junipernetworks.junos.junos_security_policies_global module – Manage global security policy settings on Juniper JUNOS devices
Note
This module is part of the junipernetworks.junos collection (version 9.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install junipernetworks.junos. You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: junipernetworks.junos.junos_security_policies_global.
New in junipernetworks.junos 2.9.0
Synopsis
This module provides declarative management of global security policy settings on Juniper JUNOS devices.
Requirements
The below requirements are needed on the host that executes this module.
ncclient (>=v0.6.4)
xmltodict (>=0.12.0)
| Parameter | Comments |
|---|---|
| **config** (dictionary) | A dictionary of global security policy settings. |
| config / **default_policy** (string) | Configures the default security policy, which defines the action the device takes on a packet that does not match any user-defined policy. Choices: `permit-all`, `deny-all`. |
| config / **policy_rematch** (dictionary) | Enables the device to re-evaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that originally allowed it. |
| config / policy_rematch / **enable** (boolean) | Enables policy rematch. Choices: `false`, `true`. |
| config / policy_rematch / **extensive** (boolean) | When a policy is modified or deleted, the extensive option checks whether any suitable policy permits the affected sessions to stay active. Choices: `false`, `true`. |
| config / **policy_stats** (dictionary) | Configures policy statistics. |
| config / policy_stats / **enable** (boolean) | Enables policy statistics. Choices: `false`, `true`. |
| config / policy_stats / **system_wide** (boolean) | Configures system-wide policy statistics. Choices: `false`, `true`. |
| config / **pre_id_default_policy_action** (dictionary) | Configures the default policy action that takes place before dynamic application identification (AppID) when a packet matches the criteria. |
| config / pre_id_default_policy_action / **log** (dictionary) | Specifies logging details for session close and session initiation. |
| config / pre_id_default_policy_action / log / **session_close** (boolean) | Enables logging at session close time. Choices: `false`, `true`. |
| config / pre_id_default_policy_action / log / **session_init** (boolean) | Enables logging at session initiation time. Choices: `false`, `true`. |
| config / pre_id_default_policy_action / **session_timeout** (dictionary) | Configures the session timeouts, in seconds, that apply when a session is updated. |
| config / pre_id_default_policy_action / session_timeout / **icmp** (integer) | Timeout value for ICMP sessions (seconds). |
| config / pre_id_default_policy_action / session_timeout / **icmp6** (integer) | Timeout value for ICMPv6 sessions (seconds). |
| config / pre_id_default_policy_action / session_timeout / **ospf** (integer) | Timeout value for OSPF sessions (seconds). |
| config / pre_id_default_policy_action / session_timeout / **others** (integer) | Timeout value for all other sessions (seconds). |
| config / pre_id_default_policy_action / session_timeout / **tcp** (integer) | Timeout value for TCP sessions (seconds). |
| config / pre_id_default_policy_action / session_timeout / **udp** (integer) | Timeout value for UDP sessions (seconds). |
| config / **traceoptions** (dictionary) | Dictionary of trace options for security policies. |
| config / traceoptions / **file** (dictionary) | Dictionary of trace file options. |
| config / traceoptions / file / **files** (integer) | Maximum number of trace files. |
| config / traceoptions / file / **match** (string) | Refine the output to include lines that contain the regular expression. |
| config / traceoptions / file / **no_world_readable** (boolean) | Only the user who configured the tracing operation can access the log files. Choices: `false`, `true`. |
| config / traceoptions / file / **size** (string) | Maximum trace file size (the examples use `10k`). |
| config / traceoptions / file / **world_readable** (boolean) | The world_readable option enables any user to read the file. Trace files can expose policy and flow details, so prefer `no_world_readable`. Choices: `false`, `true`. |
| config / traceoptions / **flag** (string) | Tracing operation to perform (the examples use `all`). |
| config / traceoptions / **no_remote_trace** (boolean) | Disable remote tracing. Choices: `false`, `true`. |
| **running_config** (string) | This option is used only with state *parsed*. Its value should be the output received from the JunOS device by executing the command **show security policies**; the parsed example in this document uses the XML form of that output, as returned over NETCONF. The state *parsed* reads the configuration from the running_config option and transforms it into structured data as per the resource module argspec, returned in the *parsed* key within the result. |
| **state** (string) | The state the configuration should be left in. The states *rendered*, *gathered* and *parsed* do not perform any change on the device. The state *rendered* transforms the configuration in the config option into the device-native format (for this module, the NETCONF XML shown under *commands* in the examples) and returns it in the *rendered* key within the result; no connection to the device is required. The state *replaced* replaces the running configuration with the provided configuration. The states *replaced* and *overridden* have identical behaviour. The state *gathered* fetches the running configuration from the device, transforms it into structured data in the format of the resource module argspec and returns it in the *gathered* key within the result. The state *parsed* reads the configuration from the running_config option and transforms it into structured data as per the resource module argspec, returned in the *parsed* key within the result. Caveat: as the *commands* output in the examples shows, *replaced*, *overridden* and *deleted* first emit `<nc:policies delete="delete"/>`, a delete of the whole `security policies` hierarchy, before re-adding the requested global settings; review the XML with state *rendered* (which needs no device connection) before applying these states to a device that also carries zone-to-zone policies. Choices: `merged` (default), `replaced`, `overridden`, `deleted`, `gathered`, `rendered`, `parsed`. |
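The settings in the table are the ones a reviewer checks when this module's structured output is audited. The following is an added example in Python, not code from the junipernetworks.junos collection: `audit()` reads the dictionary the module returns under `gathered`, `parsed`, `before` or `after` and lists deviations from a hardening baseline (an explicit `deny-all` default policy, policy rematch enabled, session-init logging for the pre-AppID action, trace files not world readable, positive session timeouts), and `harden()` returns the corrected dictionary, which can be passed back as `config` in a `state: replaced` task. The baseline itself and the sample input (the `before` value from the `replaced` example on this page, constructed inline) are this example's assumptions.

```python
"""Audit junos_security_policies_global output against a hardening baseline.

Added example (not part of the junipernetworks.junos collection). The required
settings below are this example's baseline, not anything the module enforces.
"""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample: the "before" value from the page's replaced example
# (permit-all default policy, otherwise reasonable logging/trace settings).
SAMPLE_PERMIT_ALL: dict[str, Any] = {
    "default_policy": "permit-all",
    "policy_rematch": {"enable": True, "extensive": True},
    "policy_stats": {"enable": True},
    "pre_id_default_policy_action": {
        "log": {"session_init": True},
        "session_timeout": {"icmp": 10, "others": 10},
    },
    "traceoptions": {
        "file": {"files": 4, "match": "/[A-Z]*/gm", "no_world_readable": True, "size": "10k"},
        "flag": "all",
        "no_remote_trace": True,
    },
}


def _get(cfg: dict[str, Any], *path: str, default: Any = None) -> Any:
    """Walk nested keys, returning `default` if any level is missing."""
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(cfg: dict[str, Any]) -> list[str]:
    """Return the list of baseline deviations; an empty list means the config passes."""
    findings: list[str] = []

    # 1. Unmatched traffic must be explicitly denied. An absent default_policy is
    #    flagged as well: the baseline wants the intent stated in configuration.
    if _get(cfg, "default_policy") != "deny-all":
        findings.append(f"default_policy is {_get(cfg, 'default_policy')!r}, expected 'deny-all'")

    # 2. Active sessions must be re-evaluated when the policy that admitted them
    #    changes; without rematch, a removed permit keeps its existing sessions alive.
    if _get(cfg, "policy_rematch", "enable") is not True:
        findings.append("policy_rematch.enable is not true")

    # 3. The pre-AppID default action must log at least session initiation, so flows
    #    handled before application identification are visible in the logs.
    if _get(cfg, "pre_id_default_policy_action", "log", "session_init") is not True:
        findings.append("pre_id_default_policy_action.log.session_init is not true")

    # 4. Trace files carry policy and flow detail: never world readable.
    if "traceoptions" in cfg:
        if _get(cfg, "traceoptions", "file", "world_readable") is True:
            findings.append("traceoptions.file.world_readable is true")
        if _get(cfg, "traceoptions", "file", "no_world_readable") is not True:
            findings.append("traceoptions.file.no_world_readable is not set")

    # 5. Session timeouts are seconds; zero or negative values are never intended.
    timeouts = _get(cfg, "pre_id_default_policy_action", "session_timeout", default={}) or {}
    for proto, secs in timeouts.items():
        if not isinstance(secs, int) or secs <= 0:
            findings.append(f"session_timeout.{proto} is {secs!r}, expected a positive integer")
    return findings


def harden(cfg: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `cfg` with the baseline applied (input left untouched),
    shaped for the `config` argument of a state: replaced task."""
    fixed = copy.deepcopy(cfg)
    fixed["default_policy"] = "deny-all"
    fixed.setdefault("policy_rematch", {})["enable"] = True
    fixed.setdefault("pre_id_default_policy_action", {}).setdefault("log", {})["session_init"] = True
    if "traceoptions" in fixed:
        tfile = fixed["traceoptions"].setdefault("file", {})
        tfile.pop("world_readable", None)  # the two flags are alternatives; keep only the safe one
        tfile["no_world_readable"] = True
    return fixed


if __name__ == "__main__":
    for finding in audit(SAMPLE_PERMIT_ALL):
        print("FINDING:", finding)
    print("hardened copy passes:", audit(harden(SAMPLE_PERMIT_ALL)) == [])
```

The same checks can be written as `ansible.builtin.assert` tasks over `result.gathered` inside the playbook; the script form is handy for auditing the gathered output of many devices offline, and `harden()` gives the dictionary to hand to a `state: replaced` run once the findings are accepted.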
Notes
Note
This module requires the netconf system service to be enabled on the device being managed.
This module works with connection netconf. See the Junos OS Platform Options.
Tested against JunOS v18.4R1.
Examples
# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# default-policy {
#     permit-all;
# }
#
- name: Update the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true,
#         "system_wide": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 3,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {},
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:policies>
#     <nc:policy-rematch> <nc:extensive/></nc:policy-rematch><nc:policy-stats>
#     <nc:system-wide>enable</nc:system-wide></nc:policy-stats><nc:pre-id-default-policy>
#     <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp>
#     <nc:others>10</nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy>
#     <nc:traceoptions><nc:file><nc:files>3</nc:files><nc:match>/[A-Z]*/gm</nc:match>
#     <nc:size>10k</nc:size><nc:no-world-readable/></nc:file><nc:flag><nc:name>all
#     </nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
#
# Using replaced
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Replace the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#     <nc:policies delete="delete"/><nc:policies><nc:default-policy><nc:deny-all/></nc:default-policy>
#     <nc:policy-rematch> </nc:policy-rematch><nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy>
#     <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10
#     </nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file>
#     <nc:files>4</nc:files><nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/>
#     </nc:file><nc:flag><nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
#     </nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     permit-all;
# }
# policy-rematch extensive;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Override the running configuration with provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "before": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#     <nc:policies delete="delete"/><nc:policies><nc:default-policy><nc:deny-all/></nc:default-policy>
#     <nc:policy-rematch> </nc:policy-rematch><nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy>
#     <nc:then><nc:log><nc:session-init/></nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10
#     </nc:others></nc:session-timeout></nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file>
#     <nc:files>4</nc:files><nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/>
#     </nc:file><nc:flag><nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
#     </nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Delete the running configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
    state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {},
# "before": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
#     <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx# show security policies
#
#
# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx# show security policies
# traceoptions {
#     no-remote-trace;
#     file size 10k files 4 no-world-readable match "/[A-Z]*/gm";
#     flag all;
# }
# default-policy {
#     deny-all;
# }
# policy-rematch;
# policy-stats;
# pre-id-default-policy {
#     then {
#         log {
#             session-init;
#         }
#         session-timeout {
#             icmp 10;
#             others 10;
#         }
#     }
# }
#
- name: Gather the running configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
    state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
# "gathered": {
#     "default_policy": "deny-all",
#     "policy_rematch": {
#         "enable": true
#     },
#     "policy_stats": {
#         "enable": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 4,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# }
#
# Using rendered
#
# (no device connection is required; the configuration is rendered offline)
#
- name: Render the provided configuration
  junipernetworks.junos.junos_security_policies_global:
    config:
      default_policy: deny-all
      policy_rematch:
        enable: true
      policy_stats:
        enable: true
      pre_id_default_policy_action:
        log:
          session_init: true
        session_timeout:
          icmp: 10
          others: 10
      traceoptions:
        file:
          files: 4
          match: /[A-Z]*/gm
          size: 10k
          no_world_readable: true
        flag: all
        no_remote_trace: true
    state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
# "rendered": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:policies>
#     <nc:default-policy><nc:deny-all/></nc:default-policy><nc:policy-rematch> </nc:policy-rematch>
#     <nc:policy-stats> </nc:policy-stats><nc:pre-id-default-policy><nc:then><nc:log><nc:session-init/>
#     </nc:log><nc:session-timeout><nc:icmp>10</nc:icmp><nc:others>10</nc:others></nc:session-timeout>
#     </nc:then></nc:pre-id-default-policy><nc:traceoptions><nc:file><nc:files>4</nc:files>
#     <nc:match>/[A-Z]*/gm</nc:match><nc:size>10k</nc:size><nc:no-world-readable/></nc:file><nc:flag>
#     <nc:name>all</nc:name></nc:flag><nc:no-remote-trace/></nc:traceoptions></nc:policies>
#     </nc:security>"
#
# Using parsed
#
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply message-id="urn:uuid:0cadb4e8-5bba-47f4-986e-72906227007f">
#     <configuration changed-seconds="1590139550" changed-localtime="2020-05-22 09:25:50 UTC">
#         <version>18.4R1-S2.4</version>
#         <security>
#             <policies>
#                 <traceoptions>
#                     <no-remote-trace />
#                     <file>
#                         <size>10k</size>
#                         <files>3</files>
#                         <no-world-readable />
#                         <match>/[A-Z]*/gm</match>
#                     </file>
#                     <flag>
#                         <name>all</name>
#                     </flag>
#                 </traceoptions>
#                 <default-policy>
#                     <permit-all />
#                 </default-policy>
#                 <policy-rematch>
#                     <extensive />
#                 </policy-rematch>
#                 <policy-stats>
#                     <system-wide>enable</system-wide>
#                 </policy-stats>
#                 <pre-id-default-policy>
#                     <then>
#                         <log>
#                             <session-init />
#                         </log>
#                         <session-timeout>
#                             <icmp>10</icmp>
#                             <others>10</others>
#                         </session-timeout>
#                     </then>
#                 </pre-id-default-policy>
#             </policies>
#         </security>
#     </configuration>
# </rpc-reply>
#
- name: Parse security policies global running config
  junipernetworks.junos.junos_security_policies_global:
    running_config: "{{ lookup('file', './parsed.cfg') }}"
    state: parsed
#
# -------------------------
# Module Execution Result
# -------------------------
# "parsed": {
#     "default_policy": "permit-all",
#     "policy_rematch": {
#         "enable": true,
#         "extensive": true
#     },
#     "policy_stats": {
#         "enable": true,
#         "system_wide": true
#     },
#     "pre_id_default_policy_action": {
#         "log": {
#             "session_init": true
#         },
#         "session_timeout": {
#             "icmp": 10,
#             "others": 10
#         }
#     },
#     "traceoptions": {
#         "file": {
#             "files": 3,
#             "match": "/[A-Z]*/gm",
#             "no_world_readable": true,
#             "size": "10k"
#         },
#         "flag": "all",
#         "no_remote_trace": true
#     }
# }
#
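How state *parsed* maps the Junos XML hierarchy onto the module's keys, as an added example in Python that is not the collection's own parser: `parse_policies_global()` takes the `rpc-reply` from the parsed example above (reproduced inline as a constructed sample, with the page's message-id and timestamp) and returns the same dictionary the page shows under `parsed`. It goes beyond the page's sample in two ways that are this example's own: it strips XML namespaces, which real NETCONF replies carry but the sample does not, and it reads the `session_close`, `icmp6`, `ospf`, `tcp`, `udp` and `world_readable` leaves that the parameter table documents but the sample does not exercise.

```python
"""Map a Junos `show security policies | display xml` reply onto the
junos_security_policies_global argspec.

Added example, not the collection's parser: it reproduces, for the keys this
module documents, the transformation state `parsed` applies to `running_config`.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Any

# Constructed sample: the parsed.cfg from the page's parsed example, compacted.
PARSED_CFG = """<rpc-reply message-id="urn:uuid:0cadb4e8-5bba-47f4-986e-72906227007f">
<configuration changed-seconds="1590139550" changed-localtime="2020-05-22 09:25:50 UTC">
<version>18.4R1-S2.4</version>
<security><policies>
<traceoptions><no-remote-trace/><file><size>10k</size><files>3</files><no-world-readable/>
<match>/[A-Z]*/gm</match></file><flag><name>all</name></flag></traceoptions>
<default-policy><permit-all/></default-policy>
<policy-rematch><extensive/></policy-rematch>
<policy-stats><system-wide>enable</system-wide></policy-stats>
<pre-id-default-policy><then><log><session-init/></log>
<session-timeout><icmp>10</icmp><others>10</others></session-timeout></then></pre-id-default-policy>
</policies></security></configuration></rpc-reply>"""

# Junos element name -> module key for the leaves documented in the parameter table.
_LOG_KEYS = {"session-close": "session_close", "session-init": "session_init"}
_TIMEOUT_TAGS = ("icmp", "icmp6", "ospf", "others", "tcp", "udp")  # module keys are the same names
_READABLE_KEYS = {"no-world-readable": "no_world_readable", "world-readable": "world_readable"}


def _strip_ns(root: ET.Element) -> None:
    """Drop namespaces so tags match by local name (NETCONF replies carry xmlns declarations)."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]


def _leaf(parent: ET.Element, path: str) -> str | None:
    """Stripped text of a descendant element, or None when it is absent."""
    el = parent.find(path)
    return None if el is None else (el.text or "").strip()


def parse_policies_global(xml_text: str) -> dict[str, Any]:
    """Return the argspec-shaped dict for the <security><policies> global settings, or {} if absent."""
    root = ET.fromstring(xml_text)
    _strip_ns(root)
    policies = root.find(".//security/policies")
    result: dict[str, Any] = {}
    if policies is None:
        return result

    dp = policies.find("default-policy")
    if dp is not None and len(dp):
        result["default_policy"] = dp[0].tag  # the empty child element names the action, e.g. <deny-all/>

    pr = policies.find("policy-rematch")
    if pr is not None:  # presence of the container means rematch is enabled
        result["policy_rematch"] = {"enable": True, **({"extensive": True} if pr.find("extensive") is not None else {})}

    ps = policies.find("policy-stats")
    if ps is not None:
        result["policy_stats"] = {"enable": True, **({"system_wide": True} if _leaf(ps, "system-wide") == "enable" else {})}

    then = policies.find("pre-id-default-policy/then")
    if then is not None:
        action: dict[str, Any] = {}
        log, timeout = then.find("log"), then.find("session-timeout")
        if log is not None:
            action["log"] = {key: True for tag, key in _LOG_KEYS.items() if log.find(tag) is not None}
        if timeout is not None:
            action["session_timeout"] = {tag: int(_leaf(timeout, tag)) for tag in _TIMEOUT_TAGS if _leaf(timeout, tag) is not None}
        result["pre_id_default_policy_action"] = action

    trace = policies.find("traceoptions")
    if trace is not None:
        topts: dict[str, Any] = {}
        tfile = trace.find("file")
        if tfile is not None:
            fopts: dict[str, Any] = {}
            if _leaf(tfile, "files") is not None:
                fopts["files"] = int(_leaf(tfile, "files"))
            for tag in ("match", "size"):
                if _leaf(tfile, tag) is not None:
                    fopts[tag] = _leaf(tfile, tag)
            for tag, key in _READABLE_KEYS.items():
                if tfile.find(tag) is not None:
                    fopts[key] = True
            topts["file"] = fopts
        if _leaf(trace, "flag/name") is not None:
            topts["flag"] = _leaf(trace, "flag/name")
        if trace.find("no-remote-trace") is not None:
            topts["no_remote_trace"] = True
        result["traceoptions"] = topts
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(parse_policies_global(PARSED_CFG), indent=2))
```

The empty-element convention is the point to notice: Junos expresses flags such as `permit-all`, `extensive`, `no-world-readable` and `session-init` as empty child elements, so presence, not text, is what the module turns into `true`; only `system-wide` carries a text value (`enable`).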
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| **after** (dictionary) | The resulting configuration after module execution. Returned: when changed. |
| **before** (dictionary) | The configuration prior to the module execution. Returned: when state is merged, replaced, overridden or deleted. |
| **commands** (string) | The set of commands pushed to the remote device; for this module a NETCONF XML payload, as the examples show. Returned: when state is merged, replaced, overridden or deleted. |
| **gathered** (dictionary) | Facts about the network resource gathered from the remote device as structured data. Returned: when state is gathered. |
| **parsed** (dictionary) | The device-native configuration provided in the running_config option, parsed into structured data as per the module argspec. Returned: when state is parsed. |
| **rendered** (string) | The configuration provided in the task, rendered in device-native format (offline). Returned: when state is rendered. |