sophos.sophos_firewall.sfos_firewall_rule module – Manage Firewall Rules (Protect > Rules & policies)

Note

This module is part of the sophos.sophos_firewall collection (version 2.3.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install sophos.sophos_firewall. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: sophos.sophos_firewall.sfos_firewall_rule.

New in sophos.sophos_firewall 1.0.0

Synopsis

  • Creates, updates or removes firewall rules (Protect > Rules & policies) on Sophos Firewall

Requirements

The below requirements are needed on the host that executes this module.

  • sophosfirewall-python

  • Beginning in version 2.0.0, this module requires use of an httpapi connection plugin. See the HTTPAPI example for details.

Parameters

Parameter

Comments

action

string / required

The rule action.

Choices:

  • "accept"

  • "drop"

  • "reject"

after_rulename

string

Name of the rule to insert this rule after.

application_base_qos_policy

string

Name of the application base QoS policy to apply.

application_control

string

Specify application control policy.

before_rulename

string

Name of the rule to insert this rule before.

block_quic

string

Enable/Disable QUIC blocking.

Choices:

  • "Enable"

  • "Disable"

decrypt_https

string

Enable/Disable HTTPS decryption.

Choices:

  • "Enable"

  • "Disable"

description

string / required

Rule description.

dest_security_heartbeat

string

Enable/Disable destination security heartbeat.

Choices:

  • "Enable"

  • "Disable"

dscp_marking

string

DSCP marking value.

dst_networks

list / elements=string

Destination network(s).

dst_zones

list / elements=string / required

Destination zone(s).

intrusion_prevention

string

Specify intrusion prevention policy.

log

string / required

Enable or disable logging.

Choices:

  • "enable"

  • "disable"

minimum_dest_hb_permitted

string

Minimum destination heartbeat permitted.

minimum_source_hb_permitted

string

Minimum source heartbeat permitted.

name

string / required

Name of the firewall rule to create, update, or delete.

position

string

Indicates where the rule should be inserted.

Choices:

  • "top"

  • "bottom" ← (default)

  • "after"

  • "before"

proxy_mode

string

Enable/Disable proxy mode.

Choices:

  • "Enable"

  • "Disable"

qos_policy

string

Name of the QoS traffic shaping policy to apply.

scan_imap

string

Enable/Disable IMAP scanning.

Choices:

  • "Enable"

  • "Disable"

scan_imaps

string

Enable/Disable IMAPS scanning.

Choices:

  • "Enable"

  • "Disable"

scan_pop3

string

Enable/Disable POP3 scanning.

Choices:

  • "Enable"

  • "Disable"

scan_pop3s

string

Enable/Disable POP3S scanning.

Choices:

  • "Enable"

  • "Disable"

scan_smtp

string

Enable/Disable SMTP scanning.

Choices:

  • "Enable"

  • "Disable"

scan_smtps

string

Enable/Disable SMTPS scanning.

Choices:

  • "Enable"

  • "Disable"

scan_virus

string

Enable/Disable virus scanning.

Choices:

  • "Enable"

  • "Disable"

service_list

list / elements=string

Name of service(s).

source_security_heartbeat

string

Enable/Disable source security heartbeat.

Choices:

  • "Enable"

  • "Disable"

src_networks

list / elements=string / required

Source network(s).

src_zones

list / elements=string / required

Source zone(s).

state

string / required

Use query to retrieve, present to create, absent to remove, or updated to modify an existing rule.

Choices:

  • "present"

  • "absent"

  • "updated"

  • "query"

status

string

Enabled or Disabled state of the rule.

Choices:

  • "enable"

  • "disable"

web_category_traffic_shaping

string

Name of the web category traffic shaping policy to apply.

web_filter

string

Name of the web filter policy to apply.

Examples

- name: Create Firewall Rule
  sophos.sophos_firewall.sfos_firewall_rule:
    name: TEST RULE 100
    # after_rulename only takes effect together with position "after";
    # with position "bottom" it would be ignored.
    after_rulename: TEST RULE 99
    action: accept
    description: Test rule created by Ansible
    log: enable
    status: enable
    position: after
    src_zones:
      - LAN
    dst_zones:
      - WAN
    src_networks:
      - SRCNET1
      - SRCNET2
    dst_networks:
      - DSTNET1
      - DSTNET2
    service_list:
      - HTTPS
      - SSH
    state: present

- name: Create Enhanced Firewall Rule with Security Features
  sophos.sophos_firewall.sfos_firewall_rule:
    name: SECURE RULE 200
    action: accept
    description: Enhanced security rule with scanning and filtering
    log: enable
    status: enable
    position: bottom
    src_zones:
      - LAN
    dst_zones:
      - WAN
    src_networks:
      - Any
    dst_networks:
      - Any
    service_list:
      - HTTP
      - HTTPS
    web_filter: WebFilterPolicy1
    web_category_traffic_shaping: WebCategoryPolicy1
    block_quic: Enable
    scan_virus: Enable
    proxy_mode: Enable
    decrypt_https: Enable
    application_control: Allow All
    application_base_qos_policy: AppQoSPolicy1
    intrusion_prevention: generalpolicy
    qos_policy: TrafficShapingPolicy1
    dscp_marking: "46"
    scan_smtp: Enable
    scan_smtps: Enable
    scan_imap: Enable
    scan_imaps: Enable
    scan_pop3: Enable
    scan_pop3s: Enable
    source_security_heartbeat: Enable
    minimum_source_hb_permitted: "Green"
    dest_security_heartbeat: Enable
    minimum_dest_hb_permitted: "Green"
    state: present
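The playbook below is an added example and not one of the module's own examples; it walks a single explicit deny rule through each value of the state parameter (query, present, updated, absent) and shows the position/before_rulename pairing. It assumes an inventory group named sophos_firewall whose hosts are already set up for the httpapi connection the Requirements section calls for, and the object names BLOCK WAN SSH TO SERVERS, INTERNAL_SERVERS and ALLOW LAN TO WAN are constructed placeholders that must exist on the firewall (or be replaced) before the play runs.

```yaml
# Added example, not part of the collection's own documentation. Assumes an
# inventory group "sophos_firewall" whose hosts already use the httpapi
# connection the collection requires, and that the placeholder object names
# INTERNAL_SERVERS and ALLOW LAN TO WAN exist on the firewall.
- name: Manage an explicit WAN-to-LAN deny rule
  hosts: sophos_firewall
  gather_facts: false
  tasks:
    # Every parameter the module marks as required is supplied even for the
    # query, so the same mapping (a YAML anchor) can be reused by later tasks;
    # keys given explicitly in a later task override the merged values.
    - name: Query the current state of the rule
      sophos.sophos_firewall.sfos_firewall_rule: &deny_rule
        name: BLOCK WAN SSH TO SERVERS
        description: Drop and log inbound SSH from WAN, managed by Ansible
        action: drop
        log: enable
        status: enable
        src_zones:
          - WAN
        dst_zones:
          - LAN
        src_networks:
          - Any
        dst_networks:
          - INTERNAL_SERVERS
        service_list:
          - SSH
        state: query
      register: rule_query

    - name: Show the serialized API response returned by the query
      ansible.builtin.debug:
        var: rule_query.api_response

    # Rules are matched top-down, so the deny is inserted ahead of the broad
    # allow rule; position "before" only has an effect with before_rulename.
    - name: Ensure the deny rule exists ahead of the broad allow rule
      sophos.sophos_firewall.sfos_firewall_rule:
        <<: *deny_rule
        position: before
        before_rulename: ALLOW LAN TO WAN
        state: present

    # "updated" modifies an existing rule in place; here the service list is
    # widened so the rule also drops inbound HTTPS.
    - name: Extend the deny rule to cover HTTPS as well
      sophos.sophos_firewall.sfos_firewall_rule:
        <<: *deny_rule
        service_list:
          - SSH
          - HTTPS
        state: updated

    # Removal is gated behind an extra variable so a routine run of this play
    # never deletes the rule by accident: ansible-playbook -e retire_rule=true
    - name: Remove the rule when it is retired
      sophos.sophos_firewall.sfos_firewall_rule:
        <<: *deny_rule
        state: absent
      when: retire_rule | default(false) | bool
```

The anchor on the first task keeps the required parameters in one place, which matters with this module because name, description, action, log and the zone/network lists are all marked required; repeating them by hand in four tasks is where drift between the query, create and update tasks usually creeps in.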

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

api_response

dictionary

Serialized object containing the API response.

Returned: always

Authors

  • Matt Mullen (@mamullen13316)