» panos_panorama_security_policy

This resource allows you to manage the full security posture.

This resource manages the full set of security rules, enforcing both the contents of individual rules as well as their ordering. Rules are defined in a rule config block. As this manages the full set of security rules for a given rulebase, any extraneous rules are removed on terraform apply.

For each security rule, there are three styles of profile settings:

The Profile Setting is implicitly chosen based on what params are configured for the security rule. If you want a Profile Setting of Group, then the group param should be set to the desired Group Profile. If you want a Profile Setting of Profiles, then you will need to specify one or more of the following params:

If the group param and none of the Profiles params are specified, then the Profile Setting is set to None.

» Example Usage

resource "panos_panorama_security_policy" "example" {
    rule {
        name = "allow bizdev to dmz"
        source_zones = ["bizdev"]
        source_addresses = ["any"]
        source_users = ["any"]
        hip_profiles = ["any"]
        destination_zones = ["dmz"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["application-default"]
        categories = ["any"]
        action = "allow"
    rule {
        name = "deny sales to eng"
        source_zones = ["sales"]
        source_addresses = ["any"]
        source_users = ["any"]
        hip_profiles = ["any"]
        destination_zones = ["eng"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["application-default"]
        categories = ["any"]
        action = "deny"
        target {
            serial = "01234"
        target {
            serial = "56789"
            vsys_list = ["vsys1", "vsys3"]

» Argument Reference

The following arguments are supported:

  • device_group - (Optional) The device group to put the security policy into (default: shared).
  • rulebase - (Optional) The rulebase. This can be pre-rulebase (default), post-rulebase, or rulebase.
  • rule - The security rule definition (see below). The security rule ordering will match how they appear in the terraform plan file.

The following arguments are valid for each rule section:

  • name - (Required) The security rule name.
  • type - (Optional) Rule type. This can be universal (default), interzone, or intrazone.
  • description - (Optional) The description.
  • tags - (Optional) List of tags for this security rule.
  • source_zones - (Required) List of source zones.
  • source_addresses - (Required) List of source addresses.
  • negate_source - (Optional, bool) If the source should be negated.
  • source_users - (Required) List of source users.
  • hip_profiles - (Required) List of HIP profiles.
  • destination_zones - (Required) List of destination zones.
  • destination_addresses - (Required) List of destination addresses.
  • negate_destination - (Optional, bool) If the destination should be negated.
  • applications - (Required) List of applications.
  • services - (Required) List of services.
  • categories - (Required) List of categories.
  • action - (Optional) Action for the matched traffic. This can be allow (default), deny, drop, reset-client, reset-server, or reset-both.
  • log_setting - (Optional) Log forwarding profile.
  • log_start - (Optional, bool) Log the start of the traffic flow.
  • log_end - (Optional, bool) Log the end of the traffic flow (default: true).
  • disabled - (Optional, bool) Set to true to disable this rule.
  • schedule - (Optional) The security rule schedule.
  • icmp_unreachable - (Optional) Set to true to enable ICMP unreachable.
  • disable_server_response_inspection - (Optional) Set to true to disable server response inspection.
  • group - (Optional) Profile Setting: Group - The group profile name.
  • virus - (Optional) Profile Setting: Profiles - The antivirus setting.
  • spyware - (Optional) Profile Setting: Profiles - The anti-spyware setting.
  • vulnerability - (Optional) Profile Setting: Profiles - The Vulnerability Protection setting.
  • url_filtering - (Optional) Profile Setting: Profiles - The URL filtering setting.
  • file_blocking - (Optional) Profile Setting: Profiles - The file blocking setting.
  • wildfire_analysis - (Optional) Profile Setting: Profiles - The WildFire Analysis setting.
  • data_filtering - (Optional) Profile Setting: Profiles - The Data Filtering setting.
  • target - (Optional) A target definition (see below). If there are no target sections, then the rule will apply to every vsys of every device in the device group.
  • negate_target - (Optional, bool) Instead of applying the rule for the given serial numbers, apply it to everything except them.

The following arguments are valid for each target section:

  • serial - (Required) The serial number of the firewall.
  • vsys_list - (Optional) A subset of all available vsys on the firewall that should be in this device group. If the firewall is a virtual firewall, then this parameter should just be omitted.