bigip_sslo_config_topology – Manage an SSL Orchestrator Topology

New in version 1.7.0.

Synopsis

  • Manage an SSL Orchestrator topology

Parameters

Parameter Choices/Defaults Configuration Comments
access_profile
string
Defines a custom access profile to use.
When not specified, a topology-defined access profile is created.
This parameter is mandatory when topology_type is outbound_explicit or when security_policy is set.
additional_protocols
list / elements=string
Defines a list of additional protocols to create listeners for.
This parameter is only valid when protocol is set to tcp.
Accepted values of this list are: ftp, imap, pop3, smtps.
auth_profile
string
Defines an access profile to use for explicit proxy authentication.
dest
string
Defines the destination address filter and optional route domain for the topology listener.
The address must be specified in CIDR notation, with subnet mask not exceeding 32 bits.
When creating a new topology object, if dest is not specified, a value of 0.0.0.0%0/0 is assumed.
dns_resolver
string
Defines a per-topology DNS resolver configuration object.
This parameter is available in SSLO version 9.0 and above.
dump_json
boolean
    Choices:
  • no ←
  • yes
Sets the module to output a JSON blob for further consumption.
When yes does not make any changes on the device and always returns changed=False.
The output provided is idempotent in nature, meaning if there are no changes to be made during MODIFY on an existing service, no JSON output is generated.
gateway
string
    Choices:
  • system
  • pool
  • iplist
Defines the type of egress gateway to use for egress traffic.
When system is set, a system-defined gateway route is used. This is the default choice when a creating topology object if the parameter is not provided.
When topology_type is either set to l2_outbound or l2_inbound, a gateway is automatically set to system.
When pool, the gateway configuration points to an existing gateway pool defined by the gateway_pool parameter.
When iplist, a new gateway pool is created from the provided gateway_list.
gateway_list
list / elements=dictionary
Defines a list of IP addresses to use in a gateway pool configuration.
This parameter is required when gateway is set to iplist.
ip
string / required
The IP address of the gateway in pool.
ratio
integer
The ratio used for load balancing egress traffic in the gateway pool.
When creating a new topology object, if ratio is not specified, a value of 1 is assumed.
Valid value range is from 1 to 65535.
gateway_pool
string
Defines an existing gateway pool to use for egress traffic.
This parameter is required when gateway is set to pool.
ip_family
string
    Choices:
  • ipv4
  • ipv6
Defines the IP family for the topology.
When creating a new topology object, if ip_family is not specified, a value of ipv4 is assumed.
l7_profile
string
Defines the specific HTTP profile if the l7_profile_type is set to http.
When creating a new topology object, if l7_profile is not specified, a value of /Common/http is assumed.
l7_profile_type
string
    Choices:
  • none
  • http
Defines the L7 protocol type, and can either be none for all protocols, or http.
When creating a new topology object, if l7_profile_type is not specified, a value of http is assumed.
logging
dictionary
Defines the setting of logging characteristics for an SSL Orchestrator topology.
ftp
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator FTP listener logging.
imap
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator IMAP listener logging.
per_request_policy
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator security policy logging.
pop3
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator POP3 listener logging.
smtps
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator SMTPS listener logging.
sslo
string
    Choices:
  • emergency
  • alert
  • critical
  • warning
  • error
  • notice
  • information
  • debug
Defines the logging facility used for the SSL Orchestrator summary logging.
name
string / required
Specifies the name of the topology.
Configuration auto-prepends "sslo_" to the topology.
Topology name should be less than 14 characters and not contain dashes "-".
ocsp_auth
string
This setting defines an OCSP Authentication profile.
This parameter is available in SSLO version 9.0 and later.
pool
string
Defines a server pool to use in an application mode inbound topology.
port
integer
Defines the port filter for the topology listener.
When creating a new topology object, if port is not specified, a value of 0 is assumed.
Valid value range is from 0 to 65535.
primary_auth_uri
string
Defines the authentication service (ie. captive portal) to redirect new users to.
This setting should contain a fully-qualified domain name (ex. https://auth.f5labs.com).
This parameter applies to SSLO version 8.2 and later.
Required when the profile_scope option is named.
profile_scope
string
    Choices:
  • public
  • named
Defines the access profile scope.
This parameter applies to SSLO version 8.2 and later.
profile_scope_value
string
Defines a string name shared between the transparent proxy SSL Orchestrator profile and the captive portal authentication access profile.
This parameter applies to SSLO version 8.2 and later.
Required when the profile_scope option is named.
protocol
string
    Choices:
  • tcp
  • udp
  • other
Defines the topology protocol, either TCP, UDP, or other (non-tcp/non-udp).
When creating a new topology object, if protocol is not specified, a value of tcp is assumed.
proxy_ip
string
Defines the explicit proxy listener IP address.
This parameter is required when topology_type is is outbound_explicit.
This parameter is mutually exclusive with dest and port.
This parameter must be specified together with proxy_port.
proxy_port
integer
Defines the explicit proxy listener port.
This parameter is required when topology_type is is outbound_explicit.
This parameter is mutually exclusive with dest and port.
This parameter must be specified together with proxy_ip.
security_policy
string
Defines the name of the security policy object already created.
Configuration auto-prepends "ssloP_" to provided name if not present.
This parameter is mandatory when proxy_type is outbound_explicit.
snat
string
    Choices:
  • none
  • automap
  • snatpool
  • snatlist
Defines the type egress source NAT used.
When none, no outbound SNAT configuration is configured. This is the default choice when creating a topology object if the parameter is not provided.
When topology_type is either set to l2_outbound or l2_inbound, a snat is automatically set to none.
When automap, SNAT auto map is configured.
When snatpool, the SNAT configuration points to an existing SNAT pool defined by the snatpool parameter.
When snatlist, a new SNAT pool is created from the provided snatlist.
snat_list
list / elements=string
Defines a list of IP addresses to use in a SNAT pool configuration.
This parameter is required when snat is set to snatlist.
snat_pool
string
Defines an existing SNAT pool.
This parameter required when snat is set to snatpool.
source
string
Defines the source address filter and optional route domain for the topology listener.
The address must be specified in CIDR notation, with subnet mask not exceeding 32 bits.
When creating a new topology object, if source is not specified, a value of 0.0.0.0%0/0 is assumed.
ssl_settings
string
Defines the name of the SSL settings object already created.
Configuration auto-prepends "ssloT_" to provided name if not present.
state
string
    Choices:
  • present ←
  • absent
When state is present, ensures the object is created or modified.
When state is absent, ensures the object is removed.
tcp_settings_client
string
Defines a custom client side TCP profile to use.
This parameter is ignored when topology_type is set to outbound_explicit.
When not specified, the default creation value is set depending on the topology_type. If topology_type is either set to l2_inbound or l3_inbound, the value is set to /Common/f5-tcp-wan. If topology_type is either set to l2_outbound or C(l3_outbound, the value is set to /Common/f5-tcp-lan.
tcp_settings_server
string
Defines a custom server side TCP profile to use.
This parameter is ignored when topology_type is set to outbound_explicit.
When not specified, the default creation value is set depending on the topology_type. If topology_type is either set to l2_inbound or l3_inbound the value is set to /Common/f5-tcp-lan. If topology_type is either set to l2_outbound or C(l3_outbound the value is set to /Common/f5-tcp-wan.
timeout
integer
Default:
300
The amount of time to wait for the CREATE, MODIFY or DELETE task to complete, in seconds.
The accepted value range is between 10 and 1800 seconds.
topology_type
string / required
    Choices:
  • outbound_l3
  • inbound_l3
  • outbound_explicit
  • outbound_l2
  • inbound_l2
Defines the type of topology to create.
verify_accept
boolean
    Choices:
  • no
  • yes
Enables TCP Verify Accept proxy through an outbound topology.
This parameter is available in SSLO version 9.0 and later.
vlans
list / elements=string
Defines the list of listening VLANs for the topology listener.
This parameter is required when creating new topology object.

Examples

- hosts: all
  collections:
    - f5networks.f5_bigip
  connection: httpapi

  vars:
    ansible_host: "lb.mydomain.com"
    ansible_user: "admin"
    ansible_httpapi_password: "secret"
    ansible_network_os: f5networks.f5_bigip.bigip
    ansible_httpapi_use_ssl: yes

  tasks:
    - name: Create SSLO Topology
      bigip_sslo_topology:
        name: "l3_topo_out"
        topology_type: "outbound_l3"
        dest: "192.168.1.4%0/32"
        port: 8080
        ip_family: "ipv4"
        ssl_settings: "foobar"
        vlans:
          - "/Common/fake1"

    - name: Delete SSLO Topology
      bigip_sslo_topology:
        name: "l3_topo_out"
        topology_type: "outbound_l3"
        state: "absent"

Status

Authors

  • Wojciech Wypior (@wojtek0806)
  • Kevin Stewart (@kevingstewart)