Resource Type: panos_security_policy_rule
- Defined in: lib/puppet/type/panos_security_policy_rule.rb
Overview
This type provides Puppet with the capabilities to manage "Security Policy Rules" on Palo Alto devices.
Properties
- action (defaults to: allow)
  To specify the action for traffic that matches the attributes defined in a rule, select from the following actions:
  - allow: Allows the traffic.
  - deny: Blocks traffic, and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications. Because the default deny action varies by application, the firewall could block the session and send a reset for one application, while it could drop the session silently for another application.
  - drop: Silently drops the application. A TCP reset is not sent to the host/application, unless `ICMP Unreachable` (the `icmp_unreachable` property) is set to true.
  - reset-client: Sends a TCP reset to the client-side device.
  - reset-server: Sends a TCP reset to the server-side device.
  - reset-both: Sends a TCP reset to both the client-side and server-side devices.
- anti_virus_profile
  Specify the anti-virus profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- applications (defaults to: ["any"])
  Select specific applications for the security rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added.
- categories (defaults to: ["any"])
  The destination URL categories. The following values are valid:
  - `['any']`: Allow or deny all sessions regardless of the URL category.
  - A list of specific categories or custom categories, e.g. `['gambling', 'malware', 'my_custom_category']`.
- data_filtering_profile
  Specify the data filtering profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- description
  Provide a description of the rule.
- destination_address (defaults to: ["any"])
  Specify one or more destination addresses, address groups or regions.
- destination_zones (defaults to: ["any"])
  Specify one or more destination zones. Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to "Defining Security Zones". Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
  Note: On intrazone rules, you cannot define a Destination Zone because these types of rules only match traffic with a source and a destination within the same zone. To specify the zones that match an intrazone rule you only need to set the Source Zone.
- disable
  Specify if the security policy rule should be disabled.
- disable_server_response_inspection
  To disable packet inspection from the server to the client, enable this option. This option may be useful under heavy server load conditions.
- ensure (defaults to: present)
  Whether this resource should be present or absent on the target system.
- file_blocking_profile
  Specify the file blocking profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- group_profile
  Specify the group profile; can only be set when `profile_type` is `group`.
- hip_profiles (defaults to: ["any"])
  Specify one or more HIP profiles. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources.
- icmp_unreachable
  Only available for Layer 3 interfaces. When you configure security policy to drop traffic or to reset the connection, the traffic does not reach the destination host. In such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this setting allows the source to gracefully close or clear the session and prevents applications from breaking.
- insert_after
  Specifies where the rule should be inserted.
  - If specified with an empty string, the rule will be inserted at the TOP. NOTE: Only one rule should be set to top.
  - If a rule name is specified, the rule will be inserted after the given rule.
  - If this attribute is omitted, the rule will be added at the bottom. NOTE: Rules cannot be moved to the bottom once created. Instead, specify the name of the rule to insert after.
- ip_dscp
  Specify the IP DSCP QoS marking setting; only valid if `qos_type` is `ip-dscp`.
- ip_precedence
  Specify the IP Precedence QoS marking setting; only valid if `qos_type` is `ip-precedence`.
- log_end (defaults to: true)
  Generates a traffic log entry for the end of a session.
- log_setting
  To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, specify which log forwarding profile should be used. Note that the generation of threat log entries is determined by the security profiles.
- log_start
  Generates a traffic log entry for the start of a session.
- negate_destination
  Matches on the reverse of the `destination_address` value.
- negate_source
  Matches on the reverse of the `source_address` value.
- profile_type
  Specify which type of profile will be used. The individual `*_profile` properties (anti-virus, vulnerability, URL filtering, etc.) require `profiles`; `group_profile` requires `group`.
- qos_type
  Specify which QoS profile should be used to change the Quality of Service setting on packets matching the rule.
- rule_type (defaults to: universal)
  Specifies whether the rule applies to traffic within a zone, between zones, or both:
  - universal: Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B and all traffic from zone B to zone A.
  - intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
  - interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to traffic within zones A, B, or C.
- schedule_profile
  Specify the schedule profile to limit the days and times when the rule is in effect.
- services (defaults to: ["application-default"])
  Select services to limit to specific TCP and/or UDP port numbers. The following values are valid:
  - `['any']`: The selected applications are allowed or denied on any protocol or port.
  - `['application-default']`: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols which, if not intentional, can be a sign of undesired application behavior and usage. Note that when you use this option, the firewall still checks for all applications on all ports but, with this configuration, applications are only allowed on their default ports and protocols.
  - A list of services, e.g. `['service-http', 'service-https', 'my_custom_service']`.
- source_address (defaults to: ["any"])
  The list of source addresses, address groups, or regions.
- source_users (defaults to: ["any"])
  The following source values are supported:
  - `['any']`: Include any traffic regardless of user data.
  - `['pre-logon']`: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
  - `['known-user']`: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
  - `['unknown']`: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because guests will have an IP on your network but will not be authenticated to the domain and will not have IP-to-user mapping information on the firewall.
  - Or provide a list of specific users, e.g. `['admin', 'john.doe', 'jane.doe']`.
    Note: If you are using a RADIUS server and not the User-ID agent, the list of users does not display; you must enter user information manually.
- source_zones (defaults to: ["any"])
  Zones must be of the same type (Layer 2, Layer 3, or virtual wire). Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
- spyware_profile
  Specify the spyware profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- tags
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
- url_filtering_profile
  Specify the URL filtering profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- vulnerability_profile
  Specify the vulnerability profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
- wildfire_analysis_profile
  Specify the WildFire analysis profile; can only be set when `profile_type` is `profiles`. To unset, specify `none`.
Parameters
- name (namevar)
  The display-name of the security-policy-rule. Restricted to 31 characters on PAN-OS version 7.1.0.
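An added example manifest (not taken from the module's own documentation) that ties together the `insert_after` ordering rules, `rule_type`, `services => ['application-default']` and the `profile_type` constraints described above; the zone, profile and log-forwarding names are assumptions.

```puppet
# Added example (not from the puppetlabs-panos module); zone, profile and
# log-forwarding profile names are assumed for illustration.

# Top of the rulebase: insert_after => '' means TOP, and only one rule should use
# it. Unlisted match properties keep their ['any'] defaults. icmp_unreachable
# (Layer 3 only) lets the source clear its session instead of hanging.
panos_security_policy_rule { 'block-malware-categories':
  ensure           => present,
  insert_after     => '',
  rule_type        => 'universal',
  categories       => ['malware'],
  services         => ['any'],
  action           => 'drop',
  icmp_unreachable => true,
  description      => 'Drop sessions to the malware URL category',
}

# Interzone allow rule placed directly after the drop rule so its position is
# explicit (a rule appended at the bottom cannot be moved there later).
# application-default keeps the apps on their standard ports; profile_type =>
# 'profiles' is what permits the individual *_profile settings.
panos_security_policy_rule { 'users-to-internet':
  ensure                => present,
  insert_after          => 'block-malware-categories',
  rule_type             => 'interzone',
  source_zones          => ['trust-users'],      # assumed zone names
  destination_zones     => ['untrust'],
  source_users          => ['known-user'],       # only IPs with a user mapping
  applications          => ['web-browsing', 'ssl'],
  services              => ['application-default'],
  action                => 'allow',
  profile_type          => 'profiles',
  anti_virus_profile    => 'default',            # assumed profile names
  vulnerability_profile => 'strict',
  spyware_profile       => 'default',
  url_filtering_profile => 'default',
  file_blocking_profile => 'none',               # explicitly unset
  log_start             => false,
  log_end               => true,
  log_setting           => 'forward-to-panorama', # assumed forwarding profile
  tags                  => ['puppet-managed'],
}

# Intrazone rule: set source_zones only; destination_zones is not valid here.
panos_security_policy_rule { 'dc-servers-intrazone':
  ensure       => present,
  insert_after => 'users-to-internet',
  rule_type    => 'intrazone',
  source_zones => ['dc-servers'],
  action       => 'allow',
}
```

Because each rule names its predecessor in `insert_after`, a later run that adds or removes a rule keeps the intended order instead of relying on creation sequence.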