panos_security_policy
This resource allows you to manage the full security posture.
Note:
panos_security_policiesis known aspanos_security_policy.
This resource manages the full set of security rules in a vsys, enforcing both the contents of individual rules as well as their ordering. Rules are defined in a rule config block.
For each security rule, there are three styles of profile settings:
The Profile Setting is implicitly chosen based on what params are configured for the security rule. If you want a Profile Setting of Group, then the group param should be set to the desired Group Profile. If you want a Profile Setting of Profiles, then you will need to specify one or more of the following params:
If the group param and none of the Profiles params are specified, then the Profile Setting is set to None.
Example Usage
resource "panos_security_policy" "example" {
rule {
name = "allow bizdev to dmz"
source_zones = ["bizdev"]
source_addresses = ["any"]
source_users = ["any"]
hip_profiles = ["any"]
destination_zones = ["dmz"]
destination_addresses = ["any"]
applications = ["any"]
services = ["application-default"]
categories = ["any"]
action = "allow"
}
rule {
name = "deny sales to eng"
source_zones = ["sales"]
source_addresses = ["any"]
source_users = ["any"]
hip_profiles = ["any"]
destination_zones = ["eng"]
destination_addresses = ["any"]
applications = ["any"]
services = ["application-default"]
categories = ["any"]
action = "deny"
}
}
Argument Reference
The following arguments are supported:
vsys- (Optional) The vsys to put the security policy into (default:vsys1).rulebase- (Optional, Deprecated) The rulebase. For firewalls, there is only therulebasevalue (default), but on Panorama, there is alsopre-rulebaseandpost-rulebase.rule- A security rule definition (see below). The security rule ordering will match how they appear in the terraform plan file.
The following arguments are valid for each rule section:
name- (Required) The security rule name.type- (Optional) Rule type. This can beuniversal(default),interzone, orintrazone.description- (Optional) The description.tags- (Optional) List of tags for this security rule.source_zones- (Required) List of source zones.source_addresses- (Required) List of source addresses.negate_source- (Optional, bool) If the source should be negated.source_users- (Required) List of source users.hip_profiles- (Required) List of HIP profiles.destination_zones- (Required) List of destination zones.destination_addresses- (Required) List of destination addresses.negate_destination- (Optional, bool) If the destination should be negated.applications- (Required) List of applications.services- (Required) List of services.categories- (Required) List of categories.action- (Optional) Action for the matched traffic. This can beallow(default),deny,drop,reset-client,reset-server, orreset-both.log_setting- (Optional) Log forwarding profile.log_start- (Optional, bool) Log the start of the traffic flow.log_end- (Optional, bool) Log the end of the traffic flow (default:true).disabled- (Optional, bool) Set totrueto disable this rule.schedule- (Optional) The security policy schedule.icmp_unreachable- (Optional) Set totrueto enable ICMP unreachable.disable_server_response_inspection- (Optional) Set totrueto disable server response inspection.group- (Optional) Profile Setting:Group- The group profile name.virus- (Optional) Profile Setting:Profiles- The antivirus setting.spyware- (Optional) Profile Setting:Profiles- The anti-spyware setting.vulnerability- (Optional) Profile Setting:Profiles- The Vulnerability Protection setting.url_filtering- (Optional) Profile Setting:Profiles- The URL filtering setting.file_blocking- (Optional) Profile Setting:Profiles- The file blocking setting.wildfire_analysis- (Optional) Profile Setting:Profiles- The WildFire Analysis setting.data_filtering- (Optional) Profile Setting:Profiles- The Data Filtering setting.
© 2018 HashiCorp
Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/panos/r/security_policy.html