Viewing docs for panos 2.0.11
published on Tuesday, Apr 28, 2026 by paloaltonetworks

    Example Usage

TypeScript:

    import * as pulumi from "@pulumi/pulumi";
    import * as panos from "@pulumi/panos";
    
    const example = new panos.DeviceGroup("example", {
        location: {
            panorama: {},
        },
        name: "example-device-group",
    });
    // Manage a group of authentication policy rules with positioning
    // Place the rule group at the top of the pre-rulebase
    const guestNetwork = new panos.AuthenticationPolicyRules("guest_network", {
        location: {
            deviceGroup: {
                name: example.name,
                rulebase: "pre-rulebase",
            },
        },
        position: {
            where: "first",
        },
        rules: [{
            name: "guest-wifi-auth",
            description: "Require authentication for guest WiFi users",
            sourceZones: ["guest-zone"],
            sourceAddresses: ["guest-network"],
            destinationZones: ["untrust"],
            destinationAddresses: ["any"],
            services: ["any"],
            authenticationEnforcement: "guest-captive-portal",
            timeout: 480,
            logAuthenticationTimeout: true,
            logSetting: "authentication-log-profile",
        }],
    });
    // Place the rule group after a specific rule
    const corporateUsers = new panos.AuthenticationPolicyRules("corporate_users", {
        location: {
            deviceGroup: {
                name: example.name,
                rulebase: "pre-rulebase",
            },
        },
        position: {
            where: "after",
            directly: true,
            pivot: "guest-wifi-auth",
        },
        rules: [
            {
                name: "employee-byod-auth",
                description: "Authentication for employee BYOD devices",
                sourceZones: ["byod-zone"],
                sourceAddresses: ["byod-subnet"],
                sourceUsers: ["any"],
                destinationZones: [
                    "internal",
                    "dmz",
                ],
                destinationAddresses: ["corporate-apps"],
                services: ["any"],
                categories: [
                    "business-and-economy",
                    "computer-and-internet-info",
                ],
                authenticationEnforcement: "corporate-auth-profile",
                timeout: 1440,
                logAuthenticationTimeout: false,
                tags: [
                    "byod",
                    "corporate",
                ],
            },
            {
                name: "contractor-limited-access",
                description: "Authentication for contractors with restricted access",
                sourceZones: ["contractor-zone"],
                sourceAddresses: ["contractor-subnet"],
                sourceUsers: ["contractor-group"],
                destinationZones: ["dmz"],
                destinationAddresses: ["contractor-apps"],
                services: ["service-https"],
                authenticationEnforcement: "contractor-auth-profile",
                timeout: 240,
                logAuthenticationTimeout: true,
                logSetting: "authentication-log-profile",
                tags: [
                    "contractor",
                    "restricted",
                ],
            },
        ],
    });
    // Advanced rule with HIP checks and target restrictions
    const hipBasedAuth = new panos.AuthenticationPolicyRules("hip_based_auth", {
        location: {
            deviceGroup: {
                name: example.name,
                rulebase: "post-rulebase",
            },
        },
        position: {
            where: "last",
        },
        rules: [
            {
                name: "hip-compliant-devices",
                description: "Allow authenticated access only for HIP-compliant devices",
                sourceZones: ["trust"],
                sourceAddresses: ["corporate-subnets"],
                sourceHips: ["compliant-hip-profile"],
                destinationZones: [
                    "dmz",
                    "internal",
                ],
                destinationAddresses: ["sensitive-servers"],
                destinationHips: ["any"],
                services: ["any"],
                sourceUsers: ["domain\\authenticated-users"],
                authenticationEnforcement: "mfa-auth-profile",
                timeout: 720,
                logAuthenticationTimeout: true,
                logSetting: "security-log-profile",
                target: {
                    devices: [
                        {
                            name: "fw-datacenter-01",
                            vsys: [{
                                name: "vsys1",
                            }],
                        },
                        {
                            name: "fw-datacenter-02",
                            vsys: [
                                {
                                    name: "vsys1",
                                },
                                {
                                    name: "vsys2",
                                },
                            ],
                        },
                    ],
                    negate: false,
                    tags: ["production"],
                },
                tags: [
                    "hip-required",
                    "production",
                    "authenticated",
                ],
            },
            {
                name: "non-compliant-redirect",
                description: "Redirect non-compliant devices to remediation portal",
                sourceZones: ["trust"],
                sourceAddresses: ["corporate-subnets"],
                negateSource: false,
                destinationZones: ["remediation"],
                destinationAddresses: ["remediation-portal"],
                negateDestination: false,
                services: [
                    "service-http",
                    "service-https",
                ],
                authenticationEnforcement: "remediation-auth-profile",
                timeout: 60,
                logAuthenticationTimeout: true,
                disabled: false,
                tags: ["remediation"],
            },
        ],
    });
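
An added example, not part of the provider documentation: a pre-deployment lint over rule groups shaped like the ones above, checking that a relative `position` resolves to a rule in the same rulebase and that each rule logs as expected. The `RuleGroup` shape, the finding codes and the `MAX_TIMEOUT` ceiling are assumptions; the sample data copies only the lint-relevant fields from the example.

```typescript
// Added example: lint AuthenticationPolicyRules inputs before `pulumi up`.
// Field names mirror the arguments shown on this page. The RuleGroup shape,
// the finding codes and MAX_TIMEOUT are assumptions made for illustration.
interface AuthRule {
    name: string;
    timeout?: number;
    logAuthenticationTimeout?: boolean;
    logSetting?: string;
}
interface RuleGroup {
    resource: string; // Pulumi resource name
    rulebase: string; // value of location.deviceGroup.rulebase
    position: { where: string; pivot?: string; directly?: boolean };
    rules: AuthRule[];
}
interface Finding { resource: string; rule: string; code: string; }

const MAX_TIMEOUT = 720; // assumed ceiling, in the same unit as `timeout`

function lintGroups(groups: RuleGroup[]): Finding[] {
    const findings: Finding[] = [];
    const owners: { [key: string]: string } = {};
    // Pass 1: index rule names per rulebase; a name may be managed only once.
    for (const g of groups) {
        for (const r of g.rules) {
            const key = g.rulebase + "/" + r.name;
            if (owners[key] !== undefined) {
                findings.push({ resource: g.resource, rule: r.name, code: "DUPLICATE_NAME" });
            } else {
                owners[key] = g.resource;
            }
        }
    }
    for (const g of groups) {
        // Pass 2a: a relative position needs a pivot that resolves in the same rulebase.
        if (g.position.where !== "first" && g.position.where !== "last") {
            const pivot = g.position.pivot;
            const owner = pivot ? owners[g.rulebase + "/" + pivot] : undefined;
            if (!pivot) {
                findings.push({ resource: g.resource, rule: "", code: "PIVOT_MISSING" });
            } else if (owner === undefined) {
                // Not defined by this program in this rulebase; it may still
                // exist on the device, so treat this as a prompt to verify.
                findings.push({ resource: g.resource, rule: pivot, code: "PIVOT_UNKNOWN" });
            } else if (owner === g.resource) {
                // A group cannot be positioned relative to one of its own rules.
                findings.push({ resource: g.resource, rule: pivot, code: "PIVOT_IN_OWN_GROUP" });
            }
        }
        // Pass 2b: per-rule logging and timeout checks.
        for (const r of g.rules) {
            const add = (code: string) => findings.push({ resource: g.resource, rule: r.name, code: code });
            if (!r.logSetting) add("NO_LOG_SETTING");
            if (r.logAuthenticationTimeout !== true) add("TIMEOUT_NOT_LOGGED");
            if (r.timeout !== undefined && r.timeout > MAX_TIMEOUT) add("LONG_TIMEOUT");
        }
    }
    return findings;
}

// Constructed sample: lint-relevant fields copied from the example above.
const SAMPLE_GROUPS: RuleGroup[] = [
    {
        resource: "guest_network", rulebase: "pre-rulebase", position: { where: "first" },
        rules: [
            { name: "guest-wifi-auth", timeout: 480, logAuthenticationTimeout: true, logSetting: "authentication-log-profile" },
        ],
    },
    {
        resource: "corporate_users", rulebase: "pre-rulebase",
        position: { where: "after", directly: true, pivot: "guest-wifi-auth" },
        rules: [
            { name: "employee-byod-auth", timeout: 1440, logAuthenticationTimeout: false },
            { name: "contractor-limited-access", timeout: 240, logAuthenticationTimeout: true, logSetting: "authentication-log-profile" },
        ],
    },
    {
        resource: "hip_based_auth", rulebase: "post-rulebase", position: { where: "last" },
        rules: [
            { name: "hip-compliant-devices", timeout: 720, logAuthenticationTimeout: true, logSetting: "security-log-profile" },
            { name: "non-compliant-redirect", timeout: 60, logAuthenticationTimeout: true },
        ],
    },
];

console.log(JSON.stringify(lintGroups(SAMPLE_GROUPS), null, 2));
```

Pulumi does not infer ordering from a literal `pivot` string, so this lint checks only that the name resolves; an explicit `dependsOn` on the resource that creates the pivot rule makes the creation order deterministic.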
    
Python:

    import pulumi
    import pulumi_panos as panos
    
    example = panos.DeviceGroup("example",
        location={
            "panorama": {},
        },
        name="example-device-group")
    # Manage a group of authentication policy rules with positioning
    # Place the rule group at the top of the pre-rulebase
    guest_network = panos.AuthenticationPolicyRules("guest_network",
        location={
            "device_group": {
                "name": example.name,
                "rulebase": "pre-rulebase",
            },
        },
        position={
            "where": "first",
        },
        rules=[{
            "name": "guest-wifi-auth",
            "description": "Require authentication for guest WiFi users",
            "source_zones": ["guest-zone"],
            "source_addresses": ["guest-network"],
            "destination_zones": ["untrust"],
            "destination_addresses": ["any"],
            "services": ["any"],
            "authentication_enforcement": "guest-captive-portal",
            "timeout": 480,
            "log_authentication_timeout": True,
            "log_setting": "authentication-log-profile",
        }])
    # Place the rule group after a specific rule
    corporate_users = panos.AuthenticationPolicyRules("corporate_users",
        location={
            "device_group": {
                "name": example.name,
                "rulebase": "pre-rulebase",
            },
        },
        position={
            "where": "after",
            "directly": True,
            "pivot": "guest-wifi-auth",
        },
        rules=[
            {
                "name": "employee-byod-auth",
                "description": "Authentication for employee BYOD devices",
                "source_zones": ["byod-zone"],
                "source_addresses": ["byod-subnet"],
                "source_users": ["any"],
                "destination_zones": [
                    "internal",
                    "dmz",
                ],
                "destination_addresses": ["corporate-apps"],
                "services": ["any"],
                "categories": [
                    "business-and-economy",
                    "computer-and-internet-info",
                ],
                "authentication_enforcement": "corporate-auth-profile",
                "timeout": 1440,
                "log_authentication_timeout": False,
                "tags": [
                    "byod",
                    "corporate",
                ],
            },
            {
                "name": "contractor-limited-access",
                "description": "Authentication for contractors with restricted access",
                "source_zones": ["contractor-zone"],
                "source_addresses": ["contractor-subnet"],
                "source_users": ["contractor-group"],
                "destination_zones": ["dmz"],
                "destination_addresses": ["contractor-apps"],
                "services": ["service-https"],
                "authentication_enforcement": "contractor-auth-profile",
                "timeout": 240,
                "log_authentication_timeout": True,
                "log_setting": "authentication-log-profile",
                "tags": [
                    "contractor",
                    "restricted",
                ],
            },
        ])
    # Advanced rule with HIP checks and target restrictions
    hip_based_auth = panos.AuthenticationPolicyRules("hip_based_auth",
        location={
            "device_group": {
                "name": example.name,
                "rulebase": "post-rulebase",
            },
        },
        position={
            "where": "last",
        },
        rules=[
            {
                "name": "hip-compliant-devices",
                "description": "Allow authenticated access only for HIP-compliant devices",
                "source_zones": ["trust"],
                "source_addresses": ["corporate-subnets"],
                "source_hips": ["compliant-hip-profile"],
                "destination_zones": [
                    "dmz",
                    "internal",
                ],
                "destination_addresses": ["sensitive-servers"],
                "destination_hips": ["any"],
                "services": ["any"],
                "source_users": ["domain\\authenticated-users"],
                "authentication_enforcement": "mfa-auth-profile",
                "timeout": 720,
                "log_authentication_timeout": True,
                "log_setting": "security-log-profile",
                "target": {
                    "devices": [
                        {
                            "name": "fw-datacenter-01",
                            "vsys": [{
                                "name": "vsys1",
                            }],
                        },
                        {
                            "name": "fw-datacenter-02",
                            "vsys": [
                                {
                                    "name": "vsys1",
                                },
                                {
                                    "name": "vsys2",
                                },
                            ],
                        },
                    ],
                    "negate": False,
                    "tags": ["production"],
                },
                "tags": [
                    "hip-required",
                    "production",
                    "authenticated",
                ],
            },
            {
                "name": "non-compliant-redirect",
                "description": "Redirect non-compliant devices to remediation portal",
                "source_zones": ["trust"],
                "source_addresses": ["corporate-subnets"],
                "negate_source": False,
                "destination_zones": ["remediation"],
                "destination_addresses": ["remediation-portal"],
                "negate_destination": False,
                "services": [
                    "service-http",
                    "service-https",
                ],
                "authentication_enforcement": "remediation-auth-profile",
                "timeout": 60,
                "log_authentication_timeout": True,
                "disabled": False,
                "tags": ["remediation"],
            },
        ])
    
Go:

    package main
    
    import (
    	"github.com/pulumi/pulumi-terraform-provider/sdks/go/panos/v2/panos"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := panos.NewDeviceGroup(ctx, "example", &panos.DeviceGroupArgs{
    			Location: &panos.DeviceGroupLocationArgs{
    				Panorama: &panos.DeviceGroupLocationPanoramaArgs{},
    			},
    			Name: pulumi.String("example-device-group"),
    		})
    		if err != nil {
    			return err
    		}
    		// Manage a group of authentication policy rules with positioning
    		// Place the rule group at the top of the pre-rulebase
    		_, err = panos.NewAuthenticationPolicyRules(ctx, "guest_network", &panos.AuthenticationPolicyRulesArgs{
    			Location: &panos.AuthenticationPolicyRulesLocationArgs{
    				DeviceGroup: &panos.AuthenticationPolicyRulesLocationDeviceGroupArgs{
    					Name:     example.Name,
    					Rulebase: pulumi.String("pre-rulebase"),
    				},
    			},
    			Position: &panos.AuthenticationPolicyRulesPositionArgs{
    				Where: pulumi.String("first"),
    			},
    			Rules: panos.AuthenticationPolicyRulesRuleArray{
    				&panos.AuthenticationPolicyRulesRuleArgs{
    					Name:        pulumi.String("guest-wifi-auth"),
    					Description: pulumi.String("Require authentication for guest WiFi users"),
    					SourceZones: pulumi.StringArray{
    						pulumi.String("guest-zone"),
    					},
    					SourceAddresses: pulumi.StringArray{
    						pulumi.String("guest-network"),
    					},
    					DestinationZones: pulumi.StringArray{
    						pulumi.String("untrust"),
    					},
    					DestinationAddresses: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					Services: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					AuthenticationEnforcement: pulumi.String("guest-captive-portal"),
    					Timeout:                   pulumi.Float64(480),
    					LogAuthenticationTimeout:  pulumi.Bool(true),
    					LogSetting:                pulumi.String("authentication-log-profile"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Place the rule group after a specific rule
    		_, err = panos.NewAuthenticationPolicyRules(ctx, "corporate_users", &panos.AuthenticationPolicyRulesArgs{
    			Location: &panos.AuthenticationPolicyRulesLocationArgs{
    				DeviceGroup: &panos.AuthenticationPolicyRulesLocationDeviceGroupArgs{
    					Name:     example.Name,
    					Rulebase: pulumi.String("pre-rulebase"),
    				},
    			},
    			Position: &panos.AuthenticationPolicyRulesPositionArgs{
    				Where:    pulumi.String("after"),
    				Directly: pulumi.Bool(true),
    				Pivot:    pulumi.String("guest-wifi-auth"),
    			},
    			Rules: panos.AuthenticationPolicyRulesRuleArray{
    				&panos.AuthenticationPolicyRulesRuleArgs{
    					Name:        pulumi.String("employee-byod-auth"),
    					Description: pulumi.String("Authentication for employee BYOD devices"),
    					SourceZones: pulumi.StringArray{
    						pulumi.String("byod-zone"),
    					},
    					SourceAddresses: pulumi.StringArray{
    						pulumi.String("byod-subnet"),
    					},
    					SourceUsers: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					DestinationZones: pulumi.StringArray{
    						pulumi.String("internal"),
    						pulumi.String("dmz"),
    					},
    					DestinationAddresses: pulumi.StringArray{
    						pulumi.String("corporate-apps"),
    					},
    					Services: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					Categories: pulumi.StringArray{
    						pulumi.String("business-and-economy"),
    						pulumi.String("computer-and-internet-info"),
    					},
    					AuthenticationEnforcement: pulumi.String("corporate-auth-profile"),
    					Timeout:                   pulumi.Float64(1440),
    					LogAuthenticationTimeout:  pulumi.Bool(false),
    					Tags: pulumi.StringArray{
    						pulumi.String("byod"),
    						pulumi.String("corporate"),
    					},
    				},
    				&panos.AuthenticationPolicyRulesRuleArgs{
    					Name:        pulumi.String("contractor-limited-access"),
    					Description: pulumi.String("Authentication for contractors with restricted access"),
    					SourceZones: pulumi.StringArray{
    						pulumi.String("contractor-zone"),
    					},
    					SourceAddresses: pulumi.StringArray{
    						pulumi.String("contractor-subnet"),
    					},
    					SourceUsers: pulumi.StringArray{
    						pulumi.String("contractor-group"),
    					},
    					DestinationZones: pulumi.StringArray{
    						pulumi.String("dmz"),
    					},
    					DestinationAddresses: pulumi.StringArray{
    						pulumi.String("contractor-apps"),
    					},
    					Services: pulumi.StringArray{
    						pulumi.String("service-https"),
    					},
    					AuthenticationEnforcement: pulumi.String("contractor-auth-profile"),
    					Timeout:                   pulumi.Float64(240),
    					LogAuthenticationTimeout:  pulumi.Bool(true),
    					LogSetting:                pulumi.String("authentication-log-profile"),
    					Tags: pulumi.StringArray{
    						pulumi.String("contractor"),
    						pulumi.String("restricted"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Advanced rule with HIP checks and target restrictions
    		_, err = panos.NewAuthenticationPolicyRules(ctx, "hip_based_auth", &panos.AuthenticationPolicyRulesArgs{
    			Location: &panos.AuthenticationPolicyRulesLocationArgs{
    				DeviceGroup: &panos.AuthenticationPolicyRulesLocationDeviceGroupArgs{
    					Name:     example.Name,
    					Rulebase: pulumi.String("post-rulebase"),
    				},
    			},
    			Position: &panos.AuthenticationPolicyRulesPositionArgs{
    				Where: pulumi.String("last"),
    			},
    			Rules: panos.AuthenticationPolicyRulesRuleArray{
    				&panos.AuthenticationPolicyRulesRuleArgs{
    					Name:        pulumi.String("hip-compliant-devices"),
    					Description: pulumi.String("Allow authenticated access only for HIP-compliant devices"),
    					SourceZones: pulumi.StringArray{
    						pulumi.String("trust"),
    					},
    					SourceAddresses: pulumi.StringArray{
    						pulumi.String("corporate-subnets"),
    					},
    					SourceHips: pulumi.StringArray{
    						pulumi.String("compliant-hip-profile"),
    					},
    					DestinationZones: pulumi.StringArray{
    						pulumi.String("dmz"),
    						pulumi.String("internal"),
    					},
    					DestinationAddresses: pulumi.StringArray{
    						pulumi.String("sensitive-servers"),
    					},
    					DestinationHips: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					Services: pulumi.StringArray{
    						pulumi.String("any"),
    					},
    					SourceUsers: pulumi.StringArray{
    						pulumi.String("domain\\authenticated-users"),
    					},
    					AuthenticationEnforcement: pulumi.String("mfa-auth-profile"),
    					Timeout:                   pulumi.Float64(720),
    					LogAuthenticationTimeout:  pulumi.Bool(true),
    					LogSetting:                pulumi.String("security-log-profile"),
    					Target: &panos.AuthenticationPolicyRulesRuleTargetArgs{
    						Devices: panos.AuthenticationPolicyRulesRuleTargetDeviceArray{
    							&panos.AuthenticationPolicyRulesRuleTargetDeviceArgs{
    								Name: pulumi.String("fw-datacenter-01"),
    								Vsys: panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArray{
    									&panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs{
    										Name: pulumi.String("vsys1"),
    									},
    								},
    							},
    							&panos.AuthenticationPolicyRulesRuleTargetDeviceArgs{
    								Name: pulumi.String("fw-datacenter-02"),
    								Vsys: panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArray{
    									&panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs{
    										Name: pulumi.String("vsys1"),
    									},
    									&panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs{
    										Name: pulumi.String("vsys2"),
    									},
    								},
    							},
    						},
    						Negate: pulumi.Bool(false),
    						Tags: pulumi.StringArray{
    							pulumi.String("production"),
    						},
    					},
    					Tags: pulumi.StringArray{
    						pulumi.String("hip-required"),
    						pulumi.String("production"),
    						pulumi.String("authenticated"),
    					},
    				},
    				&panos.AuthenticationPolicyRulesRuleArgs{
    					Name:        pulumi.String("non-compliant-redirect"),
    					Description: pulumi.String("Redirect non-compliant devices to remediation portal"),
    					SourceZones: pulumi.StringArray{
    						pulumi.String("trust"),
    					},
    					SourceAddresses: pulumi.StringArray{
    						pulumi.String("corporate-subnets"),
    					},
    					NegateSource: pulumi.Bool(false),
    					DestinationZones: pulumi.StringArray{
    						pulumi.String("remediation"),
    					},
    					DestinationAddresses: pulumi.StringArray{
    						pulumi.String("remediation-portal"),
    					},
    					NegateDestination: pulumi.Bool(false),
    					Services: pulumi.StringArray{
    						pulumi.String("service-http"),
    						pulumi.String("service-https"),
    					},
    					AuthenticationEnforcement: pulumi.String("remediation-auth-profile"),
    					Timeout:                   pulumi.Float64(60),
    					LogAuthenticationTimeout:  pulumi.Bool(true),
    					Disabled:                  pulumi.Bool(false),
    					Tags: pulumi.StringArray{
    						pulumi.String("remediation"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
C#:

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Panos = Pulumi.Panos;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Panos.DeviceGroup("example", new()
        {
            Location = new Panos.Inputs.DeviceGroupLocationArgs
            {
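                // Empty Panorama location block, matching `panorama: {}` in the other languages
                Panorama = new Panos.Inputs.DeviceGroupLocationPanoramaArgs(),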
            },
            Name = "example-device-group",
        });
    
        // Manage a group of authentication policy rules with positioning
        // Place the rule group at the top of the pre-rulebase
        var guestNetwork = new Panos.AuthenticationPolicyRules("guest_network", new()
        {
            Location = new Panos.Inputs.AuthenticationPolicyRulesLocationArgs
            {
                DeviceGroup = new Panos.Inputs.AuthenticationPolicyRulesLocationDeviceGroupArgs
                {
                    Name = example.Name,
                    Rulebase = "pre-rulebase",
                },
            },
            Position = new Panos.Inputs.AuthenticationPolicyRulesPositionArgs
            {
                Where = "first",
            },
            Rules = new[]
            {
                new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
                {
                    Name = "guest-wifi-auth",
                    Description = "Require authentication for guest WiFi users",
                    SourceZones = new[]
                    {
                        "guest-zone",
                    },
                    SourceAddresses = new[]
                    {
                        "guest-network",
                    },
                    DestinationZones = new[]
                    {
                        "untrust",
                    },
                    DestinationAddresses = new[]
                    {
                        "any",
                    },
                    Services = new[]
                    {
                        "any",
                    },
                    AuthenticationEnforcement = "guest-captive-portal",
                    Timeout = 480,
                    LogAuthenticationTimeout = true,
                    LogSetting = "authentication-log-profile",
                },
            },
        });
    
        // Place the rule group after a specific rule
        var corporateUsers = new Panos.AuthenticationPolicyRules("corporate_users", new()
        {
            Location = new Panos.Inputs.AuthenticationPolicyRulesLocationArgs
            {
                DeviceGroup = new Panos.Inputs.AuthenticationPolicyRulesLocationDeviceGroupArgs
                {
                    Name = example.Name,
                    Rulebase = "pre-rulebase",
                },
            },
            Position = new Panos.Inputs.AuthenticationPolicyRulesPositionArgs
            {
                Where = "after",
                Directly = true,
                Pivot = "guest-wifi-auth",
            },
            Rules = new[]
            {
                new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
                {
                    Name = "employee-byod-auth",
                    Description = "Authentication for employee BYOD devices",
                    SourceZones = new[]
                    {
                        "byod-zone",
                    },
                    SourceAddresses = new[]
                    {
                        "byod-subnet",
                    },
                    SourceUsers = new[]
                    {
                        "any",
                    },
                    DestinationZones = new[]
                    {
                        "internal",
                        "dmz",
                    },
                    DestinationAddresses = new[]
                    {
                        "corporate-apps",
                    },
                    Services = new[]
                    {
                        "any",
                    },
                    Categories = new[]
                    {
                        "business-and-economy",
                        "computer-and-internet-info",
                    },
                    AuthenticationEnforcement = "corporate-auth-profile",
                    Timeout = 1440,
                    LogAuthenticationTimeout = false,
                    Tags = new[]
                    {
                        "byod",
                        "corporate",
                    },
                },
                new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
                {
                    Name = "contractor-limited-access",
                    Description = "Authentication for contractors with restricted access",
                    SourceZones = new[]
                    {
                        "contractor-zone",
                    },
                    SourceAddresses = new[]
                    {
                        "contractor-subnet",
                    },
                    SourceUsers = new[]
                    {
                        "contractor-group",
                    },
                    DestinationZones = new[]
                    {
                        "dmz",
                    },
                    DestinationAddresses = new[]
                    {
                        "contractor-apps",
                    },
                    Services = new[]
                    {
                        "service-https",
                    },
                    AuthenticationEnforcement = "contractor-auth-profile",
                    Timeout = 240,
                    LogAuthenticationTimeout = true,
                    LogSetting = "authentication-log-profile",
                    Tags = new[]
                    {
                        "contractor",
                        "restricted",
                    },
                },
            },
        });
    
        // Advanced rule with HIP checks and target restrictions
        var hipBasedAuth = new Panos.AuthenticationPolicyRules("hip_based_auth", new()
        {
            Location = new Panos.Inputs.AuthenticationPolicyRulesLocationArgs
            {
                DeviceGroup = new Panos.Inputs.AuthenticationPolicyRulesLocationDeviceGroupArgs
                {
                    Name = example.Name,
                    Rulebase = "post-rulebase",
                },
            },
            Position = new Panos.Inputs.AuthenticationPolicyRulesPositionArgs
            {
                Where = "last",
            },
            Rules = new[]
            {
                new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
                {
                    Name = "hip-compliant-devices",
                    Description = "Allow authenticated access only for HIP-compliant devices",
                    SourceZones = new[]
                    {
                        "trust",
                    },
                    SourceAddresses = new[]
                    {
                        "corporate-subnets",
                    },
                    SourceHips = new[]
                    {
                        "compliant-hip-profile",
                    },
                    DestinationZones = new[]
                    {
                        "dmz",
                        "internal",
                    },
                    DestinationAddresses = new[]
                    {
                        "sensitive-servers",
                    },
                    DestinationHips = new[]
                    {
                        "any",
                    },
                    Services = new[]
                    {
                        "any",
                    },
                    SourceUsers = new[]
                    {
                        "domain\\authenticated-users",
                    },
                    AuthenticationEnforcement = "mfa-auth-profile",
                    Timeout = 720,
                    LogAuthenticationTimeout = true,
                    LogSetting = "security-log-profile",
                    Target = new Panos.Inputs.AuthenticationPolicyRulesRuleTargetArgs
                    {
                        Devices = new[]
                        {
                            new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceArgs
                            {
                                Name = "fw-datacenter-01",
                                Vsys = new[]
                                {
                                    new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs
                                    {
                                        Name = "vsys1",
                                    },
                                },
                            },
                            new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceArgs
                            {
                                Name = "fw-datacenter-02",
                                Vsys = new[]
                                {
                                    new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs
                                    {
                                        Name = "vsys1",
                                    },
                                    new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs
                                    {
                                        Name = "vsys2",
                                    },
                                },
                            },
                        },
                        Negate = false,
                        Tags = new[]
                        {
                            "production",
                        },
                    },
                    Tags = new[]
                    {
                        "hip-required",
                        "production",
                        "authenticated",
                    },
                },
                new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
                {
                    Name = "non-compliant-redirect",
                    Description = "Redirect non-compliant devices to remediation portal",
                    SourceZones = new[]
                    {
                        "trust",
                    },
                    SourceAddresses = new[]
                    {
                        "corporate-subnets",
                    },
                    NegateSource = false,
                    DestinationZones = new[]
                    {
                        "remediation",
                    },
                    DestinationAddresses = new[]
                    {
                        "remediation-portal",
                    },
                    NegateDestination = false,
                    Services = new[]
                    {
                        "service-http",
                        "service-https",
                    },
                    AuthenticationEnforcement = "remediation-auth-profile",
                    Timeout = 60,
                    LogAuthenticationTimeout = true,
                    Disabled = false,
                    Tags = new[]
                    {
                        "remediation",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.panos.DeviceGroup;
    import com.pulumi.panos.DeviceGroupArgs;
    import com.pulumi.panos.inputs.DeviceGroupLocationArgs;
    import com.pulumi.panos.inputs.DeviceGroupLocationPanoramaArgs;
    import com.pulumi.panos.AuthenticationPolicyRules;
    import com.pulumi.panos.AuthenticationPolicyRulesArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesLocationArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesLocationDeviceGroupArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesPositionArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesRuleArgs;
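    import com.pulumi.panos.inputs.AuthenticationPolicyRulesRuleTargetArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesRuleTargetDeviceArgs;
    import com.pulumi.panos.inputs.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs;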
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new DeviceGroup("example", DeviceGroupArgs.builder()
                .location(DeviceGroupLocationArgs.builder()
                    .panorama(DeviceGroupLocationPanoramaArgs.builder()
                        .build())
                    .build())
                .name("example-device-group")
                .build());
    
            // Manage a group of authentication policy rules with positioning
            // Place the rule group at the top of the pre-rulebase
            var guestNetwork = new AuthenticationPolicyRules("guestNetwork", AuthenticationPolicyRulesArgs.builder()
                .location(AuthenticationPolicyRulesLocationArgs.builder()
                    .deviceGroup(AuthenticationPolicyRulesLocationDeviceGroupArgs.builder()
                        .name(example.name())
                        .rulebase("pre-rulebase")
                        .build())
                    .build())
                .position(AuthenticationPolicyRulesPositionArgs.builder()
                    .where("first")
                    .build())
                .rules(AuthenticationPolicyRulesRuleArgs.builder()
                    .name("guest-wifi-auth")
                    .description("Require authentication for guest WiFi users")
                    .sourceZones("guest-zone")
                    .sourceAddresses("guest-network")
                    .destinationZones("untrust")
                    .destinationAddresses("any")
                    .services("any")
                    .authenticationEnforcement("guest-captive-portal")
                    .timeout(480.0)
                    .logAuthenticationTimeout(true)
                    .logSetting("authentication-log-profile")
                    .build())
                .build());
    
            // Place the rule group after a specific rule
            var corporateUsers = new AuthenticationPolicyRules("corporateUsers", AuthenticationPolicyRulesArgs.builder()
                .location(AuthenticationPolicyRulesLocationArgs.builder()
                    .deviceGroup(AuthenticationPolicyRulesLocationDeviceGroupArgs.builder()
                        .name(example.name())
                        .rulebase("pre-rulebase")
                        .build())
                    .build())
                .position(AuthenticationPolicyRulesPositionArgs.builder()
                    .where("after")
                    .directly(true)
                    .pivot("guest-wifi-auth")
                    .build())
                .rules(            
                    AuthenticationPolicyRulesRuleArgs.builder()
                        .name("employee-byod-auth")
                        .description("Authentication for employee BYOD devices")
                        .sourceZones("byod-zone")
                        .sourceAddresses("byod-subnet")
                        .sourceUsers("any")
                        .destinationZones(                    
                            "internal",
                            "dmz")
                        .destinationAddresses("corporate-apps")
                        .services("any")
                        .categories(                    
                            "business-and-economy",
                            "computer-and-internet-info")
                        .authenticationEnforcement("corporate-auth-profile")
                        .timeout(1440.0)
                        .logAuthenticationTimeout(false)
                        .tags(                    
                            "byod",
                            "corporate")
                        .build(),
                    AuthenticationPolicyRulesRuleArgs.builder()
                        .name("contractor-limited-access")
                        .description("Authentication for contractors with restricted access")
                        .sourceZones("contractor-zone")
                        .sourceAddresses("contractor-subnet")
                        .sourceUsers("contractor-group")
                        .destinationZones("dmz")
                        .destinationAddresses("contractor-apps")
                        .services("service-https")
                        .authenticationEnforcement("contractor-auth-profile")
                        .timeout(240.0)
                        .logAuthenticationTimeout(true)
                        .logSetting("authentication-log-profile")
                        .tags(                    
                            "contractor",
                            "restricted")
                        .build())
                .build());
    
            // Advanced rule with HIP checks and target restrictions
            var hipBasedAuth = new AuthenticationPolicyRules("hipBasedAuth", AuthenticationPolicyRulesArgs.builder()
                .location(AuthenticationPolicyRulesLocationArgs.builder()
                    .deviceGroup(AuthenticationPolicyRulesLocationDeviceGroupArgs.builder()
                        .name(example.name())
                        .rulebase("post-rulebase")
                        .build())
                    .build())
                .position(AuthenticationPolicyRulesPositionArgs.builder()
                    .where("last")
                    .build())
                .rules(            
                    AuthenticationPolicyRulesRuleArgs.builder()
                        .name("hip-compliant-devices")
                        .description("Allow authenticated access only for HIP-compliant devices")
                        .sourceZones("trust")
                        .sourceAddresses("corporate-subnets")
                        .sourceHips("compliant-hip-profile")
                        .destinationZones(                    
                            "dmz",
                            "internal")
                        .destinationAddresses("sensitive-servers")
                        .destinationHips("any")
                        .services("any")
                        .sourceUsers("domain\\authenticated-users")
                        .authenticationEnforcement("mfa-auth-profile")
                        .timeout(720.0)
                        .logAuthenticationTimeout(true)
                        .logSetting("security-log-profile")
                        .target(AuthenticationPolicyRulesRuleTargetArgs.builder()
                            .devices(                        
                                AuthenticationPolicyRulesRuleTargetDeviceArgs.builder()
                                    .name("fw-datacenter-01")
                                    .vsys(AuthenticationPolicyRulesRuleTargetDeviceVsyArgs.builder()
                                        .name("vsys1")
                                        .build())
                                    .build(),
                                AuthenticationPolicyRulesRuleTargetDeviceArgs.builder()
                                    .name("fw-datacenter-02")
                                    .vsys(                                
                                        AuthenticationPolicyRulesRuleTargetDeviceVsyArgs.builder()
                                            .name("vsys1")
                                            .build(),
                                        AuthenticationPolicyRulesRuleTargetDeviceVsyArgs.builder()
                                            .name("vsys2")
                                            .build())
                                    .build())
                            .negate(false)
                            .tags("production")
                            .build())
                        .tags(                    
                            "hip-required",
                            "production",
                            "authenticated")
                        .build(),
                    AuthenticationPolicyRulesRuleArgs.builder()
                        .name("non-compliant-redirect")
                        .description("Redirect non-compliant devices to remediation portal")
                        .sourceZones("trust")
                        .sourceAddresses("corporate-subnets")
                        .negateSource(false)
                        .destinationZones("remediation")
                        .destinationAddresses("remediation-portal")
                        .negateDestination(false)
                        .services(                    
                            "service-http",
                            "service-https")
                        .authenticationEnforcement("remediation-auth-profile")
                        .timeout(60.0)
                        .logAuthenticationTimeout(true)
                        .disabled(false)
                        .tags("remediation")
                        .build())
                .build());
    
        }
    }
    
    resources:
      # Manage a group of authentication policy rules with positioning
    
      ## Place the rule group at the top of the pre-rulebase
      guestNetwork:
        type: panos:AuthenticationPolicyRules
        name: guest_network
        properties:
          location:
            deviceGroup:
              name: ${example.name}
              rulebase: pre-rulebase
          position:
            where: first
          rules:
            - name: guest-wifi-auth
              description: Require authentication for guest WiFi users
              sourceZones:
                - guest-zone
              sourceAddresses:
                - guest-network
              destinationZones:
                - untrust
              destinationAddresses:
                - any
              services:
                - any
              authenticationEnforcement: guest-captive-portal
              timeout: 480
              logAuthenticationTimeout: true
              logSetting: authentication-log-profile
      ## Place the rule group after a specific rule
      corporateUsers:
        type: panos:AuthenticationPolicyRules
        name: corporate_users
        properties:
          location:
            deviceGroup:
              name: ${example.name}
              rulebase: pre-rulebase
          position:
            where: after
            directly: true
            pivot: guest-wifi-auth
          rules:
            - name: employee-byod-auth
              description: Authentication for employee BYOD devices
              sourceZones:
                - byod-zone
              sourceAddresses:
                - byod-subnet
              sourceUsers:
                - any
              destinationZones:
                - internal
                - dmz
              destinationAddresses:
                - corporate-apps
              services:
                - any
              categories:
                - business-and-economy
                - computer-and-internet-info
              authenticationEnforcement: corporate-auth-profile
              timeout: 1440
              logAuthenticationTimeout: false
              tags:
                - byod
                - corporate
            - name: contractor-limited-access
              description: Authentication for contractors with restricted access
              sourceZones:
                - contractor-zone
              sourceAddresses:
                - contractor-subnet
              sourceUsers:
                - contractor-group
              destinationZones:
                - dmz
              destinationAddresses:
                - contractor-apps
              services:
                - service-https
              authenticationEnforcement: contractor-auth-profile
              timeout: 240
              logAuthenticationTimeout: true
              logSetting: authentication-log-profile
              tags:
                - contractor
                - restricted
      ## Advanced rule with HIP checks and target restrictions
      hipBasedAuth:
        type: panos:AuthenticationPolicyRules
        name: hip_based_auth
        properties:
          location:
            deviceGroup:
              name: ${example.name}
              rulebase: post-rulebase
          position:
            where: last
          rules:
            - name: hip-compliant-devices
              description: Allow authenticated access only for HIP-compliant devices
              sourceZones:
                - trust
              sourceAddresses:
                - corporate-subnets
              sourceHips:
                - compliant-hip-profile
              destinationZones:
                - dmz
                - internal
              destinationAddresses:
                - sensitive-servers
              destinationHips:
                - any
              services:
                - any
              sourceUsers:
                - domain\authenticated-users
              authenticationEnforcement: mfa-auth-profile
              timeout: 720
              logAuthenticationTimeout: true
              logSetting: security-log-profile
              target:
                devices:
                  - name: fw-datacenter-01
                    vsys:
                      - name: vsys1
                  - name: fw-datacenter-02
                    vsys:
                      - name: vsys1
                      - name: vsys2
                negate: false
                tags:
                  - production
              tags:
                - hip-required
                - production
                - authenticated
            - name: non-compliant-redirect
              description: Redirect non-compliant devices to remediation portal
              sourceZones:
                - trust
              sourceAddresses:
                - corporate-subnets
              negateSource: false
              destinationZones:
                - remediation
              destinationAddresses:
                - remediation-portal
              negateDestination: false
              services:
                - service-http
                - service-https
              authenticationEnforcement: remediation-auth-profile
              timeout: 60
              logAuthenticationTimeout: true
              disabled: false
              tags:
                - remediation
      example:
        type: panos:DeviceGroup
        properties:
          location:
            panorama: {}
          name: example-device-group
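
A review-time check over the rule groups defined in the example usage above, as an added example that is not part of the provider or its documentation. It flags rules that do not log authentication timeouts, have no log setting, or exceed a timeout limit, and `before`/`after` groups whose pivot is not among the managed rules. The interfaces, finding codes and the limit of 720 are assumptions; the sample data is constructed from the values on this page.

```typescript
// Added example. Field names follow the rule arguments shown on this page;
// the interfaces, finding codes and the timeout limit are assumptions.
interface AuthRule {
    name: string;
    timeout?: number;
    logAuthenticationTimeout?: boolean;
    logSetting?: string;
    disabled?: boolean;
}

interface RuleGroup {
    label: string;    // Pulumi resource name, used only in findings
    rulebase: string; // "pre-rulebase" or "post-rulebase"
    position: { where: string; pivot?: string };
    rules: AuthRule[];
}

interface Finding {
    subject: string;  // rule name, or group label for positioning findings
    code: string;
}

// maxTimeout is a hypothetical team limit in the same unit as a rule's `timeout`.
function lintGroups(groups: RuleGroup[], maxTimeout: number): Finding[] {
    const findings: Finding[] = [];
    const managed: { [key: string]: boolean } = {};

    // Pass 1: index every managed rule by rulebase so pivots can be resolved.
    for (const group of groups) {
        for (const rule of group.rules) {
            const key = group.rulebase + "/" + rule.name;
            if (managed[key]) {
                findings.push({ subject: rule.name, code: "DUPLICATE_NAME" });
            }
            managed[key] = true;
        }
    }

    // Pass 2: positioning checks, then logging and timeout checks per rule.
    for (const group of groups) {
        const where = group.position.where;
        if (where === "before" || where === "after") {
            const pivot = group.position.pivot;
            if (pivot === undefined || pivot === "") {
                findings.push({ subject: group.label, code: "PIVOT_MISSING" });
            } else if (!managed[group.rulebase + "/" + pivot]) {
                // The pivot may be managed outside this program; flag it for review.
                findings.push({ subject: group.label, code: "PIVOT_UNMANAGED" });
            }
        }
        for (const rule of group.rules) {
            if (rule.disabled === true) {
                continue; // disabled rules are skipped by this check
            }
            if (rule.timeout !== undefined && rule.timeout > maxTimeout) {
                findings.push({ subject: rule.name, code: "TIMEOUT_TOO_LONG" });
            }
            // An unset value is treated as "not enabled" (assumption of this check).
            if (rule.logAuthenticationTimeout !== true) {
                findings.push({ subject: rule.name, code: "TIMEOUT_NOT_LOGGED" });
            }
            if (rule.logSetting === undefined || rule.logSetting === "") {
                findings.push({ subject: rule.name, code: "NO_LOG_SETTING" });
            }
        }
    }
    return findings;
}

// Sample input constructed from the three rule groups in the example usage.
function sampleGroups(): RuleGroup[] {
    const authLog = "authentication-log-profile";
    return [
        { label: "guest_network", rulebase: "pre-rulebase", position: { where: "first" }, rules: [
            { name: "guest-wifi-auth", timeout: 480, logAuthenticationTimeout: true, logSetting: authLog },
        ] },
        { label: "corporate_users", rulebase: "pre-rulebase",
          position: { where: "after", pivot: "guest-wifi-auth" }, rules: [
            { name: "employee-byod-auth", timeout: 1440, logAuthenticationTimeout: false },
            { name: "contractor-limited-access", timeout: 240, logAuthenticationTimeout: true, logSetting: authLog },
        ] },
        { label: "hip_based_auth", rulebase: "post-rulebase", position: { where: "last" }, rules: [
            { name: "hip-compliant-devices", timeout: 720, logAuthenticationTimeout: true, logSetting: "security-log-profile" },
            { name: "non-compliant-redirect", timeout: 60, logAuthenticationTimeout: true, disabled: false },
        ] },
    ];
}

// Comma-separated finding codes for one rule or group, in the order reported.
function codesFor(findings: Finding[], subject: string): string {
    return findings
        .filter((f: Finding) => f.subject === subject)
        .map((f: Finding) => f.code)
        .join(",");
}

console.log(lintGroups(sampleGroups(), 720));
```
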
    

    Create AuthenticationPolicyRules Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    TypeScript:

    new AuthenticationPolicyRules(name: string, args: AuthenticationPolicyRulesArgs, opts?: CustomResourceOptions);

    Python:

    @overload
    def AuthenticationPolicyRules(resource_name: str,
                                  args: AuthenticationPolicyRulesArgs,
                                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def AuthenticationPolicyRules(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  location: Optional[AuthenticationPolicyRulesLocationArgs] = None,
                                  position: Optional[AuthenticationPolicyRulesPositionArgs] = None,
                                  rules: Optional[Sequence[AuthenticationPolicyRulesRuleArgs]] = None)

    Go:

    func NewAuthenticationPolicyRules(ctx *Context, name string, args AuthenticationPolicyRulesArgs, opts ...ResourceOption) (*AuthenticationPolicyRules, error)

    C#:

    public AuthenticationPolicyRules(string name, AuthenticationPolicyRulesArgs args, CustomResourceOptions? opts = null)

    Java:

    public AuthenticationPolicyRules(String name, AuthenticationPolicyRulesArgs args)
    public AuthenticationPolicyRules(String name, AuthenticationPolicyRulesArgs args, CustomResourceOptions options)

    YAML:

    type: panos:AuthenticationPolicyRules
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    TypeScript:

    name string
    The unique name of the resource.
    args AuthenticationPolicyRulesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Python:

    resource_name str
    The unique name of the resource.
    args AuthenticationPolicyRulesArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.

    Go:

    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthenticationPolicyRulesArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.

    C#:

    name string
    The unique name of the resource.
    args AuthenticationPolicyRulesArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Java:

    name String
    The unique name of the resource.
    args AuthenticationPolicyRulesArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var authenticationPolicyRulesResource = new Panos.AuthenticationPolicyRules("authenticationPolicyRulesResource", new()
    {
        Location = new Panos.Inputs.AuthenticationPolicyRulesLocationArgs
        {
            DeviceGroup = new Panos.Inputs.AuthenticationPolicyRulesLocationDeviceGroupArgs
            {
                Name = "string",
                PanoramaDevice = "string",
                Rulebase = "string",
            },
            Shared = new Panos.Inputs.AuthenticationPolicyRulesLocationSharedArgs
            {
                Rulebase = "string",
            },
            Vsys = new Panos.Inputs.AuthenticationPolicyRulesLocationVsysArgs
            {
                Name = "string",
                NgfwDevice = "string",
            },
        },
        Position = new Panos.Inputs.AuthenticationPolicyRulesPositionArgs
        {
            Where = "string",
            Directly = false,
            Pivot = "string",
        },
        Rules = new[]
        {
            new Panos.Inputs.AuthenticationPolicyRulesRuleArgs
            {
                Name = "string",
                LogAuthenticationTimeout = false,
                AuditCommentWo = "string",
                Categories = new[]
                {
                    "string",
                },
                Description = "string",
                DestinationAddresses = new[]
                {
                    "string",
                },
                DestinationHips = new[]
                {
                    "string",
                },
                DestinationZones = new[]
                {
                    "string",
                },
                Disabled = false,
                GroupTag = "string",
                NegateDestination = false,
                AuthenticationEnforcement = "string",
                LogSetting = "string",
                AuditCommentVersion = "string",
                NegateSource = false,
                Services = new[]
                {
                    "string",
                },
                SourceAddresses = new[]
                {
                    "string",
                },
                SourceHips = new[]
                {
                    "string",
                },
                SourceUsers = new[]
                {
                    "string",
                },
                SourceZones = new[]
                {
                    "string",
                },
                Tags = new[]
                {
                    "string",
                },
                Target = new Panos.Inputs.AuthenticationPolicyRulesRuleTargetArgs
                {
                    Devices = new[]
                    {
                        new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceArgs
                        {
                            Name = "string",
                            Vsys = new[]
                            {
                                new Panos.Inputs.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs
                                {
                                    Name = "string",
                                },
                            },
                        },
                    },
                    Negate = false,
                    Tags = new[]
                    {
                        "string",
                    },
                },
                Timeout = 0,
            },
        },
    });
    
    example, err := panos.NewAuthenticationPolicyRules(ctx, "authenticationPolicyRulesResource", &panos.AuthenticationPolicyRulesArgs{
    	Location: &panos.AuthenticationPolicyRulesLocationArgs{
    		DeviceGroup: &panos.AuthenticationPolicyRulesLocationDeviceGroupArgs{
    			Name:           pulumi.String("string"),
    			PanoramaDevice: pulumi.String("string"),
    			Rulebase:       pulumi.String("string"),
    		},
    		Shared: &panos.AuthenticationPolicyRulesLocationSharedArgs{
    			Rulebase: pulumi.String("string"),
    		},
    		Vsys: &panos.AuthenticationPolicyRulesLocationVsysArgs{
    			Name:       pulumi.String("string"),
    			NgfwDevice: pulumi.String("string"),
    		},
    	},
    	Position: &panos.AuthenticationPolicyRulesPositionArgs{
    		Where:    pulumi.String("string"),
    		Directly: pulumi.Bool(false),
    		Pivot:    pulumi.String("string"),
    	},
    	Rules: panos.AuthenticationPolicyRulesRuleArray{
    		&panos.AuthenticationPolicyRulesRuleArgs{
    			Name:                     pulumi.String("string"),
    			LogAuthenticationTimeout: pulumi.Bool(false),
    			AuditCommentWo:           pulumi.String("string"),
    			Categories: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Description: pulumi.String("string"),
    			DestinationAddresses: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			DestinationHips: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			DestinationZones: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Disabled:                  pulumi.Bool(false),
    			GroupTag:                  pulumi.String("string"),
    			NegateDestination:         pulumi.Bool(false),
    			AuthenticationEnforcement: pulumi.String("string"),
    			LogSetting:                pulumi.String("string"),
    			AuditCommentVersion:       pulumi.String("string"),
    			NegateSource:              pulumi.Bool(false),
    			Services: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SourceAddresses: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SourceHips: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SourceUsers: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			SourceZones: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Tags: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			Target: &panos.AuthenticationPolicyRulesRuleTargetArgs{
    				Devices: panos.AuthenticationPolicyRulesRuleTargetDeviceArray{
    					&panos.AuthenticationPolicyRulesRuleTargetDeviceArgs{
    						Name: pulumi.String("string"),
    						Vsys: panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArray{
    							&panos.AuthenticationPolicyRulesRuleTargetDeviceVsyArgs{
    								Name: pulumi.String("string"),
    							},
    						},
    					},
    				},
    				Negate: pulumi.Bool(false),
    				Tags: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			Timeout: pulumi.Float64(0),
    		},
    	},
    })
    
    var authenticationPolicyRulesResource = new AuthenticationPolicyRules("authenticationPolicyRulesResource", AuthenticationPolicyRulesArgs.builder()
        .location(AuthenticationPolicyRulesLocationArgs.builder()
            .deviceGroup(AuthenticationPolicyRulesLocationDeviceGroupArgs.builder()
                .name("string")
                .panoramaDevice("string")
                .rulebase("string")
                .build())
            .shared(AuthenticationPolicyRulesLocationSharedArgs.builder()
                .rulebase("string")
                .build())
            .vsys(AuthenticationPolicyRulesLocationVsysArgs.builder()
                .name("string")
                .ngfwDevice("string")
                .build())
            .build())
        .position(AuthenticationPolicyRulesPositionArgs.builder()
            .where("string")
            .directly(false)
            .pivot("string")
            .build())
        .rules(AuthenticationPolicyRulesRuleArgs.builder()
            .name("string")
            .logAuthenticationTimeout(false)
            .auditCommentWo("string")
            .categories("string")
            .description("string")
            .destinationAddresses("string")
            .destinationHips("string")
            .destinationZones("string")
            .disabled(false)
            .groupTag("string")
            .negateDestination(false)
            .authenticationEnforcement("string")
            .logSetting("string")
            .auditCommentVersion("string")
            .negateSource(false)
            .services("string")
            .sourceAddresses("string")
            .sourceHips("string")
            .sourceUsers("string")
            .sourceZones("string")
            .tags("string")
            .target(AuthenticationPolicyRulesRuleTargetArgs.builder()
                .devices(AuthenticationPolicyRulesRuleTargetDeviceArgs.builder()
                    .name("string")
                    .vsys(AuthenticationPolicyRulesRuleTargetDeviceVsyArgs.builder()
                        .name("string")
                        .build())
                    .build())
                .negate(false)
                .tags("string")
                .build())
            .timeout(0.0)
            .build())
        .build());
    
    authentication_policy_rules_resource = panos.AuthenticationPolicyRules("authenticationPolicyRulesResource",
        location={
            "device_group": {
                "name": "string",
                "panorama_device": "string",
                "rulebase": "string",
            },
            "shared": {
                "rulebase": "string",
            },
            "vsys": {
                "name": "string",
                "ngfw_device": "string",
            },
        },
        position={
            "where": "string",
            "directly": False,
            "pivot": "string",
        },
        rules=[{
            "name": "string",
            "log_authentication_timeout": False,
            "audit_comment_wo": "string",
            "categories": ["string"],
            "description": "string",
            "destination_addresses": ["string"],
            "destination_hips": ["string"],
            "destination_zones": ["string"],
            "disabled": False,
            "group_tag": "string",
            "negate_destination": False,
            "authentication_enforcement": "string",
            "log_setting": "string",
            "audit_comment_version": "string",
            "negate_source": False,
            "services": ["string"],
            "source_addresses": ["string"],
            "source_hips": ["string"],
            "source_users": ["string"],
            "source_zones": ["string"],
            "tags": ["string"],
            "target": {
                "devices": [{
                    "name": "string",
                    "vsys": [{
                        "name": "string",
                    }],
                }],
                "negate": False,
                "tags": ["string"],
            },
            "timeout": float(0),
        }])
    
    const authenticationPolicyRulesResource = new panos.AuthenticationPolicyRules("authenticationPolicyRulesResource", {
        location: {
            deviceGroup: {
                name: "string",
                panoramaDevice: "string",
                rulebase: "string",
            },
            shared: {
                rulebase: "string",
            },
            vsys: {
                name: "string",
                ngfwDevice: "string",
            },
        },
        position: {
            where: "string",
            directly: false,
            pivot: "string",
        },
        rules: [{
            name: "string",
            logAuthenticationTimeout: false,
            auditCommentWo: "string",
            categories: ["string"],
            description: "string",
            destinationAddresses: ["string"],
            destinationHips: ["string"],
            destinationZones: ["string"],
            disabled: false,
            groupTag: "string",
            negateDestination: false,
            authenticationEnforcement: "string",
            logSetting: "string",
            auditCommentVersion: "string",
            negateSource: false,
            services: ["string"],
            sourceAddresses: ["string"],
            sourceHips: ["string"],
            sourceUsers: ["string"],
            sourceZones: ["string"],
            tags: ["string"],
            target: {
                devices: [{
                    name: "string",
                    vsys: [{
                        name: "string",
                    }],
                }],
                negate: false,
                tags: ["string"],
            },
            timeout: 0,
        }],
    });
    
    type: panos:AuthenticationPolicyRules
    properties:
        location:
            deviceGroup:
                name: string
                panoramaDevice: string
                rulebase: string
            shared:
                rulebase: string
            vsys:
                name: string
                ngfwDevice: string
        position:
            directly: false
            pivot: string
            where: string
        rules:
            - auditCommentVersion: string
              auditCommentWo: string
              authenticationEnforcement: string
              categories:
                - string
              description: string
              destinationAddresses:
                - string
              destinationHips:
                - string
              destinationZones:
                - string
              disabled: false
              groupTag: string
              logAuthenticationTimeout: false
              logSetting: string
              name: string
              negateDestination: false
              negateSource: false
              services:
                - string
              sourceAddresses:
                - string
              sourceHips:
                - string
              sourceUsers:
                - string
              sourceZones:
                - string
              tags:
                - string
              target:
                devices:
                    - name: string
                      vsys:
                        - name: string
                negate: false
                tags:
                    - string
              timeout: 0
    

    AuthenticationPolicyRules Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AuthenticationPolicyRules resource accepts the following input properties:

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthenticationPolicyRules resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.

    Look up Existing AuthenticationPolicyRules Resource

    Get an existing AuthenticationPolicyRules resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthenticationPolicyRulesState, opts?: CustomResourceOptions): AuthenticationPolicyRules
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            location: Optional[AuthenticationPolicyRulesLocationArgs] = None,
            position: Optional[AuthenticationPolicyRulesPositionArgs] = None,
            rules: Optional[Sequence[AuthenticationPolicyRulesRuleArgs]] = None) -> AuthenticationPolicyRules
    func GetAuthenticationPolicyRules(ctx *Context, name string, id IDInput, state *AuthenticationPolicyRulesState, opts ...ResourceOption) (*AuthenticationPolicyRules, error)
    public static AuthenticationPolicyRules Get(string name, Input<string> id, AuthenticationPolicyRulesState? state, CustomResourceOptions? opts = null)
    public static AuthenticationPolicyRules get(String name, Output<String> id, AuthenticationPolicyRulesState state, CustomResourceOptions options)
    resources:
      _:
        type: panos:AuthenticationPolicyRules
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    The following state arguments are supported:

    Supporting Types

    AuthenticationPolicyRulesLocation, AuthenticationPolicyRulesLocationArgs

    DeviceGroup AuthenticationPolicyRulesLocationDeviceGroup
    Located in a specific device group rulebase
    Shared AuthenticationPolicyRulesLocationShared
    Located in a shared rulebase
    Vsys AuthenticationPolicyRulesLocationVsys
    Located in a specific vsys rulebase
    deviceGroup AuthenticationPolicyRulesLocationDeviceGroup
    Located in a specific device group rulebase
    shared AuthenticationPolicyRulesLocationShared
    Located in a shared rulebase
    vsys AuthenticationPolicyRulesLocationVsys
    Located in a specific vsys rulebase
    device_group AuthenticationPolicyRulesLocationDeviceGroup
    Located in a specific device group rulebase
    shared AuthenticationPolicyRulesLocationShared
    Located in a shared rulebase
    vsys AuthenticationPolicyRulesLocationVsys
    Located in a specific vsys rulebase
    deviceGroup Property Map
    Located in a specific device group rulebase
    shared Property Map
    Located in a shared rulebase
    vsys Property Map
    Located in a specific vsys rulebase

    AuthenticationPolicyRulesLocationDeviceGroup, AuthenticationPolicyRulesLocationDeviceGroupArgs

    Name string
    The device group name
    PanoramaDevice string
    The panorama device
    Rulebase string
    The rulebase
    name String
    The device group name
    panoramaDevice String
    The panorama device
    rulebase String
    The rulebase
    name string
    The device group name
    panoramaDevice string
    The panorama device
    rulebase string
    The rulebase
    name str
    The device group name
    panorama_device str
    The panorama device
    rulebase str
    The rulebase

    AuthenticationPolicyRulesLocationShared, AuthenticationPolicyRulesLocationSharedArgs

    Rulebase string
    Rulebase name
    rulebase String
    Rulebase name
    rulebase string
    Rulebase name
    rulebase str
    Rulebase name

    AuthenticationPolicyRulesLocationVsys, AuthenticationPolicyRulesLocationVsysArgs

    Name string
    The vsys name
    NgfwDevice string
    The NGFW device
    name String
    The vsys name
    ngfwDevice String
    The NGFW device
    name string
    The vsys name
    ngfwDevice string
    The NGFW device
    name str
    The vsys name
    ngfw_device str
    The NGFW device

    AuthenticationPolicyRulesPosition, AuthenticationPolicyRulesPositionArgs

    Where string
    Directly bool
    Pivot string
    where String
    directly Boolean
    pivot String
    where string
    directly boolean
    pivot string
    where str
    directly bool
    pivot str

    AuthenticationPolicyRulesRule, AuthenticationPolicyRulesRuleArgs

    Name string
    AuditCommentVersion string
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    AuditCommentWo string
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    AuthenticationEnforcement string
    Authentication enforcement object to use for authentication.
    Categories List<string>
    Description string
    DestinationAddresses List<string>
    DestinationHips List<string>
    DestinationZones List<string>
    Disabled bool
    Disable the rule
    GroupTag string
    LogAuthenticationTimeout bool
    LogSetting string
    Log setting for forwarding authentication logs
    NegateDestination bool
    NegateSource bool
    Services List<string>
    SourceAddresses List<string>
    SourceHips List<string>
    SourceUsers List<string>
    SourceZones List<string>
    Tags List<string>
    Target AuthenticationPolicyRulesRuleTarget
    Timeout double
    expiration timer (minutes)
    Name string
    AuditCommentVersion string
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    AuditCommentWo string
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    AuthenticationEnforcement string
    Authentication enforcement object to use for authentication.
    Categories []string
    Description string
    DestinationAddresses []string
    DestinationHips []string
    DestinationZones []string
    Disabled bool
    Disable the rule
    GroupTag string
    LogAuthenticationTimeout bool
    LogSetting string
    Log setting for forwarding authentication logs
    NegateDestination bool
    NegateSource bool
    Services []string
    SourceAddresses []string
    SourceHips []string
    SourceUsers []string
    SourceZones []string
    Tags []string
    Target AuthenticationPolicyRulesRuleTarget
    Timeout float64
    expiration timer (minutes)
    name String
    auditCommentVersion String
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    auditCommentWo String
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    authenticationEnforcement String
    Authentication enforcement object to use for authentication.
    categories List<String>
    description String
    destinationAddresses List<String>
    destinationHips List<String>
    destinationZones List<String>
    disabled Boolean
    Disable the rule
    groupTag String
    logAuthenticationTimeout Boolean
    logSetting String
    Log setting for forwarding authentication logs
    negateDestination Boolean
    negateSource Boolean
    services List<String>
    sourceAddresses List<String>
    sourceHips List<String>
    sourceUsers List<String>
    sourceZones List<String>
    tags List<String>
    target AuthenticationPolicyRulesRuleTarget
    timeout Double
    expiration timer (minutes)
    name string
    auditCommentVersion string
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    auditCommentWo string
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    authenticationEnforcement string
    Authentication enforcement object to use for authentication.
    categories string[]
    description string
    destinationAddresses string[]
    destinationHips string[]
    destinationZones string[]
    disabled boolean
    Disable the rule
    groupTag string
    logAuthenticationTimeout boolean
    logSetting string
    Log setting for forwarding authentication logs
    negateDestination boolean
    negateSource boolean
    services string[]
    sourceAddresses string[]
    sourceHips string[]
    sourceUsers string[]
    sourceZones string[]
    tags string[]
    target AuthenticationPolicyRulesRuleTarget
    timeout number
    expiration timer (minutes)
    name str
    audit_comment_version str
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    audit_comment_wo str
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    authentication_enforcement str
    Authentication enforcement object to use for authentication.
    categories Sequence[str]
    description str
    destination_addresses Sequence[str]
    destination_hips Sequence[str]
    destination_zones Sequence[str]
    disabled bool
    Disable the rule
    group_tag str
    log_authentication_timeout bool
    log_setting str
    Log setting for forwarding authentication logs
    negate_destination bool
    negate_source bool
    services Sequence[str]
    source_addresses Sequence[str]
    source_hips Sequence[str]
    source_users Sequence[str]
    source_zones Sequence[str]
    tags Sequence[str]
    target AuthenticationPolicyRulesRuleTarget
    timeout float
    expiration timer (minutes)
    name String
    auditCommentVersion String
    Version trigger for audit comments. Change this value to send the audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
    auditCommentWo String
    Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
    authenticationEnforcement String
    Authentication enforcement object to use for authentication.
    categories List<String>
    description String
    destinationAddresses List<String>
    destinationHips List<String>
    destinationZones List<String>
    disabled Boolean
    Disable the rule
    groupTag String
    logAuthenticationTimeout Boolean
    logSetting String
    Log setting for forwarding authentication logs
    negateDestination Boolean
    negateSource Boolean
    services List<String>
    sourceAddresses List<String>
    sourceHips List<String>
    sourceUsers List<String>
    sourceZones List<String>
    tags List<String>
    target Property Map
    timeout Number
    expiration timer (minutes)

    AuthenticationPolicyRulesRuleTarget, AuthenticationPolicyRulesRuleTargetArgs

    Devices List<AuthenticationPolicyRulesRuleTargetDevice>
    Negate bool
    Target to all but these specified devices and tags
    Tags List<string>
    Devices []AuthenticationPolicyRulesRuleTargetDevice
    Negate bool
    Target to all but these specified devices and tags
    Tags []string
    devices List<AuthenticationPolicyRulesRuleTargetDevice>
    negate Boolean
    Target to all but these specified devices and tags
    tags List<String>
    devices AuthenticationPolicyRulesRuleTargetDevice[]
    negate boolean
    Target to all but these specified devices and tags
    tags string[]
    devices Sequence[AuthenticationPolicyRulesRuleTargetDevice]
    negate bool
    Target to all but these specified devices and tags
    tags Sequence[str]
    devices List<Property Map>
    negate Boolean
    Target to all but these specified devices and tags
    tags List<String>

    AuthenticationPolicyRulesRuleTargetDevice, AuthenticationPolicyRulesRuleTargetDeviceArgs

    AuthenticationPolicyRulesRuleTargetDeviceVsy, AuthenticationPolicyRulesRuleTargetDeviceVsyArgs

    Name string
    name String
    name string
    name str

    Import

    A set of authentication policy rules can be imported by providing the following base64-encoded object as the ID:

    {
        location = {
            device_group = {
                name = "example-device-group"
                rulebase = "pre-rulebase"
                panorama_device = "localhost.localdomain"
            }
        }
        position = { where = "after", directly = true, pivot = "guest-wifi-auth" }
        names = [
            "employee-byod-auth",
            "contractor-limited-access"
        ]
    }

    # GNU base64 wraps its output at 76 columns; tr removes the line breaks so the ID stays a single argument.
    $ pulumi import panos:index/authenticationPolicyRules:AuthenticationPolicyRules corporate_users "$(echo '{"location":{"device_group":{"name":"example-device-group","panorama_device":"localhost.localdomain","rulebase":"pre-rulebase"}},"names":["employee-byod-auth","contractor-limited-access"],"position":{"directly":true,"pivot":"guest-wifi-auth","where":"after"}}' | base64 | tr -d '\n')"
    

    To learn more about importing existing cloud resources, see Importing resources.
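The import ID described above, as an added example that is not part of the provider's documentation: it builds the base64 object as one unwrapped string and decodes an existing ID so the location, position and rule names can be reviewed before an import. The helper names, the accepted `where` values and the one-location check are assumptions.

```python
import base64
import json

# Assumptions (not stated on the page): the accepted `where` values and
# the rule that exactly one location kind is given.
WHERE_VALUES = {"first", "last", "before", "after"}
LOCATION_KINDS = {"device_group", "shared", "vsys"}


def build_import_id(location, position, names):
    """Return the import ID as one unwrapped base64 string."""
    if len(location) != 1 or not set(location) <= LOCATION_KINDS:
        raise ValueError("location needs exactly one of %s" % sorted(LOCATION_KINDS))
    where = position.get("where")
    if where not in WHERE_VALUES:
        raise ValueError("unsupported position.where: %r" % (where,))
    if where in ("before", "after") and not position.get("pivot"):
        raise ValueError("position.pivot is required for before/after")
    if not names or len(set(names)) != len(names):
        raise ValueError("names must be a non-empty list without repeats")
    doc = {"location": location, "names": list(names), "position": position}
    # Compact, key-sorted JSON gives the same bytes on every run, so the ID
    # can be diffed or pinned in a runbook.
    raw = json.dumps(doc, separators=(",", ":"), sort_keys=True)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_import_id(import_id):
    """Decode an ID for review before it is handed to `pulumi import`."""
    # validate=True rejects characters outside the base64 alphabet, which
    # catches IDs pasted with the line breaks some base64 tools insert.
    raw = base64.b64decode(import_id, validate=True)
    doc = json.loads(raw.decode("utf-8"))
    if not isinstance(doc, dict):
        raise ValueError("import ID must decode to a JSON object")
    missing = {"location", "position", "names"} - set(doc)
    if missing:
        raise ValueError("import ID lacks: %s" % sorted(missing))
    return doc


# Values taken from the import example on this page.
PAGE_LOCATION = {"device_group": {
    "name": "example-device-group",
    "rulebase": "pre-rulebase",
    "panorama_device": "localhost.localdomain",
}}
PAGE_POSITION = {"where": "after", "directly": True, "pivot": "guest-wifi-auth"}
PAGE_NAMES = ["employee-byod-auth", "contractor-limited-access"]

if __name__ == "__main__":
    import_id = build_import_id(PAGE_LOCATION, PAGE_POSITION, PAGE_NAMES)
    print("pulumi import panos:index/authenticationPolicyRules:"
          "AuthenticationPolicyRules corporate_users " + import_id)
    print(json.dumps(decode_import_id(import_id), indent=2))
```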

    Package Details

    Repository
    panos paloaltonetworks/terraform-provider-panos
    License
    Notes
    This Pulumi package is based on the panos Terraform Provider.