published on Tuesday, Apr 28, 2026 by paloaltonetworks
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as panos from "@pulumi/panos";
// Device group on Panorama; the PBF rulebase below is attached to it.
const exampleDeviceGroup = new panos.DeviceGroup("example", {
    location: { panorama: {} },
    name: "example-device-group",
});

// One gateway address plays three roles in the rule: forwarding next hop,
// target of the path monitor, and symmetric-return next hop.
const guestGatewayIp = "10.20.0.1";

// Where matched sessions are sent, and how the path is health-checked.
const guestForward = {
    egressInterface: "ethernet1/3",
    nexthop: { ipAddress: guestGatewayIp },
    monitor: {
        ipAddress: guestGatewayIp,
        profile: "default",
        // The rule is disabled while the monitored address is unreachable.
        // NOTE(review): guest traffic then presumably follows the normal
        // routing table instead of this gateway; confirm that fallback path
        // is one guest traffic is allowed to take.
        disableIfUnreachable: true,
    },
};

// Matches on source zone, source address and application only; destination
// and service are "any".
// NOTE(review): a PBF rule picks the egress path; whether the session is
// permitted is presumably still decided by the security policy. Confirm a
// matching security rule exists for the guest zone.
const guestRule = {
    name: "route-guest-traffic",
    description: "Route guest network traffic through dedicated gateway",
    sourceAddresses: ["guest-network"],
    destinationAddresses: ["any"],
    services: ["any"],
    applications: ["web-browsing", "ssl"],
    from: { zones: ["guest"] },
    action: { forward: guestForward },
    enforceSymmetricReturn: {
        enabled: true,
        nexthopAddressLists: [{ name: guestGatewayIp }],
    },
};

// Manages the entire Policy Based Forwarding policy
// NOTE(review): because the resource owns the whole rulebase at this
// location, rules present on the device but absent from `rules` are
// presumably removed on apply; confirm before targeting a rulebase that
// also holds hand-managed rules.
const example = new panos.PbfPolicy("example", {
    location: {
        deviceGroup: {
            name: exampleDeviceGroup.name,
            rulebase: "pre-rulebase",
        },
    },
    rules: [guestRule],
});
import pulumi
import pulumi_panos as panos
# Device group on Panorama; the PBF rulebase below is attached to it.
example_device_group = panos.DeviceGroup(
    "example",
    location={"panorama": {}},
    name="example-device-group",
)

# One gateway address plays three roles in the rule: forwarding next hop,
# target of the path monitor, and symmetric-return next hop.
guest_gateway_ip = "10.20.0.1"

# Where matched sessions are sent, and how the path is health-checked.
guest_forward = {
    "egress_interface": "ethernet1/3",
    "nexthop": {"ip_address": guest_gateway_ip},
    "monitor": {
        "ip_address": guest_gateway_ip,
        "profile": "default",
        # The rule is disabled while the monitored address is unreachable.
        # NOTE(review): guest traffic then presumably follows the normal
        # routing table instead of this gateway; confirm that fallback path
        # is one guest traffic is allowed to take.
        "disable_if_unreachable": True,
    },
}

# Matches on source zone, source address and application only; destination
# and service are "any".
# NOTE(review): a PBF rule picks the egress path; whether the session is
# permitted is presumably still decided by the security policy. Confirm a
# matching security rule exists for the guest zone.
guest_rule = {
    "name": "route-guest-traffic",
    "description": "Route guest network traffic through dedicated gateway",
    "source_addresses": ["guest-network"],
    "destination_addresses": ["any"],
    "services": ["any"],
    "applications": ["web-browsing", "ssl"],
    "from_": {"zones": ["guest"]},
    "action": {"forward": guest_forward},
    "enforce_symmetric_return": {
        "enabled": True,
        "nexthop_address_lists": [{"name": guest_gateway_ip}],
    },
}

# Manages the entire Policy Based Forwarding policy
# NOTE(review): because the resource owns the whole rulebase at this
# location, rules present on the device but absent from `rules` are
# presumably removed on apply; confirm before targeting a rulebase that
# also holds hand-managed rules.
example = panos.PbfPolicy(
    "example",
    location={
        "device_group": {
            "name": example_device_group.name,
            "rulebase": "pre-rulebase",
        },
    },
    rules=[guest_rule],
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/panos/v2/panos"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Panorama device group and a PBF policy that steers guest
// web traffic to a dedicated gateway.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One gateway address plays three roles in the rule: forwarding next
		// hop, target of the path monitor, and symmetric-return next hop.
		const guestGatewayIP = "10.20.0.1"

		// Device group on Panorama; the PBF rulebase below is attached to it.
		exampleDeviceGroup, err := panos.NewDeviceGroup(ctx, "example", &panos.DeviceGroupArgs{
			Location: &panos.DeviceGroupLocationArgs{
				Panorama: &panos.DeviceGroupLocationPanoramaArgs{},
			},
			Name: pulumi.String("example-device-group"),
		})
		if err != nil {
			return err
		}

		// Where matched sessions are sent, and how the path is health-checked.
		guestForward := &panos.PbfPolicyRuleActionForwardArgs{
			EgressInterface: pulumi.String("ethernet1/3"),
			Nexthop: &panos.PbfPolicyRuleActionForwardNexthopArgs{
				IpAddress: pulumi.String(guestGatewayIP),
			},
			Monitor: &panos.PbfPolicyRuleActionForwardMonitorArgs{
				IpAddress: pulumi.String(guestGatewayIP),
				Profile:   pulumi.String("default"),
				// The rule is disabled while the monitored address is
				// unreachable. NOTE(review): guest traffic then presumably
				// follows the normal routing table instead of this gateway;
				// confirm that fallback path is acceptable for guest traffic.
				DisableIfUnreachable: pulumi.Bool(true),
			},
		}

		// Matches on source zone, source address and application only;
		// destination and service are "any".
		// NOTE(review): a PBF rule picks the egress path; whether the session
		// is permitted is presumably still decided by the security policy.
		guestRule := &panos.PbfPolicyRuleArgs{
			Name:                 pulumi.String("route-guest-traffic"),
			Description:          pulumi.String("Route guest network traffic through dedicated gateway"),
			SourceAddresses:      pulumi.StringArray{pulumi.String("guest-network")},
			DestinationAddresses: pulumi.StringArray{pulumi.String("any")},
			Services:             pulumi.StringArray{pulumi.String("any")},
			Applications: pulumi.StringArray{
				pulumi.String("web-browsing"),
				pulumi.String("ssl"),
			},
			From: &panos.PbfPolicyRuleFromArgs{
				Zones: pulumi.StringArray{pulumi.String("guest")},
			},
			Action: &panos.PbfPolicyRuleActionArgs{
				Forward: guestForward,
			},
			EnforceSymmetricReturn: &panos.PbfPolicyRuleEnforceSymmetricReturnArgs{
				Enabled: pulumi.Bool(true),
				NexthopAddressLists: panos.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArray{
					&panos.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs{
						Name: pulumi.String(guestGatewayIP),
					},
				},
			},
		}

		// Manages the entire Policy Based Forwarding policy
		// NOTE(review): because the resource owns the whole rulebase at this
		// location, rules present on the device but absent from Rules are
		// presumably removed on apply; confirm before targeting a rulebase
		// that also holds hand-managed rules.
		_, err = panos.NewPbfPolicy(ctx, "example", &panos.PbfPolicyArgs{
			Location: &panos.PbfPolicyLocationArgs{
				DeviceGroup: &panos.PbfPolicyLocationDeviceGroupArgs{
					Name:     exampleDeviceGroup.Name,
					Rulebase: pulumi.String("pre-rulebase"),
				},
			},
			Rules: panos.PbfPolicyRuleArray{guestRule},
		})
		// err is nil on success, so this covers both outcomes.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Panos = Pulumi.Panos;
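return await Deployment.RunAsync(() =>
{
    // One gateway address plays three roles in the rule: forwarding next hop,
    // target of the path monitor, and symmetric-return next hop.
    const string guestGatewayIp = "10.20.0.1";

    // Device group on Panorama; the PBF rulebase below is attached to it.
    var exampleDeviceGroup = new Panos.DeviceGroup("example", new()
    {
        Location = new Panos.Inputs.DeviceGroupLocationArgs
        {
            // An explicit empty args object selects the Panorama location,
            // matching the empty object the other language examples pass.
            // `Panorama = null` would leave the location unset.
            Panorama = new Panos.Inputs.DeviceGroupLocationPanoramaArgs(),
        },
        Name = "example-device-group",
    });

    // Manages the entire Policy Based Forwarding policy
    // NOTE(review): because the resource owns the whole rulebase at this
    // location, rules present on the device but absent from Rules are
    // presumably removed on apply; confirm before targeting a rulebase that
    // also holds hand-managed rules.
    var example = new Panos.PbfPolicy("example", new()
    {
        Location = new Panos.Inputs.PbfPolicyLocationArgs
        {
            DeviceGroup = new Panos.Inputs.PbfPolicyLocationDeviceGroupArgs
            {
                Name = exampleDeviceGroup.Name,
                Rulebase = "pre-rulebase",
            },
        },
        Rules = new[]
        {
            // Matches on source zone, source address and application only;
            // destination and service are "any".
            // NOTE(review): a PBF rule picks the egress path; whether the
            // session is permitted is presumably still decided by the
            // security policy.
            new Panos.Inputs.PbfPolicyRuleArgs
            {
                Name = "route-guest-traffic",
                Description = "Route guest network traffic through dedicated gateway",
                SourceAddresses = new[]
                {
                    "guest-network",
                },
                DestinationAddresses = new[]
                {
                    "any",
                },
                Services = new[]
                {
                    "any",
                },
                Applications = new[]
                {
                    "web-browsing",
                    "ssl",
                },
                From = new Panos.Inputs.PbfPolicyRuleFromArgs
                {
                    Zones = new[]
                    {
                        "guest",
                    },
                },
                Action = new Panos.Inputs.PbfPolicyRuleActionArgs
                {
                    Forward = new Panos.Inputs.PbfPolicyRuleActionForwardArgs
                    {
                        EgressInterface = "ethernet1/3",
                        Nexthop = new Panos.Inputs.PbfPolicyRuleActionForwardNexthopArgs
                        {
                            IpAddress = guestGatewayIp,
                        },
                        Monitor = new Panos.Inputs.PbfPolicyRuleActionForwardMonitorArgs
                        {
                            IpAddress = guestGatewayIp,
                            Profile = "default",
                            // The rule is disabled while the monitored address
                            // is unreachable. NOTE(review): guest traffic then
                            // presumably follows the normal routing table
                            // instead of this gateway; confirm that fallback
                            // path is acceptable for guest traffic.
                            DisableIfUnreachable = true,
                        },
                    },
                },
                EnforceSymmetricReturn = new Panos.Inputs.PbfPolicyRuleEnforceSymmetricReturnArgs
                {
                    Enabled = true,
                    NexthopAddressLists = new[]
                    {
                        new Panos.Inputs.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs
                        {
                            Name = guestGatewayIp,
                        },
                    },
                },
            },
        },
    });
});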
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.panos.DeviceGroup;
import com.pulumi.panos.DeviceGroupArgs;
import com.pulumi.panos.PbfPolicy;
import com.pulumi.panos.PbfPolicyArgs;
import com.pulumi.panos.inputs.DeviceGroupLocationArgs;
import com.pulumi.panos.inputs.DeviceGroupLocationPanoramaArgs;
import com.pulumi.panos.inputs.PbfPolicyLocationArgs;
import com.pulumi.panos.inputs.PbfPolicyLocationDeviceGroupArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleActionArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleActionForwardArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleActionForwardMonitorArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleActionForwardNexthopArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleEnforceSymmetricReturnArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs;
import com.pulumi.panos.inputs.PbfPolicyRuleFromArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
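/**
 * Declares a Panorama device group and a PBF policy that steers guest web
 * traffic to a dedicated gateway.
 */
public class App {
    /**
     * One gateway address plays three roles in the rule: forwarding next hop,
     * target of the path monitor, and symmetric-return next hop.
     */
    private static final String GUEST_GATEWAY_IP = "10.20.0.1";

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers the device group and the PBF policy with the Pulumi engine.
     *
     * @param ctx deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Device group on Panorama; the PBF rulebase below is attached to it.
        var exampleDeviceGroup = new DeviceGroup("exampleDeviceGroup", DeviceGroupArgs.builder()
            .location(DeviceGroupLocationArgs.builder()
                .panorama(DeviceGroupLocationPanoramaArgs.builder()
                    .build())
                .build())
            .name("example-device-group")
            .build());

        // Manages the entire Policy Based Forwarding policy
        // NOTE(review): because the resource owns the whole rulebase at this
        // location, rules present on the device but absent from rules() are
        // presumably removed on apply; confirm before targeting a rulebase
        // that also holds hand-managed rules.
        var example = new PbfPolicy("example", PbfPolicyArgs.builder()
            .location(PbfPolicyLocationArgs.builder()
                .deviceGroup(PbfPolicyLocationDeviceGroupArgs.builder()
                    .name(exampleDeviceGroup.name())
                    .rulebase("pre-rulebase")
                    .build())
                .build())
            // Matches on source zone, source address and application only;
            // destination and service are "any".
            // NOTE(review): a PBF rule picks the egress path; whether the
            // session is permitted is presumably still decided by the
            // security policy.
            .rules(PbfPolicyRuleArgs.builder()
                .name("route-guest-traffic")
                .description("Route guest network traffic through dedicated gateway")
                .sourceAddresses("guest-network")
                .destinationAddresses("any")
                .services("any")
                .applications(
                    "web-browsing",
                    "ssl")
                .from(PbfPolicyRuleFromArgs.builder()
                    .zones("guest")
                    .build())
                .action(PbfPolicyRuleActionArgs.builder()
                    .forward(PbfPolicyRuleActionForwardArgs.builder()
                        .egressInterface("ethernet1/3")
                        .nexthop(PbfPolicyRuleActionForwardNexthopArgs.builder()
                            .ipAddress(GUEST_GATEWAY_IP)
                            .build())
                        .monitor(PbfPolicyRuleActionForwardMonitorArgs.builder()
                            .ipAddress(GUEST_GATEWAY_IP)
                            .profile("default")
                            // The rule is disabled while the monitored address
                            // is unreachable. NOTE(review): guest traffic then
                            // presumably follows the normal routing table
                            // instead of this gateway; confirm that fallback
                            // path is acceptable for guest traffic.
                            .disableIfUnreachable(true)
                            .build())
                        .build())
                    .build())
                .enforceSymmetricReturn(PbfPolicyRuleEnforceSymmetricReturnArgs.builder()
                    .enabled(true)
                    // This args type lives in com.pulumi.panos.inputs and must
                    // be imported like the other input types used here.
                    .nexthopAddressLists(PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs.builder()
                        .name(GUEST_GATEWAY_IP)
                        .build())
                    .build())
                .build())
            .build());
    }
}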
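resources:
  # Manages the entire Policy Based Forwarding policy
  # NOTE(review): because the resource owns the whole rulebase at this
  # location, rules present on the device but absent from `rules` are
  # presumably removed on apply; confirm before targeting a rulebase that
  # also holds hand-managed rules.
  example:
    type: panos:PbfPolicy
    properties:
      location:
        deviceGroup:
          name: ${exampleDeviceGroup.name}
          rulebase: pre-rulebase
      rules:
        # Matches on source zone, source address and application only;
        # destination and service are "any".
        - name: route-guest-traffic
          description: Route guest network traffic through dedicated gateway
          sourceAddresses:
            - guest-network
          destinationAddresses:
            - any
          services:
            - any
          applications:
            - web-browsing
            - ssl
          from:
            zones:
              - guest
          action:
            forward:
              egressInterface: ethernet1/3
              nexthop:
                ipAddress: 10.20.0.1
              monitor:
                # Same address as the next hop above.
                ipAddress: 10.20.0.1
                profile: default
                # The rule is disabled while the monitored address is
                # unreachable. NOTE(review): guest traffic then presumably
                # follows the normal routing table instead of this gateway;
                # confirm that fallback path is acceptable for guest traffic.
                disableIfUnreachable: true
          enforceSymmetricReturn:
            enabled: true
            nexthopAddressLists:
              - name: 10.20.0.1
  # Device group on Panorama; the PBF rulebase above is attached to it.
  exampleDeviceGroup:
    type: panos:DeviceGroup
    name: example
    properties:
      location:
        panorama: {}
      name: example-device-group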
Create PbfPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
TypeScript:
new PbfPolicy(name: string, args: PbfPolicyArgs, opts?: CustomResourceOptions);

Python:
@overload
def PbfPolicy(resource_name: str,
              args: PbfPolicyArgs,
              opts: Optional[ResourceOptions] = None)

@overload
def PbfPolicy(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              location: Optional[PbfPolicyLocationArgs] = None,
              rules: Optional[Sequence[PbfPolicyRuleArgs]] = None)

Go:
func NewPbfPolicy(ctx *Context, name string, args PbfPolicyArgs, opts ...ResourceOption) (*PbfPolicy, error)

C#:
public PbfPolicy(string name, PbfPolicyArgs args, CustomResourceOptions? opts = null)

Java:
public PbfPolicy(String name, PbfPolicyArgs args)
public PbfPolicy(String name, PbfPolicyArgs args, CustomResourceOptions options)

YAML:
type: panos:PbfPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PbfPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PbfPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PbfPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PbfPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PbfPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing: every PbfPolicy input property with a placeholder value.
// It shows which fields exist; it is not a deployable configuration.
var pbfPolicyResource = new Panos.PbfPolicy("pbfPolicyResource", new()
{
    // NOTE(review): DeviceGroup, Shared and Vsys appear together only because
    // every property is listed. They look like alternative locations; confirm
    // against the provider schema and set the one that applies.
    Location = new Panos.Inputs.PbfPolicyLocationArgs
    {
        DeviceGroup = new Panos.Inputs.PbfPolicyLocationDeviceGroupArgs
        {
            Name = "string",
            PanoramaDevice = "string",
            Rulebase = "string",
        },
        Shared = new Panos.Inputs.PbfPolicyLocationSharedArgs
        {
            Rulebase = "string",
        },
        Vsys = new Panos.Inputs.PbfPolicyLocationVsysArgs
        {
            Name = "string",
            NgfwDevice = "string",
        },
    },
    Rules = new[]
    {
        new Panos.Inputs.PbfPolicyRuleArgs
        {
            Name = "string",
            GroupTag = "string",
            ActiveActiveDeviceBinding = "string",
            // Trigger only: changing this value causes AuditCommentWo to be
            // sent; the version itself is not sent to PAN-OS.
            AuditCommentVersion = "string",
            // NOTE(review): Discard, Forward, ForwardToVsys and NoPbf look
            // like alternative actions listed together for reference; confirm
            // which combinations the provider accepts.
            Action = new Panos.Inputs.PbfPolicyRuleActionArgs
            {
                Discard = null,
                Forward = new Panos.Inputs.PbfPolicyRuleActionForwardArgs
                {
                    EgressInterface = "string",
                    Monitor = new Panos.Inputs.PbfPolicyRuleActionForwardMonitorArgs
                    {
                        DisableIfUnreachable = false,
                        IpAddress = "string",
                        Profile = "string",
                    },
                    Nexthop = new Panos.Inputs.PbfPolicyRuleActionForwardNexthopArgs
                    {
                        Fqdn = "string",
                        IpAddress = "string",
                    },
                },
                ForwardToVsys = "string",
                NoPbf = null,
            },
            Description = "string",
            DestinationAddresses = new[]
            {
                "string",
            },
            Disabled = false,
            EnforceSymmetricReturn = new Panos.Inputs.PbfPolicyRuleEnforceSymmetricReturnArgs
            {
                Enabled = false,
                NexthopAddressLists = new[]
                {
                    new Panos.Inputs.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs
                    {
                        Name = "string",
                    },
                },
            },
            Applications = new[]
            {
                "string",
            },
            From = new Panos.Inputs.PbfPolicyRuleFromArgs
            {
                Interfaces = new[]
                {
                    "string",
                },
                Zones = new[]
                {
                    "string",
                },
            },
            // Write-only audit comment: sent to PAN-OS, never read back, and
            // only sent when AuditCommentVersion changes.
            AuditCommentWo = "string",
            NegateDestination = false,
            NegateSource = false,
            Schedule = "string",
            Services = new[]
            {
                "string",
            },
            SourceAddresses = new[]
            {
                "string",
            },
            SourceUsers = new[]
            {
                "string",
            },
            Tags = new[]
            {
                "string",
            },
            Target = new Panos.Inputs.PbfPolicyRuleTargetArgs
            {
                Devices = new[]
                {
                    new Panos.Inputs.PbfPolicyRuleTargetDeviceArgs
                    {
                        Name = "string",
                        Vsys = new[]
                        {
                            new Panos.Inputs.PbfPolicyRuleTargetDeviceVsyArgs
                            {
                                Name = "string",
                            },
                        },
                    },
                },
                Negate = false,
                Tags = new[]
                {
                    "string",
                },
            },
        },
    },
});
// Reference listing: every PbfPolicy input property with a placeholder value.
// It shows which fields exist; it is not a deployable configuration.
example, err := panos.NewPbfPolicy(ctx, "pbfPolicyResource", &panos.PbfPolicyArgs{
	// NOTE(review): DeviceGroup, Shared and Vsys appear together only because
	// every property is listed. They look like alternative locations; confirm
	// against the provider schema and set the one that applies.
	Location: &panos.PbfPolicyLocationArgs{
		DeviceGroup: &panos.PbfPolicyLocationDeviceGroupArgs{
			Name: pulumi.String("string"),
			PanoramaDevice: pulumi.String("string"),
			Rulebase: pulumi.String("string"),
		},
		Shared: &panos.PbfPolicyLocationSharedArgs{
			Rulebase: pulumi.String("string"),
		},
		Vsys: &panos.PbfPolicyLocationVsysArgs{
			Name: pulumi.String("string"),
			NgfwDevice: pulumi.String("string"),
		},
	},
	Rules: panos.PbfPolicyRuleArray{
		&panos.PbfPolicyRuleArgs{
			Name: pulumi.String("string"),
			GroupTag: pulumi.String("string"),
			ActiveActiveDeviceBinding: pulumi.String("string"),
			// Trigger only: changing this value causes AuditCommentWo to be
			// sent; the version itself is not sent to PAN-OS.
			AuditCommentVersion: pulumi.String("string"),
			// NOTE(review): Discard, Forward, ForwardToVsys and NoPbf look
			// like alternative actions listed together for reference; confirm
			// which combinations the provider accepts.
			Action: &panos.PbfPolicyRuleActionArgs{
				Discard: &panos.PbfPolicyRuleActionDiscardArgs{},
				Forward: &panos.PbfPolicyRuleActionForwardArgs{
					EgressInterface: pulumi.String("string"),
					Monitor: &panos.PbfPolicyRuleActionForwardMonitorArgs{
						DisableIfUnreachable: pulumi.Bool(false),
						IpAddress: pulumi.String("string"),
						Profile: pulumi.String("string"),
					},
					Nexthop: &panos.PbfPolicyRuleActionForwardNexthopArgs{
						Fqdn: pulumi.String("string"),
						IpAddress: pulumi.String("string"),
					},
				},
				ForwardToVsys: pulumi.String("string"),
				NoPbf: &panos.PbfPolicyRuleActionNoPbfArgs{},
			},
			Description: pulumi.String("string"),
			DestinationAddresses: pulumi.StringArray{
				pulumi.String("string"),
			},
			Disabled: pulumi.Bool(false),
			EnforceSymmetricReturn: &panos.PbfPolicyRuleEnforceSymmetricReturnArgs{
				Enabled: pulumi.Bool(false),
				NexthopAddressLists: panos.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArray{
					&panos.PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs{
						Name: pulumi.String("string"),
					},
				},
			},
			Applications: pulumi.StringArray{
				pulumi.String("string"),
			},
			From: &panos.PbfPolicyRuleFromArgs{
				Interfaces: pulumi.StringArray{
					pulumi.String("string"),
				},
				Zones: pulumi.StringArray{
					pulumi.String("string"),
				},
			},
			// Write-only audit comment: sent to PAN-OS, never read back, and
			// only sent when AuditCommentVersion changes.
			AuditCommentWo: pulumi.String("string"),
			NegateDestination: pulumi.Bool(false),
			NegateSource: pulumi.Bool(false),
			Schedule: pulumi.String("string"),
			Services: pulumi.StringArray{
				pulumi.String("string"),
			},
			SourceAddresses: pulumi.StringArray{
				pulumi.String("string"),
			},
			SourceUsers: pulumi.StringArray{
				pulumi.String("string"),
			},
			Tags: pulumi.StringArray{
				pulumi.String("string"),
			},
			Target: &panos.PbfPolicyRuleTargetArgs{
				Devices: panos.PbfPolicyRuleTargetDeviceArray{
					&panos.PbfPolicyRuleTargetDeviceArgs{
						Name: pulumi.String("string"),
						Vsys: panos.PbfPolicyRuleTargetDeviceVsyArray{
							&panos.PbfPolicyRuleTargetDeviceVsyArgs{
								Name: pulumi.String("string"),
							},
						},
					},
				},
				Negate: pulumi.Bool(false),
				Tags: pulumi.StringArray{
					pulumi.String("string"),
				},
			},
		},
	},
})
// Reference listing: every PbfPolicy input property with a placeholder value.
// It shows which fields exist; it is not a deployable configuration.
var pbfPolicyResource = new PbfPolicy("pbfPolicyResource", PbfPolicyArgs.builder()
    // NOTE(review): deviceGroup, shared and vsys appear together only because
    // every property is listed. They look like alternative locations; confirm
    // against the provider schema and set the one that applies.
    .location(PbfPolicyLocationArgs.builder()
        .deviceGroup(PbfPolicyLocationDeviceGroupArgs.builder()
            .name("string")
            .panoramaDevice("string")
            .rulebase("string")
            .build())
        .shared(PbfPolicyLocationSharedArgs.builder()
            .rulebase("string")
            .build())
        .vsys(PbfPolicyLocationVsysArgs.builder()
            .name("string")
            .ngfwDevice("string")
            .build())
        .build())
    .rules(PbfPolicyRuleArgs.builder()
        .name("string")
        .groupTag("string")
        .activeActiveDeviceBinding("string")
        // Trigger only: changing this value causes auditCommentWo to be sent;
        // the version itself is not sent to PAN-OS.
        .auditCommentVersion("string")
        // NOTE(review): discard, forward, forwardToVsys and noPbf look like
        // alternative actions listed together for reference; confirm which
        // combinations the provider accepts.
        .action(PbfPolicyRuleActionArgs.builder()
            .discard(PbfPolicyRuleActionDiscardArgs.builder()
                .build())
            .forward(PbfPolicyRuleActionForwardArgs.builder()
                .egressInterface("string")
                .monitor(PbfPolicyRuleActionForwardMonitorArgs.builder()
                    .disableIfUnreachable(false)
                    .ipAddress("string")
                    .profile("string")
                    .build())
                .nexthop(PbfPolicyRuleActionForwardNexthopArgs.builder()
                    .fqdn("string")
                    .ipAddress("string")
                    .build())
                .build())
            .forwardToVsys("string")
            .noPbf(PbfPolicyRuleActionNoPbfArgs.builder()
                .build())
            .build())
        .description("string")
        .destinationAddresses("string")
        .disabled(false)
        .enforceSymmetricReturn(PbfPolicyRuleEnforceSymmetricReturnArgs.builder()
            .enabled(false)
            .nexthopAddressLists(PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs.builder()
                .name("string")
                .build())
            .build())
        .applications("string")
        .from(PbfPolicyRuleFromArgs.builder()
            .interfaces("string")
            .zones("string")
            .build())
        // Write-only audit comment: sent to PAN-OS, never read back, and only
        // sent when auditCommentVersion changes.
        .auditCommentWo("string")
        .negateDestination(false)
        .negateSource(false)
        .schedule("string")
        .services("string")
        .sourceAddresses("string")
        .sourceUsers("string")
        .tags("string")
        .target(PbfPolicyRuleTargetArgs.builder()
            .devices(PbfPolicyRuleTargetDeviceArgs.builder()
                .name("string")
                .vsys(PbfPolicyRuleTargetDeviceVsyArgs.builder()
                    .name("string")
                    .build())
                .build())
            .negate(false)
            .tags("string")
            .build())
        .build())
    .build());
# Reference listing: every PbfPolicy input property with a placeholder value.
# It shows which fields exist; it is not a deployable configuration.
pbf_policy_resource = panos.PbfPolicy("pbfPolicyResource",
    # NOTE(review): device_group, shared and vsys appear together only because
    # every property is listed. They look like alternative locations; confirm
    # against the provider schema and set the one that applies.
    location={
        "device_group": {
            "name": "string",
            "panorama_device": "string",
            "rulebase": "string",
        },
        "shared": {
            "rulebase": "string",
        },
        "vsys": {
            "name": "string",
            "ngfw_device": "string",
        },
    },
    rules=[{
        "name": "string",
        "group_tag": "string",
        "active_active_device_binding": "string",
        # Trigger only: changing this value causes audit_comment_wo to be
        # sent; the version itself is not sent to PAN-OS.
        "audit_comment_version": "string",
        # NOTE(review): discard, forward, forward_to_vsys and no_pbf look like
        # alternative actions listed together for reference; confirm which
        # combinations the provider accepts.
        "action": {
            "discard": {},
            "forward": {
                "egress_interface": "string",
                "monitor": {
                    "disable_if_unreachable": False,
                    "ip_address": "string",
                    "profile": "string",
                },
                "nexthop": {
                    "fqdn": "string",
                    "ip_address": "string",
                },
            },
            "forward_to_vsys": "string",
            "no_pbf": {},
        },
        "description": "string",
        "destination_addresses": ["string"],
        "disabled": False,
        "enforce_symmetric_return": {
            "enabled": False,
            "nexthop_address_lists": [{
                "name": "string",
            }],
        },
        "applications": ["string"],
        "from_": {
            "interfaces": ["string"],
            "zones": ["string"],
        },
        # Write-only audit comment: sent to PAN-OS, never read back, and only
        # sent when audit_comment_version changes.
        "audit_comment_wo": "string",
        "negate_destination": False,
        "negate_source": False,
        "schedule": "string",
        "services": ["string"],
        "source_addresses": ["string"],
        "source_users": ["string"],
        "tags": ["string"],
        "target": {
            "devices": [{
                "name": "string",
                "vsys": [{
                    "name": "string",
                }],
            }],
            "negate": False,
            "tags": ["string"],
        },
    }])
// Reference listing: every PbfPolicy input property with a placeholder value.
// It shows which fields exist; it is not a deployable configuration.
const pbfPolicyResource = new panos.PbfPolicy("pbfPolicyResource", {
    // NOTE(review): deviceGroup, shared and vsys appear together only because
    // every property is listed. They look like alternative locations; confirm
    // against the provider schema and set the one that applies.
    location: {
        deviceGroup: {
            name: "string",
            panoramaDevice: "string",
            rulebase: "string",
        },
        shared: {
            rulebase: "string",
        },
        vsys: {
            name: "string",
            ngfwDevice: "string",
        },
    },
    rules: [{
        name: "string",
        groupTag: "string",
        activeActiveDeviceBinding: "string",
        // Trigger only: changing this value causes auditCommentWo to be sent;
        // the version itself is not sent to PAN-OS.
        auditCommentVersion: "string",
        // NOTE(review): discard, forward, forwardToVsys and noPbf look like
        // alternative actions listed together for reference; confirm which
        // combinations the provider accepts.
        action: {
            discard: {},
            forward: {
                egressInterface: "string",
                monitor: {
                    disableIfUnreachable: false,
                    ipAddress: "string",
                    profile: "string",
                },
                nexthop: {
                    fqdn: "string",
                    ipAddress: "string",
                },
            },
            forwardToVsys: "string",
            noPbf: {},
        },
        description: "string",
        destinationAddresses: ["string"],
        disabled: false,
        enforceSymmetricReturn: {
            enabled: false,
            nexthopAddressLists: [{
                name: "string",
            }],
        },
        applications: ["string"],
        from: {
            interfaces: ["string"],
            zones: ["string"],
        },
        // Write-only audit comment: sent to PAN-OS, never read back, and only
        // sent when auditCommentVersion changes.
        auditCommentWo: "string",
        negateDestination: false,
        negateSource: false,
        schedule: "string",
        services: ["string"],
        sourceAddresses: ["string"],
        sourceUsers: ["string"],
        tags: ["string"],
        target: {
            devices: [{
                name: "string",
                vsys: [{
                    name: "string",
                }],
            }],
            negate: false,
            tags: ["string"],
        },
    }],
});
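# Reference listing: every PbfPolicy input property with a placeholder value.
# It shows which fields exist; it is not a deployable configuration.
type: panos:PbfPolicy
properties:
  # NOTE(review): deviceGroup, shared and vsys appear together only because
  # every property is listed. They look like alternative locations; confirm
  # against the provider schema and set the one that applies.
  location:
    deviceGroup:
      name: string
      panoramaDevice: string
      rulebase: string
    shared:
      rulebase: string
    vsys:
      name: string
      ngfwDevice: string
  rules:
    # NOTE(review): discard, forward, forwardToVsys and noPbf look like
    # alternative actions listed together for reference; confirm which
    # combinations the provider accepts.
    - action:
        discard: {}
        forward:
          egressInterface: string
          monitor:
            disableIfUnreachable: false
            ipAddress: string
            profile: string
          nexthop:
            fqdn: string
            ipAddress: string
        forwardToVsys: string
        noPbf: {}
      activeActiveDeviceBinding: string
      applications:
        - string
      # Trigger only: changing this value causes auditCommentWo to be sent;
      # the version itself is not sent to PAN-OS.
      auditCommentVersion: string
      # Write-only audit comment: sent to PAN-OS, never read back, and only
      # sent when auditCommentVersion changes.
      auditCommentWo: string
      description: string
      destinationAddresses:
        - string
      disabled: false
      enforceSymmetricReturn:
        enabled: false
        nexthopAddressLists:
          - name: string
      from:
        interfaces:
          - string
        zones:
          - string
      groupTag: string
      name: string
      negateDestination: false
      negateSource: false
      schedule: string
      services:
        - string
      sourceAddresses:
        - string
      sourceUsers:
        - string
      tags:
        - string
      target:
        devices:
          - name: string
            vsys:
              - name: string
        negate: false
        tags:
          - string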
PbfPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PbfPolicy resource accepts the following input properties:
- Location PbfPolicyLocation
- The location of this object.
- Rules List<PbfPolicyRule>
- Location PbfPolicyLocationArgs
- The location of this object.
- Rules []PbfPolicyRuleArgs
- location PbfPolicyLocation
- The location of this object.
- rules List<PbfPolicyRule>
- location PbfPolicyLocation
- The location of this object.
- rules PbfPolicyRule[]
- location PbfPolicyLocationArgs
- The location of this object.
- rules Sequence[PbfPolicyRuleArgs]
- location Property Map
- The location of this object.
- rules List<Property Map>
Outputs
All input properties are implicitly available as output properties. Additionally, the PbfPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing PbfPolicy Resource
Get an existing PbfPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
TypeScript:
public static get(name: string, id: Input<ID>, state?: PbfPolicyState, opts?: CustomResourceOptions): PbfPolicy

Python:
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        location: Optional[PbfPolicyLocationArgs] = None,
        rules: Optional[Sequence[PbfPolicyRuleArgs]] = None) -> PbfPolicy

Go:
func GetPbfPolicy(ctx *Context, name string, id IDInput, state *PbfPolicyState, opts ...ResourceOption) (*PbfPolicy, error)

C#:
public static PbfPolicy Get(string name, Input<string> id, PbfPolicyState? state, CustomResourceOptions? opts = null)

Java:
public static PbfPolicy get(String name, Output<String> id, PbfPolicyState state, CustomResourceOptions options)

YAML:
resources:
  _:
    type: panos:PbfPolicy
    get:
      id: ${id}

- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Location PbfPolicyLocation
- The location of this object.
- Rules List<PbfPolicyRule>
- Location PbfPolicyLocationArgs
- The location of this object.
- Rules []PbfPolicyRuleArgs
- location PbfPolicyLocation
- The location of this object.
- rules List<PbfPolicyRule>
- location PbfPolicyLocation
- The location of this object.
- rules PbfPolicyRule[]
- location PbfPolicyLocationArgs
- The location of this object.
- rules Sequence[PbfPolicyRuleArgs]
- location Property Map
- The location of this object.
- rules List<Property Map>
Supporting Types
PbfPolicyLocation, PbfPolicyLocationArgs
- DeviceGroup PbfPolicyLocationDeviceGroup
- Located in a specific device group rulebase
- Shared PbfPolicyLocationShared
- Located in a shared rulebase
- Vsys PbfPolicyLocationVsys
- Located in a specific vsys rulebase
- DeviceGroup PbfPolicyLocationDeviceGroup
- Located in a specific device group rulebase
- Shared PbfPolicyLocationShared
- Located in a shared rulebase
- Vsys PbfPolicyLocationVsys
- Located in a specific vsys rulebase
- deviceGroup PbfPolicyLocationDeviceGroup
- Located in a specific device group rulebase
- shared PbfPolicyLocationShared
- Located in a shared rulebase
- vsys PbfPolicyLocationVsys
- Located in a specific vsys rulebase
- deviceGroup PbfPolicyLocationDeviceGroup
- Located in a specific device group rulebase
- shared PbfPolicyLocationShared
- Located in a shared rulebase
- vsys PbfPolicyLocationVsys
- Located in a specific vsys rulebase
- device_group PbfPolicyLocationDeviceGroup
- Located in a specific device group rulebase
- shared PbfPolicyLocationShared
- Located in a shared rulebase
- vsys PbfPolicyLocationVsys
- Located in a specific vsys rulebase
- deviceGroup Property Map
- Located in a specific device group rulebase
- shared Property Map
- Located in a shared rulebase
- vsys Property Map
- Located in a specific vsys rulebase
PbfPolicyLocationDeviceGroup, PbfPolicyLocationDeviceGroupArgs
- Name string
- The device group name
- PanoramaDevice string
- The panorama device
- Rulebase string
- The rulebase
- Name string
- The device group name
- PanoramaDevice string
- The panorama device
- Rulebase string
- The rulebase
- name String
- The device group name
- panoramaDevice String
- The panorama device
- rulebase String
- The rulebase
- name string
- The device group name
- panoramaDevice string
- The panorama device
- rulebase string
- The rulebase
- name str
- The device group name
- panorama_device str
- The panorama device
- rulebase str
- The rulebase
- name String
- The device group name
- panoramaDevice String
- The panorama device
- rulebase String
- The rulebase
PbfPolicyLocationShared, PbfPolicyLocationSharedArgs
- Rulebase string
- Rulebase name
- Rulebase string
- Rulebase name
- rulebase String
- Rulebase name
- rulebase string
- Rulebase name
- rulebase str
- Rulebase name
- rulebase String
- Rulebase name
PbfPolicyLocationVsys, PbfPolicyLocationVsysArgs
- Name string
- The vsys name
- NgfwDevice string
- The NGFW device
- Name string
- The vsys name
- NgfwDevice string
- The NGFW device
- name String
- The vsys name
- ngfwDevice String
- The NGFW device
- name string
- The vsys name
- ngfwDevice string
- The NGFW device
- name str
- The vsys name
- ngfw_device str
- The NGFW device
- name String
- The vsys name
- ngfwDevice String
- The NGFW device
PbfPolicyRule, PbfPolicyRuleArgs
- Name string
- Action PbfPolicyRuleAction
- ActiveActiveDeviceBinding string
- Device binding configuration in HA Active-Active mode
- Applications List<string>
- AuditCommentVersion string
- Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- AuditCommentWo string
- Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- Description string
- DestinationAddresses List<string>
- Disabled bool
- Disable the rule
- EnforceSymmetricReturn PbfPolicyRuleEnforceSymmetricReturn
- From PbfPolicyRuleFrom
- GroupTag string
- NegateDestination bool
- NegateSource bool
- Schedule string
- Services List<string>
- SourceAddresses List<string>
- SourceUsers List<string>
- Tags List<string>
- Target PbfPolicyRuleTarget
- Name string
- Action PbfPolicyRuleAction
- ActiveActiveDeviceBinding string
- Device binding configuration in HA Active-Active mode
- Applications []string
- AuditCommentVersion string
- Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- AuditCommentWo string
- Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- Description string
- DestinationAddresses []string
- Disabled bool
- Disable the rule
- EnforceSymmetricReturn PbfPolicyRuleEnforceSymmetricReturn
- From PbfPolicyRuleFrom
- GroupTag string
- NegateDestination bool
- NegateSource bool
- Schedule string
- Services []string
- SourceAddresses []string
- SourceUsers []string
- Tags []string
- Target PbfPolicyRuleTarget
- name String
- action PbfPolicyRuleAction
- activeActiveDeviceBinding String
- Device binding configuration in HA Active-Active mode
- applications List<String>
- auditCommentVersion String
- Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- auditCommentWo String
- Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description String
- destinationAddresses List<String>
- disabled Boolean
- Disable the rule
- enforceSymmetricReturn PbfPolicyRuleEnforceSymmetricReturn
- from PbfPolicyRuleFrom
- groupTag String
- negateDestination Boolean
- negateSource Boolean
- schedule String
- services List<String>
- sourceAddresses List<String>
- sourceUsers List<String>
- tags List<String>
- target PbfPolicyRuleTarget
- name string
- action PbfPolicyRuleAction
- activeActiveDeviceBinding string
- Device binding configuration in HA Active-Active mode
- applications string[]
- auditCommentVersion string
- Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- auditCommentWo string
- Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description string
- destinationAddresses string[]
- disabled boolean
- Disable the rule
- enforceSymmetricReturn PbfPolicyRuleEnforceSymmetricReturn
- from PbfPolicyRuleFrom
- groupTag string
- negateDestination boolean
- negateSource boolean
- schedule string
- services string[]
- sourceAddresses string[]
- sourceUsers string[]
- tags string[]
- target PbfPolicyRuleTarget
- name str
- action
Pbf
Policy Rule Action - active_
active_ strdevice_ binding - Device binding configuration in HA Active-Active mode
- applications Sequence[str]
- audit_comment_version str - Version trigger for audit comments. Change this value to send audit_comment_wo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- audit_comment_wo str - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when audit_comment_version is modified. Each time audit_comment_version changes, this comment is added to the audit history with a timestamp.
- description str
- destination_
addresses Sequence[str] - disabled bool
- Disable the rule
- enforce_
symmetric_ Pbfreturn Policy Rule Enforce Symmetric Return - from_
Pbf
Policy Rule From - group_
tag str - negate_
destination bool - negate_
source bool - schedule str
- services Sequence[str]
- source_
addresses Sequence[str] - source_
users Sequence[str] - Sequence[str]
- target
Pbf
Policy Rule Target
- name String
- action Property Map
- active
Active StringDevice Binding - Device binding configuration in HA Active-Active mode
- applications List<String>
- auditCommentVersion String - Version trigger for audit comments. Change this value to send auditCommentWo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- auditCommentWo String - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditCommentVersion is modified. Each time auditCommentVersion changes, this comment is added to the audit history with a timestamp.
- description String
- destination
Addresses List<String> - disabled Boolean
- Disable the rule
- enforce
Symmetric Property MapReturn - from Property Map
- group
Tag String - negate
Destination Boolean - negate
Source Boolean - schedule String
- services List<String>
- source
Addresses List<String> - source
Users List<String> - List<String>
- target Property Map
PbfPolicyRuleAction, PbfPolicyRuleActionArgs
- Discard PbfPolicyRuleActionDiscard
- Forward PbfPolicyRuleActionForward
- ForwardToVsys string - Virtual system/Shared gateway to route packet to
- NoPbf PbfPolicyRuleActionNoPbf
- Discard PbfPolicyRuleActionDiscard
- Forward PbfPolicyRuleActionForward
- ForwardToVsys string - Virtual system/Shared gateway to route packet to
- NoPbf PbfPolicyRuleActionNoPbf
- discard PbfPolicyRuleActionDiscard
- forward PbfPolicyRuleActionForward
- forwardToVsys String - Virtual system/Shared gateway to route packet to
- noPbf PbfPolicyRuleActionNoPbf
- discard PbfPolicyRuleActionDiscard
- forward PbfPolicyRuleActionForward
- forwardToVsys string - Virtual system/Shared gateway to route packet to
- noPbf PbfPolicyRuleActionNoPbf
- discard PbfPolicyRuleActionDiscard
- forward PbfPolicyRuleActionForward
- forward_to_vsys str - Virtual system/Shared gateway to route packet to
- no_pbf PbfPolicyRuleActionNoPbf
- discard Property Map
- forward Property Map
- forwardToVsys String - Virtual system/Shared gateway to route packet to
- noPbf Property Map
PbfPolicyRuleActionForward, PbfPolicyRuleActionForwardArgs
- EgressInterface string - Interface to route packet to
- Monitor PbfPolicyRuleActionForwardMonitor
- Nexthop PbfPolicyRuleActionForwardNexthop
- EgressInterface string - Interface to route packet to
- Monitor PbfPolicyRuleActionForwardMonitor
- Nexthop PbfPolicyRuleActionForwardNexthop
- egressInterface String - Interface to route packet to
- monitor PbfPolicyRuleActionForwardMonitor
- nexthop PbfPolicyRuleActionForwardNexthop
- egressInterface string - Interface to route packet to
- monitor PbfPolicyRuleActionForwardMonitor
- nexthop PbfPolicyRuleActionForwardNexthop
- egress_interface str - Interface to route packet to
- monitor PbfPolicyRuleActionForwardMonitor
- nexthop PbfPolicyRuleActionForwardNexthop
- egressInterface String - Interface to route packet to
- monitor Property Map
- nexthop Property Map
PbfPolicyRuleActionForwardMonitor, PbfPolicyRuleActionForwardMonitorArgs
- DisableIfUnreachable bool - Disable this rule if nexthop/monitor ip is unreachable
- IpAddress string - Monitor IP address
- Profile string - Monitoring profile associated with this rule
- DisableIfUnreachable bool - Disable this rule if nexthop/monitor ip is unreachable
- IpAddress string - Monitor IP address
- Profile string - Monitoring profile associated with this rule
- disableIfUnreachable Boolean - Disable this rule if nexthop/monitor ip is unreachable
- ipAddress String - Monitor IP address
- profile String - Monitoring profile associated with this rule
- disableIfUnreachable boolean - Disable this rule if nexthop/monitor ip is unreachable
- ipAddress string - Monitor IP address
- profile string - Monitoring profile associated with this rule
- disable_if_unreachable bool - Disable this rule if nexthop/monitor ip is unreachable
- ip_address str - Monitor IP address
- profile str - Monitoring profile associated with this rule
- disableIfUnreachable Boolean - Disable this rule if nexthop/monitor ip is unreachable
- ipAddress String - Monitor IP address
- profile String - Monitoring profile associated with this rule
PbfPolicyRuleActionForwardNexthop, PbfPolicyRuleActionForwardNexthopArgs
- fqdn str - nexthop address FQDN name configuration
- ip_address str - Next hop IP address
PbfPolicyRuleEnforceSymmetricReturn, PbfPolicyRuleEnforceSymmetricReturnArgs
- Enabled bool
- Enable symmetric return
- Nexthop
Address List<PbfLists Policy Rule Enforce Symmetric Return Nexthop Address List>
- Enabled bool
- Enable symmetric return
- Nexthop
Address []PbfLists Policy Rule Enforce Symmetric Return Nexthop Address List
- enabled Boolean
- Enable symmetric return
- nexthop
Address List<PbfLists Policy Rule Enforce Symmetric Return Nexthop Address List>
- enabled boolean
- Enable symmetric return
- nexthop
Address PbfLists Policy Rule Enforce Symmetric Return Nexthop Address List[]
- enabled bool
- Enable symmetric return
- nexthop_
address_ Sequence[Pbflists Policy Rule Enforce Symmetric Return Nexthop Address List]
- enabled Boolean
- Enable symmetric return
- nexthop
Address List<Property Map>Lists
PbfPolicyRuleEnforceSymmetricReturnNexthopAddressList, PbfPolicyRuleEnforceSymmetricReturnNexthopAddressListArgs
- Name string
- Name string
- name String
- name string
- name str
- name String
PbfPolicyRuleFrom, PbfPolicyRuleFromArgs
- Interfaces List<string>
- Zones List<string>
- Interfaces []string
- Zones []string
- interfaces List<String>
- zones List<String>
- interfaces string[]
- zones string[]
- interfaces Sequence[str]
- zones Sequence[str]
- interfaces List<String>
- zones List<String>
PbfPolicyRuleTarget, PbfPolicyRuleTargetArgs
- Devices
List<Pbf
Policy Rule Target Device> - Negate bool
- Target to all but these specified devices and tags
- List<string>
- Devices
[]Pbf
Policy Rule Target Device - Negate bool
- Target to all but these specified devices and tags
- []string
- devices
List<Pbf
Policy Rule Target Device> - negate Boolean
- Target to all but these specified devices and tags
- List<String>
- devices
Pbf
Policy Rule Target Device[] - negate boolean
- Target to all but these specified devices and tags
- string[]
- devices
Sequence[Pbf
Policy Rule Target Device] - negate bool
- Target to all but these specified devices and tags
- Sequence[str]
- devices List<Property Map>
- negate Boolean
- Target to all but these specified devices and tags
- List<String>
PbfPolicyRuleTargetDevice, PbfPolicyRuleTargetDeviceArgs
- name String
- vsys List<Property Map>
PbfPolicyRuleTargetDeviceVsy, PbfPolicyRuleTargetDeviceVsyArgs
- Name string
- Name string
- name String
- name string
- name str
- name String
Import
#!/bin/bash
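The entire PBF policy can be imported by providing the following object, serialized as JSON and base64-encoded, as the ID. The encoded ID must reach `pulumi import` as a single argument: GNU `base64` wraps its output at 76 columns by default, so on Linux add `-w 0` to `base64` if the encoded ID comes out split across lines.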
{
location = {
device_group = {
name = "example-device-group"
rulebase = "pre-rulebase"
panorama_device = "localhost.localdomain"
}
}
names = [
"route-guest-traffic", <- all rule names in the policy must be listed
"route-internal-traffic",
]
}
$ pulumi import panos:index/pbfPolicy:PbfPolicy example $(echo '{"location":{"device_group":{"name":"example-device-group","panorama_device":"localhost.localdomain","rulebase":"pre-rulebase"}},"names":["route-guest-traffic","route-internal-traffic"]}' | base64)
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- panos paloaltonetworks/terraform-provider-panos
- License
- Notes
- This Pulumi package is based on the panos Terraform Provider.
published on Tuesday, Apr 28, 2026 by paloaltonetworks
