02-Apr-2023 17:58
The goal is to create a rule list and add it to a policy in a desired position (top, 2nd, 3rd, etc.). It works, but in the last task, "Add rule list to Policy", it adds the rule list in the LAST LINE. I cannot find a parameter in this module (bigip_firewall_rule) to set the rule list's position/order within the firewall policy.
Here are the playbook tasks:
- name: CREATE FIREWALL RULE LIST
  bigip_firewall_rule_list:
    name: RLIST_1
    state: present
    rules:
      - RULE A
      - RULE B
    provider: "{{ provider }}"

- name: CREATE FIREWALL RULES
  bigip_firewall_rule:
    parent_rule_list: RLIST_1
    name: "{{ item.name }}"
    state: present
    protocol: "{{ item.protocol }}"
    source:
      - vlan: EXTERNAL
      - address_list: "{{ item.source_address }}"
    destination:
      - address_list: "{{ item.destination_address }}"
      - port_range: "{{ item.dest_port }}"
    action: "{{ item.action }}"
    logging: true
    provider: "{{ provider }}"
  with_items:
    - {name: RULE A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
    - {name: RULE B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}

- name: Add rule list to Policy
  bigip_firewall_rule:
    parent_policy: POL-TEST1
    rule_list: RLIST_1
    name: RLIST_1
    provider: "{{ provider }}"
11-Apr-2023 20:44 - edited 11-Apr-2023 20:48
Sorry for the delayed response; my contact, I think, is on PTO currently, so I decided to start digging myself.
I was able to control the location of the policy by using the following code to put it in the list in a specific spot. There were a few caveats:
1) I had to know the existing order of the policy to place it in a specific location.
2) Using the bigip_firewall_policy module will ADD and place in a specific location; however, this only works if a rule_list is being added (it cannot exist at the time of running the bigip_firewall_policy module). If it does, it will ignore putting the rule in and then won't place it in the specific location. This is why I commented out the bigip_firewall_rule task.
I also created some dummy rule_lists just to test/validate (Existing-RLISTS).
Let me know if this helps.
---
- hosts: f5
  connection: local
  name: Test-Firewall
  gather_facts: False
  tasks:
    - name: SetFact
      ansible.builtin.set_fact:
        provider:
          server: "{{ ansible_host }}"
          user: "{{ ansible_user }}"
          password: "{{ ansible_ssh_pass }}"
          server_port: 443
          validate_certs: "no"

    - name: CREATE FIREWALL RULE LIST
      f5networks.f5_modules.bigip_firewall_rule_list:
        name: "RLIST-1"
        state: present
        rules:
          - "RULE-A"
          - "RULE-B"
        provider: "{{ provider }}"
      delegate_to: localhost

    - name: CREATE FIREWALL RULES
      f5networks.f5_modules.bigip_firewall_rule:
        parent_rule_list: "RLIST-1"
        name: "{{ item.name }}"
        state: present
        protocol: "{{ item.protocol }}"
        source:
          - vlan: Internal
          - address_list: "{{ item.source_address }}"
        destination:
          - address_list: "{{ item.destination_address }}"
          - port_range: "{{ item.dest_port }}"
        action: "{{ item.action }}"
        logging: true
        provider: "{{ provider }}"
      with_items:
        - {name: RULE-A, protocol: tcp, source_address: 10.20.10.1, destination_address: 10.10.10.1, dest_port: 443-443, action: accept-decisively}
        - {name: RULE-B, protocol: tcp, source_address: 10.20.10.2, destination_address: 10.10.10.2, dest_port: 443-443, action: accept-decisively}
      delegate_to: localhost

    # - name: Add rule list to Policy
    #   f5networks.f5_modules.bigip_firewall_rule:
    #     parent_policy: "POL-TEST1"
    #     rule_list: "RLIST-1"
    #     name: "RLIST-1"
    #     provider: "{{ provider }}"
    #   delegate_to: localhost

    - name: Order Policy in specific order
      f5networks.f5_modules.bigip_firewall_policy:
        name: "POL-TEST1"
        description: test
        rules:
          - "Existing-RLIST"
          - "Existing-RList-2"
          - "RLIST-1"
          - "Existing-RList-3"
          - "Existing-RList-4"
        provider: "{{ provider }}"
      delegate_to: localhost
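The first caveat above means the playbook author has to hand-build the full `rules:` list for `bigip_firewall_policy` from the policy's current order, and the second means a rule list that is already in the policy is silently left where it is. The helper below is an added example (not code from this thread or from the f5networks.f5_modules collection) that does that bookkeeping: given the existing order, which is assumed to have been read from the BIG-IP beforehand, it computes the new ordering for a 1-based position, "top", "bottom", or "before:"/"after:" an existing entry, refuses the already-present case so it cannot be ignored by accident, and renders the list as YAML lines for the task. The policy and rule-list names are constructed to match the thread.

```python
"""Build the ordered `rules:` list for a bigip_firewall_policy task.

Added example, not from the original thread or from F5's Ansible
collection. The existing policy order is assumed to be known already
(caveat 1 in the post above); here it is a constructed sample.
"""
from typing import List, Union

# Constructed sample: the policy's current rule-list order, as the
# operator would have read it from the BIG-IP before running the play.
EXISTING_POLICY_ORDER = [
    "Existing-RLIST",
    "Existing-RList-2",
    "Existing-RList-3",
    "Existing-RList-4",
]


class RuleListAlreadyInPolicy(ValueError):
    """The rule list is already in the policy, so bigip_firewall_policy
    would not re-place it (caveat 2). Remove it first or move it explicitly."""


def place_rule_list(existing_order: List[str], rule_list: str,
                    position: Union[int, str]) -> List[str]:
    """Return a new ordering with `rule_list` inserted at `position`.

    `position` is a 1-based index ("top" == 1), "bottom",
    "before:<name>" or "after:<name>". `existing_order` is not modified.
    """
    if rule_list in existing_order:
        raise RuleListAlreadyInPolicy(
            f"{rule_list!r} is already in the policy at position "
            f"{existing_order.index(rule_list) + 1}")
    n = len(existing_order)
    if position == "top":
        idx = 0
    elif position == "bottom":
        idx = n
    elif isinstance(position, str) and position.startswith(("before:", "after:")):
        kind, _, anchor = position.partition(":")
        if anchor not in existing_order:
            raise ValueError(f"anchor rule list {anchor!r} is not in the policy")
        idx = existing_order.index(anchor) + (1 if kind == "after" else 0)
    elif isinstance(position, int) and 1 <= position <= n + 1:
        idx = position - 1
    else:
        raise ValueError(f"invalid position {position!r} for a policy of {n} entries")
    return existing_order[:idx] + [rule_list] + existing_order[idx:]


def render_rules_block(order: List[str], indent: int = 8) -> str:
    """Render the ordering as the `rules:` block of the task, quoted like
    the playbook in the thread. `indent` is the column of `rules:`."""
    pad = " " * indent
    lines = [f"{pad}rules:"] + [f"{pad}  - \"{name}\"" for name in order]
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduces the ordering used in the thread: RLIST-1 in third place.
    new_order = place_rule_list(EXISTING_POLICY_ORDER, "RLIST-1", 3)
    print(render_rules_block(new_order))
```

The function is deliberately strict: an operator who re-runs the play after RLIST-1 is already in POL-TEST1 gets an error naming its current position rather than a task that "succeeds" without moving anything, which is exactly the failure mode described in caveat 2.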
03-Apr-2023 16:23
Ansible you say? @Matt_Mabis may be able to help here.
04-Apr-2023 04:07
Thank you, Leslie. I hope @Matt_Mabis gets a chance to look into it.
06-Apr-2023 06:06
Hey @johnramzf5, I have a few messages out to friends who coded this. As the documentation says, in the bigip_firewall_rule docs there should be a module to do this (however it doesn't exist), so I am trying to figure out if it was renamed to something else:
"...bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module."
06-Apr-2023 09:23 - edited 06-Apr-2023 10:58
Thank you @Matt_Mabis for your reply. In our case, creating the "Rule List" is required first, then adding that "Rule List" to the policy in a particular order. Just in case I was not clear in my description of the issue: it is not adding individual rules to the policy, but rule lists.
In the example,
- the rule list "RLIST_1" was already created in task 1
- then the content of the rules was added for that rule list
- then that rule list was added to the policy.
A rule list needs to be added to the policy in a particular order, not a single rule.
I also tried to find the module that you mentioned (bigip_security_policy) in the Ansible documentation, but I could not find it.
Thank you, and I am looking forward to hearing from you.
John
12-Apr-2023 20:04 - edited 12-Apr-2023 20:05
Thank you, Matt. This put me in the right direction. When I tried your code above, the rule list was added BUT the rule list was empty. So I added the code that you commented out AT THE END of the playbook, and that did it:
    - name: Add rule list to Policy
      f5networks.f5_modules.bigip_firewall_rule:
        parent_policy: "POL-TEST1"
        rule_list: "RLIST-1"
        name: "RLIST-1"
        provider: "{{ provider }}"
      delegate_to: localhost
Now the rule list WITH RULES is there and in the desired order.
14-Apr-2023 20:52
Nice!!!
Glad all is working for ya!