bigip_sslo_config_policy – Manage an SSL Orchestrator security policy

New in version 1.7.0.

Synopsis

  • Manage an SSL Orchestrator security policy

Parameters

Sub-parameters are indented under the parameter that contains them; a ← marks the default choice.
default_rule
dictionary
added in 1.8.0
Specifies the settings for the default All Traffic security policy rule.
When creating a new policy, the rule is created with default values.
When modifying an existing policy, all values should be defined, or the missing ones are replaced by the defaults (see below).
  allow_block
  string
      Choices:
    • allow
    • block
  Defines the behavior for the default All Traffic rule.
  If not specified, the allow option is set.
  service_chain
  string
  Defines the service chain to attach to the default All Traffic rule.
  If not specified, the empty value '' is set.
  tls_intercept
  string
      Choices:
    • bypass
    • intercept
  Defines the TLS behavior for the default All Traffic rule.
  If not specified, the bypass option is set.
dump_json
boolean
    Choices:
  • no ←
  • yes
Sets the module to output a JSON blob for further consumption.
When yes, the module does not make any changes on the device and always returns changed=False.
The output is idempotent in nature: if a MODIFY of an existing policy would make no changes, no JSON output is generated.
name
string / required
Specifies the name of the security policy.
The configuration auto-prepends "ssloP_" to the policy name.
The policy name should be less than 14 characters and must not contain dashes "-".
policy_consumer
string
    Choices:
  • outbound
  • inbound
Specifies the type of policy.
policy_rules
list / elements=dictionary
Defines the policy rules to apply to the security policy, in the order given.
  conditions
  list / elements=dictionary
  Defines the list of conditions within this rule.
    condition_option_category
    list / elements=string
    A list of URL categories (for example "Financial and Data Services").
    Should be used when condition_type is category_lookup_all or category_lookup_sni.
    condition_option_portrange
    dictionary
    Defines a port range using the keys port_from and port_to.
    Should be used when condition_type is client_port_match or server_port_match.
    condition_option_ports
    list / elements=string
    Defines a list of ports.
    Should be used when condition_type is client_port_match or server_port_match.
    condition_option_subnet
    list / elements=string
    Defines a list of IP subnets.
    Should be used when condition_type is client_ip_subnet_match or server_ip_subnet_match.
    condition_type
    string
        Choices:
      • category_lookup_all
      • category_lookup_sni
      • category_lookup_httpconnect
      • ssl_check
      • client_port_match
      • server_port_match
      • client_ip_subnet_match
      • server_ip_subnet_match
      • tcp_l7_protocol_lookup
      • udp_l7_protocol_lookup
      • client_ip_geolocation
      • server_ip_geolocation
    Defines the type of condition to evaluate; the matching condition_option_*, geolocations or option_*_protocol key supplies its values.
    geolocations
    list / elements=dictionary
    A list of dictionaries with type and value keys, where type can be countryCode, countryName, continent, or state.
    Should be used when condition_type is client_ip_geolocation or server_ip_geolocation.
    option_tcp_protocol
    list / elements=string
    Defines a list of TCP protocols. Should be used when condition_type is tcp_l7_protocol_lookup.
    option_udp_protocol
    list / elements=string
    Defines a list of UDP protocols. Should be used when condition_type is udp_l7_protocol_lookup.
  match_type
  string
      Choices:
    • match_any
    • match_all
  Defines the match type when multiple conditions are applied to a single rule (any condition, or all of them).
  name
  string
  Defines the name of the policy rule.
  policy_action
  string
      Choices:
    • allow
    • reject
    • abort
  Defines the policy action to be applied for this rule.
  service_chain
  string
  Defines the service chain to attach to this rule.
  ssl_action
  string
      Choices:
    • bypass
    • intercept
  Defines the TLS intercept/bypass behavior for this rule.
proxy_connect
dictionary
Specifies the proxy-connect settings, as required, to establish an upstream proxy chain for egress.
  password
  string
  Defines the password for the proxy connection.
  pool_members
  list / elements=dictionary
  Defines the pool members to associate with the new pool.
  Mutually exclusive with pool_name.
    ip
    string / required
    IP address of the pool member you want to add.
    port
    integer
    Port number to be associated with the pool member IP address.
  pool_name
  string
  Defines an existing pool name for the proxy connection. It should be specified with its partition.
  Mutually exclusive with pool_members.
  username
  string
  Defines the username for the proxy connection.
server_cert_check
boolean
    Choices:
  • no
  • yes
Enables or disables server certificate validation.
state
string
    Choices:
  • present ←
  • absent
When state is present, ensures the policy is created or modified.
When state is absent, ensures the policy is removed.
timeout
integer
Default:
300
The amount of time, in seconds, to wait for the CREATE or MODIFY task to complete.
The accepted value range is between 10 and 1800 seconds.

Examples

- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_host: "lb.mydomain.com"
    ansible_user: "admin"
    ansible_httpapi_password: "secret"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes

  tasks:
    - name: SSLO config policy
      bigip_sslo_config_policy:
        name: "testpolicy"
        server_cert_check: true
        proxy_connect:
          username: "testuser"
          password: ""
          pool_members:
            - ip: "192.168.30.10"
              port: 100
        policy_rules:
          - name: "testrule"
            match_type: "match_any"
            policy_action: "reject"
            conditions:
              - condition_type: "category_lookup_all"
                condition_option_category:
                  - "Financial Data and Services"
                  - "General Email"
              - condition_type: "client_port_match"
                condition_option_ports:
                  - "80"
                  - "90"
              - condition_type: "client_ip_geolocation"
                geolocations:
                  - type: "countryCode"
                    value: "US"
                  - type: "countryCode"
                    value: "UK"
          - name: "testrule2"
            match_type: "match_all"
            policy_action: "reject"
            conditions:
              - condition_type: "category_lookup_all"
                condition_option_category:
                  - "Financial Data and Services"
                  - "General Email"
              - condition_type: "client_port_match"
                condition_option_ports:
                  - "80"
                  - "90"
      delegate_to: localhost
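An added example, not from the collection's own documentation, showing an outbound policy that pins every default_rule key so a later modify run cannot silently fall back to allow/bypass with no service chain; the connection vars are the same as in the example above, and the service chain name ssloSC_inspect, the user subnet and the string form of the port range keys are assumed values.

```yaml
- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi
  # Connection vars (ansible_host, ansible_user, ...) as in the example above.

  tasks:
    - name: Outbound policy with every default_rule key pinned
      bigip_sslo_config_policy:
        name: "outboundpol"                 # under 14 chars, no dashes
        policy_consumer: "outbound"
        policy_rules:
          # Privacy bypass: financial sites are never decrypted (SNI lookup).
          - name: "finbypass"
            match_type: "match_any"
            policy_action: "allow"
            ssl_action: "bypass"
            conditions:
              - condition_type: "category_lookup_sni"
                condition_option_category:
                  - "Financial Data and Services"
          # Decrypt and inspect HTTPS from the user subnet via an existing chain.
          - name: "userhttps"
            match_type: "match_all"
            policy_action: "allow"
            ssl_action: "intercept"
            service_chain: "ssloSC_inspect"   # assumed existing service chain
            conditions:
              - condition_type: "client_ip_subnet_match"
                condition_option_subnet:
                  - "10.10.0.0/16"            # assumed user subnet
              - condition_type: "server_port_match"
                condition_option_portrange:   # string values assumed, as for condition_option_ports
                  port_from: "443"
                  port_to: "443"
        # Pin all three keys: on a modify, any key left out reverts to
        # allow / bypass / '' and unmatched traffic leaves uninspected.
        default_rule:
          allow_block: "allow"
          tls_intercept: "intercept"
          service_chain: "ssloSC_inspect"
        timeout: 600
      delegate_to: localhost
```

Adding dump_json: yes to the same task renders the resulting policy as JSON for review and returns changed=False without touching the device.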

Authors

  • Ravinder Reddy (@chinthalapalli)
  • Kevin Stewart (@kevingstewart)