Last updated on: 2024-04-01 03:24:20.
bigip_sslo_config_policy – Manage an SSL Orchestrator security policy¶
New in version 1.7.0.
Parameters¶
| Parameter | Choices/Defaults | Configuration | Comments | |||
|---|---|---|---|---|---|---|
|
default_rule
dictionary
added in 1.8.0 |
Specifies the settings for the default
All Traffic security policy rule.When creating a new policy, the rule is created with default values.
When modifying existing policy, all values should be defined or they are replaced by default values (see below).
|
|||||
|
allow_block
string
|
|
Defines the behavior for the default All Traffic rule.
If not specified, the
allow option is set. |
||||
|
service_chain
string
|
Defines the service chain to attach to the default All Traffic rule.
If not specified, the
'' value is set. |
|||||
|
tls_intercept
string
|
|
Defines the TLS behavior for the default All Traffic rule.
If not specified, the
bypass option is set. |
||||
|
dump_json
boolean
|
|
Sets the module to output a JSON blob for further consumption.
When
true does not make any changes on the device and always returns changed=False.The output provided is idempotent in nature, meaning if there are no changes made during
MODIFY on an existing service, no JSON output is generated. |
||||
|
name
string
/ required
|
Specifies the name of the security policy.
Configuration auto-prepends "ssloP_" to the policy.
The policy name should be less than 14 characters and not contain dashes "-".
|
|||||
|
policy_consumer
string
|
|
Specifies the type of policy.
|
||||
|
policy_rules
list
/ elements=dictionary
|
Defines the policy rules to apply to the security policy, in defined order.
|
|||||
|
conditions
list
/ elements=dictionary
|
Defines the list of conditions within this rule.
|
|||||
|
condition_option_category
list
/ elements=string
|
A list of URL categories (ex. "Financial and Data Services").
Use when c(condition_type) matches c(category_lookup_all) or c(category_lookup_sni).
|
|||||
|
condition_option_portrange
dictionary
|
Defines a port-range with using keys c(port_from) and c(port_to).
Use when c(condition_type) matches c(client_port_match) or c(server_port_match).
|
|||||
|
port_from
string
|
Starting port number in the port range.
|
|||||
|
port_to
string
|
Ending port number in the port range.
|
|||||
|
condition_option_ports
list
/ elements=string
|
Defines a list of ports.
Use when c(condition_type) matches c(client_port_match) or c(server_port_match).
|
|||||
|
condition_option_subnet
list
/ elements=string
|
Defines a list of IP subnets.
Use when c(condition_type) matches c(client_ip_subnet_match) or c(server_ip_subnet_match).
|
|||||
|
condition_type
string
|
|
Defines the name of the policy rule.
|
||||
|
geolocations
list
/ elements=dictionary
|
A list of 'type' and 'value' keys, where type can be 'countryCode', 'countryName', 'continent', or 'state'.
Use when c(condition_type) matches c(client_ip_geolocation) or c(server_ip_geolocation).
|
|||||
|
option_tcp_protocol
list
/ elements=string
|
Defines a list of TCP protocols to be used with
tcp_l7_protocol_lookup. |
|||||
|
option_udp_protocol
list
/ elements=string
|
Defines a list of UDP protocols you want used with
udp_l7_protocol_lookup. |
|||||
|
match_type
string
|
|
Defines the match type when multiple conditions are applied to a single rule.
|
||||
|
name
string
|
Defines the name of the policy rule.
|
|||||
|
policy_action
string
|
|
Defines the policy action applied for this rule.
|
||||
|
service_chain
string
|
Defines the service chain to attach to this rule.
|
|||||
|
ssl_action
string
|
|
Defines the TLS intercept/bypass behavior for this rule.
|
||||
|
proxy_connect
dictionary
|
Specifies the proxy-connect settings, as required, to establish an upstream proxy chain egress.
|
|||||
|
password
string
|
Defines the password pool for the proxy connection.
|
|||||
|
pool_members
list
/ elements=dictionary
|
Defines pool members which we want to associate for the new pool.
Mutually exclusive with the
pool_name parameter. |
|||||
|
ip
string
/ required
|
IP address of the pool member you want to add.
|
|||||
|
port
integer
|
Port number to be associated with the pool member IP address.
|
|||||
|
pool_name
string
|
Defines an existing pool name for the proxy connection. Specify with a partition.
Mutually exclusive with
pool_members. |
|||||
|
username
string
|
Defines the username for the proxy connection.
|
|||||
|
server_cert_check
boolean
|
|
Enables or disables server certificate validation.
|
||||
|
state
string
|
|
When
state is present, ensures the policy is created or modified.When
state is absent, ensures the policy is removed. |
||||
|
timeout
integer
|
Default: 300
|
The amount of time, to wait for the
CREATE or MODIFY task to complete, in seconds.The accepted value range is between
10 and 1800 seconds. |
||||
Examples¶
- name: SSLO config policy
bigip_sslo_config_policy:
name: "testpolicy"
server_cert_check: true
proxy_connect:
username: "testuser"
password: ""
pool_members:
- ip: "192.168.30.10"
port: 100
policy_rules:
- name: "testrule"
match_type: "match_any"
policy_action: "reject"
conditions:
- condition_type: "category_lookup_all"
condition_option_category:
- "Financial Data and Services"
- "General Email"
- condition_type: "client_port_match"
condition_option_ports:
- "80"
- "90"
- condition_type: "client_ip_geolocation"
geolocations:
- type: "countryCode"
value: "US"
- type: "countryCode"
value: "UK"
- name: "testrule2"
match_type: "match_all"
policy_action: "reject"
conditions:
- condition_type: "category_lookup_all"
condition_option_category:
- "Financial Data and Services"
- "General Email"
- condition_type: "client_port_match"
condition_option_ports:
- "80"
- "90"