zscaler.ziacloud.zia_cloud_firewall_rule module – Firewall Filtering policy rule.

Note

This module is part of the zscaler.ziacloud collection (version 2.0.3).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_cloud_firewall_rule.

New in zscaler.ziacloud 1.0.0

Synopsis 

Adds a new Firewall Filtering policy rule.

Requirements 

The below requirements are needed on the host that executes this module.

Zscaler SDK Python can be obtained from PyPI https://pypi.org/project/zscaler-sdk-python/

Parameters 

Parameter	Comments
action string	The action the Firewall Filtering policy rule takes when packets match the rule Choices: `"ALLOW"` `"BLOCK_DROP"` `"BLOCK_RESET"` `"BLOCK_ICMP"` `"EVAL_NWAPP"`
api_key string	A string that contains the obfuscated API key.
app_service_groups list / elements=integer	Application service groups on which this rule is applied
app_services list / elements=integer	Application services on which this rule is applied
client_id string	The client ID for OAuth2 authentication.
client_secret string	The client secret for OAuth2 authentication.
cloud string	The Zscaler cloud name provisioned for your organization. Choices: `"zscloud"` `"zscaler"` `"zscalerone"` `"zscalertwo"` `"zscalerthree"` `"zscalerbeta"` `"zscalergov"` `"zscalerten"` `"beta"` `"production"`
departments list / elements=integer	The departments to which the Firewall Filtering policy rule applies
description string	Additional information about the rule
dest_addresses list / elements=string	List of destination IP addresses to which this rule will be applied. CIDR notation can be used for destination IP addresses.
dest_countries list / elements=string	Destination countries for which the rule is applicable. If not set, the rule is not restricted to specific destination countries. Provide a ISO3166 Alpha2 code. visit the following site for reference https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
dest_ip_categories list / elements=string	IP address categories of destination for which the DNAT rule is applicable. If not set, the rule is not restricted to specific destination IP categories.
dest_ip_groups list / elements=integer	User-defined destination IP address groups on which the rule is applied. If not set, the rule is not restricted to a specific destination IP address group.
dest_ipv6_groups list / elements=integer	Destination IPv6 address groups for which the rule is applicable. If not set, the rule is not restricted to a specific source IPv6 address group.
device_groups list / elements=integer	Name-ID pairs of device groups for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. If no value is set, this field is ignored during the policy evaluation.
device_trust_levels list / elements=string	List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations. If no value is set, this field is ignored during the policy evaluation. Choices: `"ANY"` `"UNKNOWN_DEVICETRUSTLEVEL"` `"LOW_TRUST"` `"MEDIUM_TRUST"` `"HIGH_TRUST"`
devices list / elements=integer	Name-ID pairs of devices for which rule must be applied. Specifies devices that are managed using Zscaler Client Connector. If no value is set, this field is ignored during the policy evaluation.
enable_full_logging boolean	Aggregate The service groups together individual sessions based on user, rule, network service, network application and records them periodically. Full The service logs all sessions of the rule individually, except HTTPS or HTTPS. Full logging on all other rules requires the Full Logging license. Only Block rules support full logging. Choices: `false` ← (default) `true`
enabled boolean	Determines whether the Firewall Filtering policy rule is enabled or disabled Choices: `false` `true`
exclude_src_countries boolean	Indicates whether the countries specified in the sourceCountries field are included or excluded from the rule. A true value denotes that the specified source countries are excluded from the rule. A false value denotes that the rule is applied to the source countries if there is a match. Provide a ISO3166 Alpha2 code. visit the following site for reference https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes Choices: `false` `true`
groups list / elements=integer	The groups to which the Firewall Filtering policy rule applies
id integer	Unique identifier for the Firewall Filtering policy rule
labels list / elements=integer	Labels that are applicable to the rule.
location_groups list / elements=integer	The location groups to which the Firewall Filtering policy rule applies
locations list / elements=integer	The locations to which the Firewall Filtering policy rule applies
name string / required	Name of the Firewall Filtering policy rule
nw_application_groups list / elements=integer	User-defined network service application group on which the rule is applied. If not set, the rule is not restricted to a specific network service application group.
nw_applications list / elements=string	User-defined network service applications on which the rule is applied. If not set, the rule is not restricted to a specific network service application. Use Info Resource zia_cloud_applications_info to retrieve the list of applications
nw_service_groups list / elements=integer	User-defined network service group on which the rule is applied. If not set, the rule is not restricted to a specific network service group.
nw_services list / elements=integer	User-defined network services on which the rule is applied. If not set, the rule is not restricted to a specific network service.
order integer	Rule order number of the Firewall Filtering policy rule
password string	A string that contains the password for the API admin.
private_key string	The private key for JWT-based OAuth2 authentication.
provider dictionary	A dict containing authentication credentials.
api_key string	Obfuscated API key.
client_id string	OAuth2 client ID.
client_secret string	OAuth2 client secret.
cloud string	Zscaler cloud name. Choices: `"zscloud"` `"zscaler"` `"zscalerone"` `"zscalertwo"` `"zscalerthree"` `"zscalerbeta"` `"zscalergov"` `"zscalerten"` `"beta"` `"production"`
password string	Password for the API admin.
private_key string	Private key for OAuth2 JWT.
sandbox_cloud string	Sandbox Cloud environment.
sandbox_token string	Sandbox API Key.
use_legacy_client boolean	Whether to use the legacy Zscaler API client. Choices: `false` ← (default) `true`
username string	Email ID of the API admin.
vanity_domain string	Vanity domain for OAuth2.
rank integer	Admin rank of the Firewall Filtering policy rule Default: `7`
sandbox_cloud string	The Sandbox cloud environment for API access.
sandbox_token string	A string that contains the Sandbox API Key.
source_countries list / elements=string	The list of source countries that must be included or excluded from the rule based on the excludeSrcCountries field value. If no value is set, this field is ignored during policy evaluation and the rule is applied to all source countries. Provide a ISO3166 Alpha2 code. visit the following site for reference https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
src_ip_groups list / elements=integer	User-defined source IP address groups for which the rule is applicable. If not set, the rule is not restricted to a specific source IP address group.
src_ips list / elements=string	User-defined source IP addresses for which the rule is applicable. If not set, the rule is not restricted to a specific source IP address.
src_ipv6_groups list / elements=integer	Source IPv6 address groups for which the rule is applicable. If not set, the rule is not restricted to a specific source IPv6 address group.
state string	Specifies the desired state of the resource. Choices: `"present"` ← (default) `"absent"`
time_windows list / elements=integer	The time interval in which the Firewall Filtering policy rule applies
use_legacy_client boolean	Whether to use the legacy Zscaler API client. Choices: `false` ← (default) `true`
username string	A string that contains the email ID of the API admin.
users list / elements=integer	The users to which the Firewall Filtering policy rule applies
vanity_domain string	The vanity domain provisioned by Zscaler for OAuth2 flows.
workload_groups list / elements=integer	The list of preconfigured workload groups to which the policy must be applied.

Notes 

Note

Check mode is supported.

Examples 

- name: Create/update  firewall filtering rule
  zscaler.ziacloud.zia_cloud_firewall_rule:
    provider: '{{ provider }}'
    state: present
    name: "Ansible_Example_Rule"
    description: "TT#1965232865"
    action: "ALLOW"
    enabled: true
    order: 1
    enable_full_logging: true
    exclude_src_countries: true
    source_countries:
      - BR
      - CA
      - US
    dest_countries:
      - BR
      - CA
      - US
    device_trust_levels:
      - "UNKNOWN_DEVICETRUSTLEVEL"
      - "LOW_TRUST"
      - "MEDIUM_TRUST"
      - "HIGH_TRUST"

Authors

William Guilherme (@willguibr)

zscaler.ziacloud.zia_cloud_firewall_rule module – Firewall Filtering policy rule.

Synopsis

Requirements

Parameters

Notes

Examples