junipernetworks.junos.junos_security_policies module – Create and manage security policies on Juniper JUNOS devices
Note
This module is part of the junipernetworks.junos collection (version 9.1.0).
If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install junipernetworks.junos. You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: junipernetworks.junos.junos_security_policies.
New in junipernetworks.junos 2.9.0
Synopsis
This module provides declarative creation and management of security policies on Juniper JUNOS devices.
Requirements
The below requirements are needed on the host that executes this module.
ncclient (>=v0.6.4)
xmltodict (>=0.12.0)
Parameters

Parameter names follow the module's argspec (the underscored form of the Junos CLI knobs); the ones used in the examples and results further down appear there verbatim. Nested keys are written as dotted paths and `[]` marks a list element. Where the original table showed a Choices cell for a boolean, the row says "Choices: `false`, `true`".

| Parameter | Comments |
|---|---|
| `config` | Dictionary of security policies. |
| `config.from_zones` | List of security zones the traffic originates from. |
| `config.from_zones[].name` | Name of the source security zone. |
| `config.from_zones[].to_zones` | List of security zones the traffic is destined to. |
| `config.from_zones[].to_zones[].name` | Name of the destination security zone. |
| `config.from_zones[].to_zones[].policies` | List of policies defined for this zone pair. Each entry is a policy dictionary with the keys described below. |

Keys of a policy dictionary. The same structure is used by `config.from_zones[].to_zones[].policies` and by `config.global.policies`; for global policies the zone conditions live under `match.from_zone` and `match.to_zone`.

| Parameter | Comments |
|---|---|
| `name` | Name of the policy. |
| `description` | Description of the security policy. |
| `scheduler_name` | Name of the scheduler under which this policy is active. |
| `match` | Match conditions of the security policy. |
| `match.application` | IP or remote procedure call (RPC) application or application set used as match criteria. |
| `match.application.any` | Match any predefined or custom application or application set. Choices: `false`, `true`. |
| `match.application.names` | Names of the predefined or custom applications or application sets used as match criteria. |
| `match.destination_address` | Match on one or more IP addresses, address sets or wildcard addresses. |
| `match.destination_address.addresses` | IP addresses, IP address sets or address-book entries, or wildcard addresses written as A.B.C.D/wildcard_mask. |
| `match.destination_address.any` | Any IPv4 or IPv6 address. Choices: `false`, `true`. |
| `match.destination_address.any_ipv4` | Any IPv4 address. Choices: `false`, `true`. |
| `match.destination_address.any_ipv6` | Any IPv6 address. Choices: `false`, `true`. |
| `match.destination_address_excluded` | Negate the destination match: the policy applies to every destination except the listed addresses. Choices: `false`, `true`. |
| `match.dynamic_application` | Dynamic application or dynamic application group used as match criteria. |
| `match.dynamic_application.any` | Setting the dynamic application to any installs the policy with the application as a wildcard (the default). Choices: `false`, `true`. |
| `match.dynamic_application.names` | Dynamic applications or dynamic application groups to match. |
| `match.dynamic_application.none` | Setting the dynamic application to none ignores the classification result from AppID and leaves dynamic applications out of the policy lookup. Choices: `false`, `true`. |
| `match.from_zone` | One or more source zones used as match criteria (global policies are not bound to a zone pair). |
| `match.from_zone.any` | Match any zone. Choices: `false`, `true`. |
| `match.from_zone.junos_host` | Match the junos-host zone, that is, traffic terminating on the device itself. Choices: `false`, `true`. |
| `match.from_zone.names` | Names of one or more source zones. |
| `match.source_address` | Match on one or more IP addresses, address sets or wildcard addresses. |
| `match.source_address.addresses` | IP addresses, IP address sets or address-book entries, or wildcard addresses written as A.B.C.D/wildcard_mask. |
| `match.source_address.any` | Any IPv4 or IPv6 address. Choices: `false`, `true`. |
| `match.source_address.any_ipv4` | Any IPv4 address. Choices: `false`, `true`. |
| `match.source_address.any_ipv6` | Any IPv6 address. Choices: `false`, `true`. |
| `match.source_address_excluded` | Negate the source match: the policy applies to every source except the listed addresses. Choices: `false`, `true`. |
| `match.source_end_user_profile` | Name of the source end-user (device identity) profile. |
| `match.source_identity` | Users and roles used as match criteria. |
| `match.source_identity.any` | Any user or role, including the keywords authenticated_user, unauthenticated_user and unknown_user. Choices: `false`, `true`. |
| `match.source_identity.authenticated_user` | All authenticated users and roles. Choices: `false`, `true`. |
| `match.source_identity.names` | List of specific users and roles. |
| `match.source_identity.unauthenticated_user` | Any user or role whose IP address is not mapped to an authentication source while that source is up and running. Choices: `false`, `true`. |
| `match.source_identity.unknown_user` | Any user or role whose IP address is not mapped because the authentication source is disconnected from the SRX Series device. Choices: `false`, `true`. |
| `match.to_zone` | One or more destination zones used as match criteria (global policies). |
| `match.to_zone.any` | Match any zone. Choices: `false`, `true`. |
| `match.to_zone.junos_host` | Match the junos-host zone. Choices: `false`, `true`. |
| `match.to_zone.names` | Names of one or more destination zones. |
| `match.url_category` | URL category match. |
| `match.url_category.any` | Apply to any URL category. Choices: `false`, `true`. |
| `match.url_category.names` | Names of the URL categories to match. |
| `match.url_category.none` | Do not apply to any URL category. Choices: `false`, `true`. |
| `then` | Action to perform when a packet matches the defined criteria. |
| `then.count` | Count, in bytes or kilobytes, all network traffic the policy allows through the device in both directions: the originating client-to-server flow (from_zone to to_zone) and the returning server-to-client flow. Choices: `false`, `true`. |
| `then.deny` | Block the service at the firewall: the device silently drops the packets and sends nothing back to the source. Choices: `false`, `true`. |
| `then.log` | Log traffic information for this policy at session initialization (session_init) or session close (session_close). |
| `then.log.session_close` | Log when the session closes. Choices: `false`, `true`. |
| `then.log.session_init` | Log when the session is initialized. Choices: `false`, `true`. |
| `then.permit` | Permit the matching traffic. The sub-options apply application services, firewall authentication, per-policy TCP checks and tunnelling to the permitted flow. |
| `then.permit.application_services` | Enable application services for the security policy. |
| `then.permit.application_services.advanced_anti_malware_policy` | Name of the advanced_anti_malware policy. |
| `then.permit.application_services.application_firewall` | Rule set, configured as part of the application firewall, to apply to the permitted traffic. |
| `then.permit.application_services.application_firewall.rule_set` | Name of the rule set to use. |
| `then.permit.application_services.application_traffic_control_rule_set` | Rule set, configured as part of AppQoS (application-aware quality of service), to apply to the permitted traffic. |
| `then.permit.application_services.gprs_gtp_profile` | Name of the GPRS Tunneling Protocol profile. |
| `then.permit.application_services.gprs_sctp_profile` | Name of the GPRS Stream Control Protocol profile. |
| `then.permit.application_services.icap_redirect` | Name of the ICAP redirect profile. |
| `then.permit.application_services.idp` | Apply intrusion detection and prevention (IDP). Choices: `false`, `true`. |
| `then.permit.application_services.idp_policy` | Name of the IDP policy. |
| `then.permit.application_services.packet_capture` | Enable or disable packet capture. Choices: `false`, `true`. |
| `then.permit.application_services.redirect_wx` | WX redirection is needed for packets arriving from the LAN. Choices: `false`, `true`. |
| `then.permit.application_services.reverse_redirect_wx` | WX redirection is needed for the reverse flow of packets arriving from the WAN. Choices: `false`, `true`. |
| `then.permit.application_services.security_intelligence` | Follow-up actions for security intelligence feeds. |
| `then.permit.application_services.security_intelligence.add_destination_identity_to_feed` | Add the destination user identity to a security intelligence feed. |
| `then.permit.application_services.security_intelligence.add_destination_ip_to_feed` | Add the destination IP address to a security intelligence feed. |
| `then.permit.application_services.security_intelligence.add_source_identity_to_feed` | Add the source user identity to a security intelligence feed. |
| `then.permit.application_services.security_intelligence.add_source_ip_to_feed` | Add the source IP address to a security intelligence feed. |
| `then.permit.application_services.security_intelligence_policy` | Name of the security_intelligence policy. |
| `then.permit.application_services.ssl_proxy` | Apply an SSL proxy profile to the permitted traffic so the session can be decrypted and inspected. |
| `then.permit.application_services.ssl_proxy.enable` | Enable the SSL proxy. Choices: `false`, `true`. |
| `then.permit.application_services.ssl_proxy.profile_name` | Name of the SSL proxy profile. |
| `then.permit.application_services.uac_policy` | Enable Unified Access Control (UAC) for the security policy. |
| `then.permit.application_services.uac_policy.captive_portal` | Name of the preconfigured security policy on the Junos OS Enforcer used for the captive portal, which enables the captive-portal feature. |
| `then.permit.application_services.uac_policy.enable` | Enable Unified Access Control (UAC). Choices: `false`, `true`. |
| `then.permit.application_services.utm_policy` | Name of the UTM policy. |
| `then.permit.destination_address` | Restrict the permitted traffic either to packets whose destination IP address was translated by a destination NAT rule or to packets whose destination IP address was not translated (the Junos `drop-untranslated` / `drop-translated` keywords). |
| `then.permit.firewall_authentication` | Firewall authentication method. |
| `then.permit.firewall_authentication.pass_through` | Pass-through firewall user authentication. |
| `then.permit.firewall_authentication.pass_through.access_profile` | Name of the access profile. |
| `then.permit.firewall_authentication.pass_through.auth_only_browser` | Ignore non-browser HTTP/HTTPS traffic for firewall authentication. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.pass_through.auth_user_agent` | User-agent value used to verify that the user's browser traffic is HTTP/HTTPS. |
| `then.permit.firewall_authentication.pass_through.client_match` | Names of the users or user groups in the profile that this policy allows access to. |
| `then.permit.firewall_authentication.pass_through.ssl_termination_profile` | SSL termination profile used for SSL offloading. |
| `then.permit.firewall_authentication.pass_through.web_redirect` | Redirect HTTP requests to the device and send the client to a web page for authentication. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.pass_through.web_redirect_to_https` | Redirect unauthenticated HTTP requests to the device's internal HTTPS web server. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.push_to_identity_management` | Push the authentication result to the identity management device. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.user_firewall` | User-role firewall authentication; maps source IP addresses to usernames and their associated roles (groups). |
| `then.permit.firewall_authentication.user_firewall.access_profile` | Name of the access profile used for authentication. |
| `then.permit.firewall_authentication.user_firewall.auth_only_browser` | Ignore non-browser HTTP/HTTPS traffic for firewall authentication. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.user_firewall.auth_user_agent` | User-agent value used to verify that the user's browser traffic is HTTP/HTTPS. |
| `then.permit.firewall_authentication.user_firewall.domain` | Name of the domain in which firewall authentication takes place, used when the Windows Management Instrumentation client (WMIC) is unavailable to obtain the IP-to-user mapping for the integrated user firewall feature. |
| `then.permit.firewall_authentication.user_firewall.ssl_termination_profile` | For HTTPS traffic, name of the SSL termination profile used for SSL offloading. |
| `then.permit.firewall_authentication.user_firewall.web_redirect` | Enable web redirect. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.user_firewall.web_redirect_to_https` | Enable redirect to HTTPS. Choices: `false`, `true`. |
| `then.permit.firewall_authentication.web_authentication` | Users or user groups that have already passed web authentication and that this policy allows access to. |
| `then.permit.tcp_options` | Per-policy TCP options. SYN and sequence checks can be configured per policy, and because each policy covers two directions the TCP MSS can be set for both directions or only one. |
| `then.permit.tcp_options.initial_tcp_mss` | TCP maximum segment size (MSS) for packets that arrive on the ingress interface (initial direction), match this policy and create a session. |
| `then.permit.tcp_options.reverse_tcp_mss` | TCP MSS for packets that match this policy and travel in the reverse direction of the session. |
| `then.permit.tcp_options.sequence_check_required` | Enable per-policy sequence checking; sequence_check_required overrides the global no_sequence_check value. Choices: `false`, `true`. |
| `then.permit.tcp_options.syn_check_required` | Enable per-policy SYN checking; syn_check_required overrides the global no_syn_check value. Choices: `false`, `true`. |
| `then.permit.tcp_options.window_scale` | Enable per-policy window scaling. Choices: `false`, `true`. |
| `then.permit.tunnel` | Encapsulate outgoing IP packets and decapsulate incoming IP packets. |
| `then.permit.tunnel.ipsec_vpn` | Name of the IPsec VPN policy. |
| `then.permit.tunnel.pair_policy` | Name of the paired policy (the policy for the reverse direction). |
| `then.reject` | Block the service at the firewall. The device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic, or an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic. Unlike `deny`, this tells the client that it was blocked. |
| `then.reject.enable` | Enable rejecting packets based on the match criteria. Choices: `false`, `true`. |
| `then.reject.profile` | When the policy blocks HTTP or HTTPS traffic with a reject or deny action, optionally show the client a notification or redirect the client request to an informational web page (a dynamic-application redirect profile). |
| `then.reject.ssl_proxy` | When the policy blocks HTTPS traffic with a reject action, apply a redirect SSL proxy profile. With the SSL proxy profile applied, the SSL proxy decrypts the traffic and application identification classifies the application. |
| `then.reject.ssl_proxy.enable` | Enable the SSL proxy. Choices: `false`, `true`. |
| `then.reject.ssl_proxy.profile_name` | Name of the SSL proxy profile. |
Global policies:

| Parameter | Comments |
|---|---|
| `config.global` | Global security policies, which are not bound to a zone pair. |
| `config.global.policies` | List of global policies. Each entry is the same policy dictionary described above for `config.from_zones[].to_zones[].policies`. |
Other module parameters:

| Parameter | Comments |
|---|---|
| `running_config` | Used only with state *parsed*. Its value should be the output of the command **show configuration security policies** taken from the JunOS device (the *parsed* example below feeds it the XML form of that configuration). State *parsed* reads this option instead of connecting to the device. |
| `state` | The state the configuration should be left in. Choices: `merged`, `replaced`, `overridden`, `deleted`, `gathered`, `rendered`, `parsed`. *merged* adds the policies in *config* to those already on the device. *replaced* replaces the running configuration with the provided configuration; *replaced* and *overridden* behave identically. As the examples below show, both first delete the entire `security policies` hierarchy (`<nc:policies delete="delete"/>`) and then load only what *config* contains, so every zone-pair or global policy not listed in *config* is removed; gather the current policies first and compare before applying either state. *deleted* removes the whole `security policies` hierarchy. *rendered*, *gathered* and *parsed* make no changes to the device: *rendered* transforms *config* into the device commands and returns them under the *rendered* key in the result; *gathered* fetches the running configuration from the device, converts it into structured data in the module's argspec format and returns it under the *gathered* key; *parsed* reads *running_config* and returns the same structured data under the *parsed* key. |
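The audit below is an added Python example, not code from the junipernetworks.junos collection or from Juniper. It consumes the structured data the module returns under `gathered`, `before` and `after` (the same shape shown in the results further down), flattens zone-pair and global policies into one list, flags permit rules that a review should question, and lists the policies a `replaced` or `overridden` run would delete for a given desired `config`. The sample data is constructed from the merged example's `after` output, trimmed to the keys the checks read, plus one deliberately loose policy, `test_policy_4`, that does not exist anywhere on this page; the review heuristics (what counts as a finding) are this example's own choices, not module behaviour.

```python
"""Audit junos_security_policies structured data (the gathered, before and after keys).

Added example; not part of the junipernetworks.junos collection or its docs. It walks
the module's data model (config -> from_zones[].to_zones[].policies[], global.policies[]),
flags permit rules a reviewer would question, and previews what replaced/overridden delete.
"""
from typing import Dict, Iterator, List, Optional, Tuple

Scope = Tuple[str, str]               # (from zone, to zone)
GLOBAL: Scope = ("global", "global")  # marker scope for config.global.policies


def iter_policies(config: Dict) -> Iterator[Tuple[Scope, Dict]]:
    """Yield (scope, policy) for every zone-pair policy and every global policy."""
    for fz in config.get("from_zones") or []:
        for tz in fz.get("to_zones") or []:
            for pol in tz.get("policies") or []:
                yield (fz["name"], tz["name"]), pol
    for pol in (config.get("global") or {}).get("policies") or []:
        yield GLOBAL, pol


def _matches_any_address(addr: Optional[Dict]) -> bool:
    """True when the address match is any / any_ipv4 / any_ipv6 rather than a named list."""
    return bool(addr) and bool(addr.get("any") or addr.get("any_ipv4") or addr.get("any_ipv6"))


def lint_policy(scope: Scope, pol: Dict) -> List[str]:
    """Findings for one policy (review heuristics of this example, not module behaviour).
    Only permit rules are examined; deny and reject rules produce no findings."""
    match = pol.get("match") or {}
    then = pol.get("then") or {}
    label = f"{scope[0]}->{scope[1]}:{pol.get('name')}"
    findings: List[str] = []
    if "permit" not in then:
        return findings
    app_any = bool((match.get("application") or {}).get("any"))
    if app_any and _matches_any_address(match.get("source_address")) \
            and _matches_any_address(match.get("destination_address")):
        findings.append(f"{label}: permit any source, any destination, any application")
    if not then.get("log"):  # neither session-init nor session-close logging
        findings.append(f"{label}: permit without session logging")
    if match.get("source_address_excluded") or match.get("destination_address_excluded"):
        findings.append(f"{label}: permit with a negated address match; review the complement")
    if scope == GLOBAL:
        findings.append(f"{label}: global permit applies to every zone pair")
    return findings


def lint_config(config: Dict) -> List[str]:
    """All findings for a gathered/after config dict, in device order."""
    return [f for scope, pol in iter_policies(config) for f in lint_policy(scope, pol)]


def policies_removed_by_replace(before: Dict, desired: Dict) -> List[str]:
    """Labels of device policies that replaced/overridden would delete: both states wipe the
    whole `security policies` hierarchy and reload only `desired` (matched by scope and name)."""
    keep = {(scope, pol["name"]) for scope, pol in iter_policies(desired)}
    return [f"{s[0]}->{s[1]}:{p['name']}"
            for s, p in iter_policies(before) if (s, p["name"]) not in keep]


# Constructed sample: the merged example's `after` output, trimmed to the keys the checks
# read, plus test_policy_4, a deliberately loose rule that is NOT on the documentation page.
GATHERED: Dict = {
    "from_zones": [{"name": "one", "to_zones": [
        {"name": "two", "policies": [
            {"name": "test_policy_1",
             "match": {"source_address": {"addresses": ["a1", "a3"]}, "source_address_excluded": True,
                       "destination_address": {"addresses": ["a2", "a4"]},
                       "destination_address_excluded": True,
                       "application": {"names": ["junos-dhcp-relay", "junos-finger"]}},
             "then": {"deny": True, "count": True, "log": "session-close"}},
            {"name": "test_policy_2",
             "match": {"source_address": {"addresses": ["a1"]},
                       "destination_address": {"any_ipv6": True}, "application": {"any": True}},
             "then": {"reject": {"enable": True, "profile": "test_dyn_app"}}}]},
        {"name": "three", "policies": [
            {"name": "test_policy_3",
             "match": {"source_address": {"addresses": ["a1"]},
                       "destination_address": {"addresses": ["a2"]}, "application": {"any": True}},
             "then": {"permit": {"tcp_options": {"initial_tcp_mss": 64, "window_scale": True}}}},
            {"name": "test_policy_4",  # constructed for this example
             "match": {"source_address": {"any": True}, "destination_address": {"any": True},
                       "application": {"any": True}},
             "then": {"permit": {}}}]}]}],
    "global": {"policies": [
        {"name": n, "match": {"source_address": {k: True}, "destination_address": {k: True},
                              "application": {"any": True}}, "then": {"deny": True}}
        for n, k in (("test_glob", "any_ipv4"), ("test_glob_1", "any_ipv6"), ("test_glob_2", "any_ipv6"))]},
}

# The `config` of the replaced example: one global deny and nothing else.
DESIRED: Dict = {"global": {"policies": [
    {"name": "test_glob_3", "description": "test update",
     "match": {"source_address": {"any": True}, "destination_address": {"any_ipv6": True},
               "application": {"any": True}},
     "then": {"deny": True}}]}}

if __name__ == "__main__":
    for line in lint_config(GATHERED) + policies_removed_by_replace(GATHERED, DESIRED):
        print(line)
```

Against the constructed sample the audit reports `test_policy_3` (permit without logging) and `test_policy_4` (any/any/any permit, unlogged), and shows that the replaced example would remove all seven existing policies, including the three global denies, which is exactly what the `before` and `after` keys of that example record. To run it against a real device, save the module's `gathered` result as JSON (for example with `copy: content="{{ result.gathered | to_nice_json }}"`) and load that file in place of `GATHERED`.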
Notes
Note
This module requires the netconf system service to be enabled on the managed device (`set system services netconf ssh` in the Junos configuration).
This module works with connection netconf. See Junos OS Platform Options.
Tested against JunOS v18.4R1.
Examples
# Using merged
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
#
# vagrant@vsrx> show security zones
#
# Security zone: one
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/0.0
#
# Security zone: three
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/2.0
#
# Security zone: two
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 1
# Interfaces:
# ge-0/0/1.0
#
# Security zone: junos-host
# Send reset for non-SYN session TCP packets: Off
# Policy configurable: Yes
# Interfaces bound: 0
# Interfaces:
#
- junipernetworks.junos.junos_security_policies:
    config:
      from_zones:
        - name: one
          to_zones:
            - name: two
              policies:
                - match:
                    application:
                      names:
                        - junos-dhcp-relay
                        - junos-finger
                    destination_address:
                      addresses:
                        - a2
                        - a4
                    destination_address_excluded: true
                    dynamic_application:
                      names:
                        - any
                    source_address:
                      addresses:
                        - a1
                        - a3
                    source_address_excluded: true
                    source_end_user_profile: test_end_user_profile
                    source_identity:
                      unknown_user: true
                    url_category:
                      names:
                        - Enhanced_Web_Chat
                  name: test_policy_1
                  then:
                    count: true
                    deny: true
                    log: session-close
                - match:
                    application:
                      any: true
                    destination_address:
                      any_ipv6: true
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_2
                  then:
                    reject:
                      enable: true
                      profile: test_dyn_app
                      ssl_proxy:
                        enable: true
                        profile_name: SECURITY-SSL-PROXY
            - name: three
              policies:
                - match:
                    application:
                      any: true
                    destination_address:
                      addresses:
                        - a2
                    source_address:
                      addresses:
                        - a1
                  name: test_policy_3
                  then:
                    permit:
                      application_services:
                        application_traffic_control_rule_set: test_traffic_control
                        gprs_gtp_profile: gtp1
                        icap_redirect: test_icap
                        reverse_redirect_wx: 'True'
                        uac_policy:
                          enable: true
                      firewall_authentication:
                        push_to_identity_management: true
                        web_authentication:
                          - FWClient1
                      tcp_options:
                        initial_tcp_mss: 64
                        window_scale: true
      global:
        policies:
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_1
            then:
              deny: true
          - match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any_ipv6: true
            name: test_glob_2
            then:
              deny: true
    state: merged
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>two</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_1</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:source-address>a3</nc:source-address>
# <nc:source-address-excluded/>
# <nc:destination-address>a2</nc:destination-address>
# <nc:destination-address>a4</nc:destination-address>
# <nc:destination-address-excluded/>
# <nc:application>junos-dhcp-relay</nc:application>
# <nc:application>junos-finger</nc:application>
# <nc:source-end-user-profile>test_end_user_profile</nc:source-end-user-profile>
# <nc:source-identity>unknown-user</nc:source-identity>
# <nc:url-category>Enhanced_Web_Chat</nc:url-category>
# <nc:dynamic-application>any</nc:dynamic-application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# <nc:count></nc:count>
# <nc:log>
# <nc:session-close/>
# </nc:log>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_policy_2</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:reject>
# <nc:profile>test_dyn_app</nc:profile>
# <nc:ssl-proxy>
# <nc:profile-name>SECURITY-SSL-PROXY</nc:profile-name>
# </nc:ssl-proxy>
# </nc:reject>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:policy>
# <nc:from-zone-name>one</nc:from-zone-name>
# <nc:to-zone-name>three</nc:to-zone-name>
# <nc:policy>
# <nc:name>test_policy_3</nc:name>
# <nc:match>
# <nc:source-address>a1</nc:source-address>
# <nc:destination-address>a2</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:permit>
# <nc:application-services>
# <nc:application-traffic-control>
# <nc:rule-set>test_traffic_control</nc:rule-set>
# </nc:application-traffic-control>
# <nc:gprs-gtp-profile>gtp1</nc:gprs-gtp-profile>
# <nc:icap-redirect>test_icap</nc:icap-redirect>
# <nc:reverse-redirect-wx/>
# <nc:uac-policy></nc:uac-policy>
# </nc:application-services>
# <nc:firewall-authentication>
# <nc:push-to-identity-management/>
# <nc:web-authentication>
# <nc:client-match>FWClient1</nc:client-match>
# </nc:web-authentication>
# </nc:firewall-authentication>
# <nc:tcp-options>
# <nc:initial-tcp-mss>64</nc:initial-tcp-mss>
# <nc:window-scale/>
# </nc:tcp-options>
# </nc:permit>
# </nc:then>
# </nc:policy>
# </nc:policy>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_1</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# <nc:policy>
# <nc:name>test_glob_2</nc:name>
# <nc:match>
# <nc:source-address>any-ipv6</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>
# "
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using Replaced
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: replaced
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using overridden
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv4
# Destination addresses: any-ipv4
# Applications: any
# Action: deny
# Policy: test_glob_1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: overridden
#
# -------------------------
# Module Execution Result
# -------------------------
# "after": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "before": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv4": true
# },
# "source_address": {
# "any_ipv4": true
# }
# },
# "name": "test_glob",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/>
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
# }
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Using deleted
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Global policies:
# Policy: test_glob_3, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    config:
    state: deleted
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "after": {},
# "before": {
# "global": {
# "policies": [
# {
# "description": "test update",
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any": true
# }
# },
# "name": "test_glob_3",
# "then": {
# "deny": true
# }
# }
# ]
# }
# },
# "changed": true,
# "commands": "<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies delete="delete"/></nc:security>"
#
# After state
# -----------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# Using parsed
# parsed.cfg
# ------------
# <?xml version="1.0" encoding="UTF-8"?>
# <rpc-reply>
# <configuration>
# <version>18.4R1-S3.1</version>
# <services>
# <ssl>
# <termination>
# <profile>
# <name>test_ssl_term</name>
# <server-certificate>SECURITY-cert</server-certificate>
# </profile>
# </termination>
# <proxy>
# <profile>
# <name>SECURITY-SSL-PROXY</name>
# <root-ca>SECURITY-cert</root-ca>
# </profile>
# </proxy>
# </ssl>
# <icap-redirect>
# <profile>
# <name>test_icap</name>
# <server>
# <name>test_icap_server</name>
# <host>10.10.10.11</host>
# </server>
# </profile>
# </icap-redirect>
# <user-identification>
# <device-information>
# <end-user-profile>
# <profile-name>
# <name>test_end_user_profile</name>
# <domain-name>test_domain</domain-name>
# <attribute>
# <name>device-identity</name>
# <string>Windows</string>
# </attribute>
# </profile-name>
# </end-user-profile>
# </device-information>
# </user-identification>
# </services>
# <security>
# <address-book>
# <name>global</name>
# <address>
# <name>a1</name>
# <ip-prefix>200.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a2</name>
# <ip-prefix>201.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a3</name>
# <ip-prefix>202.0.113.0/24</ip-prefix>
# </address>
# <address>
# <name>a4</name>
# <ip-prefix>203.0.113.0/24</ip-prefix>
# </address>
# </address-book>
# <dynamic-application>
# <profile>
# <name>test_dyn_app</name>
# <redirect-message>
# <type>
# <custom-text>
# <content>hello_world</content>
# </custom-text>
# </type>
# </redirect-message>
# </profile>
# </dynamic-application>
# <policies>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>two</to-zone-name>
# <policy>
# <name>test_policy_1</name>
# <match>
# <source-address>a1</source-address>
# <source-address>a3</source-address>
# <destination-address>a2</destination-address>
# <destination-address>a4</destination-address>
# <source-address-excluded />
# <destination-address-excluded />
# <application>junos-dhcp-relay</application>
# <application>junos-finger</application>
# <source-identity>authenticated-user</source-identity>
# <source-identity>unknown-user</source-identity>
# <source-end-user-profile>
# <source-end-user-profile-name>test_end_user_profile</source-end-user-profile-name>
# </source-end-user-profile>
# <dynamic-application>any</dynamic-application>
# <url-category>Enhanced_Web_Chat</url-category>
# </match>
# <then>
# <deny />
# <log>
# <session-close />
# </log>
# <count></count>
# </then>
# </policy>
# <policy>
# <name>test_policy_2</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <reject>
# <profile>test_dyn_app</profile>
# <ssl-proxy>
# <profile-name>SECURITY-SSL-PROXY</profile-name>
# </ssl-proxy>
# </reject>
# </then>
# </policy>
# </policy>
# <policy>
# <from-zone-name>one</from-zone-name>
# <to-zone-name>three</to-zone-name>
# <policy>
# <name>test_policy_3</name>
# <match>
# <source-address>a1</source-address>
# <destination-address>a2</destination-address>
# <application>any</application>
# </match>
# <then>
# <permit>
# <firewall-authentication>
# <web-authentication>
# <client-match>FWClient1</client-match>
# </web-authentication>
# <push-to-identity-management />
# </firewall-authentication>
# <destination-address>
# <drop-untranslated />
# </destination-address>
# <application-services>
# <gprs-gtp-profile>gtp1</gprs-gtp-profile>
# <uac-policy></uac-policy>
# <icap-redirect>test_icap</icap-redirect>
# <application-traffic-control>
# <rule-set>test_traffic_control</rule-set>
# </application-traffic-control>
# <reverse-redirect-wx />
# </application-services>
# <tcp-options>
# <initial-tcp-mss>64</initial-tcp-mss>
# <window-scale />
# </tcp-options>
# </permit>
# </then>
# </policy>
# </policy>
# <global>
# <policy>
# <name>test_glob_1</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# <policy>
# <name>test_glob_2</name>
# <match>
# <source-address>any-ipv6</source-address>
# <destination-address>any-ipv6</destination-address>
# <application>any</application>
# </match>
# <then>
# <deny />
# </then>
# </policy>
# </global>
# </policies>
# <zones>
# <security-zone>
# <name>one</name>
# <interfaces>
# <name>ge-0/0/0.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>two</name>
# <interfaces>
# <name>ge-0/0/1.0</name>
# </interfaces>
# </security-zone>
# <security-zone>
# <name>three</name>
# <interfaces>
# <name>ge-0/0/2.0</name>
# </interfaces>
# </security-zone>
# </zones>
# <gprs>
# <gtp>
# <profile>
# <name>gtp1</name>
# </profile>
# </gtp>
# </gprs>
# </security>
# <interfaces>
# <interface>
# <name>ge-0/0/0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>200.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/1</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>201.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>ge-0/0/2</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <address>
# <name>202.0.113.1/24</name>
# </address>
# </inet>
# </family>
# </unit>
# </interface>
# <interface>
# <name>fxp0</name>
# <unit>
# <name>0</name>
# <family>
# <inet>
# <dhcp></dhcp>
# </inet>
# </family>
# </unit>
# </interface>
# </interfaces>
# <class-of-service>
# <application-traffic-control>
# <rule-sets>
# <name>test_traffic_control</name>
# <rule>
# <name>test_rule</name>
# <match>
# <application-known />
# </match>
# <then>
# <log />
# </then>
# </rule>
# </rule-sets>
# </application-traffic-control>
# </class-of-service>
# <access>
# <profile>
# <name>WEBAUTH</name>
# <client>
# <name>FWClient1</name>
# <firewall-user>
# <password>$9$kq5Ftu1cSe</password>
# </firewall-user>
# </client>
# </profile>
# <firewall-authentication>
# <web-authentication>
# <default-profile>WEBAUTH</default-profile>
# </web-authentication>
# </firewall-authentication>
# </access>
# </configuration>
# <database-status-information></database-status-information>
# </rpc-reply>
#
- name: Parse security policies running config
  junipernetworks.junos.junos_security_policies:
    running_config: "{{ lookup('file', './parsed.cfg') }}"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "parsed": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# Using gathered
#
# Before state
# ------------
#
# vagrant@vsrx> show security policies
# Default policy: deny-all
# Pre ID default policy: permit-all
# From zone: one, To zone: two
# Policy: test_policy_1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
# Source addresses(excluded): a1, a3
# Destination addresses(excluded): a2, a4
# Source-end-user-profile: test_end_user_profile(1)
# Applications: junos-dhcp-relay, junos-finger
# Dynamic Applications: any
# Url-category: Enhanced_Web_Chat
# Source identities: authenticated-user, unknown-user
# Action: deny, log, count
# Policy: test_policy_2, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
# Source addresses: a1
# Destination addresses: any-ipv6
# Applications: any
# Action: reject
# dynapp-redir-profile: test_dyn_app(1)
# From zone: one, To zone: three
# Policy: test_policy_3, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
# Source addresses: a1
# Destination addresses: a2
# Applications: any
# Action: permit, drop-untranslated, firewall authentication, application services, unified access control
# Application traffic control: test_traffic_control
# Global policies:
# Policy: test_glob_1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
# Policy: test_glob_2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2
# From zones: any
# To zones: any
# Source addresses: any-ipv6
# Destination addresses: any-ipv6
# Applications: any
# Action: deny
#
- junipernetworks.junos.junos_security_policies:
    state: gathered
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "changed": false,
# "gathered": {
# "from_zones": [
# {
# "name": "one",
# "to_zones": [
# {
# "name": "two",
# "policies": [
# {
# "match": {
# "application": {
# "names": [
# "junos-dhcp-relay",
# "junos-finger"
# ]
# },
# "destination_address": {
# "addresses": [
# "a2",
# "a4"
# ]
# },
# "destination_address_excluded": true,
# "dynamic_application": {
# "names": [
# "any"
# ]
# },
# "source_address": {
# "addresses": [
# "a1",
# "a3"
# ]
# },
# "source_address_excluded": true,
# "source_end_user_profile": "test_end_user_profile",
# "source_identity": {
# "unknown_user": true
# },
# "url_category": {
# "names": [
# "Enhanced_Web_Chat"
# ]
# }
# },
# "name": "test_policy_1",
# "then": {
# "count": true,
# "deny": true,
# "log": "session-close"
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_2",
# "then": {
# "reject": {
# "enable": true,
# "profile": "test_dyn_app",
# "ssl_proxy": {
# "enable": true,
# "profile_name": "SECURITY-SSL-PROXY"
# }
# }
# }
# }
# ]
# },
# {
# "name": "three",
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "addresses": [
# "a2"
# ]
# },
# "source_address": {
# "addresses": [
# "a1"
# ]
# }
# },
# "name": "test_policy_3",
# "then": {
# "permit": {
# "application_services": {
# "application_traffic_control_rule_set": "test_traffic_control",
# "gprs_gtp_profile": "gtp1",
# "icap_redirect": "test_icap",
# "reverse_redirect_wx": "True",
# "uac_policy": {
# "enable": true
# }
# },
# "firewall_authentication": {
# "push_to_identity_management": true,
# "web_authentication": [
# "FWClient1"
# ]
# },
# "tcp_options": {
# "initial_tcp_mss": 64,
# "window_scale": true
# }
# }
# }
# }
# ]
# }
# ]
# }
# ],
# "global": {
# "policies": [
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_1",
# "then": {
# "deny": true
# }
# },
# {
# "match": {
# "application": {
# "any": true
# },
# "destination_address": {
# "any_ipv6": true
# },
# "source_address": {
# "any_ipv6": true
# }
# },
# "name": "test_glob_2",
# "then": {
# "deny": true
# }
# }
# ]
# }
# }
# }
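The `gathered` (and `parsed`) result above is plain structured data, which makes it a convenient input for a policy audit that runs before anyone looks at `show security policies` by hand. The following is an added example, not code from the module or its documentation: it walks the zone-pair and global policies in the order shown above and flags permits with `application: any`, any/any/any permits, and deny/reject actions that do not log. The sample facts are constructed by hand to mirror the shape of the `gathered` output on this page (the `catch_all` rule is an invented extra that does not appear above), and the finding codes are this example's own names.

```python
"""Audit junos_security_policies 'gathered' facts for risky rules.

Added example, not part of the junipernetworks.junos collection. The
GATHERED sample is constructed to match the shape of the module's
'gathered'/'parsed' result; finding codes are names chosen here.
"""


def _policy(name, app, src, dst, then):
    """Build one policy dict in the shape of the module's gathered facts."""
    return {"name": name,
            "match": {"application": app, "source_address": src, "destination_address": dst},
            "then": then}


# Constructed sample, shaped like the module's "gathered" result.
GATHERED = {
    "from_zones": [{
        "name": "one",
        "to_zones": [
            {"name": "two", "policies": [
                _policy("test_policy_1", {"names": ["junos-dhcp-relay", "junos-finger"]},
                        {"addresses": ["a1", "a3"]}, {"addresses": ["a2", "a4"]},
                        {"deny": True, "log": "session-close", "count": True}),
                _policy("test_policy_2", {"any": True}, {"addresses": ["a1"]},
                        {"any_ipv6": True}, {"reject": {"enable": True}}),
            ]},
            {"name": "three", "policies": [
                _policy("test_policy_3", {"any": True}, {"addresses": ["a1"]},
                        {"addresses": ["a2"]}, {"permit": {}}),
                # Constructed extra rule (not on the page): the classic any/any/any permit.
                _policy("catch_all", {"any": True}, {"any": True}, {"any": True}, {"permit": {}}),
            ]},
        ],
    }],
    "global": {"policies": [
        _policy("test_glob_1", {"any": True}, {"any_ipv6": True}, {"any_ipv6": True},
                {"deny": True}),
    ]},
}

# The module expresses the Junos address keywords any/any-ipv4/any-ipv6 as these flags.
ANY_KEYS = ("any", "any_ipv4", "any_ipv6")


def is_any(field):
    """True when an address match field is one of the 'any' keywords."""
    return any(field.get(k) for k in ANY_KEYS)


def iter_policies(facts):
    """Yield (scope, policy) in lookup order: zone-pair policies first, then global."""
    for fz in facts.get("from_zones", []):
        for tz in fz.get("to_zones", []):
            scope = f"{fz['name']}->{tz['name']}"
            for pol in tz.get("policies", []):
                yield scope, pol
    for pol in facts.get("global", {}).get("policies", []):
        yield "global", pol


def audit(facts):
    """Return a list of (scope, policy_name, finding_code) tuples."""
    findings = []
    for scope, pol in iter_policies(facts):
        match, then = pol.get("match", {}), pol.get("then", {})
        permits = "permit" in then
        blocks = bool(then.get("deny")) or "reject" in then
        src_any = is_any(match.get("source_address", {}))
        dst_any = is_any(match.get("destination_address", {}))
        app_any = bool(match.get("application", {}).get("any"))
        if permits and src_any and dst_any and app_any:
            findings.append((scope, pol["name"], "PERMIT_ANY_ANY_ANY"))
        elif permits and app_any:
            findings.append((scope, pol["name"], "PERMIT_ANY_APPLICATION"))
        # A block that is not logged leaves no trace for detection or forensics.
        if blocks and "log" not in then:
            findings.append((scope, pol["name"], "BLOCK_WITHOUT_LOG"))
    return findings


if __name__ == "__main__":
    for scope, name, code in audit(GATHERED):
        print(f"{code:24} {scope:12} {name}")
```

In a playbook the same check can be fed the registered result of a `state: gathered` task; the ordering of `iter_policies` matches the order in which Junos evaluates policies (zone-pair policies, then global), so the first finding on a zone pair is the one a packet would hit first.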
# Using rendered
#
# Before state
# ------------
#
- junipernetworks.junos.junos_security_policies:
    config:
      global:
        policies:
          - description: test update
            match:
              application:
                any: true
              destination_address:
                any_ipv6: true
              source_address:
                any: true
            name: test_glob_3
            then:
              deny: true
    state: rendered
#
# -------------------------
# Module Execution Result
# -------------------------
# "rendered": "<nc:security
# xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
# <nc:policies>
# <nc:global>
# <nc:policy>
# <nc:name>test_glob_3</nc:name>
# <nc:description>test update</nc:description>
# <nc:match>
# <nc:source-address>any</nc:source-address>
# <nc:destination-address>any-ipv6</nc:destination-address>
# <nc:application>any</nc:application>
# </nc:match>
# <nc:then>
# <nc:deny/>
# </nc:then>
# </nc:policy>
# </nc:global>
# </nc:policies>
# </nc:security>"
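`state: rendered` produces the NETCONF payload offline, which lets a CI job check what would be pushed before any device is touched. The block below is an added example, not the module's own code: it parses the namespaced XML shown above back into the module's `config` shape so the result can be compared with the task's intent. Only the argspec keys visible in this document's examples are mapped (`name`, `description`, the address and application match fields, and a bare `deny`/`permit`/`reject` action); the sub-options of `permit` and `reject` are not reconstructed, and `RENDERED` is the XML from the result above embedded as a string.

```python
"""Map a 'state: rendered' NETCONF payload back to junos_security_policies config.

Added example, not part of the junipernetworks.junos collection. Only the
keys seen in this page's examples are handled; permit/reject sub-options
are left as empty dicts.
"""
import xml.etree.ElementTree as ET

NS = {"nc": "urn:ietf:params:xml:ns:netconf:base:1.0"}

# The XML from the rendered result above, embedded here as a string.
RENDERED = """<nc:security xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
  <nc:policies>
    <nc:global>
      <nc:policy>
        <nc:name>test_glob_3</nc:name>
        <nc:description>test update</nc:description>
        <nc:match>
          <nc:source-address>any</nc:source-address>
          <nc:destination-address>any-ipv6</nc:destination-address>
          <nc:application>any</nc:application>
        </nc:match>
        <nc:then>
          <nc:deny/>
        </nc:then>
      </nc:policy>
    </nc:global>
  </nc:policies>
</nc:security>"""

# Junos address keywords -> the boolean flags used by the module's argspec.
ADDRESS_KEYWORDS = {"any": "any", "any-ipv4": "any_ipv4", "any-ipv6": "any_ipv6"}


def _address_field(match, tag):
    """Translate repeated <source-address>/<destination-address> elements."""
    field, names = {}, []
    for elem in match.findall(f"nc:{tag}", NS):
        if elem.text in ADDRESS_KEYWORDS:
            field[ADDRESS_KEYWORDS[elem.text]] = True
        else:
            names.append(elem.text)  # address-book entry or address set
    if names:
        field["addresses"] = names
    return field


def _application_field(match):
    values = [e.text for e in match.findall("nc:application", NS)]
    return {"any": True} if values == ["any"] else {"names": values}


def _then_field(then):
    """deny maps to True like the module output; permit/reject sub-options are not mapped."""
    actions = {}
    for action in ("deny", "permit", "reject"):
        if then.find(f"nc:{action}", NS) is not None:
            actions[action] = True if action == "deny" else {}
    return actions


def policy_to_config(pol):
    cfg = {"name": pol.findtext("nc:name", namespaces=NS)}
    desc = pol.findtext("nc:description", namespaces=NS)
    if desc:
        cfg["description"] = desc
    match = pol.find("nc:match", NS)
    cfg["match"] = {
        "application": _application_field(match),
        "destination_address": _address_field(match, "destination-address"),
        "source_address": _address_field(match, "source-address"),
    }
    cfg["then"] = _then_field(pol.find("nc:then", NS))
    return cfg


def rendered_to_config(xml_text):
    """Return {'global': {'policies': [...]}} for the global policies in the payload."""
    root = ET.fromstring(xml_text)
    glob = root.find("nc:policies/nc:global", NS)
    policies = [] if glob is None else [policy_to_config(p) for p in glob.findall("nc:policy", NS)]
    return {"global": {"policies": policies}}


if __name__ == "__main__":
    print(rendered_to_config(RENDERED))
```

Comparing the returned dict with the `config` given to the rendered task is a cheap regression check: a change in how the module serialises the `any`/`any-ipv4`/`any-ipv6` keywords, or a policy that silently lost its `then` action, shows up as a diff before a commit reaches the SRX.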
Return Values
Common return values are documented in the Ansible return values reference; the fields below are specific to this module. Sample values for each key appear in the Module Execution Result blocks of the examples above.

| Key | Description |
|---|---|
| after | The resulting configuration after module execution. Returned: when changed. |
| before | The configuration prior to module execution. Returned: when state is *merged*, *replaced*, *overridden* or *deleted*. |
| commands | The set of commands pushed to the remote device. Returned: when state is *merged*, *replaced*, *overridden* or *deleted*. |
| gathered | Facts about the network resource gathered from the remote device as structured data. Returned: when state is *gathered*. |
| parsed | The device-native configuration provided in the *running_config* option, parsed into structured data according to the module argspec. Returned: when state is *parsed*. |
| rendered | The configuration provided in the task, rendered in device-native format (offline). Returned: when state is *rendered*. |