junipernetworks.junos.junos_security_policies module – Create and manage security policies on Juniper JUNOS devices
Note
This module is part of the junipernetworks.junos collection (version 9.1.0).
If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install junipernetworks.junos. You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: junipernetworks.junos.junos_security_policies.
New in junipernetworks.junos 2.9.0
Synopsis
This module provides declarative management of security policies on Juniper JUNOS devices.
Requirements
The following requirements are needed on the host that executes this module.
ncclient (>=v0.6.4)
xmltodict (>=0.12.0)
Parameters
| Parameter | Comments |
|---|---|
| | A dictionary of security policies |
| | A list of source security zones of the traffic |
| | Name of the security zone from which the traffic originates |
| | A list of destination security zones of the traffic |
| | Name of the destination security zone of the traffic |
| | A list of policies defined for the relevant category |
| | Description of the security policy |
| | Configure the security policy match criteria |
| | Specify the IP or remote procedure call (RPC) application or application set to be used as match criteria |
| | Match any predefined or custom application or application set. Choices: |
| | Name of the predefined or custom application or application set to be used as match criteria |
| | Define the match criteria. You can specify one or more IP addresses, address sets, or wildcard addresses |
| | An IP address, an IP address set or address book entry, or a wildcard address (represented as ABCD/wildcard_mask) |
| | Any IPv4 or IPv6 address. Choices: |
| | Any IPv4 address. Choices: |
| | Any IPv6 address. Choices: |
| | Exclude the destination addresses. Choices: |
| | Specify the dynamic application or dynamic application group to be used as match criteria in the security policy |
| | Configuring the dynamic application as any installs the policy with the application as a wildcard (default). Choices: |
| | Specify the dynamic application or dynamic application group |
| | Configuring the dynamic application as none ignores the classification results from AppID and does not use the dynamic application in the security policy lookup. Choices: |
| | Identify a single source zone or multiple source zones to be used as match criteria for the policy |
| | Match any zone. Choices: |
| | junos-host. Choices: |
| | Name of a single source zone or of multiple source zones |
| | Define the match criteria. You can specify one or more IP addresses, address sets, or wildcard addresses |
| | An IP address, an IP address set or address book entry, or a wildcard address (represented as ABCD/wildcard_mask) |
| | Any IPv4 or IPv6 address. Choices: |
| | Any IPv4 address. Choices: |
| | Any IPv6 address. Choices: |
| | Exclude the source addresses. Choices: |
| | Name of the source end-user profile |
| | Identify the users and roles to be used as match criteria for the policy |
| | Any user or role, as well as the keywords authenticated_user, unauthenticated_user and unknown_user. Choices: |
| | All users and roles that have been authenticated. Choices: |
| | A list of specific users and roles |
| | Any user or role that has no IP_address mapping to an authentication source while the authentication source is up. Choices: |
| | Any user or role that has no IP address mapping to an authentication source because the authentication source has been disconnected from the SRX Series device. Choices: |
| | Identify a single destination zone or multiple destination zones to be used as match criteria for the policy |
| | Match any zone. Choices: |
| | junos-host. Choices: |
| | Name of a single destination zone or of multiple destination zones |
| | URL category |
| | Apply to any URL category. Choices: |
| | Name of the URL category to match |
| | Do not apply to a URL category. Choices: |
| | Name of the policy |
| | Name of the scheduler that runs this policy |
| | Specify the policy action to take when a packet matches the defined criteria |
| | Enable counting (in bytes or kilobytes) of all network traffic the policy allows to pass through the device in both directions: originating traffic from client to server (from from_zone to to_zone) and return traffic from the server to the originating client. Choices: |
| | Block the service at the firewall. The device drops the packets. Choices: |
| | Log traffic information for the particular policy. Traffic information is logged when a session starts (session_init) or closes (session_close) |
| | Enable logging at session close. Choices: |
| | Enable logging at session initialization. Choices: |
| | Block the service at the firewall. The device drops the packets |
| | Enable application services within the security policy |
| | Specify the advanced_anti_malware policy name |
| | Specify the rule set configured as part of the application firewall to be applied to the permitted traffic |
| | Name of the rule set to use |
| | Specify the rule set configured as part of AppQoS (application-aware quality of service) to be applied to the permitted traffic |
| | Specify the GPRS tunneling protocol profile name |
| | Specify the GPRS stream control protocol profile name |
| | Specify the icap redirect profile name |
| | Intrusion detection and prevention (IDP). Choices: |
| | Specify the IDP policy name |
| | Option to enable or disable packet capture. Choices: |
| | Specify the WX redirection required for packets arriving from the LAN. Choices: |
| | Specify the WX redirection required for the reverse flow of packets arriving from the WAN. Choices: |
| | Specify the security intelligence feed post-actions |
| | Add the destination user identity to the security feed |
| | Add the destination IP address to the security feed |
| | Add the source user identity to the security feed |
| | Add the source IP address to the security feed. |
| | Specify the security intelligence policy name. |
| | When a policy blocks HTTPS traffic with a reject action, you can apply a redirect SSL proxy profile. |
| | Enable SSL proxy. Choices: |
| | Name of the SSL proxy profile. |
| | Enable Unified Access Control (UAC) for the security policy. |
| | Specify the captive portal security policy preconfigured on the Junos OS Enforcer to enable the captive portal feature. |
| | Enable Unified Access Control (UAC). Choices: |
| | Specify the UTM policy name. |
| | Specify whether the traffic permitted by the security policy is limited to packets whose destination IP address has been translated by a destination NAT rule, or only to packets whose destination IP address has not been translated. Choices: |
| | Configure the firewall authentication method. |
| | Configure pass-through firewall user authentication. |
| | Specify the name of the access profile. |
| | Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. Choices: |
| | Specify a user-agent value used to verify that the user's browser traffic is HTTP/HTTPS traffic. |
| | Specify the name of the user or user group in the profile who is allowed access through this policy. |
| | Specify the SSL termination profile used for SSL offloading. |
| | Enable redirection of an HTTP request to the device and redirection of the client system to a web page for authentication. Choices: |
| | Redirect unauthenticated HTTP requests to the device's internal HTTPS web server. Choices: |
| | Enable push to the identity management device. Choices: |
| | Configure user role firewall authentication and map the source IP address to the user name and its associated roles (groups). |
| | Specify the name of the access profile used for authentication. |
| | Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. Choices: |
| | Specify a user-agent value used to verify that the user's browser traffic is HTTP/HTTPS traffic. |
| | Specify the name of the domain for firewall authentication when the Windows Management Instrumentation Client (WMIC) is not available to obtain the IP_to_user mapping for the integrated user firewall feature. |
| | For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading. |
| | Enable web redirection. Choices: |
| | Enable redirection to HTTPS. Choices: |
| | Specify that the policy allows access to users or user groups who have previously been authenticated through web authentication. |
| | Specify TCP options per policy. You can configure SYN and sequence checks per policy according to your requirements, and because every policy has two directions, you can configure a TCP MSS value for both directions or for only one. |
| | Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and create a session. |
| | Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of the session. |
| | Enable per-policy sequence checking. The sequence_check_required value overrides the global no_sequence_check value. Choices: |
| | Enable per-policy SYN checking. The syn_check_required value overrides the global no_syn_check value. Choices: |
| | Enable per-policy window scaling. Choices: |
| | Encapsulate outgoing IP packets and decapsulate incoming IP packets. |
| | Name of the ipsec policy. |
| | Name of the paired policy. |
| | Block the service at the firewall. The device drops the packets and sends a TCP reset (RST) segment to the source host for TCP traffic, and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic. |
| | Enable rejecting packets based on the match criteria. Choices: |
| | When a policy blocks HTTP or HTTPS traffic with a deny or reject action, you can choose to provide a notification to the client or redirect the client request to an informative web page. |
| | When a policy blocks HTTPS traffic with a reject action, you can apply a redirect SSL proxy profile. When you apply an SSL proxy profile, the SSL proxy decrypts the traffic and application identification identifies the application. |
| | Enable SSL proxy. Choices: |
| | Name of the SSL proxy profile. |
| | A list of global security policies. |
| | A list of policies defined for the relevant category |
| | Description of the security policy |
| | Configure the security policy match criteria |
| | Specify the IP or remote procedure call (RPC) application or application set to be used as match criteria |
| | Match any predefined or custom application or application set. Choices: |
| | Name of the predefined or custom application or application set to be used as match criteria |
| | Define the match criteria. You can specify one or more IP addresses, address sets, or wildcard addresses |
| | An IP address, an IP address set or address book entry, or a wildcard address (represented as ABCD/wildcard_mask) |
| | Any IPv4 or IPv6 address. Choices: |
| | Any IPv4 address. Choices: |
| | Any IPv6 address. Choices: |
| | Exclude the destination addresses. Choices: |
| | Specify the dynamic application or dynamic application group to be used as match criteria in the security policy |
| | Configuring the dynamic application as any installs the policy with the application as a wildcard (default). Choices: |
| | Specify the dynamic application or dynamic application group |
| | Configuring the dynamic application as none ignores the classification results from AppID and does not use the dynamic application in the security policy lookup. Choices: |
| | Identify a single source zone or multiple source zones to be used as match criteria for the policy |
| | Match any zone. Choices: |
| | junos-host. Choices: |
| | Name of a single source zone or of multiple source zones |
| | Define the match criteria. You can specify one or more IP addresses, address sets, or wildcard addresses |
| | An IP address, an IP address set or address book entry, or a wildcard address (represented as ABCD/wildcard_mask) |
| | Any IPv4 or IPv6 address. Choices: |
| | Any IPv4 address. Choices: |
| | Any IPv6 address. Choices: |
| | Exclude the source addresses. Choices: |
| | Name of the source end-user profile |
| | Identify the users and roles to be used as match criteria for the policy |
| | Any user or role, as well as the keywords authenticated_user, unauthenticated_user and unknown_user. Choices: |
| | All users and roles that have been authenticated. Choices: |
| | A list of specific users and roles |
| | Any user or role that has no IP_address mapping to an authentication source while the authentication source is up. Choices: |
| | Any user or role that has no IP address mapping to an authentication source because the authentication source has been disconnected from the SRX Series device. Choices: |
| | Identify a single destination zone or multiple destination zones to be used as match criteria for the policy |
| | Match any zone. Choices: |
| | junos-host. Choices: |
| | Name of a single destination zone or of multiple destination zones |
| | URL category |
| | Apply to any URL category. Choices: |
| | Name of the URL category to match |
| | Do not apply to a URL category. Choices: |
| | Name of the policy |
| | Name of the scheduler that runs this policy |
| | Specify the policy action to take when a packet matches the defined criteria |
| | Enable counting (in bytes or kilobytes) of all network traffic the policy allows to pass through the device in both directions: originating traffic from client to server (from from_zone to to_zone) and return traffic from the server to the originating client. Choices: |
| | Block the service at the firewall. The device drops the packets. Choices: |
| | Log traffic information for the particular policy. Traffic information is logged when a session starts (session_init) or closes (session_close) |
| | Enable logging at session close. Choices: |
| | Enable logging at session initialization. Choices: |
| | Block the service at the firewall. The device drops the packets |
| | Enable application services within the security policy |
| | Specify the advanced_anti_malware policy name |
| | Specify the rule set configured as part of the application firewall to be applied to the permitted traffic |
| | Name of the rule set to use |
| | Specify the rule set configured as part of AppQoS (application-aware quality of service) to be applied to the permitted traffic |
| | Specify the GPRS tunneling protocol profile name |
| | Specify the GPRS stream control protocol profile name |
| | Specify the icap redirect profile name |
| | Intrusion detection and prevention (IDP). Choices: |
| | Specify the IDP policy name |
| | Option to enable or disable packet capture. Choices: |
| | Specify the WX redirection required for packets arriving from the LAN. Choices: |
| | Specify the WX redirection required for the reverse flow of packets arriving from the WAN. Choices: |
| | Specify the security intelligence feed post-actions |
| | Add the destination user identity to the security feed |
| | Add the destination IP address to the security feed |
| | Add the source user identity to the security feed |
| | Add the source IP address to the security feed. |
| | Specify the security intelligence policy name. |
| | When a policy blocks HTTPS traffic with a reject action, you can apply a redirect SSL proxy profile. |
| | Enable SSL proxy. Choices: |
| | Name of the SSL proxy profile. |
| | Enable Unified Access Control (UAC) for the security policy. |
| | Specify the captive portal security policy preconfigured on the Junos OS Enforcer to enable the captive portal feature. |
| | Enable Unified Access Control (UAC). Choices: |
| | Specify the UTM policy name. |
| | Specify whether the traffic permitted by the security policy is limited to packets whose destination IP address has been translated by a destination NAT rule, or only to packets whose destination IP address has not been translated. Choices: |
| | Configure the firewall authentication method. |
| | Configure pass-through firewall user authentication. |
| | Specify the name of the access profile. |
| | Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. Choices: |
| | Specify a user-agent value used to verify that the user's browser traffic is HTTP/HTTPS traffic. |
| | Specify the name of the user or user group in the profile who is allowed access through this policy. |
| | Specify the SSL termination profile used for SSL offloading. |
| | Enable redirection of an HTTP request to the device and redirection of the client system to a web page for authentication. Choices: |
| | Redirect unauthenticated HTTP requests to the device's internal HTTPS web server. Choices: |
| | Enable push to the identity management device. Choices: |
| | Configure user role firewall authentication and map the source IP address to the user name and its associated roles (groups). |
| | Specify the name of the access profile used for authentication. |
| | Configure firewall authentication to ignore non-browser HTTP/HTTPS traffic. Choices: |
| | Specify a user-agent value used to verify that the user's browser traffic is HTTP/HTTPS traffic. |
| | Specify the name of the domain for firewall authentication when the Windows Management Instrumentation Client (WMIC) is not available to obtain the IP_to_user mapping for the integrated user firewall feature. |
| | For HTTPS traffic, specify the name of the SSL termination profile used for SSL offloading. |
| | Enable web redirection. Choices: |
| | Enable redirection to HTTPS. Choices: |
| | Specify that the policy allows access to users or user groups who have previously been authenticated through web authentication. |
| | Specify TCP options per policy. You can configure SYN and sequence checks per policy according to your requirements, and because every policy has two directions, you can configure a TCP MSS value for both directions or for only one. |
| | Configure the TCP maximum segment size (MSS) for packets that arrive at the ingress interface (initial direction), match a specific policy, and create a session. |
| | Configure the TCP maximum segment size (MSS) for packets that match a specific policy and travel in the reverse direction of the session. |
| | Enable per-policy sequence checking. The sequence_check_required value overrides the global no_sequence_check value. Choices: |
| | Enable per-policy SYN checking. The syn_check_required value overrides the global no_syn_check value. Choices: |
| | Enable per-policy window scaling. Choices: |
| | Encapsulate outgoing IP packets and decapsulate incoming IP packets. |
| | Name of the ipsec policy. |
| | Name of the paired policy. |
| | Block the service at the firewall. The device drops the packets and sends a TCP reset (RST) segment to the source host for TCP traffic, and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic. |
| | Enable rejecting packets based on the match criteria. Choices: |
| | When a policy blocks HTTP or HTTPS traffic with a deny or reject action, you can choose to provide a notification to the client or redirect the client request to an informative web page. |
| | When a policy blocks HTTPS traffic with a reject action, you can apply a redirect SSL proxy profile. When you apply an SSL proxy profile, the SSL proxy decrypts the traffic and application identification identifies the application. |
| | Enable SSL proxy. Choices: |
| | Name of the SSL proxy profile. |
| | This option is used only with state *parsed*. The value of this option should be the output received from the JunOS device by executing the command **show configuration security policies**. The state *parsed* from |
| | The state the configuration should be left in. The states *rendered*, *gathered* and *parsed* do not perform any change on the device. The state *rendered* will The state *replaced* will replace the running configuration with the provided configuration. The states *replaced* and *overridden* have identical behaviour. The state *gathered* will fetch the running configuration from the device and transform it into structured data in the format of the resource module argspec, and the value is then returned in the *gathered* key within the result. The state *parsed* from Choices: |
Notes
Note
This module requires the netconf system service to be enabled on the device being managed.
This module works with connection netconf. See the Junos OS Platform Options.
Tested against JunOS v18.4R1.
Examples
# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
#
# vagrant@vsrx> show security zones
#
# Security zone: one
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/0.0
#
# Security zone: three
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/2.0
#
# Security zone: two
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/1.0
#
# Security zone: junos-host
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 0
# Interfaces:
#
- junipernetworks.junos.junos_security_policies:
    config:
      from_zones:
        - name: one
          to_zones:
            - name: two
              policies:
                - match:
                    application:
                      names:
                        - junos-dhcp-relay
                        - junos-finger
                    destination_address:
                      addresses:
                        - a2
                        - a4
                    destination_address_excluded: true
                    dynamic_application:
                      names:
                        - any
                    source_address:
                      addresses:
                        - a1
                        - a3
                    source_address_excluded: true
                    source_end_user_profile: test_end_user_profile
                    source_identity:
                      unknown_user: true
                    url_category:
                      names:
                        - Enhanced_Web_Chat
                  name: test_policy_1
                  then:
                    count: true
                    deny: true
                    log: session-close
                - match:
                    application:
                      any: true
                    destination_address:
                      any_ipv6: true
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_2
                  then:
                    reject:
                      enable: true
                      profile: test_dyn_app
                      ssl_proxy:
                        enable: true
                        profile_name: SECURITY-SSL-PROXY
            - name: three
              policies:
                - match:
                    application:
                      any: true
                    destination_address:
                      addresses:
                        - a2
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_3
                  then:
                    permit:
                      application_services:
                        application_traffic_control_rule_set: test_traffic_control
                        gprs_gtp_profile: gtp1
                        icap_redirect: test_icap
                        reverse_redirect_wx: 'True'
                        uac_policy:
                          enable: true
                      firewall_authentication:
                        push_to_identity_management: true
                        web_authentication:
                          - FWClient1
                      tcp_options:
                        initial_tcp_mss: 64
                        window_scale: true
      global:
        policies:
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_1
            then:
              deny: true
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_2
            then:
              deny: true
    state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>two</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_1</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:source-address>a3</nc:source-address>
# <nc:source-address-excluded/>
# <nc:destination-address>a2</nc:destination-address>
# <nc:destination-address>a4</nc:destination-address>
# <nc:destination-address-excluded/>
# <nc:application>junos-dhcp-relay</nc:application>
# <nc:application>junos-finger</nc:application>
# <nc:source-end-user-profile>test_end_user_profile</nc:source-end-user-profile>
# <nc:source-identity>unknown-user</nc:source-identity>
# <nc:url-category>Enhanced_Web_Chat</nc:url-category>
# <nc:dynamic-application>any</nc:dynamic-application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# <nc:count></nc:count>
# <nc:log>
# <nc:session-close/>
# </nc:log>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_policy_2</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:reject>
# <nc:profile>test_dyn_app</nc:profile>
# <nc:ssl-proxy>
# <nc:profile-name>SECURITY-SSL-PROXY</nc:profile-name>
# </nc:ssl-proxy>
# </nc:reject>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>three</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_3</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>a2</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:permit>
# <nc:application-services>
# <nc:application-traffic-control>
# <nc:rule-set>test_traffic_control</nc:rule-set>
# </nc:application-traffic-control>
# <nc:gprs-gtp-profile>gtp1</nc:gprs-gtp-profile>
# <nc:icap-redirect>test_icap</nc:icap-redirect>
# <nc:reverse-redirect-wx/>
# <nc:uac-policy></nc:uac-policy>
# </nc:application-services>
# <nc:firewall-authentication>
# <nc:push-to-identity-management/>
# <nc:web-authentication>
# <nc:client-match>FWClient1</nc:client-match>
# </nc:web-authentication>
# </nc:firewall-authentication>
# <nc:tcp-options>
# <nc:initial-tcp-mss>64</nc:initial-tcp-mss>
# <nc:window-scale/>
# </nc:tcp-options>
# </nc:permit>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_1</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_glob_2</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>
# "
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using Replaced
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
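The replaced run above emits `<nc:policies delete="delete"/>` before re-adding the new policy, so every zone-pair policy that existed before (test_policy_1 through test_policy_3 and test_glob) is gone afterwards. The following is an added example, not code from the module or its documentation: a small pre-flight audit that takes the module's `before`/`after` (or `gathered`) structures, lists the policies a run would drop, flags any permit whose source, destination and application are all wildcards, and checks that a global deny still exists. The sample data is constructed from the states shown above, with test_policy_2 omitted for brevity.

```python
"""Pre-flight audit for junos_security_policies data (added example, not module code).
Input is the structured before/after (or gathered) data the module returns, which has
the same shape as config: from_zones[].to_zones[].policies[] plus global.policies[].
"""

# Constructed sample: the 'before' state of the replaced run above, trimmed to
# the fields the audit inspects (test_policy_2 omitted for brevity).
BEFORE = {
    "from_zones": [{"name": "one", "to_zones": [
        {"name": "two", "policies": [
            {"name": "test_policy_1",
             "match": {"source_address": {"addresses": ["a1", "a3"]},
                       "destination_address": {"addresses": ["a2", "a4"]},
                       "application": {"names": ["junos-dhcp-relay", "junos-finger"]}},
             "then": {"deny": True, "count": True, "log": "session-close"}}]},
        {"name": "three", "policies": [
            {"name": "test_policy_3",
             "match": {"source_address": {"addresses": ["a1"]},
                       "destination_address": {"addresses": ["a2"]},
                       "application": {"any": True}},
             "then": {"permit": {"tcp_options": {"window_scale": True}}}}]}]}],
    "global": {"policies": [
        {"name": "test_glob",
         "match": {"source_address": {"any_ipv4": True},
                   "destination_address": {"any_ipv4": True},
                   "application": {"any": True}},
         "then": {"deny": True}}]},
}

# The 'after' state of the same run: only the new global policy survives.
AFTER = {"global": {"policies": [
    {"name": "test_glob_3",
     "match": {"source_address": {"any": True},
               "destination_address": {"any_ipv6": True},
               "application": {"any": True}},
     "then": {"deny": True}}]}}

# Constructed: a permit-all zone-pair policy that the audit should flag.
RISKY = {"from_zones": [{"name": "untrust", "to_zones": [{"name": "trust", "policies": [
    {"name": "allow-all",
     "match": {"source_address": {"any": True},
               "destination_address": {"any": True},
               "application": {"any": True}},
     "then": {"permit": {}}}]}]}]}


def flatten(config):
    """Map (from_zone, to_zone, policy name) -> policy; global policies get zone 'global'."""
    out = {}
    for fz in config.get("from_zones") or []:
        for tz in fz.get("to_zones") or []:
            for pol in tz.get("policies") or []:
                out[(fz["name"], tz["name"], pol["name"])] = pol
    for pol in (config.get("global") or {}).get("policies") or []:
        out[("global", "global", pol["name"])] = pol
    return out


def action_of(policy):
    """Return 'permit', 'deny' or 'reject' from the then-clause, else 'none'."""
    then = policy.get("then") or {}
    for act in ("permit", "deny", "reject"):
        if then.get(act) not in (None, False):   # permit: {} still counts as permit
            return act
    return "none"


def is_wildcard(addr):
    """True when an address match is any / any_ipv4 / any_ipv6 (or absent)."""
    return not addr or any(addr.get(k) for k in ("any", "any_ipv4", "any_ipv6"))


def open_permits(config):
    """Permit policies whose source, destination and application are all wildcards."""
    found = []
    for key, pol in flatten(config).items():
        m = pol.get("match") or {}
        app = m.get("application") or {}
        if (action_of(pol) == "permit" and is_wildcard(m.get("source_address"))
                and is_wildcard(m.get("destination_address"))
                and (not app or app.get("any"))):
            found.append(key)
    return sorted(found)


def dropped_policies(before, after):
    """Policies present before a run that are gone afterwards (replaced/overridden wipe)."""
    kept = flatten(after)
    return sorted(k for k in flatten(before) if k not in kept)


def has_global_deny(config):
    """True if at least one global policy still denies traffic."""
    return any(action_of(p) == "deny"
               for key, p in flatten(config).items() if key[0] == "global")
```

Run `dropped_policies(BEFORE, AFTER)` in a pre-task with the `gathered` result as `before` and the intended config as `after`, and fail the play when the list is not empty and not expected.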
# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
    state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "after": {},
# "before": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Using parsed
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply>
# <configuration>
# <version>18.4R1-S3.1</version>
# <services>
# <ssl>
# <termination>
# <profile>
# <name>test_ssl_term</name>
# <server-certificate>SECURITY-cert</server-certificate>
# </profile>
# </termination>
# <proxy>
# <profile>
# <name>SECURITY-SSL-PROXY</name>
# <root-ca>SECURITY-cert</root-ca>
# </profile>
# </proxy>
# </ssl>
# <icap-redirect>
# <profile>
# <name>test_icap</name>
# <server>
# <name>test_icap_server</name>
# <host>10.10.10.11</host>
# </server>
# </profile>
# </icap-redirect>
# <user-identification>
# <device-information>
# <end-user-profile>
# <profile-name>
# <name>test_end_user_profile</name>
# <domain-name>test_domain</domain-name>
# <attribute>
# <name>device-identity</name>
# <string>Windows</string>
# </attribute>
# </profile-name>
# </end-user-profile>
# </device-information>
# </user-identification>
# </services>
# <security>
# <address-book>
# <name>global</name>
# <address>
# <name>a1</name>
# <ip-prefix>200.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a2</name>
# <ip-prefix>201.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a3</name>
# <ip-prefix>202.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a4</name>
# <ip-prefix>203.0.113.0/24</ip-prefix>
# </address>
# </address-book>
# <dynamic-application>
# <profile>
# <name>test_dyn_app</name>
# <redirect-message>
# <type>
# <custom-text>
# <content>hello_world</content>
# </custom-text>
# </type>
# </redirect-message>
# </profile>
# </dynamic-application>
# <policies>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>two</to-zone-name>
# <policy>
# <name>test_policy_1</name>
# <match>
# <source-address>a1</source-address>
# <source-address>a3</source-address>
# <destination-address>a2</destination-address>
# <destination-address>a4</destination-address>
# <source-address-excluded />
# <destination-address-excluded />
# <application>junos-dhcp-relay</application>
# <application>junos-finger</application>
# <source-identity>authenticated-user</source-identity>
# <source-identity>unknown-user</source-identity>
# <source-end-user-profile>
# <source-end-user-profile-name>test_end_user_profile</source-end-user-profile-name>
# </source-end-user-profile>
# <dynamic-application>any</dynamic-application>
# <url-category>Enhanced_Web_Chat</url-category>
# </match>
# <then>
# <deny />
# <log>
# <session-close />
# </log>
# <count></count>
# </then>
# </policy>
# <policy>
# <name>test_policy_2</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <reject>
# <profile>test_dyn_app</profile>
# <ssl-proxy>
# <profile-name>SECURITY-SSL-PROXY</profile-name>
# </ssl-proxy>
# </reject>
# </then>
# </policy>
# </policy>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>three</to-zone-name>
# <policy>
# <name>test_policy_3</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>a2</destination-address>
# <application>any</application>
# </match>
# <then>
# <permit>
# <firewall-authentication>
# <web-authentication>
# <client-match>FWClient1</client-match>
# </web-authentication>
# <push-to-identity-management />
# </firewall-authentication>
# <destination-address>
# <drop-untranslated />
# </destination-address>
# <application-services>
# <gprs-gtp-profile>gtp1</gprs-gtp-profile>
# <uac-policy></uac-policy>
# <icap-redirect>test_icap</icap-redirect>
# <application-traffic-control>
# <rule-set>test_traffic_control</rule-set>
# </application-traffic-control>
# <reverse-redirect-wx />
# </application-services>
# <tcp-options>
# <initial-tcp-mss>64</initial-tcp-mss>
# <window-scale />
# </tcp-options>
# </permit>
# </then>
# </policy>
# </policy>
# <global>
# <policy>
# <name>test_glob_1</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# <policy>
# <name>test_glob_2</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# </global>
# </policies>
# <zones>
# <security-zone>
# <name>one</name>
# <interfaces>
# <name>ge-0/0/0.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>two</name>
# <interfaces>
# <name>ge-0/0/1.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>three</name>
# <interfaces>
# <name>ge-0/0/2.0</name>
# </interfaces>
# </security-zone>
# </zones>
# <gprs>
# <gtp>
# <profile>
# <name>gtp1</name>
# </profile>
# </gtp>
# </gprs>
# </security>
# <interfaces>
# <interface>
# <name>ge-0/0/0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>200.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/1</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>201.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/2</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>202.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>fxp0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <dhcp></dhcp>
# </inet>
# </family>
# </unit>
# </interface>
# </interfaces>
# <class-of-service>
# <application-traffic-control>
# <rule-sets>
# <name>test_traffic_control</name>
# <rule>
# <name>test_rule</name>
# <match>
# <application-known />
# </match>
# <then>
# <log />
# </then>
# </rule>
# </rule-sets>
# </application-traffic-control>
# </class-of-service>
# <access>
# <profile>
# <name>WEBAUTH</name>
# <client>
# <name>FWClient1</name>
# <firewall-user>
# <password>$9$kq5Ftu1cSe</password>
# </firewall-user>
# </client>
# </profile>
# <firewall-authentication>
# <web-authentication>
# <default-profile>WEBAUTH</default-profile>
# </web-authentication>
# </firewall-authentication>
# </access>
# </configuration>
# <database-status-information></database-status-information>
# </rpc-reply>
#
- name: Parse security policies from a saved running config
  junipernetworks.junos.junos_security_policies:
    running_config: "{{ lookup('file', './parsed.cfg') }}"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "parsed": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: authenticated-user, unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, drop-untranslated, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob_1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "changed": false,
# "gathered": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# }
# Using rendered
#
# Before state
# ------------
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
# "rendered": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
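The parsed and gathered examples above return the zone-pair and global policies as structured data, and the rendered example shows the reverse direction. The following Python script is an added illustration, not code from the junipernetworks.junos collection: it extracts the same zone-pair/global structure from a constructed, trimmed copy of the XML shape seen in parsed.cfg using only the standard library (xml.etree instead of the module's xmltodict requirement), then audits the result for permit rules that match any source, destination and application, or that permit without logging. The sample XML, the extra rule allow_all_sample, and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): a trimmed copy of the parsed.cfg shape above,
# plus one permit-all rule, allow_all_sample, so that the audit has a finding.
SAMPLE_XML = """<rpc-reply><configuration><security><policies>
  <policy>
    <from-zone-name>one</from-zone-name><to-zone-name>two</to-zone-name>
    <policy>
      <name>test_policy_1</name>
      <match>
        <source-address>a1</source-address><source-address>a3</source-address>
        <destination-address>a2</destination-address>
        <application>junos-finger</application>
      </match>
      <then><deny/><log><session-close/></log><count></count></then>
    </policy>
    <policy>
      <name>allow_all_sample</name>
      <match>
        <source-address>any</source-address>
        <destination-address>any</destination-address>
        <application>any</application>
      </match>
      <then><permit/></then>
    </policy>
  </policy>
  <global>
    <policy>
      <name>test_glob_1</name>
      <match>
        <source-address>any-ipv6</source-address>
        <destination-address>any-ipv6</destination-address>
        <application>any</application>
      </match>
      <then><deny/></then>
    </policy>
  </global>
</policies></security></configuration></rpc-reply>"""

# Junos address keywords that match every host of the given family.
WILDCARD_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}


def _policy_to_dict(pol):
    """Flatten one inner <policy> (name/match/then) into plain Python values."""
    match, then = pol.find("match"), pol.find("then")
    action = next((a for a in ("permit", "deny", "reject")
                   if then.find(a) is not None), "unknown")
    return {
        "name": pol.findtext("name"),
        "match": {
            "source_address": [e.text for e in match.findall("source-address")],
            "destination_address": [e.text for e in match.findall("destination-address")],
            "application": [e.text for e in match.findall("application")],
        },
        "then": {
            "action": action,
            "log": then.find("log") is not None,      # any <log> child present
            "count": then.find("count") is not None,  # empty <count></count> counts
        },
    }


def parse_security_policies(xml_text):
    """Return {"from_zones": [...], "global": {"policies": [...]}} from config XML."""
    root = ET.fromstring(xml_text)
    policies = root.find("./configuration/security/policies")
    result = {"from_zones": [], "global": {"policies": []}}
    # Outer <policy> elements are zone-pair contexts; their inner <policy> children are rules.
    for ctx in policies.findall("policy"):
        result["from_zones"].append({
            "from_zone": ctx.findtext("from-zone-name"),
            "to_zone": ctx.findtext("to-zone-name"),
            "policies": [_policy_to_dict(p) for p in ctx.findall("policy")],
        })
    glob = policies.find("global")
    if glob is not None:
        result["global"]["policies"] = [_policy_to_dict(p) for p in glob.findall("policy")]
    return result


def audit_policies(parsed):
    """Return (context, policy name, finding) tuples for permit rules worth review."""
    findings = []
    contexts = [("%s->%s" % (z["from_zone"], z["to_zone"]), z["policies"])
                for z in parsed["from_zones"]]
    contexts.append(("global", parsed["global"]["policies"]))
    for ctx, rules in contexts:
        for rule in rules:
            m, t = rule["match"], rule["then"]
            if t["action"] != "permit":
                continue
            if (set(m["source_address"]) & WILDCARD_ADDRESSES
                    and set(m["destination_address"]) & WILDCARD_ADDRESSES
                    and "any" in m["application"]):
                findings.append((ctx, rule["name"], "permit any->any for any application"))
            if not t["log"]:
                findings.append((ctx, rule["name"], "permit without session logging"))
    return findings
```

Feed `parse_security_policies` the same XML you would hand to the module's `running_config` option, or adapt `audit_policies` to the module's own `gathered` output; the audit only judges permit rules, treating `any`, `any-ipv4` and `any-ipv6` as wildcards, and leaves named address-book entries, exclusions and dynamic applications in the structure without judging them.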
Return Values
Common return values are documented here; the following are the fields unique to this module.

| Key | Description |
|---|---|
| after | The resulting configuration after module execution. Returned: when changed. Example: |
| before | The configuration prior to the module execution. Returned: when state is *merged*, *replaced*, *overridden* or *deleted*. Example: |
| commands | The set of commands pushed to the remote device. Returned: when state is *merged*, *replaced*, *overridden* or *deleted*. Example: |
| gathered | Facts about the network resource gathered from the remote device as structured data. Returned: when state is *gathered*. Example: |
| parsed | The device-native configuration provided in the *running_config* option, parsed into structured data according to the module argspec. Returned: when state is *parsed*. Example: |
| rendered | The configuration provided in the task, rendered in device-native format (offline). Returned: when state is *rendered*. Example: |