panos

Table of Contents

1. Module Description - What the module does and why it is useful
2. Setup - The basics of getting started with PANOS
   • Setup requirements
   • Getting started with PANOS
   • SSL Certificate Verification
3. Usage - Configuration options and additional functionality
4. Reference - An under-the-hood peek at what the module is doing and how
5. Limitations - OS compatibility, etc.
6. Development - Guide for contributing to the module

Module Description

The PANOS module configures Palo Alto firewalls running PANOS 7.1.0 or PANOS 8.1.0.

When committing changes to resources, include panos_commit in your manifest, or execute the commit task. You must do this before they can be made available to the running configuration.

The module provides a Puppet task to manually commit, store_config to a file, and set_config from a file.

Setup

Install the module on either a Puppet server or Puppet agent, by running puppet module install puppetlabs-panos. To install from source, download the tar file from GitHub and run puppet module install <file_name>.tar.gz --force.

This module installs the Builder and Puppet Resource API gems, if necessary. To activate the Puppet Resource API gem on the server, reload the puppetserver service. In most cases, this happens automatically and causes little to no interruption to service.

Setup Requirements

Device access

The PANOS module requires access to the device's web management interface.

Proxy Puppet agent

Since a Puppet agent is not available for Palo Alto devices, we need a proxy Puppet agent (either a compile server, or another agent) to run Puppet on behalf of the device.

Install dependencies

Once the module has been installed, install dependencies of the module:

1. Classify or apply the panos class on each server (server of servers, and if present, compile servers and replica server) that serves catalogs for this module.
2. Classify or apply the panos class on each proxy Puppet agent that proxies for Palo Alto devices.

Run puppet agent -t on the server(s) before using the module on the agent(s).

Getting started with PANOS

To get started, create or edit /etc/puppetlabs/puppet/device.conf on the proxy Puppet agent, add a section for the device (this will become the device's certname), specify a type of panos, and specify a url to a credentials file.

For example:

[firewall.example.com]
type panos
url file:////etc/puppetlabs/puppet/devices/firewall.example.com.conf

Next, create a credentials file. See the HOCON documentation for information on quoted/unquoted strings and connecting the device.

There are two valid types of credential files that can be placed in /etc/puppetlabs/puppet/devices/firewall.example.com.conf:

• (a) A file containing the host, username and password in plain text, for example:

  host: 10.0.10.20
  user: admin
  password: admin
  ssl: false
  

• (b) A file containing the host and an API key obtained from the device, for example:

  host: 10.0.10.20
  apikey: LUFRPT10cHhRNXMyR2wrYW1MSzg5cldhNElodmVkL1U9OEV1cGY5ZjJyc2xGL1Z4Qk9TNFM2dz09
  ssl: false
  

To obtain an API key for the device, it is possible to use the panos::apikey task. Before running this task, install the module on your machine, along with Puppet Bolt. When complete, execute the following command:

bolt task run panos::apikey --nodes pan --modulepath <module_installation_dir> --inventoryfile <inventory_yaml_path>

The following inventory file can be used to connect to your firewall.

# inventory.yaml
nodes:
  - name: firewall.example.com
    alias: pan
    config:
      transport: remote
      remote:
        remote-transport: panos
        user: admin
        password: admin
        ssl: false

The --modulepath param can be retrieved by typing puppet config print modulepath.

Test your setup and get the certificate signed:

puppet device --verbose --target firewall.example.com

This will sign the certificate and set up the device for Puppet.

For more information, see the puppet device documentation

To get more practice using PANOS, try out the hands-on labs.

SSL Certificate Verification

To configure SSL certificate verification, add the following ssl keys to your credentials file:

• ssl: to enable SSL verification. Valid options are false, where no certificate verification happens but HTTPS is still used, or true, where certificate verification occurs. It defaults to true.
• ssl_ca_file: the full path to a CA certificate in PEM format. The certificate of the target needs to be signed by this CA. The file needs to exist on the proxy agent's local file system. Only one of ssl_ca_file and ssl_fingerprint can be provided. Example: '/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem'. Alternatively it will use the certs in OpenSSL::X509::DEFAULT_CERT_FILE, e.g.:

ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE' if no ssl.ca_file is provided

• ssl_fingerprint: a string specifying the SHA256 fingerprint of the firewall's certificate in hex notation. This can be generated by openssl x509 -sha256 -fingerprint -noout -in cert.pem or seen in your browser's SSL certificate information. Only one of ssl_ca_file and ssl_fingerprint can be provided. Example: '9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13'
• ssl_ciphers: array specifying the allowed ciphers for the connection, a list of supported ciphers can be displayed by executing ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers', for more details refer to the OpenSSL docs on ciphers.
• ssl_version: a string representing the ssl version, e.g. SSLv23 is the default, alternatively the following can be specified:

TLSv1
TLSv1_1
TLSv1_2

For more information refer to the OpenSSL docs.

NOTE: Although not advisable, you can turn off SSL by setting ssl: false. In doing so you increase the risk of your firewall configuration being hijacked by a potential attacker.

host: 10.0.10.20
username: admin
password: admin
ssl_ciphers: [ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, AES256-GCM-SHA384]
ssl: true
ssl_version: SSLv23
ssl_fingerprint: "EA:21:E5:8F:13:98:73:DB:A6:25:0D:10:1A:08:57:55:34:B4:2C:A8:73:B9:CE:DC:96:4A:74:70:14:A0:7B:6D"

Usage

Now you can manage resources on the Palo Alto device. The module gives you access to various resources on the Palo Alto device, listed in the REFERENCE.md.

The repo's acceptance test examples contain a useful reference on the use of the module's Types.

Note: pw_hash function in the above example requires puppetlabs-stdlib

Puppet Device

To get information from the device, use the puppet device --resource command. For example, to retrieve addresses on the device, run the following:

puppet device --resource --target firewall.example.com panos_address

To create a new address, write a manifest. Start by making a file named manifest.pp with the following content:

panos_address { 'somenewaddress':
  ensure => 'present',
  ip_range => '10.0.0.1-10.0.0.5',
  tags => [],
}

Execute the following command:

puppet device --target firewall.example.com --apply manifest.pp

This will apply the manifest. Puppet will check if the address already exists and if it is absent it will create it (idempotency check). When you query for addresses you will see that the new address is available. To do this, run the following command again:

puppet device --resource --target firewall.example.com panos_address

Note that if you get errors, run the above commands with --verbose - this will give you error message output.

Reference

For full type reference documentation, see the REFERENCE.md

Limitations

This module has only been tested with PANOS 7.1.0 and 8.1.0

Development

Contributions are welcome, especially if they can be of use to other users.

Checkout the repo by forking and creating your feature branch.

Type

Add new types to the type directory. We use the Resource API format.

These PANOS types extend the Resource API by adding in xpath values, which are used by their respective providers when retireving data from the PANOS API. If the attribute expects multiple values to be returned, it will declare xpath_array.

Here is a simple example:

  require 'puppet/resource_api'

  Puppet::ResourceApi.register_type(
    name: 'new_thing',
    docs: 'Configure the new thing of the device',
    features: ['remote_resource'],
    base_xpath: 'some/xapth/to/the/type',
    attributes: {
      ensure:       {
        type:       'Enum[present, absent]',
        desc:       'Whether the new thing should be present or absent on the target system.',
        default:    'present',
      },
      name:         {
        type:      'String',
        desc:      'The name of the new thing',
        xpath:     'some/xapth/to/the/type',
        behaviour: :namevar,
      },
      # Other fields in resource API format
    },
  )

Provider

Add a provider — see existing examples. Parsing logic is contained in each types respective provider directory with a common base provider available.

Testing

There are two levels of testing found under spec.

To test this module you will need to have a Palo Alto machine available. The virtual machine images from their support area work fine in VirtualBox and VMware. Alternatively you can use the PAYG offering on AWS. Note that the VMs do not need to have license deployed that is usable for development.

• XML API docs
• Palo Alto on AWS

Unit Testing

Unit tests test the parsing and command generation logic, executed locally.

First execute bundle exec rake spec_prep to ensure that the local types are made available to the spec tests. Then execute with bundle exec rake spec.

Acceptance Testing

Acceptance tests are executed on actual devices.

Use test values and make sure that these are non-destructive.

The acceptance tests locate the Palo Alto box that is used for testing through environment variables. The current test setup allows for three different scenarios:

• Static configuration: the VM or physical box is already running somewhere. Set PANOS_TEST_HOST to the FQDN/IP of the box and PANOS_TEST_PLATFORM to a platform string in the form of palo-alto-VERSION-x86_64.
• VMPooler: if you have a VMPooler instance available, set VMPOOLER_HOST to the hostname of your VMPooler instance (it defaults to Puppet's internal service), and PANOS_TEST_PLATFORM to the platform string of VMPooler you want to use.
• ABS: when running on Puppet's internal infrastructure, it passes reserved instances into the job through ABS_RESOURCE_HOSTS.

To specify the username and password used to connect to the box, set PANOS_TEST_USER and PANOS_TEST_PASSWORD respectively. Palo Alto's VMs default to admin/admin, which is also used as a default, if you don't specify anything.

After you have configured the system under test, you can run the acceptance tests directly using:

bundle exec rspec spec/acceptance

or using the legacy rake task

bundle exec rake beaker

Cutting a release

To cut a new release, from a current main checkout:

• Start the release branch with git checkout -b release-prep
• Execute the Puppet Strings rake task to update the REFERENCE.md:

bundle exec rake 'strings:generate[,,,,,REFERENCE.md,true]'

• Make sure that all PRs are tagged appropriately

Reference

Table of Contents

Classes

• panos: This class calls the panos::install class.
• panos::agent: This class installs dependencies of this module into puppet agent
• panos::install: This class installs dependencies of this module into the puppet agent, and/or the puppetserver service.
• panos::install::agent: This class install dependencies of this module into puppet agent
• panos::install::server: This class installs dependencies of this module into puppetserver, and restarts the puppetserver service to activate.
• panos::server: This class installs dependencies of this module into puppetserver, and restarts the puppetserver service to activate.

Resource types

• panos_address: This type provides Puppet with the capabilities to manage "address" objects on Palo Alto devices.
• panos_address_group: This type provides Puppet with the capabilities to manage "address_groups" objects on Palo Alto devices.
• panos_admin: This type provides Puppet with the capabilities to manage "administrator" user accounts on Palo Alto devices.
• panos_arbitrary_commands: This type provides Puppet with the capabilities to execute arbitrary configuration commands on Palo Alto devices.
• panos_commit: When evaluated, this resource commits all outstanding changes in the target device's configuration to the active configuration.
• panos_ipv6_path_monitor: This type provides Puppet with the capabilities to manage IPv6 Path Monitors on Palo Alto devices.
• panos_ipv6_static_route: This type provides Puppet with the capabilities to manage IPv6 Static Routes on Palo Alto devices.
• panos_nat_policy: This type provides Puppet with the capabilities to manage "NAT Policy Rule" objects on Palo Alto devices.
• panos_path_monitor: This type provides Puppet with the capabilities to manage IPv4 Path Monitors on Palo Alto devices.
• panos_security_policy_rule: This type provides Puppet with the capilities to manage "Security Policy Rules" on Palo Alto devices.
• panos_service: This type provides Puppet with the capabilities to manage "service" objects on Palo Alto devices.
• panos_service_group: This type provides Puppet with the capabilities to manage "Service Group" objects on Palo Alto devices.
• panos_static_route: This type provides Puppet with the capabilities to manage IPv4 Static Routes on Palo Alto devices.
• panos_tag: This type provides Puppet with the capabilities to manage "tags" objects on Palo Alto devices.
• panos_virtual_router: This type provides Puppet with the capabilities to manage "virtual router" objects on Palo Alto devices.
• panos_zone: This type provides Puppet with the capabilities to manage "zone" objects on Palo Alto devices.

Tasks

• apikey: Retrieve a PAN-OS apikey
• commit: Commit a candidate configuration to a firewall.
• set_config: upload and/or apply a configuration to a firewall.
• store_config: Retrieve the configuration running on the firewall and save to local file.

Classes

panos

This class calls the panos::install class.

Examples

Declaring the class

include panos

panos::agent

This class installs dependencies of this module into puppet agent

• Note Deprecated, use panos::install::agent

Examples

Declaring the class

include panos::agent

panos::install

This class installs dependencies of this module into the puppet agent, and/or the puppetserver service.

Examples

Declaring the class

include panos::install

panos::install::agent

This class install dependencies of this module into puppet agent

Examples

Declaring the class

include panos::install::agent

panos::install::server

This class installs dependencies of this module into puppetserver, and restarts the puppetserver service to activate.

Examples

Declaring the class

include panos::install::server

panos::server

This class installs dependencies of this module into puppetserver, and restarts the puppetserver service to activate.

• Note Deprecated, use panos::install::server

Examples

Declaring the class

include panos::server

Resource types

panos_address

This type provides Puppet with the capabilities to manage "address" objects on Palo Alto devices.

Properties

The following properties are available in the panos_address type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

description

Data type: Optional[String]

Provide a description of this address.

ip_netmask

Data type: Optional[String]

Provide an IP address or a network using the slash notation (Ex. 192.168.80.150 or 192.168.80.0/24). You can also provide an IPv6 address or an IPv6 address with its prefix (Ex. 2001:db8:123:1::1 or 2001:db8:123:1::/64). You need to provide exactly one of ip_netmask, ip_range, or fqdn.

ip_range

Data type: Optional[String]

Provide an IP address range (Ex. 10.0.0.1-10.0.0.4). Each of the IP addresses in the range can also be in an IPv6 form (Ex. 2001:db8:123:1::1-2001:db8:123:1::11). You need to provide exactly one of ip_netmask, ip_range, or fqdn.

fqdn

Data type: Optional[String]

Provide a fully qualified domain name. You need to provide exactly one of ip_netmask, ip_range, or fqdn. The FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle The FQDN is resolved by the system DNS server or a DNS proxy object, if a proxy is configured.

tags

Data type: Array[String]

The Palo Alto tags to apply to this address. Do not confuse this with the tag metaparameter used to filter resource application.

Default value: []

Parameters

The following parameters are available in the panos_address type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the address.

panos_address_group

This type provides Puppet with the capabilities to manage "address_groups" objects on Palo Alto devices.

Properties

The following properties are available in the panos_address_group type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

description

Data type: Optional[String]

Provide a description of this address-group.

type

Data type: Enum["static", "dynamic"]

A static or dynamic address-group.

static_members

Data type: Optional[Array[String]]

One or more panos_address or panos_address_group that form this group. Used only when type is static.

dynamic_filter

Data type: Optional[String]

To create a dynamic address group, use the match criteria to assemble the members to be included in the group. Define the Match criteria using the AND or OR operators. example: 'tag1' and 'tag2' or 'tag3' Used only when type is dynamic.

tags

Data type: Array[String]

The Palo Alto tags to apply to this address-group. Do not confuse this with the tag metaparameter used to filter resource application.

Default value: []

Parameters

The following parameters are available in the panos_address_group type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the address-group.

panos_admin

This type provides Puppet with the capabilities to manage "administrator" user accounts on Palo Alto devices.

Properties

The following properties are available in the panos_admin type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

password_hash

Data type: Optional[String]

Provide a password hash.

authentication_profile

Data type: Optional[String]

Provide an authentication profile. You can use this setting for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication.

client_certificate_only

Data type: Boolean

Enable this option to use client certificate authentication for web access. If you select this option, a username and password are not required; the certificate is sufficient to authenticate access to the firewall.

ssh_key

Data type: Optional[String]

Provide the users public key in plain text

role

Data type: Enum["superuser", "superreader", "devicereader", "deviceadmin", "custom"]

Specify the access level for the administrator.

• superuser: Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.

• superreader: Has read-only access to the firewall.

• deviceadmin: Has full access to all firewall settings except for defining new accounts or virtual systems.

• devicereader: Has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).

role_profile

Data type: Optional[String]

Specify the role profile for the user The following built in roles are available:

• auditadmin: The Audit Administrator is responsible for the regular review of the firewall’s audit data.

• cryptoadmin: The Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.

• securityadmin: The Security Administrator is responsible for all other administrative tasks (e.g. creating the firewall’s security policy) not addressed by the other two administrative roles.

Parameters

The following parameters are available in the panos_admin type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\.]{1,31}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The username.

panos_arbitrary_commands

This type provides Puppet with the capabilities to execute arbitrary configuration commands on Palo Alto devices.

Properties

The following properties are available in the panos_arbitrary_commands type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

xml

Data type: String

The XML to be set on the device. If working with large XML structures it is recommended to use the file() function e.g.: file(path/to/file.xml).

Parameters

The following parameters are available in the panos_arbitrary_commands type.

xpath

namevar

Data type: String

The PANOS API XPath on which to set the xml.

panos_commit

When evaluated, this resource commits all outstanding changes in the target device's configuration to the active configuration.

• Note It is automatically scheduled after all other PANOS resources.

Properties

The following properties are available in the panos_commit type.

commit

Data type: Boolean

Whether a commit should happen

Parameters

The following parameters are available in the panos_commit type.

name

namevar

Data type: Enum["commit"]

The name of the resource you want to manage. Can only be "commit".

panos_ipv6_path_monitor

This type provides Puppet with the capabilities to manage IPv6 Path Monitors on Palo Alto devices.

• Note Can only be configured on PAN-OS 8.1.0 devices.

Properties

The following properties are available in the panos_ipv6_path_monitor type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

source

Data type: String

Specify the IP address that the firewall will use as the source in the ICMP ping to the monitored destination:

• If the interface has multiple IP addresses, select one.
• If you specify an interface, the firewall uses the first IP address assigned to the interface by default.
• If you specify DHCP (Use DHCP Client address), the firewall uses the address that DHCP assigned to the interface. To see the DHCP address, select NetworkInterfacesEthernet and in the row for the Ethernet interface, click on Dynamic DHCP Client. The IP Address appears in the Dynamic IP Interface Status window.

destination

Data type: String

Specify a robust, stable IP address or address object for which the firewall will monitor the path. The monitored destination and the static route destination must use the same address family (IPv4 or IPv6)

interval

Data type: String

Specify the ICMP ping interval in seconds to determine how frequently the firewall monitors the path (pings the monitored destination; range is 1-60; default is 3).

Default value: 3

count

Data type: String

Specify the number of consecutive ICMP ping packets that do not return from the monitored destination before the firewall considers the link down. Based on the Any or All failure condition, if path monitoring is in failed state, the firewall removes the static route from the RIB (range is 3-10; default is 5).

For example, a Ping Interval of 3 seconds and Ping Count of 5 missed pings (the firewall receives no ping in the last 15 seconds) means path monitoring detects a link failure. If path monitoring is in failed state and the firewall receives a ping after 15 seconds, the link is deemed up; based on the Any or All failure condition, path monitoring to Any or All monitored destinations can be deemed up, and the Preemptive Hold Time starts.

Default value: 5

enable

Data type: Optional[Boolean]

Select to enable path monitoring of this specific destination for the static route; the firewall sends ICMP pings to this destination.

Parameters

The following parameters are available in the panos_ipv6_path_monitor type.

path

namevar

Data type: String

The name to identify the path monitor with.

route

namevar

Data type: String

A name to identify a static route.

panos_ipv6_static_route

This type provides Puppet with the capabilities to manage IPv6 Static Routes on Palo Alto devices.

Properties

The following properties are available in the panos_ipv6_static_route type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

nexthop

Data type: Optional[String]

The address of the next hop location for the route

nexthop_type

Data type: Optional[Enum["ipv6-address", "next-vr", "discard", "none"]]

The type of address used for the next hop.

• ipv6-address: Select to enter the IP address of the next hop router.
• next-vr: Select to select a virtual router in the firewall as the next hop. This allows you to route internally between virtual routers within a single firewall.
• discard: Select if you want to drop traffic that is addressed to this destination.
• none: Select if there is no next hop for the route.

bfd_profile

Data type: String

To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, specify one of the following:

• default: a BFD profile that you have created on the firewall
• None: to disable BFD for the static route.

To use BFD on a static route:

• Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
• The static route nexthop_type must be ip-address and you must enter a valid IP address in nexthop.
• The interface attribute cannot be none; you must specify an interface (even if you are using a DHCP address).

Default value: None

interface

Data type: Optional[String]

The interface used by the route, interfaces pulled from the virtual router this belongs to.

metric

Data type: Variant[String, Integer[1, 65535]]

Specify a valid metric for the static route (1 - 65535).

Default value: 10

admin_distance

Data type: Optional[Variant[String,Integer[10, 240]]]

Specify the administrative distance for the static route (10-240; default is 10).

destination

Data type: String

Enter an IP address and network mask in Classless Inter-domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24 for IPv4 or 2001:db8::/32 for IPv6).

no_install

Data type: Boolean

Select if you do not want to install the route in the forwarding table. The route is retained in the configuration for future reference. Note: can only be set on PAN-OS version 7.1.0.

route_type

Data type: Optional[Enum["unicast", "multicast", "both", "no-install"]]

Specify the route table into which the firewall installs the static route:

• unicast: Installs the route into the unicast route table.
• multicast: Installs the route into the multicast route table.
• both: Installs the route into the unicast and multicast route tables.
• no-install: Does not install the route in the route table (RIB); the firewall retains the static route for future reference until you delete the route.

Note: can only be set on PAN-OS version 8.1.0.

path_monitoring

Data type: Optional[Boolean]

Specify true to enable path monitoring for the static route.

Note: can only be set on PAN-OS version 8.1.0. Note: must be enabled if using panos_ipv6_monitor_destinations for the static route.

failure_condition

Data type: Optional[Enum["any", "all"]]

Specify the condition under which the firewall considers the monitored path down and thus the static route down:

• any: If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
• all: If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.

Specify all to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.

Note: can only be set on PAN-OS version 8.1.0.

enable

Data type: Optional[Boolean]

Specify true to enable path monitoring of this specific destination for the static route; the firewall sends ICMP pings to this destination.

Note: can only be set on PAN-OS version 8.1.0.

hold_time

Data type: Optional[Variant[String, Integer[0, 1440]]]

Specify the number of minutes a downed path monitor must remain in Up stat:the path monitor evaluates all of its member monitored destinations and must remain Up before the firewall reinstalls the static route into the RIB. If the timer expires without the link going down or flapping, the link is deemed stable, path monitor can remain Up, and the firewall can add the static route back into the RIB.

If the link goes down or flaps during the hold time, path monitor fails and the timer restarts when the downed monitor returns to Up state. A Preemptive Hold Time of zero causes the firewall to reinstall the static route into the RIB immediately upon the path monitor coming up. Range is 0-1,440; default is 2.

Note: can only be set on PAN-OS version 8.1.0.

Parameters

The following parameters are available in the panos_ipv6_static_route type.

route

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,31}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

A name to identify a static route.

vr_name

namevar

Data type: String

The name of the virtual router the static route is associate with.

panos_nat_policy

This type provides Puppet with the capabilities to manage "NAT Policy Rule" objects on Palo Alto devices.

Properties

The following properties are available in the panos_nat_policy type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

description

Data type: Optional[String]

A description of the NAT Policy Rule

nat_type

Data type: Enum["ipv4", "nat64", "nptv6"]

The nat type of the policy

Default value: ipv4

from

Data type: Array[String]

Specify one or more source zones for the original (non-NAT) packet. Zones must be of the same type (Layer 2, Layer 3, or virtual wire). You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.

Default value: ["any"]

to

Data type: Array[String]

Specify one or more destinations zones for the original (non-NAT) packet. Zones must be of the same type (Layer 2, Layer 3, or virtual wire). You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.

destination_interface

Data type: Optional[String]

Specify the destination interface of packets the firewall translates. You can use the destination interface to translate IP addresses differently in the case where the network is connected to two ISPs with different IP address pools

service

Data type: String

Specify the service for which the firewall translates the source or destination address.

Default value: any

source

Data type: Array[String]

Specify a combination of source addresses for the firewall to translate. For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.

Default value: ["any"]

destination

Data type: Array[String]

Specify a combination of destination addresses for the firewall to translate. For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.

Default value: ["any"]

source_translation_type

Data type: Optional[Enum["dynamic-ip", "static-ip", "dynamic-ip-and-port", "none"]]

The size of the address range is limited by the type of address pool:

• dynamic-ip-and-port: Address selection is based on a hash of the source IP address. For a given source IP address, the firewall will use the same translated source address for all sessions. Dynamic IP and Port source NAT supports approximately 64k concurrent sessions on each IP address in the NAT pool. On some platforms, over-subscription is supported, which will allow a single IP to host more than 64k concurrent sessions. Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. The firewall can use IP address and port combinations up to two times (simultaneously) on the PA-200, PA-500, PA-2000 Series and PA-3000 Series firewalls, four times on the PA-4020 and PA-5020 firewalls, and eight times on the PA‑4050, PA-4060, PA-5050, and PA-5060 firewalls when destination IP addresses are unique.

• dynamic-ip: The next available address in the specified range is used, but the port number is unchanged. Up to 32k consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.

  • Advanced (Fall back Dynamic IP Translation)—Use this option to create a fall back pool that will perform IP and port translation and will be used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option, which is for interfaces that receive an IP address dynamically. When creating a fall back pool, make sure addresses do not overlap with addresses in the primary pool.

• static-ip: The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.

  • NPTv6 must use Static IP translation for Source Address Translation. For NPTv6, the prefixes configured for Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.

• None: Translation is not performed.

sat_interface

Data type: Optional[String]

The interface used in SAT

sat_interface_ip

Data type: Optional[String]

The interface used in SAT

source_translated_address

Data type: Optional[Array[String]]

The translated source addresses.

source_translated_static_address

Data type: Optional[String]

The translated source addresses.

fallback_address_type

Data type: Optional[Enum["translated-address", "interface-address"]]

Whether the NAT policy used translated-address or interface-address as a fallback

fallback_address

Data type: Optional[Array[String]]

The translated addresses used as a fallback. Required if fallback_address_type is set to translated-address

fallback_interface

Data type: Optional[String]

The interface used as fallback. Required if fallback_address_type is set to interface-address

fallback_interface_ip

Data type: Optional[String]

The ip of the interface used as fallback. Required if fallback_address_type is set to interface-address

fallback_interface_ip_type

Data type: Optional[Enum["floating-ip", "ip"]]

The type of ip for the interface used as fallback. Required if fallback_address_type is set to interface-address

bi_directional

Data type: Optional[Boolean]

Enable bidirectional translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure. Note: If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.

destination_translated_address

Data type: Optional[String]

The address to which the packets are translated.

For NPTv6, the prefixes configured for Destination prefix Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.

destination_translated_port

Data type: Optional[String]

The port of the translated address

Note that Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.

disable

Data type: Optional[Boolean]

A boolean control to disable the NAT policy.

tags

Data type: Optional[Array[String]]

A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.

insert_after

Data type: Optional[String]

Specifies where the rule should be inserted.

• If specified with an empty string, the rule will be inserted at the TOP. NOTE: Only one rule should be set to top
• If a rule name is specified, the rule will be inserted after the given rule.
• If this attribute is omitted, the rule will be added at the bottom. NOTE: Rules cannot be moved to the bottom once created. Instead specify the rule name to insert after.

Parameters

The following parameters are available in the panos_nat_policy type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the zone. Restricted to 31 characters on PAN-OS version 7.1.0.

panos_path_monitor

This type provides Puppet with the capabilities to manage IPv4 Path Monitors on Palo Alto devices.

• Note Can only be configured on PAN-OS 8.1.0 devices.

Properties

The following properties are available in the panos_path_monitor type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

source

Data type: String

Specify the IP address that the firewall will use as the source in the ICMP ping to the monitored destination:

• If the interface has multiple IP addresses, select one.
• If you specify an interface, the firewall uses the first IP address assigned to the interface by default.
• If you specify DHCP (Use DHCP Client address), the firewall uses the address that DHCP assigned to the interface. To see the DHCP address, select NetworkInterfacesEthernet and in the row for the Ethernet interface, click on Dynamic DHCP Client. The IP Address appears in the Dynamic IP Interface Status window.

destination

Data type: String

Specify a robust, stable IP address or address object for which the firewall will monitor the path. The monitored destination and the static route destination must use the same address family (IPv4 or IPv6)

interval

Data type: Optional[String]

Specify the ICMP ping interval in seconds to determine how frequently the firewall monitors the path (pings the monitored destination; range is 1-60; default is 3).

Default value: 3

count

Data type: Optional[String]

Specify the number of consecutive ICMP ping packets that do not return from the monitored destination before the firewall considers the link down. Based on the Any or All failure condition, if path monitoring is in failed state, the firewall removes the static route from the RIB (range is 3-10; default is 5).

For example, a Ping Interval of 3 seconds and Ping Count of 5 missed pings (the firewall receives no ping in the last 15 seconds) means path monitoring detects a link failure. If path monitoring is in failed state and the firewall receives a ping after 15 seconds, the link is deemed up; based on the Any or All failure condition, path monitoring to Any or All monitored destinations can be deemed up, and the Preemptive Hold Time starts.

Default value: 5

enable

Data type: Optional[Boolean]

Select to enable path monitoring of this specific destination for the static route; the firewall sends ICMP pings to this destination.

Parameters

The following parameters are available in the panos_path_monitor type.

path

namevar

Data type: String

The name to identify the path monitor with.

route

namevar

Data type: String

A name to identify the static route which is usually the virtual router name followed by a forward slash.

panos_security_policy_rule

This type provides Puppet with the capilities to manage "Security Policy Rules" on Palo Alto devices.

Properties

The following properties are available in the panos_security_policy_rule type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

rule_type

Data type: Enum["universal", "interzone", "intrazone"]

Specifies whether the rule applies to traffic within a zone, between zones, or both:

• universal: Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal role with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.

• intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

• interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.

Default value: universal

description

Data type: Optional[String]

Provide a description of the service.

tags

Data type: Optional[Array[String]]

A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.For example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

source_zones

Data type: Array[String]

Zones must be of the same type (Layer 2, Layer 3, or virtual wire).

Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Default value: ["any"]

source_address

Data type: Array[String]

The list of source addresses, address groups, or regions

Default value: ["any"]

negate_source

Data type: Optional[Boolean]

Matches on the reverse of the source_address value.

source_users

Data type: Array[String]

The following source values are supported:

• ['any']: Include any traffic regardless of user data.

• ['pre-logon']: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.

• ['known-user']: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.

• ['unknown']: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest level access to something because they will have an IP on your network but will not be authenticated to the domain and will not have IP to user mapping information on the firewall.

• Or provide a list of specific users. E.g. ['admin','john.doe','jane.doe']

Note: If you are using a RADIUS server and not the User-ID agent, the list of users does not display; you must enter user information manually.

Default value: ["any"]

hip_profiles

Data type: Array[String]

Specifiy one or more HIP profiles. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed access to your network resources.

Default value: ["any"]

destination_zones

Data type: Array[String]

Specify one or more destination zones. Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to “Defining Security Zones”. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Note: On intrazone rules, you cannot define a Destination Zone because these types of rules only match traffic with a source and a destination within the same zone. To specify the zones that match an intrazone rule you only need to set the Source Zone.

Default value: ["any"]

destination_address

Data type: Array[String]

Specify one or more destination addresses, address groups or regions

Default value: ["any"]

negate_destination

Data type: Optional[Boolean]

Matches on the reverse of the destination_address value.

applications

Data type: Array[String]

Select specific applications for the security rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added.

Default value: ["any"]

services

Data type: Array[String]

Select services to limit to specific TCP and/or UDP port numbers. The following values are valid:

• ['any']: The selected applications are allowed or denied on any protocol or port.

• ['application-default']: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocol which, if not intentional, can be a sign of undesired application behavior and usage.

Note that when you use this option, the firewall still checks for all applications on all ports but, with this configuration, applications are only allowed on their default ports and protocols.

• A list of services. E.g. ['service-http', 'service-https', 'my_custom_service']

Default value: ["application-default"]

categories

Data type: Array[String]

The destination URL categories. The following values are valid:

• ['any']: Allow or deny all sessions regardless of the URL category.

• A list of specific categories or custom categories. E.g ['gambling','malware','my_custom_category']

Default value: ["any"]

action

Data type: Enum["deny", "allow", "drop", "reset-client", "reset-server", "reset-both"]

To specify the action for traffic that matches the attributes defined in a rule, select from the following actions:

• allow: Allows the traffic.

• deny: Blocks traffic, and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications. Because the default deny action varies by application, the firewall could block the session and send a reset for one application, while it could drop the session silently for another application.

• drop: Silently drops the application. A TCP reset is not sent to the host/application, unless ICMP Unreachable is set to true.

• reset-client: Sends a TCP reset to the client-side device.

• reset-server: Sends a TCP reset to the server-side device.

• reset-both: Sends a TCP reset to both the client-side and server-side devices.

Default value: allow

icmp_unreachable

Data type: Optional[Boolean]

Only available for Layer 3 interfaces. When you configure security policy to drop traffic or to reset the connection, the traffic does not reach the destination host. In such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this setting allows the source to gracefully close or clear the session and prevents applications from breaking.

log_start

Data type: Optional[Boolean]

Generates a traffic log entry for the start of a session

log_end

Data type: Optional[Boolean]

Generates a traffic log entry for the end of a session

Default value: true

log_setting

Data type: Optional[String]

To forward the local traffic log and threat log entries to remote destinations, such as Panorama and syslog servers, specifiy which log forwarding profile should be used. Note that the generation of threat log entries is determined by the security profiles.

profile_type

Data type: Optional[Enum["profiles", "group", "none"]]

Specify which type of profile will be used.

group_profile

Data type: Optional[String]

Specify the group profile, can only be set when profile_type is group.

anti_virus_profile

Data type: Optional[String]

Specify the anti-virus profile, can only be set when profile_type is profiles. To unset specify none.

url_filtering_profile

Data type: Optional[String]

Specify the URL filtering profile, can only be set when profile_type is profiles. To unset specify none.

data_filtering_profile

Data type: Optional[String]

Specify the data filtering profile, can only be set when profile_type is profiles. To unset specify none.

file_blocking_profile

Data type: Optional[String]

Specify the file blocking profile, can only be set when profile_type is profiles. To unset specify none.

spyware_profile

Data type: Optional[String]

Specify the spyware profile, can only be set when profile_type is profiles. To unset specify none.

vulnerability_profile

Data type: Optional[String]

Specify the vulnerability profile, can only be set when profile_type is profiles. To unset specify none.

wildfire_analysis_profile

Data type: Optional[String]

Specify the wildfire analysis profile, can only be set when profile_type is profiles. To unset specify none.

schedule_profile

Data type: Optional[String]

Specify the schedule profile to limit the days and times when the rule is in effect

qos_type

Data type: Optional[Enum["follow-c2s-flow", "ip-precedence", "ip-dscp", "none"]]

Specify which QoS profile should be used to change the Quality of Service setting on packets matching the rule.

ip_dscp

Data type: Optional[String]

Specify the IP DSCP QoS marking setting, only if qos_type is ip-dscp.

ip_precedence

Data type: Optional[String]

Specify the IP Precedence QoS marking setting, only if qos_type is ip-precedence.

disable_server_response_inspection

Data type: Optional[Boolean]

To disable packet inspection from the server to the client, enable this option. This option may be useful under heavy server load conditions.

disable

Data type: Optional[Boolean]

Specify if the security policy rule should be disabled.

insert_after

Data type: Optional[String]

Specifies where the rule should be inserted.

• If specified with an empty string, the rule will be inserted at the TOP. NOTE: Only one rule should be set to top
• If a rule name is specified, the rule will be inserted after the given rule.
• If this attribute is omitted, the rule will be added at the bottom. NOTE: Rules cannot be moved to the bottom once created. Instead specify the rule name to insert after.

Parameters

The following parameters are available in the panos_security_policy_rule type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the security-policy-rule. Restricted to 31 characters on PAN-OS version 7.1.0.

panos_service

This type provides Puppet with the capabilities to manage "service" objects on Palo Alto devices.

Properties

The following properties are available in the panos_service type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

description

Data type: Optional[String]

Provide a description of this service.

protocol

Data type: Enum["tcp", "udp"]

Specify the protocol used by the service

Default value: tcp

port

Data type: String

Port can be a single port number, a range 1-65535, or comma separated values 80, 8080, 443

src_port

Data type: Optional[String]

Port can be a single port number, a range 1-65535, or comma separated values 80, 8080, 443

tags

Data type: Array[String]

The Palo Alto tags to apply to this address-group. Do not confuse this with the tag metaparameter used to filter resource application.

Default value: []

Parameters

The following parameters are available in the panos_service type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the service.

panos_service_group

This type provides Puppet with the capabilities to manage "Service Group" objects on Palo Alto devices.

Properties

The following properties are available in the panos_service_group type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

services

Data type: Array[String]

An array of panos_service, or panos_service_group that form this group.

tags

Data type: Array[String]

The Palo Alto tags to apply to this service-group. Do not confuse this with the tag metaparameter used to filter resource application.

Default value: []

Parameters

The following parameters are available in the panos_service_group type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,63}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the service-group.

panos_static_route

This type provides Puppet with the capabilities to manage IPv4 Static Routes on Palo Alto devices.

Properties

The following properties are available in the panos_static_route type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

nexthop

Data type: Optional[String]

The address of the next hop location for the route

nexthop_type

Data type: Optional[Enum["ip-address", "next-vr", "discard", "none"]]

The type of address used for the next hop.

• ip-address: Select to enter the IP address of the next hop router.
• next-vr: Select to select a virtual router in the firewall as the next hop. This allows you to route internally between virtual routers within a single firewall.
• discard: Select if you want to drop traffic that is addressed to this destination.
• none: Select if there is no next hop for the route.

bfd_profile

Data type: String

To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, specify one of the following:

• default: a BFD profile that you have created on the firewall
• none: to disable BFD for the static route.

To use BFD on a static route:

• Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
• The static route nexthop_type must be ip-address and you must enter a valid IP address in nexthop.
• The interface attribute cannot be none; you must specify an interface (even if you are using a DHCP address).

Default value: None

interface

Data type: Optional[String]

The interface used by the route, interfaces pulled from the virtual router this belongs to.

metric

Data type: Variant[String, Integer[1, 65535]]

Specify a valid metric for the static route (1 - 65535; default is 10).

Default value: 10

admin_distance

Data type: Optional[Variant[String,Integer[10, 240]]]

Specify the administrative distance for the static route (10-240).

destination

Data type: String

Enter an IP address and network mask in Classless Inter-domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24 for IPv4 or 2001:db8::/32 for IPv6).

no_install

Data type: Boolean

Select if you do not want to install the route in the forwarding table. The route is retained in the configuration for future reference. Note: can only be set on PAN-OS version 7.1.0.

route_type

Data type: Optional[Enum["unicast", "multicast", "both", "no-install"]]

Specify the route table into which the firewall installs the static route:

• unicast: Installs the route into the unicast route table.
• multicast: Installs the route into the multicast route table.
• both: Installs the route into the unicast and multicast route tables.
• no-install: Does not install the route in the route table (RIB); the firewall retains the static route for future reference until you delete the route.

Note: can only be set on PAN-OS version 8.1.0.

path_monitoring

Data type: Optional[Boolean]

Specify true to enable path monitoring for the static route.

Note: can only be set on PAN-OS version 8.1.0. Note: must be enabled if using panos_monitor_destinations for the static route.

failure_condition

Data type: Optional[Enum["any", "all"]]

Specify the condition under which the firewall considers the monitored path down and thus the static route down:

• any: If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
• all: If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.

Specify all to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.

Note: can only be set on PAN-OS version 8.1.0.

enable

Data type: Optional[Boolean]

Specify true to enable path monitoring of this specific destination for the static route; the firewall sends ICMP pings to this destination.

Note: can only be set on PAN-OS version 8.1.0.

hold_time

Data type: Optional[Variant[String, Integer[0, 1440]]]

Specify the number of minutes a downed path monitor must remain in Up stat:the path monitor evaluates all of its member monitored destinations and must remain Up before the firewall reinstalls the static route into the RIB. If the timer expires without the link going down or flapping, the link is deemed stable, path monitor can remain Up, and the firewall can add the static route back into the RIB.

If the link goes down or flaps during the hold time, path monitor fails and the timer restarts when the downed monitor returns to Up state. A Preemptive Hold Time of zero causes the firewall to reinstall the static route into the RIB immediately upon the path monitor coming up. Range is 0-1,440; default is 2.

Note: can only be set on PAN-OS version 8.1.0.

Parameters

The following parameters are available in the panos_static_route type.

route

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,31}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

A name to identify a static route.

vr_name

namevar

Data type: String

The name of the virtual router the static route is associate with.

panos_tag

This type provides Puppet with the capabilities to manage "tags" objects on Palo Alto devices.

Properties

The following properties are available in the panos_tag type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

color

Data type: Optional[String]

The color of the tag

comments

Data type: Optional[String]

Add a label or description to remind you what the tag is used for.

Parameters

The following parameters are available in the panos_tag type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,127}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the tag.

panos_virtual_router

This type provides Puppet with the capabilities to manage "virtual router" objects on Palo Alto devices.

Properties

The following properties are available in the panos_virtual_router type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

interfaces

Data type: Optional[Array[String]]

The color of the tag

ad_static

Data type: String

Static IPv4 Administrative distance. Range is 10-240.

Default value: 10

ad_static_ipv6

Data type: String

Static IPv6 Administrative distance. Range is 10-240.

Default value: 10

ad_ospf_int

Data type: String

OSPF Interface Administrative distance. Range is 10-240.

Default value: 30

ad_ospf_ext

Data type: String

OSPF External Administrative distance. Range is 10-240.

Default value: 110

ad_ospfv3_int

Data type: String

OSPFv3 External Administrative distance. Range is 10-240.

Default value: 30

ad_ospfv3_ext

Data type: String

OSPFv3 Interface Administrative distance. Range is 10-240.

Default value: 110

ad_ibgp

Data type: String

IBGP Administrative distance. Range is 10-240.

Default value: 200

ad_ebgp

Data type: String

EBGP administrative distance. Range is 10-240.

Default value: 20

ad_rip

Data type: String

RIP administrative distance. Range is 10-240.

Default value: 120

Parameters

The following parameters are available in the panos_virtual_router type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-_\s\.]{1,31}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the tag.

panos_zone

This type provides Puppet with the capabilities to manage "zone" objects on Palo Alto devices.

Properties

The following properties are available in the panos_zone type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

network

Data type: Enum["tap", "virtual-wire", "layer2", "layer3", "tunnel"]

The network type of this zone. An interface can belong to only one zone in one virtual system. Note: tunnel can only be set on PAN-OS version 8.1.0.

Default value: layer3

interfaces

Data type: Optional[Array[String]]

One or more interfaces used by this zone.

zone_protection_profile

Data type: Optional[String]

Specify a profile that specifies how the security gateway responds to attacks from this zone

log_setting

Data type: Optional[String]

Specify a log forwarding profile for forwarding zone protection logs to an external system

enable_user_identification

Data type: Optional[Boolean]

If you configured User-ID™ to perform IP address-to-username mapping (discovery), select this option to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.

By default, if you enable this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the include_list and exclude_list.

Note: User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if enable_user_identification is seelcted.

enable_packet_buffer_protection

Data type: Optional[Boolean]

If you have configured Packet Buffer Protection on the device, enable this option to apply the packet buffer protection settings to this zone. Packet buffer protection is applied to the ingress zone only.

Note: can only be set on PAN-OS version 8.1.0.

nsx_service_profile

Data type: Optional[Boolean]

Specify if the zone should have a nsx service profile. Note: can only be set on PAN-OS version 7.1.0.

include_list

Data type: Optional[Array[String]]

By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies.

To limit the application of user mapping information to specific subnetworks within the zone, then for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit: you do not need to add them to the exclude_list.

Add entries to the exclude_list only to exclude user mapping information for a subset of the subnetworks in the include_list. For example, if you add 10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the exclude_list, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8. Note that you can only include subnetworks that fall within the network range that User-ID monitors.

exclude_list

Data type: Optional[Array[String]]

To exclude user mapping information for a subset of the subnetworks in the include_list, for each subnetwork to exclude, specify an address (or address group) or type the IP address range.

Note: If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.

Parameters

The following parameters are available in the panos_zone type.

name

namevar

Data type: Pattern[/^[a-zA-z0-9\-\s_\.]{1,31}$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display-name of the zone.

Tasks

apikey

Retrieve a PAN-OS apikey

Supports noop? false

commit

Commit a candidate configuration to a firewall.

Supports noop? false

set_config

upload and/or apply a configuration to a firewall.

Supports noop? false

Parameters

config_file

Data type: String

The filename of the configuration file to upload

apply

Data type: Boolean

true: upload and immediately apply the config. false: upload the config, without applying

store_config

Retrieve the configuration running on the firewall and save to local file.

Supports noop? false

Parameters

config_file

Data type: String

The filename to save the configuration on Bolt host

Change log

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v2.0.0 (2021-07-19)

Full Changelog

Changed

• (IAC-1604) Removal of puppet5 and resource api module #131 (pmcmaw)
• (IAC-999) - Removal of inappropriate terminology #123 (david22swan)

Added

• pdksync - (feat) Add support for Puppet 7 #125 (daianamezdrea)

Fixed

• (maint) Improve transport schema docs [no-ci] #109 (DavidS)

v1.2.1 (2019-07-29)

Full Changelog

Fixed

• (maint) fixing up the fingerprint hexdigest in the initialize #105 (Thomas-Franklin)
• Update README.md #89 (kylehansel)

v1.2.0 (2019-06-10)

Full Changelog

Added

• (FM-8107) Add insert\_after attribute for policy rule ordering #96 (da-ar)
• (FM-8111) increase system facts #94 (shermdog)
• (FM-8104) Add implicit default values #92 (shermdog)

Fixed

• (FM-8109) Don't munge nil values unless profile_type is set #97 (da-ar)
• (FM-8110) fix panos_nat_policy source address translation #93 (shermdog)
• (FM-8097) fix store_config task metadata for Bolt and RSAPI transports #90 (shermdog)

v1.1.0 (2019-04-26)

Full Changelog

Added

• (FM-7973) Adding hands on labs for bolt and puppet device #80 (davinhanlon)

Fixed

• (maint) updating the ssl_fingerprint to accept spaced and colon SHA25… #83 (Thomas-Franklin)
• (FM-7971) backwards compatibility with PE 2019.0 #82 (Thomas-Franklin)

1.0.0 (2019-03-14)

Full Changelog

Added

• (FM-7625) implement finegrained configuration support for SSL verification #76 (Thomas-Franklin)
• (FM-7602) Implement Resource API transports for bolt and ACE #73 (DavidS)

Fixed

• (maint) add resource_api install module as a dependency #72 (DavidS)

0.2.0 (2018-10-23)

Full Changelog

Added

• Allow color numbers instead of descriptive names #68 (DavidS)
• (PDK-1143) changes to work with composite namevars from simple provider #65 (Thomas-Franklin)

Fixed

• (FM-7496) fix for running apply runs from a PE/PS installation #66 (Thomas-Franklin)

0.1.0

Features

Bugfixes

Known Issues

* This Changelog was automatically generated by github_changelog_generator