zscaler.ziacloud.zia_ssl_inspection_rules module – Creates a new SSL inspection rule

Note

This module is part of the zscaler.ziacloud collection (version 2.0.3).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_ssl_inspection_rules.

New in zscaler.ziacloud 2.0.0

Synopsis

  • Creates a new SSL inspection rule

Requirements

The following requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

dictionary

Action block that defines what happens when SSL traffic matches the rule.

This includes whether to decrypt, block, or bypass SSL inspection.

decrypt_sub_actions

dictionary

Additional sub-actions that can be configured when decrypting SSL traffic.

block_ssl_traffic_with_no_sni_enabled

boolean

Whether to block SSL traffic that does not have Server Name Indication (SNI).

Choices:

  • false

  • true

block_undecrypt

boolean

Whether to block SSL traffic that cannot be decrypted.

Choices:

  • false

  • true

http2_enabled

boolean

Whether HTTP/2 inspection is enabled.

Choices:

  • false

  • true

min_client_tls_version

string

Minimum TLS version allowed for client-side connections.

Choices:

  • "CLIENT_TLS_1_0"

  • "CLIENT_TLS_1_1"

  • "CLIENT_TLS_1_2"

  • "CLIENT_TLS_1_3"

min_server_tls_version

string

Minimum TLS version allowed for server-side connections.

Choices:

  • "SERVER_TLS_1_0"

  • "SERVER_TLS_1_1"

  • "SERVER_TLS_1_2"

  • "SERVER_TLS_1_3"

ocsp_check

boolean

Whether to perform OCSP checks on server certificates.

Choices:

  • false

  • true

server_certificates

string

Specifies the server certificate behavior during SSL inspection.

do_not_decrypt_sub_actions

dictionary

Additional sub-actions that can be configured when bypassing SSL decryption.

block_ssl_traffic_with_no_sni_enabled

boolean

Whether to block SSL traffic without Server Name Indication (SNI).

Choices:

  • false

  • true

bypass_other_policies

boolean

Whether to bypass additional policies for non-decrypted traffic.

Choices:

  • false

  • true

min_tls_version

string

Minimum TLS version required for bypassed SSL traffic.

Choices:

  • "SERVER_TLS_1_0"

  • "SERVER_TLS_1_1"

  • "SERVER_TLS_1_2"

  • "SERVER_TLS_1_3"

ocsp_check

boolean

Whether to perform OCSP checks on server certificates even if traffic is not decrypted.

Choices:

  • false

  • true

server_certificates

string

Specifies the server certificate behavior when not decrypting.

override_default_certificate

boolean

Whether to override the default SSL inspection certificate for this rule.

Choices:

  • false

  • true

show_eun

boolean

Whether to show End User Notification (EUN) on blocked traffic.

Choices:

  • false

  • true

show_eunatp

boolean

Whether to show Advanced Threat Protection (ATP) notification on blocked traffic.

Choices:

  • false

  • true

ssl_interception_cert

dictionary

SSL interception certificate to be used when overriding the default certificate.

id

integer / required

ID of the SSL interception certificate.

type

string / required

The primary action taken on matched traffic.

Choices:

  • "BLOCK"

  • "DECRYPT"

  • "DO_NOT_DECRYPT"

api_key

string

A string that contains the obfuscated API key.

client_id

string

The client ID for OAuth2 authentication.

client_secret

string

The client secret for OAuth2 authentication.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

cloud_applications

list / elements=string

The list of cloud applications to which the SSL Inspection Rule must be applied.

Use the info resource zia_cloud_applications_info to retrieve the list of supported app_policy and ssl_policy applications.

departments

list / elements=integer

The departments to which the SSL Inspection Rule applies

description

string

Additional information about the rule

dest_ip_groups

list / elements=integer

User-defined destination IP address groups on which the rule is applied.

If not set, the rule is not restricted to a specific destination IP address group.

device_groups

list / elements=integer

Name-ID pairs of device groups for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

device_trust_levels

list / elements=string

List of device trust levels for which the rule must be applied.

This field is applicable for devices that are managed using Zscaler Client Connector.

The trust levels are assigned to the devices based on your posture configurations.

If no value is set, this field is ignored during the policy evaluation.

Choices:

  • "ANY"

  • "UNKNOWN_DEVICETRUSTLEVEL"

  • "LOW_TRUST"

  • "MEDIUM_TRUST"

  • "HIGH_TRUST"

devices

list / elements=integer

Name-ID pairs of devices for which the rule must be applied.

Specifies devices that are managed using Zscaler Client Connector.

If no value is set, this field is ignored during the policy evaluation.

enabled

boolean

Determines whether the SSL Inspection Rule is enabled or disabled

Choices:

  • false

  • true

groups

list / elements=integer

The groups to which the SSL Inspection Rule applies

id

integer

Unique identifier for the SSL Inspection Rule

labels

list / elements=integer

Labels that are applicable to the rule.

location_groups

list / elements=integer

The location groups to which the SSL Inspection Rule applies

locations

list / elements=integer

The locations to which the SSL Inspection Rule applies

name

string / required

Name of the SSL Inspection Rule

order

integer

Rule order number of the SSL Inspection Rule

password

string

A string that contains the password for the API admin.

platforms

list / elements=string

Zscaler Client Connector device platforms for which the rule must be applied.

If not set, the rule is applied to all device platforms.

Choices:

  • "SCAN_IOS"

  • "SCAN_ANDROID"

  • "SCAN_MACOS"

  • "SCAN_WINDOWS"

  • "NO_CLIENT_CONNECTOR"

  • "SCAN_LINUX"

private_key

string

The private key for JWT-based OAuth2 authentication.

provider

dictionary

A dict containing authentication credentials.

api_key

string

Obfuscated API key.

client_id

string

OAuth2 client ID.

client_secret

string

OAuth2 client secret.

cloud

string

Zscaler cloud name.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

  • "beta"

  • "production"

password

string

Password for the API admin.

private_key

string

Private key for OAuth2 JWT.

sandbox_cloud

string

Sandbox Cloud environment.

sandbox_token

string

Sandbox API Key.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

username

string

Email ID of the API admin.

vanity_domain

string

Vanity domain for OAuth2.

proxy_gateways

list / elements=integer

The proxy chaining gateways for which this rule is applicable. Ignored if the forwarding method is not Proxy Chaining.

rank

integer

Admin rank of the SSL Inspection Rule

Default: 7

road_warrior_for_kerberos

boolean

When set to true, the rule is applied to remote users that use PAC with Kerberos authentication.

Otherwise, this setting has no effect on rule evaluation.

Choices:

  • false

  • true

sandbox_cloud

string

The Sandbox cloud environment for API access.

sandbox_token

string

A string that contains the Sandbox API Key.

source_ip_groups

list / elements=integer

User-defined source IP address groups on which the rule is applied.

If not set, the rule is not restricted to a specific source IP address group.

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

time_windows

list / elements=integer

The time interval in which the SSL Inspection Rule applies

url_categories

list / elements=string

The URL categories to which the rule applies

Use the info resource zia_url_categories_info to retrieve the category names.

use_legacy_client

boolean

Whether to use the legacy Zscaler API client.

Choices:

  • false ← (default)

  • true

user_agent_types

list / elements=string

Any number of user agents to which the rule applies.

Choices:

  • "OPERA"

  • "FIREFOX"

  • "MSIE"

  • "MSEDGE"

  • "CHROME"

  • "SAFARI"

  • "OTHER"

  • "MSCHREDGE"

username

string

A string that contains the email ID of the API admin.

users

list / elements=integer

The users to which the SSL Inspection Rule applies

vanity_domain

string

The vanity domain provisioned by Zscaler for OAuth2 flows.

workload_groups

list / elements=integer

The list of preconfigured workload groups to which the policy must be applied.

zpa_app_segments

list / elements=dictionary

The list of ZPA Application Segments for which this rule is applicable.

This field is applicable only for the ZPA forwarding method.

external_id

string / required

Indicates the external ID. Applicable only when this reference is of an external entity.

name

string / required

The name of the Application Segment

Notes

Note

  • Check mode is supported.

Examples

- name: Create/update firewall filtering rule
  zscaler.ziacloud.zia_cloud_firewall_filtering_rule:
    provider: '{{ provider }}'
    state: present
    name: "Ansible_Example_Rule"
    description: "TT#1965232865"
    action: "ALLOW"
    enabled: true
    order: 1
    enable_full_logging: true
    exclude_src_countries: true
    source_countries:
      - BR
      - CA
      - US
    dest_countries:
      - BR
      - CA
      - US
    device_trust_levels:
      - "UNKNOWN_DEVICETRUSTLEVEL"
      - "LOW_TRUST"
      - "MEDIUM_TRUST"
      - "HIGH_TRUST"
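The following tasks are an added example written for this page, not taken from the zscaler.ziacloud collection's own documentation. They show the action block described in the Parameters section in both of its forms: a narrowly scoped DO_NOT_DECRYPT exception that still enforces a TLS floor and OCSP, ordered ahead of a catch-all DECRYPT rule for managed devices that blocks traffic which cannot be decrypted or carries no SNI. The provider variable, rule names, descriptions and the url_categories values are assumed placeholders; adjust them to your tenant.

```yaml
# Added example: baseline SSL inspection policy as two ordered rules.
# Rule names, descriptions, the provider variable and the category names
# below are assumed values, not defaults of the collection.
- name: Bypass decryption for regulated categories but keep a TLS floor and OCSP
  zscaler.ziacloud.zia_ssl_inspection_rules:
    provider: "{{ provider }}"
    state: present
    name: "Ansible_SSL_Bypass_Regulated"
    description: "Privacy exception: no decryption, TLS 1.2 minimum, OCSP enforced"
    enabled: true
    order: 1            # evaluated before the catch-all decrypt rule below
    rank: 7
    url_categories:     # assumed ZIA category names; retrieve real ones with zia_url_categories_info
      - "FINANCE"
      - "HEALTH"
    action:
      type: "DO_NOT_DECRYPT"
      do_not_decrypt_sub_actions:
        bypass_other_policies: false            # URL and firewall policies still apply
        min_tls_version: "SERVER_TLS_1_2"       # reject legacy TLS even when not inspecting
        ocsp_check: true                        # still validate server certificate status
        block_ssl_traffic_with_no_sni_enabled: true

- name: Decrypt and inspect all other traffic from managed devices
  zscaler.ziacloud.zia_ssl_inspection_rules:
    provider: "{{ provider }}"
    state: present
    name: "Ansible_SSL_Inspect_Default"
    description: "Catch-all inspection rule for Zscaler Client Connector devices"
    enabled: true
    order: 2
    rank: 7
    platforms:
      - "SCAN_WINDOWS"
      - "SCAN_MACOS"
      - "SCAN_LINUX"
    device_trust_levels:
      - "LOW_TRUST"
      - "MEDIUM_TRUST"
      - "HIGH_TRUST"
    action:
      type: "DECRYPT"
      show_eun: true                            # tell users why a connection was blocked
      show_eunatp: true
      decrypt_sub_actions:
        min_client_tls_version: "CLIENT_TLS_1_2"
        min_server_tls_version: "SERVER_TLS_1_2"
        ocsp_check: true
        block_undecrypt: true                   # fail closed on undecryptable sessions
        block_ssl_traffic_with_no_sni_enabled: true
        http2_enabled: true
```

Because the module supports check mode, a first run with `ansible-playbook --check --diff` shows which rules would be created or reordered before anything is changed in the tenant. Keeping bypass_other_policies set to false on the exception rule matters: bypassing decryption only removes content inspection, and the URL filtering and firewall policies should still see the connection.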

Authors

  • William Guilherme (@willguibr)