zscaler.ziacloud.zia_cloud_firewall_dns_rules module – Firewall DNS policy rule.

Note

This module is part of the zscaler.ziacloud collection (version 2.0.3).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_cloud_firewall_dns_rules.

New in zscaler.ziacloud 2.0.0

Synopsis

  • Creates, updates, or deletes a Firewall DNS policy rule (see the state parameter).

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action the Firewall DNS policy rule takes when packets match the rule

Choices:

  • "ALLOW"

  • "BLOCK"

  • "REDIR_REQ"

  • "REDIR_RES"

  • "REDIR_ZPA"

  • "REDIR_REQ_DOH"

  • "REDIR_REQ_KEEP_SENDER"

  • "REDIR_REQ_TCP"

  • "REDIR_REQ_UDP"

  • "BLOCK_WITH_RESPONSE"

api_key

string

A string that contains the obfuscated API key.

application_groups

list / elements=integer

User-defined network service application group on which the rule is applied.

If not set, the rule is not restricted to a specific network service application group.

applications

list / elements=string

User-defined network service applications on which the rule is applied.

If not set, the rule is not restricted to a specific network service application.

block_response_code

string

The DNS response code sent to the client when the action is BLOCK_WITH_RESPONSE.

Only meaningful with that action; for the other actions the field is ignored.

Choices:

  • "FORMERR"

  • "SERVFAIL"

  • "NXDOMAIN"

  • "NOTIMP"

  • "REFUSED"
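A playbook that uses BLOCK_WITH_RESPONSE with an NXDOMAIN reply, added here as an example; it is not taken from the collection's documentation or source. The rule name, description, order, the choice of record types and the environment-variable names used to build the provider dict are all assumptions; only the module parameters and their choices come from this page.

```yaml
# Added example (not part of the zscaler.ziacloud collection docs).
# Assumptions: OAuth2 credentials are supplied through environment
# variables rather than written into the playbook; the rule name,
# order and the record types chosen are illustrative.
- name: Answer abused DNS record types with a synthetic NXDOMAIN
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      client_id: "{{ lookup('ansible.builtin.env', 'ZSCALER_CLIENT_ID') }}"
      client_secret: "{{ lookup('ansible.builtin.env', 'ZSCALER_CLIENT_SECRET') }}"
      vanity_domain: "{{ lookup('ansible.builtin.env', 'ZSCALER_VANITY_DOMAIN') }}"
      cloud: production
  tasks:
    - name: Block TXT and NULL lookups over plain DNS
      zscaler.ziacloud.zia_cloud_firewall_dns_rules:
        provider: "{{ provider }}"
        state: present
        name: "Block-DNS-Tunnel-Record-Types"
        description: "NXDOMAIN for TXT/NULL queries; review mail relays before enabling"
        action: BLOCK_WITH_RESPONSE
        block_response_code: NXDOMAIN   # only read when action is BLOCK_WITH_RESPONSE
        enabled: true
        order: 1
        # TXT and NULL records carry arbitrary payloads and are common DNS
        # tunnelling carriers. Caveat: mail servers need TXT for SPF/DKIM/DMARC,
        # so scope this with locations/src_ip_groups before turning it on.
        dns_rule_request_types:
          - TXT
          - "NULL"   # quoted so YAML does not read it as a null value
        protocols:
          - TCP_RULE
          - UDP_RULE
      register: dns_block_rule

    - name: Show what the module returned for the rule
      ansible.builtin.debug:
        var: dns_block_rule
```

NXDOMAIN is chosen here because most resolvers cache it briefly and retry less aggressively than on SERVFAIL; REFUSED is the more honest signal if you want the client to know it hit policy. Run with `ansible-playbook --check` first: the module supports check mode, so you can see whether the rule would be created or merely updated before touching the tenant.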

capture_pcap

boolean

Indicates whether packet capture (PCAP) is enabled or not

Choices:

  • false

  • true

client_id

string

The client ID for OAuth2 authentication.

client_secret

string

The client secret for OAuth2 authentication.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

departments

list / elements=integer

The departments to which the Firewall DNS policy rule applies

description

string

Additional information about the rule

dest_addresses

list / elements=string

List of destination IP addresses to which this rule will be applied.

CIDR notation can be used for destination IP addresses.

dest_countries

list / elements=string

Destination countries for which the rule is applicable.

If not set, the rule is not restricted to specific destination countries.

Provide an ISO 3166 alpha-2 code; see https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes for reference.

dest_ip_categories

list / elements=string

IP address categories of the destination for which the rule is applicable.

If not set, the rule is not restricted to specific destination IP categories.

dest_ip_groups

list / elements=integer

User-defined destination IP address groups on which the rule is applied.

If not set, the rule is not restricted to a specific destination IP address group.

dest_ipv6_groups

list / elements=integer

Destination IPv6 address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific destination IPv6 address group.

dns_gateway

dictionary

The DNS gateway used to redirect traffic. Required when the rule action redirects the DNS request to an external DNS service (for example REDIR_REQ); ignored for other actions.

id

integer

A unique identifier for an entity

dns_rule_request_types

list / elements=string

DNS request types to which the rule applies

Choices:

  • "A"

  • "NS"

  • "MD"

  • "MF"

  • "CNAME"

  • "SOA"

  • "MB"

  • "MG"

  • "MR"

  • "NULL"

  • "WKS"

  • "PTR"

  • "HINFO"

  • "MINFO"

  • "MX"

  • "TXT"

  • "RP"

  • "AFSDB"

  • "X25"

  • "ISDN"

  • "RT"

  • "NSAP"

  • "NSAP_PTR"

  • "SIG"

  • "KEY"

  • "PX"

  • "GPOS"

  • "AAAA"

  • "LOC"

  • "NXT"

  • "EID"

  • "NIMLOC"

  • "SRV"

  • "ATMA"

  • "NAPTR"

  • "KX"

  • "CERT"

  • "A6"

  • "DNAME"

  • "SINK"

  • "OPT"

  • "APL"

  • "DS"

  • "SSHFP"

  • "PSECKEF"

  • "RRSIG"

  • "NSEC"

  • "DNSKEY"

  • "DHCID"

  • "NSEC3"

  • "NSEC3PARAM"

  • "TLSA"

  • "HIP"

  • "NINFO"

  • "RKEY"

  • "TALINK"

  • "CDS"

  • "CDNSKEY"

  • "OPENPGPKEY"

  • "CSYNC"

  • "ZONEMD"

  • "SVCB"

  • "HTTPS"

enabled

boolean

Determines whether the Firewall DNS policy rule is enabled or disabled

Choices:

  • false

  • true

groups

list / elements=integer

The groups to which the Firewall DNS policy rule applies

id

integer

Unique identifier for the Firewall DNS policy rule

labels

list / elements=integer

Labels that are applicable to the rule.

location_groups

list / elements=integer

The location groups to which the Firewall DNS policy rule applies

locations

list / elements=integer

The locations to which the Firewall DNS policy rule applies

name

string / required

Name of the Firewall DNS policy rule

order

integer

Rule order number of the Firewall DNS policy rule

password

string

A string that contains the password for the API admin.

private_key

string

The private key for JWT-based OAuth2 authentication.

protocols

list / elements=string

List of protocols to which this rule applies

Choices:

  • "ANY_RULE"

  • "SMRULEF_CASCADING_ALLOWED"

  • "TCP_RULE"

  • "UDP_RULE"

  • "DOHTTPS_RULE"

provider

dictionary

A dict containing authentication credentials.

api_key

string

Obfuscated API key.

client_id

string

OAuth2 client ID.

client_secret

string

OAuth2 client secret.

cloud

string

Zscaler cloud name.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

password

string

Password for the API admin.

private_key

string

Private key for OAuth2 JWT.

sandbox_cloud

string

Sandbox Cloud environment.

sandbox_token

string

Sandbox API Key.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

username

string

Email ID of the API admin.

vanity_domain

string

Vanity domain for OAuth2.

rank

integer

Admin rank of the Firewall DNS policy rule

Default: 7

res_categories

list / elements=string

List of destination domain categories to which the rule applies

sandbox_cloud

string

The Sandbox cloud environment for API access.

sandbox_token

string

A string that contains the Sandbox API Key.

source_countries

list / elements=string

The list of source countries that are included in or excluded from the rule, depending on the excludeSrcCountries field of the underlying API object (that field is not exposed as a parameter of this module).

If no value is set, this field is ignored during policy evaluation and the rule is applied to all source countries.

Provide an ISO 3166 alpha-2 code; see https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes for reference.

src_ip_groups

list / elements=integer

User-defined source IP address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific source IP address group.

src_ips

list / elements=string

User-defined source IP addresses for which the rule is applicable.

If not set, the rule is not restricted to a specific source IP address.

src_ipv6_groups

list / elements=integer

Source IPv6 address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific source IPv6 address group.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

time_windows

list / elements=integer

The time interval in which the Firewall DNS policy rule applies

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

username

string

A string that contains the email ID of the API admin.

users

list / elements=integer

The users to which the Firewall DNS policy rule applies

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

zpa_ip_group

dictionary

The ZPA IP pool used for domain name resolution when action is REDIR_ZPA.

id

integer

Unique identifier of the ZPA IP group.

name

string

Name of the ZPA IP group.
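The redirect actions depend on a second object: REDIR_ZPA needs a zpa_ip_group and REDIR_REQ needs a dns_gateway. The playbook below, added as an example that is not part of the collection's documentation, shows both, plus removal of a retired rule with state: absent. The ids 2001 and 3001, the vault file name, the location id 4001 and all rule names are placeholders; the objects they refer to must already exist in your tenant.

```yaml
# Added example (not part of the zscaler.ziacloud collection docs).
# Assumptions: vault/zia_provider.yml is an ansible-vault encrypted file
# defining the `provider` dict; ids 2001 (DNS gateway), 3001 (ZPA IP pool)
# and 4001 (location) are placeholders for objects that exist in the tenant.
- name: Redirect DNS resolution instead of blocking it
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault/zia_provider.yml
  tasks:
    - name: Resolve A/AAAA lookups from the corporate location through ZPA
      zscaler.ziacloud.zia_cloud_firewall_dns_rules:
        provider: "{{ provider }}"
        state: present
        name: "Redirect-Internal-Resolution-To-ZPA"
        action: REDIR_ZPA
        zpa_ip_group:
          id: 3001          # placeholder: ZPA IP pool used for resolution
        enabled: true
        order: 2
        locations:
          - 4001            # placeholder: location whose clients get ZPA answers
        dns_rule_request_types:
          - A
          - AAAA
        protocols:
          - TCP_RULE
          - UDP_RULE

    - name: Forward everything else to the managed external resolver
      zscaler.ziacloud.zia_cloud_firewall_dns_rules:
        provider: "{{ provider }}"
        state: present
        name: "Redirect-Remaining-Queries-To-Gateway"
        action: REDIR_REQ
        dns_gateway:
          id: 2001          # placeholder: DNS gateway object in the tenant
        enabled: true
        order: 3
        protocols:
          - ANY_RULE
        rank: 7             # page default; shown explicitly for clarity

    - name: Remove a rule that has been superseded
      zscaler.ziacloud.zia_cloud_firewall_dns_rules:
        provider: "{{ provider }}"
        state: absent
        name: "Legacy-Forward-To-Old-Resolver"
```

Ordering matters: the ZPA rule is placed before the catch-all gateway rule so that internal names are answered by ZPA rather than leaked to the external resolver. Keep the provider dict in an encrypted vars file rather than inline, since client_secret, password and private_key are all credentials for the tenant admin API.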

Notes

Note

  • Check mode is supported.

Examples

- name: Create/update Firewall DNS rule
  zscaler.ziacloud.zia_cloud_firewall_dns_rules:
    provider: '{{ provider }}'
    state: present
    name: "Ansible_Example_Rule"
    description: "TT#1965232865"
    action: "ALLOW"
    enabled: true
    order: 1
    source_countries:
      - BR
      - CA
      - US
    dest_countries:
      - BR
      - CA
      - US

Authors

  • William Guilherme (@willguibr)