

Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.

I was able to control the location in the policy by using the following code to put it in the list in a specific spot. There were a few caveats:

1) I had to know the existing order of the policy to place it in a specific location.
2) Using the bigip_firewall_policy module will ADD and place it in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule task.

I also created some dummy rule lists just to test/validate (Existing-RLISTS).

Let me know if this helps


---
- hosts: f5
  connection: local
  name: Test-Firewall
  gather_facts: False

  tasks:
  - name: SetFact
    ansible.builtin.set_fact:
      provider: 
        server: "{{ ansible_host }}"
        user: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        server_port: 443
        validate_certs: "no"

  - name: CREATE FIREWALL RULE LIST
    f5networks.f5_modules.bigip_firewall_rule_list:
      name: "RLIST-1"
      state: present
      rules:
        - "RULE-A"
        - "RULE-B"
      provider: "{{ provider }}"
    delegate_to: localhost

  - name: CREATE FIREWALL RULES
    f5networks.f5_modules.bigip_firewall_rule:
      parent_rule_list: "RLIST-1"
      name: "{{ item.name }}"
      state: present
      protocol: "{{ item.protocol }}"
      source:
        - vlan: Internal
        - address_list: "{{ item.source_address }}"
      destination:
        - address_list: "{{ item.destination_address }}"
        - port_range: "{{ item.dest_port }}"
      action: "{{ item.action }}"
      logging: true
      provider: "{{ provider }}"
    with_items:
    - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
    - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
    delegate_to: localhost

  # - name: Add rule list to Policy
  #   f5networks.f5_modules.bigip_firewall_rule:
  #     parent_policy: "POL-TEST1"
  #     rule_list: "RLIST-1"
  #     name: "RLIST-1"
  #     provider: "{{ provider }}"
  #   delegate_to: localhost

  - name: Order Policy in specific order
    f5networks.f5_modules.bigip_firewall_policy:
      name: "POL-TEST1"
      description: test
      rules: 
        - "Existing-RLIST"
        - "Existing-RList-2"
        - "RLIST-1"
        - "Existing-RList-3"
        - "Existing-RList-4"
      provider: "{{ provider }}"
    delegate_to: localhost
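An added example (not code from the thread or from F5's modules) for the ordering step above: a small Ansible filter plugin that builds the ordered `rules:` list for bigip_firewall_policy from the policy's current order and a 1-based position, and reports any existing rule list the new list would drop, since `rules:` replaces the whole ordered list. The filter names, the sample order and the way the current order is read from the device are assumptions.

```python
"""Ansible filter plugin (added example, not code from the thread).

bigip_firewall_policy's ``rules:`` parameter is the policy's complete
ordered list, so a hard-coded list silently drops any rule list it omits.
This filter builds that list from the order read from the device (how you
read it is up to you; the thread only says you must know it) and lets a
pre-check refuse the run if an existing rule list would be dropped.
"""
try:
    from ansible.errors import AnsibleFilterError
except ImportError:  # lets the module run outside Ansible, e.g. for tests
    class AnsibleFilterError(Exception):
        pass


def insert_rule_list(existing, new_rule_list, position):
    """Return ``existing`` with ``new_rule_list`` at ``position`` (1 = top).

    Idempotent: a rule list already in the policy is moved, not duplicated.
    """
    position = int(position)
    names = [n for n in existing if n != new_rule_list]
    if not 1 <= position <= len(names) + 1:
        raise AnsibleFilterError(
            "position %d out of range 1..%d" % (position, len(names) + 1))
    names.insert(position - 1, new_rule_list)
    return names


def dropped_rule_lists(existing, desired):
    """Rule lists in the policy today that ``desired`` would remove."""
    return [n for n in existing if n not in desired]


class FilterModule(object):
    """Exposes the helpers as Jinja filters (hypothetical filter names)."""

    def filters(self):
        return {
            "afm_insert_rule_list": insert_rule_list,
            "afm_dropped_rule_lists": dropped_rule_lists,
        }


if __name__ == "__main__":
    # Constructed sample: the order from the accepted solution minus RLIST-1.
    current = ["Existing-RLIST", "Existing-RList-2",
               "Existing-RList-3", "Existing-RList-4"]
    print(insert_rule_list(current, "RLIST-1", 3))
    # -> ['Existing-RLIST', 'Existing-RList-2', 'RLIST-1',
    #     'Existing-RList-3', 'Existing-RList-4']
```

In the playbook the ordering task would then use `rules: "{{ current_order | afm_insert_rule_list('RLIST-1', 3) }}"`, preceded by an `ansible.builtin.assert` that `current_order | afm_dropped_rule_lists(rules)` is empty.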


Leslie_Hubertus
Community Manager

Ansible you say? @Matt_Mabis may be able to help here. 

Thank you Leslie, I hope @Matt_Mabis gets a chance to look into it

Matt_Mabis
F5 Employee

Hey @johnramzf5, I have a few messages out to friends who coded this. As the documentation says in the bigip_firewall_rule, there should be a module to do this (however, it doesn't exist), so I am trying to figure out if it was renamed to something else.

  • Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.
I'm guessing this is what you are trying to do (add to an existing policy in a certain order). The only caveat to this is you might have to know the existing policy rules' names to be able to put it in that specific order... I'll try some things out as well, but figured I'd reach out to let you know I'm checking it out.

Thank you @Matt_Mabis for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.

In the example,

- the rule list "RLIST_1" was already created in task 1

- then the content of the rules was added for that rule list

- then that rule list was added to the policy

A rule list needs to be added to the policy in a particular order, not a single rule.

I also tried to find the module you mentioned, bigip_security_policy, in the Ansible documentation, but I could not find it.

Thank you and I am looking forward to hearing from you

John

Thank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added, BUT the rule list was empty. So I added the code that you commented out AT THE END of the playbook, and that did it:

  - name: Add rule list to Policy
    f5networks.f5_modules.bigip_firewall_rule:
      parent_policy: "POL-TEST1"
      rule_list: "RLIST-1"
      name: "RLIST-1"
      provider: "{{ provider }}"
    delegate_to: localhost

Now the rule list WITH RULES is there and in the desired order.

Nice!!!

Glad all is working for ya!