zscaler.ziacloud.zia_cloud_firewall_filtering_rule module – Firewall Filtering policy rule.

Note

This module is part of the zscaler.ziacloud collection (version 1.3.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_cloud_firewall_filtering_rule.

New in zscaler.ziacloud 1.0.0

Synopsis

  • Adds, updates, or removes a Firewall Filtering policy rule (the operation is selected with the state parameter).

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action the Firewall Filtering policy rule takes when packets match the rule.

Choices:

  • "ALLOW"

  • "BLOCK_DROP"

  • "BLOCK_RESET"

  • "BLOCK_ICMP"

  • "EVAL_NWAPP"

api_key

string

A string that contains the obfuscated API key.

app_service_groups

list / elements=integer

Application service groups on which this rule is applied

app_services

list / elements=integer

Application services on which this rule is applied

cloud

string

The Zscaler cloud name that was provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

departments

list / elements=integer

The departments to which the Firewall Filtering policy rule applies

description

string

Additional information about the rule

dest_addresses

list / elements=string

List of destination IP addresses to which this rule will be applied.

CIDR notation can be used for destination IP addresses.

dest_countries

list / elements=string

Destination countries for which the rule is applicable.

If not set, the rule is not restricted to specific destination countries.

Provide an ISO 3166 alpha-2 code; see https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes for reference.

dest_ip_categories

list / elements=string

IP address categories of the destination for which the rule is applicable.

If not set, the rule is not restricted to specific destination IP categories.

dest_ip_groups

list / elements=integer

User-defined destination IP address groups on which the rule is applied.

If not set, the rule is not restricted to a specific destination IP address group.

dest_ipv6_groups

list / elements=integer

Destination IPv6 address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific destination IPv6 address group.

device_groups

list / elements=integer

IDs of the device groups for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

device_trust_levels

list / elements=string

List of device trust levels for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

The trust levels are assigned to the devices based on your posture configurations.

If no value is set, this field is ignored during the policy evaluation.

Choices:

  • "ANY"

  • "UNKNOWN_DEVICETRUSTLEVEL"

  • "LOW_TRUST"

  • "MEDIUM_TRUST"

  • "HIGH_TRUST"

devices

list / elements=integer

IDs of the devices for which the rule must be applied.

Specifies devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

enable_full_logging

boolean

Selects the logging mode for sessions matched by this rule: false selects aggregate logging, true selects full logging.

Aggregate: the service groups individual sessions together based on user, rule, network service, and network application, and records them periodically.

Full: the service logs every session matched by the rule individually, except HTTP and HTTPS sessions.

Full logging on all other rules requires the Full Logging license. Only Block rules support full logging.

Choices:

  • false ← (default)

  • true

enabled

boolean

Determines whether the Firewall Filtering policy rule is enabled or disabled.

Choices:

  • false

  • true

exclude_src_countries

boolean

Indicates whether the countries listed in source_countries are included in or excluded from the rule.

A true value denotes that the specified source countries are excluded from the rule, so the rule matches traffic from every other source country.

A false value denotes that the rule is applied to the listed source countries when there is a match.

Choices:

  • false

  • true

groups

list / elements=integer

The groups to which the Firewall Filtering policy rule applies

id

integer

Unique identifier for the Firewall Filtering policy rule

labels

list / elements=integer

Labels that are applicable to the rule.

location_groups

list / elements=integer

The location groups to which the Firewall Filtering policy rule applies

locations

list / elements=integer

The locations to which the Firewall Filtering policy rule applies

name

string / required

Name of the Firewall Filtering policy rule

nw_application_groups

list / elements=integer

User-defined network service application groups on which the rule is applied.

If not set, the rule is not restricted to a specific network service application group.

nw_applications

list / elements=integer

User-defined network service applications on which the rule is applied.

If not set, the rule is not restricted to a specific network service application.

nw_service_groups

list / elements=integer

User-defined network service groups on which the rule is applied.

If not set, the rule is not restricted to a specific network service group.

nw_services

list / elements=integer

User-defined network services on which the rule is applied.

If not set, the rule is not restricted to a specific network service.

order

integer

Rule order number of the Firewall Filtering policy rule. Rules are evaluated in ascending order, so a rule with order 1 is evaluated first.

password

string

A string that contains the password for the API admin.

provider

dictionary

A dict object containing connection details. This is optional; credentials can also be provided directly at the top level.

api_key

string

A string that contains the obfuscated API key.

cloud

string

The Zscaler cloud name that was provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

password

string

A string that contains the password for the API admin.

sandbox_token

string

A string that contains the Sandbox API Key.

username

string

A string that contains the email ID of the API admin.

rank

integer

Admin rank of the Firewall Filtering policy rule

Default: 7

sandbox_token

string

A string that contains the Sandbox API Key.

source_countries

list / elements=string

The list of source countries that must be included in or excluded from the rule, depending on the value of exclude_src_countries.

If no value is set, this field is ignored during policy evaluation and the rule is applied to all source countries.

Provide an ISO 3166 alpha-2 code; see https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes for reference.

src_ip_groups

list / elements=integer

User-defined source IP address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific source IP address group.

src_ips

list / elements=string

User-defined source IP addresses for which the rule is applicable.

If not set, the rule is not restricted to a specific source IP address.

src_ipv6_groups

list / elements=integer

Source IPv6 address groups for which the rule is applicable.

If not set, the rule is not restricted to a specific source IPv6 address group.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

time_windows

list / elements=integer

IDs of the time windows during which the Firewall Filtering policy rule applies.

username

string

A string that contains the email ID of the API admin.

users

list / elements=integer

The users to which the Firewall Filtering policy rule applies

workload_groups

list / elements=integer

The list of preconfigured workload groups to which the policy must be applied.

Notes

Note

  • Check mode is supported.

Examples

- name: Create/update firewall filtering rule
  zscaler.ziacloud.zia_cloud_firewall_filtering_rule:
    provider: '{{ provider }}'
    state: present
    name: "Ansible_Example_Rule"
    description: "TT#1965232865"
    action: "ALLOW"
    enabled: true
    order: 1
    enable_full_logging: true
    # With exclude_src_countries set to true, the rule matches traffic from
    # every source country except the ones listed in source_countries.
    exclude_src_countries: true
    source_countries:
      - BR
      - CA
      - US
    # dest_countries is always an include list: only traffic bound for
    # BR, CA or US matches this rule.
    dest_countries:
      - BR
      - CA
      - US
    device_trust_levels:
      - "UNKNOWN_DEVICETRUSTLEVEL"
      - "LOW_TRUST"
      - "MEDIUM_TRUST"
      - "HIGH_TRUST"

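The following playbook is an added example, not part of the collection's own documentation. It ties together the parameters described above: the provider dictionary sourced from environment variables instead of plaintext, an ALLOW rule at order 1 that is evaluated before a BLOCK_DROP rule at order 2, full logging enabled only on the Block rule (the only kind that supports it), the include semantics of dest_countries, and removal with state: absent. The credential environment variable names, the rule names, the 10.0.0.0/8 source range, the countries KP and IR, and the destination IP group ID 12345 are constructed placeholders and assumptions; the ID must refer to a group that already exists in your tenant.

```yaml
# Added example; assumes ZIA_USERNAME, ZIA_PASSWORD, ZIA_API_KEY and ZIA_CLOUD
# are exported in the environment of the control node (or supplied from
# Ansible Vault). All object names and IDs below are hypothetical.
- name: Manage ZIA Cloud Firewall Filtering rules
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Build the provider dict from the environment so credentials never
    # land in the playbook or in version control.
    zia_provider:
      username: "{{ lookup('env', 'ZIA_USERNAME') }}"
      password: "{{ lookup('env', 'ZIA_PASSWORD') }}"
      api_key: "{{ lookup('env', 'ZIA_API_KEY') }}"
      cloud: "{{ lookup('env', 'ZIA_CLOUD') }}"   # one of the documented cloud names, e.g. zscalerthree
  tasks:
    - name: Allow corporate sources on trusted devices to reach an approved destination group
      zscaler.ziacloud.zia_cloud_firewall_filtering_rule:
        provider: "{{ zia_provider }}"
        state: present
        name: "Allow_Corp_To_Trusted"
        description: "Explicit allow; order 1 so it is evaluated before the geo block"
        action: "ALLOW"
        enabled: true
        order: 1
        src_ips:
          - "10.0.0.0/8"          # constructed corporate range
        dest_ip_groups:
          - 12345                 # hypothetical ID of an existing destination IP group
        device_trust_levels:
          - "HIGH_TRUST"
      no_log: true                # keeps the provider credentials out of task output

    - name: Drop traffic bound for embargoed destination countries and log each session
      zscaler.ziacloud.zia_cloud_firewall_filtering_rule:
        provider: "{{ zia_provider }}"
        state: present
        name: "Block_Embargoed_Destinations"
        description: "BLOCK_DROP discards silently; BLOCK_RESET would send a TCP reset instead"
        action: "BLOCK_DROP"
        enabled: true
        order: 2
        # Full (per-session) logging is only supported on Block rules.
        enable_full_logging: true
        # dest_countries is an include list: only traffic to these countries matches.
        dest_countries:
          - "KP"
          - "IR"
        # source_countries is left unset, so the rule applies to all source
        # countries regardless of exclude_src_countries.
        exclude_src_countries: false
      no_log: true

    - name: Remove a rule that is no longer needed (no change if it is already gone)
      zscaler.ziacloud.zia_cloud_firewall_filtering_rule:
        provider: "{{ zia_provider }}"
        state: absent
        name: "Ansible_Example_Rule"
      no_log: true
```

Because the module supports check mode, run the playbook first with `ansible-playbook --check` to see which rules would be created, changed or removed before touching the tenant. `no_log: true` also suppresses the module's return value, so drop it temporarily if you need to read back the rule ID while debugging.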
Authors

  • William Guilherme (@willguibr)