junipernetworks.junos.junos_security_policies_global module – Manage global security policy settings on Juniper JUNOS devices

Note

This module is part of the junipernetworks.junos collection (version 9.1.0).

If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install junipernetworks.junos. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: junipernetworks.junos.junos_security_policies_global

New in junipernetworks.junos 2.9.0

Synopsis

  • This module provides declarative management of global security policy settings on Juniper JUNOS devices.

Requirements

The below requirements are needed on the host that executes this module.

  • ncclient (>=v0.6.4)

  • xmltodict (>=0.12.0)

Parameters

config (dictionary)
    A dictionary of security policies.

    default_policy (string)
        Configure the default security policy, which defines the action the device takes on a packet that does not match any user-defined policy.
        Choices: "deny-all", "permit-all"

    policy_rematch (dictionary)
        Enable the device to re-evaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that originally allowed it.

        enable (boolean)
            Enable the device to re-evaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that originally allowed it.
            Choices: false, true

        extensive (boolean)
            When a policy is modified or deleted, the extensive option checks whether any suitable policy permits keeping those sessions active.
            Choices: false, true

    policy_stats (dictionary)
        Configure policy statistics.

        enable (boolean)
            Enable policy statistics.
            Choices: false, true

        system_wide (boolean)
            Configure system-wide policy statistics.
            Choices: false, true

    pre_id_default_policy_action (dictionary)
        Configure the default policy action that takes place before dynamic application identification (AppID) when a packet matches the criteria.

        log (dictionary)
            Specify log details for session close time and session initialization time.

            session_close (boolean)
                Enable logging at session close time.
                Choices: false, true

            session_init (boolean)
                Enable logging at session initialization time.
                Choices: false, true

        session_timeout (dictionary)
            Configure the session timeout that applies when you update the session; it specifies the timeout details in seconds.

            icmp (integer)
                Timeout value for ICMP sessions, in seconds.

            icmp6 (integer)
                Timeout value for ICMP6 sessions, in seconds.

            ospf (integer)
                Timeout value for OSPF sessions, in seconds.

            others (integer)
                Timeout value for other sessions, in seconds.

            tcp (integer)
                Timeout value for TCP sessions, in seconds.

            udp (integer)
                Timeout value for UDP sessions, in seconds.

    traceoptions (dictionary)
        Dictionary of trace options for security policies.

        file (dictionary)
            Dictionary to configure trace file options.

            files (integer)
                Maximum number of trace files.

            match (string)
                Refine the output to include lines that contain the regular expression.

            no_world_readable (boolean)
                Only the user who configures the trace operation can access the log file.
                Choices: false, true

            size (string)
                Maximum trace file size.

            world_readable (boolean)
                The world_readable option allows any user to read the file.
                Choices: false, true

        flag (string)
            Trace operation to perform.
            Choices: "all", "configuration", "compilation", "ipc", "lookup", "routing-socket", "rules"

        no_remote_trace (boolean)
            Disable remote tracing.
            Choices: false, true

running_config (string)
    This option is used only with state parsed.
    The value of this option should be the output received from the JunOS device by executing the command show security policies.
    The state parsed reads the configuration from the running_config option and transforms it into Ansible structured data as per the resource module's argspec; the value is then returned in the parsed key within the result.

state (string)
    The state the configuration should be left in.
    The states rendered, gathered and parsed do not perform any change on the device.
    The state rendered transforms the configuration in the config option into platform-specific CLI commands, which are returned in the rendered key within the result. For state rendered, an active connection to the remote host is not required.
    The state replaced replaces the running configuration with the provided configuration.
    The states replaced and overridden have the same behaviour.
    The state gathered gets the running configuration from the device, transforms it into structured data as per the resource module argspec, and returns the value in the gathered key within the result.
    The state parsed reads the configuration from the running_config option, transforms it into JSON format as per the resource module parameters, and returns the value in the parsed key within the result. The value of the running_config option should be in the same format as the output of the command show security policies detail executed on the device. For state parsed, an active connection to the remote host is not required.
    Choices: "merged" (default), "replaced", "overridden", "deleted", "rendered", "gathered", "parsed"

Notes

Note

  • This module requires the netconf system service to be enabled on the managed device.

  • This module uses connection netconf.

  • See the Junos OS Platform Options.

  • Tested against JunOS v18.4R1.

Examples

# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# default-policy {
#   permit-all;
# }
#
- name: Update the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true,
#         "system_wide": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 3,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {},
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:policies>
#   <nc:policy-rematch> <nc:extensive/></nc:policy-rematch><nc:policy-stats>
#   <nc:system-wide>enable</nc:system-wide></nc:policy-stats><nc:pre-id-default-policy>
#   <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp>
#   <nc:others>10</nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy>
#   <nc:traceoptions><nc:file><nc:files>3</nc:files><nc:match>/[A-Z]*/gm</nc:match>
#   <nc:size>10k</nc:size><nc:no-world-readable/></nc:file><nc:flag><nc:name>all
#   </nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies></nc:security>"
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#   no-remote-trace;
#   file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#   flag all;
# }
# default-policy {
#   permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#   then {
#     log {
#       session-init;
#     }
#     session-timeout {
#       icmp 10;
#       others 10;
#     }
#   }
# }
#
#
# Using Replaced
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#   no-remote-trace;
#   file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#   flag all;
# }
# default-policy {
#   permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#   then {
#     log {
#       session-init;
#     }
#     session-timeout {
#       icmp 10;
#       others 10;
#     }
#   }
# }

- name: Replace the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/><nc:policies><nc:default-policy><nc:deny-all/></nc:default-policy>
# <nc:policy-rematch> </nc:policy-rematch><nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy>
# <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10
# </nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file>
# <nc:files>4</nc:files><nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/>
# </nc:file><nc:flag><nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
# </nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }

# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#   no-remote-trace;
#   file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#   flag all;
# }
# default-policy {
#   permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#   then {
#     log {
#       session-init;
#     }
#     session-timeout {
#       icmp 10;
#       others 10;
#     }
#   }
# }

- name: Replace the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/><nc:policies><nc:default-policy><nc:deny-all/></nc:default-policy>
# <nc:policy-rematch> </nc:policy-rematch><nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy>
# <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10
# </nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file>
# <nc:files>4</nc:files><nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/>
# </nc:file><nc:flag><nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
# </nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Delete the running configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
    state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {},
# "before": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#               <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
#
#
# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Gather the running configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
    state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
# "gathered": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# }
#
# Using rendered
#
# Before state
# ------------
#
- name: Render the provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
#     "rendered": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:policies>
#     <nc:default-policy><nc:deny-all/></nc:default-policy><nc:policy-rematch> </nc:policy-rematch>
#     <nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy><nc:then><nc:log><nc:session-init/>
#     </nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10</nc:others></nc:session-timeout>
#     </nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file><nc:files>4</nc:files>
#     <nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/></nc:file><nc:flag>
#     <nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
#     </nc:security>"
#
# Using parsed
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply message-id="urn:uuid:0cadb4e8-5bba-47f4-986e-72906227007f">
#    <configuration changed-seconds="1590139550" changed-localtime="2020-05-22 09:25:50 UTC">
#       <version>18.4R1-S2.4</version>
#         <security>
#             <policies>
#                 <traceoptions>
#                     <no-remote-trace />
#                     <file>
#                         <size>10k</size>
#                         <files>3</files>
#                         <no-world-readable />
#                         <match>/[A-Z]*/gm</match>
#                     </file>
#                     <flag>
#                         <name>all</name>
#                     </flag>
#                 </traceoptions>
#                 <default-policy>
#                     <permit-all />
#                 </default-policy>
#                 <policy-rematch>
#                     <extensive />
#                 </policy-rematch>
#                 <policy-stats>
#                     <system-wide>enable</system-wide>
#                 </policy-stats>
#                 <pre-id-default-policy>
#                     <then>
#                         <log>
#                             <session-init />
#                         </log>
#                         <session-timeout>
#                             <icmp>10</icmp>
#                             <others>10</others>
#                         </session-timeout>
#                     </then>
#                 </pre-id-default-policy>
#             </policies>
#         </security>
#     </configuration>
# </rpc-reply>
#
#
- name: Parse security policies global running config
  junipernetworks.junos.junos_security_policies_global:
    running_config: "{{ lookup('file', './parsed.cfg') }}"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#
# "parsed": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true,
#         "system_wide": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 3,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# }
#
#
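The parsed and gathered results above are the module's argspec dict built from the device's <security><policies> XML. As an added example that is not part of the junipernetworks.junos collection, the following standalone parser maps an rpc-reply in the shape of parsed.cfg onto those argspec keys and then audits the result for the two settings a reviewer checks first (default_policy and trace-file readability); the sample reply is constructed here, with world-readable in place of no-world-readable so the audit has something to flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the rpc-reply shape of parsed.cfg above, except the trace
# file is world-readable so the audit below has something to flag.
SAMPLE_RPC_REPLY = """<rpc-reply message-id="urn:uuid:placeholder"><configuration><security><policies>
<traceoptions><no-remote-trace/><file><size>10k</size><files>3</files><world-readable/>
<match>/[A-Z]*/gm</match></file><flag><name>all</name></flag></traceoptions>
<default-policy><permit-all/></default-policy><policy-rematch><extensive/></policy-rematch>
<policy-stats><system-wide>enable</system-wide></policy-stats>
<pre-id-default-policy><then><log><session-init/></log>
<session-timeout><icmp>10</icmp><others>10</others></session-timeout></then></pre-id-default-policy>
</policies></security></configuration></rpc-reply>"""

TIMEOUTS = ("icmp", "icmp6", "ospf", "others", "tcp", "udp")


def flags(node, *names):
    """Return {argspec_key: True} for each empty-element flag present under node."""
    return {n.replace("-", "_"): True for n in names if node.find(n) is not None}


def parse_policies_global(xml_text):
    """Map a Junos <security><policies> rpc-reply onto the module's argspec keys."""
    pol = ET.fromstring(xml_text).find("./configuration/security/policies")
    if pol is None:
        return {}  # nothing configured: the module returns an empty dict too
    out = {}
    for choice in ("permit-all", "deny-all"):
        if pol.find("default-policy/" + choice) is not None:
            out["default_policy"] = choice
    if (rematch := pol.find("policy-rematch")) is not None:
        out["policy_rematch"] = {"enable": True, **flags(rematch, "extensive")}
    if (stats := pol.find("policy-stats")) is not None:
        out["policy_stats"] = {"enable": True}
        if stats.findtext("system-wide") == "enable":
            out["policy_stats"]["system_wide"] = True
    if (then := pol.find("pre-id-default-policy/then")) is not None:
        action = {}
        if (log := then.find("log")) is not None:
            action["log"] = flags(log, "session-init", "session-close")
        if (st := then.find("session-timeout")) is not None:
            action["session_timeout"] = {k: int(st.findtext(k)) for k in TIMEOUTS if st.findtext(k)}
        out["pre_id_default_policy_action"] = action
    if (trace := pol.find("traceoptions")) is not None:
        tr = flags(trace, "no-remote-trace")
        if (f := trace.find("file")) is not None:
            tr["file"] = flags(f, "no-world-readable", "world-readable")
            if f.findtext("files"):
                tr["file"]["files"] = int(f.findtext("files"))
            tr["file"].update({k: f.findtext(k) for k in ("match", "size") if f.findtext(k)})
        if trace.findtext("flag/name"):
            tr["flag"] = trace.findtext("flag/name")
        out["traceoptions"] = tr
    return out


def audit(parsed):
    """Findings a reviewer of gathered/parsed output would raise first."""
    findings = []
    if parsed.get("default_policy") != "deny-all":
        findings.append("default-policy is not explicitly deny-all: unmatched traffic is permitted")
    if parsed.get("traceoptions", {}).get("file", {}).get("world_readable"):
        findings.append("traceoptions file is world-readable")
    return findings
```

The same audit can be run over the module's own gathered or parsed result in a playbook, since both use exactly these keys.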

Return Values

Common return values are documented here; the following are the fields unique to this module:

after (dictionary)
    The resulting configuration after module execution.
    Returned: when changed
    Sample: "This output will always be in the same format as the module argspec.\n"

before (dictionary)
    The configuration prior to the module execution.
    Returned: when state is merged, replaced, overridden or deleted
    Sample: "This output will always be in the same format as the module argspec.\n"

commands (list / elements=string)
    The set of commands pushed to the remote device.
    Returned: when state is merged, replaced, overridden or deleted
    Sample: ["<rpc-reply> <configuration> <security> <policies> <default-policy> <permit-all /> </default-policy> </policies> </security> </configuration> </rpc-reply>"]

gathered (dictionary)
    Facts about the network resource gathered from the remote device as structured data.
    Returned: when state is gathered
    Sample: "This output will always be in the same format as the module argspec.\n"

parsed (dictionary)
    The device-native configuration provided in the running_config option, parsed into structured data as per the module argspec.
    Returned: when state is parsed
    Sample: "This output will always be in the same format as the module argspec.\n"

rendered (dictionary)
    The configuration provided in the task, rendered in device-native format (offline).
    Returned: when state is rendered
    Sample: ["<rpc-reply> <configuration> <security> <policies> <default-policy> <permit-all /> </default-policy> </policies> </security> </configuration> </rpc-reply>"]

Authors

  • Pranav Bhatt (@pranav-bhatt)