f5networks.f5_modules.bigip_firewall_rule – Manage AFM Firewall rules
Note
This plugin is part of the f5networks.f5_modules collection (version 1.12.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install f5networks.f5_modules.
To use it in a playbook, specify: f5networks.f5_modules.bigip_firewall_rule.
New in version 1.0.0 of f5networks.f5_modules
Synopsis
- Manages firewall rules in an AFM (Advanced Firewall Manager) firewall policy. New rules will always be added to the end of the policy. Rules can be re-ordered using the bigip_security_policy module. Rules can also be pre-ordered using the bigip_security_policy module and then later updated using the bigip_firewall_rule module.
Parameters
| Parameter | Type | Choices/Defaults | Comments |
|---|---|---|---|
| action | string | Choices: `accept`, `drop`, `reject`, `accept-decisively`. Default when creating a new rule: `reject` | Specifies the action for the firewall rule. When `accept`, allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule and are accepted traverse the system as if the firewall is not present. When `drop`, drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Dropping the packet causes the connection to be retried until the retry threshold is reached. When `reject`, rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender. When `accept-decisively`, allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any of the further firewalls. Packets that match the rule and are accepted traverse the system as if the firewall is not present. If the Rule List is applied to a virtual server, management IP, or self IP firewall rule, then Accept Decisively is equivalent to Accept. |
| description | string | | The rule description. |
| destination | list / elements=dictionary | | Specifies packet destinations to which the rule applies. Leaving this field blank applies the rule to all addresses and all ports. You can specify the following destination items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, address list, port, port range or port list. You can specify a mix of different types of items for the destination address. |
| destination / address | string | | Specifies a specific IP address. |
| destination / address_list | string | | Specifies an existing address list. |
| destination / address_range | string | | Specifies an address range. |
| destination / country | string | | Specifies a country code. |
| destination / port | integer | | Specifies a single numeric port. This option is only valid when `protocol` is tcp(6) or udp(17). |
| destination / port_list | string | | Specifies an existing port list. This option is only valid when `protocol` is tcp(6) or udp(17). |
| destination / port_range | string | | Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen should be less than the port to the right. This option is only valid when `protocol` is tcp(6) or udp(17). |
| icmp_message | list / elements=dictionary | | Specifies the Internet Control Message Protocol (ICMP) or ICMPv6 message type and code the rule uses. This parameter is only relevant when `protocol` is either icmp(1) or icmpv6(58). |
| icmp_message / code | string | | Specifies the code returned in response to the specified ICMP message type. You can specify codes, each set appropriate to the associated type, such as No Code (0) (associated with Echo Reply (0)) and Host Unreachable (1) (associated with Destination Unreachable (3)), or you can specify `any` to indicate the system applies the rule for all codes in response to that specific ICMP message. You can also specify an arbitrary code. The ICMP protocol contains definitions for the existing message code and number pairs. |
| icmp_message / type | string | | Specifies the type of ICMP message. You can specify control messages, such as Echo Reply (0) and Destination Unreachable (3), or you can specify `any` to indicate the system applies the rule for all ICMP messages. You can also specify an arbitrary ICMP message. The ICMP protocol contains definitions for the existing message type and number pairs. |
| irule | string | | Specifies an iRule that is applied to the firewall rule. An iRule can be started when the firewall rule matches traffic. |
| logging | boolean | Default when creating a new rule: `no` | Specifies whether logging is enabled or disabled for the firewall rule. When creating a new rule, if this parameter is not specified, the default is `no`. |
| name | string / required | | Specifies the name of the rule. |
| parent_policy | string | | The policy which contains the rule to be managed. One of either `parent_policy` or `parent_rule_list` is required. |
| parent_rule_list | string | | The rule list which contains the rule to be managed. One of either `parent_policy` or `parent_rule_list` is required. |
| partition | string | Default: `"Common"` | Device partition to manage resources on. |
| protocol | string | | Specifies the protocol to which the rule applies. Protocols may be specified by either their name or numeric value. A special protocol value `any` can be specified to match any protocol. The numeric equivalent of this protocol is 255. |
| provider | dictionary (added in 1.0.0 of f5networks.f5_modules) | | A dict object containing connection details. |
| provider / auth_provider | string | | Configures the auth provider used to obtain authentication tokens from the remote device. This option is really only used when working with BIG-IQ devices. |
| provider / no_f5_teem | boolean | | If `yes`, TEEM telemetry data is not sent to F5. You may omit this option by setting the environment variable `F5_TELEMETRY_OFF`. The previously used variable `F5_TEEM` is deprecated as its name was confusing. |
| provider / password | string / required | aliases: `pass`, `pwd` | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable `F5_PASSWORD`. |
| provider / server | string / required | | The BIG-IP host. You may omit this option by setting the environment variable `F5_SERVER`. |
| provider / server_port | integer | Default: `443` | The BIG-IP server port. You may omit this option by setting the environment variable `F5_SERVER_PORT`. |
| provider / timeout | integer | | Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error. |
| provider / transport | string | | Configures the transport connection to use when connecting to the remote device. |
| provider / user | string / required | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable `F5_USER`. |
| provider / validate_certs | boolean | | If `no`, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. You may omit this option by setting the environment variable `F5_VALIDATE_CERTS`. |
| rule_list | string | | Specifies an existing rule list to use in the rule. This parameter is mutually exclusive with many of the other individual-rule specific settings. This includes `logging`, `action`, `source`, `destination`, `irule` and `protocol`. This parameter is only used when `parent_policy` is specified, otherwise it is ignored. |
| schedule | string | | Specifies a schedule for the firewall rule. You configure schedules to define days and times when the firewall rule is made active. |
| source | list / elements=dictionary | | Specifies packet sources to which the rule applies. Leaving this field blank applies the rule to all addresses and all ports. You can specify the following source items: an IPv4 or IPv6 address, an IPv4 or IPv6 address range, geographic location, VLAN, address list, port, port range or port list. You can specify a mix of different types of items for the source address. |
| source / address | string | | Specifies a specific IP address. |
| source / address_list | string | | Specifies an existing address list. |
| source / address_range | string | | Specifies an address range. |
| source / country | string | | Specifies a country code. |
| source / port | integer | | Specifies a single numeric port. This option is only valid when `protocol` is tcp(6) or udp(17). |
| source / port_list | string | | Specifies an existing port list. This option is only valid when `protocol` is tcp(6) or udp(17). |
| source / port_range | string | | Specifies a range of ports, which is two port values separated by a hyphen. The port to the left of the hyphen should be less than the port to the right. This option is only valid when `protocol` is tcp(6) or udp(17). |
| source / vlan | string | | Specifies VLANs to which the rule applies. The VLAN source refers to the packet's source. |
| state | string | Choices: `present`, `absent` | When `state` is `present`, ensures the rule exists. When `state` is `absent`, ensures the rule is removed. |
| status | string | Choices: `enabled`, `disabled`, `scheduled`. Default when creating a new rule: `enabled` | Indicates the activity state of the rule or rule list. When `disabled`, specifies the rule or rule list does not apply at all. When `enabled`, specifies the system applies the firewall rule or rule list to the given context and addresses. When `scheduled`, specifies the system applies the rule or rule list according to the specified schedule. |
Notes
Note
- For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
- Requires BIG-IP software version >= 12.
- The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module's documentation for the correct usage of the module to save your running configuration.
Examples
```yaml
- name: Create a new rule in the foo firewall policy
  bigip_firewall_rule:
    name: foo
    parent_policy: policy1
    protocol: tcp
    source:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - vlan: vlan1
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    destination:
      - address: 1.2.3.4
      - address: "::1"
      - address_list: foo-list1
      - address_range: 1.1.1.1-2.2.2.2
      - country: US
      - port: 22
      - port_list: port-list1
      - port_range: 80-443
    irule: irule1
    action: accept
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

# One of parent_policy or parent_rule_list is required; icmp_message is a
# list of dictionaries, so the ICMP type is given as a list item.
- name: Create an ICMP specific rule
  bigip_firewall_rule:
    name: foo
    parent_policy: policy1
    protocol: icmp
    icmp_message:
      - type: 0
    source:
      - country: US
    action: drop
    logging: yes
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Add a new policy rule that uses an existing rule list
  bigip_firewall_rule:
    name: foo
    parent_policy: foo_policy
    rule_list: rule-list1
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
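The parameter table ties several options to each other (port options only with tcp/udp, `icmp_message` only with icmp/icmpv6, `rule_list` exclusive with the per-rule settings and ignored without `parent_policy`, one parent required, `port_range` low before high). The following pre-flight linter is an added example, not code from the collection: it checks a task's `bigip_firewall_rule` parameter dictionary against those constraints before the play runs, so a rule the module would reject, or that silently falls back to the `reject` default, is caught in CI. The function names and the `validate_certs` finding are this example's own.

```python
"""Pre-flight lint for f5networks.f5_modules.bigip_firewall_rule task parameters.

Added example (hypothetical helper, not part of the collection). It re-checks
the cross-option constraints stated in the module's parameter table.
"""
from typing import Dict, List, Optional

# Protocol names and numbers the parameter table ties options to.
TCP_UDP = {"tcp", "udp", "6", "17"}
ICMP = {"icmp", "icmpv6", "1", "58"}
PORT_KEYS = {"port", "port_list", "port_range"}
# Per-rule settings that cannot be combined with rule_list (per the rule_list comments).
RULE_LIST_CONFLICTS = {"logging", "action", "source", "destination", "irule", "protocol"}


def _check_endpoint(kind: str, items: Optional[List[Dict]], proto: str, findings: List[str]) -> None:
    """Validate a source/destination list against the protocol-dependent rules."""
    for item in items or []:
        for key, value in item.items():
            if key in PORT_KEYS and proto not in TCP_UDP:
                findings.append(
                    f"{kind}.{key} is only valid when protocol is tcp(6) or udp(17), got {proto!r}"
                )
            if key == "port_range":
                # Format is "low-high" with the left port less than the right one.
                lo, _, hi = str(value).partition("-")
                if not (lo.isdigit() and hi.isdigit() and int(lo) < int(hi)):
                    findings.append(f"{kind}.port_range {value!r} must be 'low-high' with low < high")


def lint_rule(params: Dict) -> List[str]:
    """Return a list of findings; an empty list means the parameters are consistent."""
    findings: List[str] = []
    keys = set(params)
    if "name" not in keys:
        findings.append("name is required")
    if not ({"parent_policy", "parent_rule_list"} & keys):
        findings.append("one of parent_policy or parent_rule_list is required")
    # Protocol may be given by name or number; "any" (255) is the module's catch-all.
    proto = str(params.get("protocol", "any")).lower()
    if "rule_list" in keys:
        clash = RULE_LIST_CONFLICTS & keys
        if clash:
            findings.append(f"rule_list is mutually exclusive with: {', '.join(sorted(clash))}")
        if "parent_policy" not in keys:
            findings.append("rule_list is ignored unless parent_policy is specified")
    elif "action" not in keys:
        # Not an error, but worth surfacing: a new rule without an action rejects traffic.
        findings.append("action not set: a new rule defaults to reject")
    if "icmp_message" in keys and proto not in ICMP:
        findings.append(
            f"icmp_message is only relevant when protocol is icmp(1) or icmpv6(58), got {proto!r}"
        )
    _check_endpoint("source", params.get("source"), proto, findings)
    _check_endpoint("destination", params.get("destination"), proto, findings)
    # Connection hygiene: disabling certificate validation leaves the BIG-IP session unauthenticated.
    provider = params.get("provider") or {}
    if str(provider.get("validate_certs", "yes")).lower() in {"no", "false"}:
        findings.append("provider.validate_certs is disabled: TLS to the BIG-IP is not authenticated")
    return findings
```

Run it over the `bigip_firewall_rule` dictionary of each task in a playbook (for example from a YAML loader in a CI step) and fail the job on any finding.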
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Type | Returned | Description | Sample |
|---|---|---|---|---|
| action | string | changed | The action for the firewall rule. | `drop` |
| description | string | changed | The rule description. | `MyRule` |
| destination | complex | changed | The packet destinations to which the rule applies. | hash/dictionary of values |
| destination / address | string | changed | A specific IP address. | `192.168.1.1` |
| destination / address_list | string | changed | An existing address list. | `foo-list1` |
| destination / address_range | string | changed | The address range. | `1.1.1.1-2.2.2.2` |
| destination / country | string | changed | A country code. | `US` |
| destination / port | integer | changed | Single numeric port. | `8080` |
| destination / port_list | string | changed | An existing port list. | `port-list1` |
| destination / port_range | string | changed | The port range. | `80-443` |
| icmp_message | complex | changed | The ICMP or ICMPv6 message type and code that the rule uses. | hash/dictionary of values |
| icmp_message / code | string | changed | The code returned in response to the specified ICMP message type. | `1` |
| icmp_message / type | string | changed | The type of ICMP message. | |
| irule | string | changed | The iRule that is applied to the firewall rule. | `_sys_auth_radius` |
| logging | boolean | changed | Enable or disable logging for the firewall rule. | `True` |
| name | string | changed | Name of the rule. | `FooRule` |
| parent_policy | string | changed | The policy which contains the rule to be managed. | `FooPolicy` |
| parent_rule_list | string | changed | The rule list which contains the rule to be managed. | `FooRuleList` |
| protocol | string | changed | The protocol to which the rule applies. | `any` |
| rule_list | string | changed | An existing rule list to use in the parent policy. | `rule-list-1` |
| schedule | string | changed | The schedule for the firewall rule. | `Foo_schedule` |
| source | complex | changed | The packet sources to which the rule applies. | hash/dictionary of values |
| source / address | string | changed | A specific IP address. | `192.168.1.1` |
| source / address_list | string | changed | An existing address list. | `foo-list1` |
| source / address_range | string | changed | The address range. | `1.1.1.1-2.2.2.2` |
| source / country | string | changed | A country code. | `US` |
| source / port | integer | changed | Single numeric port. | `8080` |
| source / port_list | string | changed | An existing port list. | `port-list1` |
| source / port_range | string | changed | The port range. | `80-443` |
| source / vlan | string | changed | Source VLANs for the packets. | `vlan1` |
| status | string | changed | The activity state of the rule or rule list. | `scheduled` |
Authors
- Tim Rupp (@caphrim007)
- Wojciech Wypior (@wojtek0806)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_firewall_rule_module.html