stormshield.sns.sns_policy role – Policy configuration

Note

This role is part of the stormshield.sns collection (version 1.0.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install stormshield.sns.

To use it in a playbook, specify: stormshield.sns.sns_policy.

Entry point main – Policy configuration

Synopsis

• This role configures filter and NAT policies of Stormshield Network Security appliances.

Parameters

Parameter	Comments
activate boolean	Activate the slot Choices: false true ← (default)
comment string	Slot comment
filter list / elements=dictionary	Filter rules
ackqosid string	ACK QID name
action string	Rule action Choices: "pass" "block" "deleg" "reset" "log" "decrypt" "nat"
antispam string	Use antispam analysis Choices: "on" "off"
antivirus string	Use Antivirus analysis Choices: "on" "off"
beforevpn string	Apply before VPN Choices: "on" "off"
comment string	Rule comment
count string	Choices: "on" "off"
dstgeo string	Destination geo object(<objectgeo[|objectgeo[|…]]])
dsthostrep integer	Destination host reputation (<0-65535>)
dsthostrepop string	Destination host reputation operator Choices: "lt" "gt"
dstif string	Destination interface (any|<interface name>)
dstiprep string	Destination IP reputation (<objectiprep[|objectiprep[|…]]])]
dstport string	Destination port (any|<objectservice>[,<objectservice>[,<objectservice>[,…]]])
dstportop string	Destination port operator Choices: "eq" "ne" "gt" "lt"
dsttarget string	Destination target (any|[!]<objectname>[,<objectname>[,<objectname>[,…]]])
enforceipsecforward string	Enforce IPsec forward Choices: "on" "off"
enforceipsecreverse string	Enforce IPsec reverse routing Choices: "on" "off"
ftpfiltering string	Use FTP filtering Choices: "on" "off"
fwservice string	Service Choices: "" "httpproxy" "webportal"
icmpcode string	ICMP code (“”|<0-255>)
icmptype string	ICMP type (“”|<0-255>)
inbound string	Inbound Choices: "" "sip_udp"
inspection string	Inspection level Choices: "firewall" "ids" "ips"
ipproto string	IP protocol(any|<IP protocol name>)
ipstate string	IP state Choices: "on" "off"
loglevel string	Rule log level Choices: "none" "log" "minor" "major"
mailfiltering string	Mail policy index (“”|<0-9>)
name string	Rule name
natdstarp string	NAT destination ARP Choices: "on" "off"
natdstlb string	Load balancing algorithm on NAT destination IP Choices: "none" "roundrobin" "srchash" "connhash" "random"
natdstport string	NAT destination port (original|<objectservice>|<port range>)
natdstportlb string	Load balancing algorithm on nat destination port Choices: "none" "roundrobin" "srchash" "connhash" "random"
natdstportop string	NAT destination port operator Choices: "eq" "ne" "gt" "lt"
natdsttarget string	NAT destination target (“”|original|<object name>)
natsrcarp string	NAT source ARP Choices: "on" "off"
natsrclb string	NAT source load balancing algorithm Choices: "none" "roundrobin" "srchash" "connhash" "random"
natsrcport string	NAT source port (original|<objectservice>|<port range>)
natsrcportlb string	NAT source port loadbalancing algorithm Choices: "none" "random"
natsrcportop string	NAT source port operator Choices: "eq" "ne" "gt" "lt"
natsrctarget string	NAT source target (“”|original|<object name>)
noconnlog string	Don’t log the connection all|([disk],[syslog],[ipfix])
position integer	Insert at line N
proto string	Application protocol (auto|none|<app protocol name>)
proxycache string	Use cache proxy Choices: "on" "off"
qosfairness string	QoS fairness Choices: "state" "user" "host"
qosid string	QID name
rate string	(“”|<tcp>,<udp>,<icmp>,<request>)
route string	Use route (“”|\<objrouter\>|<hostname>|<ipaddr>)
rulename string	Rule name
sandboxing string	Use sandboxing analysis Choices: "on" "off"
schedule string	Rule scheduling (anytime|<time object>)
securityinspection string	Security inspection index (“”|<0-9>)
settos string	Set TOS Field (“”|1-254)
srcgeo string	Source geo object (<objectgeo[|\<objectgeo\>[|…]]])
srchostrep integer	Source host reputation filter (<0-65535>)
srchostrepop string	Source host reputation operator Choices: "lt" "gt"
srcif string	Source interface (any|<interface name>)
srciprep string	=(<objectiprep[|\<objectiprep\>[|…]]])]
srcport string	Source port (any|<objectservice>[,<objectservice>[,<objectservice>[,…]]])
srcportop string	Source port operator Choices: "eq" "ne" "gt" "lt"
srctarget string	Source target (any|[!]<objectname>[,<objectname>[,<objectname>[,…]]])
srcuser string	Source user (“”|any|unknown|[!]<user>|[!]<usergroup>)
srcuserdomain string	Source user domain (“”|<domain name>)
srcusermethod string	Source user authentication method Choices: "" "plain" "spnego" "ssl" "radius" "kerberos" "agent-ad" "openvpn" "ipsec" "guest" "agent-guard"
srcusertype string	Source user type (“”|user|group)
sslfiltering string	SSL policy index (|<0-9>)
state string	Rule state Choices: "on" "off"
synproxy string	SYN proxy Choices: "on" "off"
tos string	Filter TOS field (“”|<1-254>)
urlfiltering string	URL policy index (“”|<0-9>)
via string	Via Choices: "any" "sslvpn" "httpproxy" "ipsec" "sslproxy" "none"
webportalexcept string	Web portal exception (“”|urlgroup[,urlgroup[,urlgroup[,…]]])
mode string	Rule add mode Choices: "add" "reset" ← (default) "del"
nat list / elements=dictionary	NAT rules
ackqosid string	ACK QID name
action string	Rule action Choices: "pass" "block" "deleg" "reset" "log" "decrypt" "nat"
antispam string	Use antispam analysis Choices: "on" "off"
antivirus string	Use Antivirus analysis Choices: "on" "off"
beforevpn string	Apply before VPN Choices: "on" "off"
comment string	Rule comment
count string	Choices: "on" "off"
dstgeo string	Destination geo object(<objectgeo[|objectgeo[|…]]])
dsthostrep integer	Destination host reputation (<0-65535>)
dsthostrepop string	Destination host reputation operator Choices: "lt" "gt"
dstif string	Destination interface (any|<interface name>)
dstiprep string	Destination IP reputation (<objectiprep[|objectiprep[|…]]])]
dstport string	Destination port (any|<objectservice>[,<objectservice>[,<objectservice>[,…]]])
dstportop string	Destination port operator Choices: "eq" "ne" "gt" "lt"
dsttarget string	Destination target (any|[!]<objectname>[,<objectname>[,<objectname>[,…]]])
enforceipsecforward string	Enforce IPsec forward Choices: "on" "off"
enforceipsecreverse string	Enforce IPsec reverse routing Choices: "on" "off"
ftpfiltering string	Use FTP filtering Choices: "on" "off"
fwservice string	Service Choices: "" "httpproxy" "webportal"
icmpcode string	ICMP code (“”|<0-255>)
icmptype string	ICMP type (“”|<0-255>)
inbound string	Inbound Choices: "" "sip_udp"
inspection string	Inspection level Choices: "firewall" "ids" "ips"
ipproto string	IP protocol(any|<IP protocol name>)
ipstate string	IP state Choices: "on" "off"
loglevel string	Rule log level Choices: "none" "log" "minor" "major"
mailfiltering string	Mail policy index (“”|<0-9>)
name string	Rule name
natdstarp string	NAT destination ARP Choices: "on" "off"
natdstlb string	Load balancing algorithm on NAT destination IP Choices: "none" "roundrobin" "srchash" "connhash" "random"
natdstport string	NAT destination port (original|<objectservice>|<port range>)
natdstportlb string	Load balancing algorithm on nat destination port Choices: "none" "roundrobin" "srchash" "connhash" "random"
natdstportop string	NAT destination port operator Choices: "eq" "ne" "gt" "lt"
natdsttarget string	NAT destination target (“”|original|<object name>)
natsrcarp string	NAT source ARP Choices: "on" "off"
natsrclb string	NAT source load balancing algorithm Choices: "none" "roundrobin" "srchash" "connhash" "random"
natsrcport string	NAT source port (original|<objectservice>|<port range>)
natsrcportlb string	NAT source port loadbalancing algorithm Choices: "none" "random"
natsrcportop string	NAT source port operator Choices: "eq" "ne" "gt" "lt"
natsrctarget string	NAT source target (“”|original|<object name>)
noconnlog string	Don’t log the connection all|([disk],[syslog],[ipfix])
position integer	Insert at line N
proto string	Application protocol (auto|none|<app protocol name>)
proxycache string	Use cache proxy Choices: "on" "off"
qosfairness string	QoS fairness Choices: "state" "user" "host"
qosid string	QID name
rate string	(“”|<tcp>,<udp>,<icmp>,<request>)
route string	Use route (“”|\<objrouter\>|<hostname>|<ipaddr>)
rulename string	Rule name
sandboxing string	Use sandboxing analysis Choices: "on" "off"
schedule string	Rule scheduling (anytime|<time object>)
securityinspection string	Security inspection index (“”|<0-9>)
settos string	Set TOS Field (“”|1-254)
srcgeo string	Source geo object (<objectgeo[|\<objectgeo\>[|…]]])
srchostrep integer	Source host reputation filter (<0-65535>)
srchostrepop string	Source host reputation operator Choices: "lt" "gt"
srcif string	Source interface (any|<interface name>)
srciprep string	=(<objectiprep[|\<objectiprep\>[|…]]])]
srcport string	Source port (any|<objectservice>[,<objectservice>[,<objectservice>[,…]]])
srcportop string	Source port operator Choices: "eq" "ne" "gt" "lt"
srctarget string	Source target (any|[!]<objectname>[,<objectname>[,<objectname>[,…]]])
srcuser string	Source user (“”|any|unknown|[!]<user>|[!]<usergroup>)
srcuserdomain string	Source user domain (“”|<domain name>)
srcusermethod string	Source user authentication method Choices: "" "plain" "spnego" "ssl" "radius" "kerberos" "agent-ad" "openvpn" "ipsec" "guest" "agent-guard"
srcusertype string	Source user type (“”|user|group)
sslfiltering string	SSL policy index (|<0-9>)
state string	Rule state Choices: "on" "off"
synproxy string	SYN proxy Choices: "on" "off"
tos string	Filter TOS field (“”|<1-254>)
urlfiltering string	URL policy index (“”|<0-9>)
via string	Via Choices: "any" "sslvpn" "httpproxy" "ipsec" "sslproxy" "none"
webportalexcept string	Web portal exception (“”|urlgroup[,urlgroup[,urlgroup[,…]]])
scope string	Use local or global slot Choices: "local" ← (default) "global"
slot integer / required	Slot number
slotname string	Name of the slot

Collection links

• Issue Tracker
• Repository (Sources)