Viewing docs for panos 2.0.11
published on Tuesday, Apr 28, 2026 by paloaltonetworks
published on Tuesday, Apr 28, 2026 by paloaltonetworks
Viewing docs for panos 2.0.11
published on Tuesday, Apr 28, 2026 by paloaltonetworks
published on Tuesday, Apr 28, 2026 by paloaltonetworks
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as panos from "@pulumi/panos";
const example = new panos.DeviceGroup("example", {
location: {
panorama: {},
},
name: "example-device-group",
});
// Manage a group of Policy Based Forwarding rules with positioning
//# Place the rule group at the top of the pre-rulebase
const priorityRouting = new panos.PbfPolicyRules("priority_routing", {
location: {
deviceGroup: {
name: example.name,
rulebase: "pre-rulebase",
},
},
position: {
where: "first",
},
rules: [{
name: "route-voip-traffic",
description: "Route VoIP traffic through low-latency path",
sourceAddresses: ["corporate-network"],
destinationAddresses: ["voip-servers"],
services: [
"sip",
"rtp",
],
applications: [
"sip",
"voip",
],
from: {
zones: ["trust"],
},
action: {
forward: {
egressInterface: "ethernet1/2",
nexthop: {
ipAddress: "10.10.0.1",
},
monitor: {
ipAddress: "10.10.0.1",
profile: "high-availability",
disableIfUnreachable: true,
},
},
},
enforceSymmetricReturn: {
enabled: true,
},
tags: [
"voip",
"priority",
],
}],
});
//# Place the rule group after a specific rule with forward action using FQDN
const applicationRouting = new panos.PbfPolicyRules("application_routing", {
location: {
deviceGroup: {
name: example.name,
rulebase: "pre-rulebase",
},
},
position: {
where: "after",
directly: true,
pivot: "route-voip-traffic",
},
rules: [
{
name: "route-backup-traffic",
description: "Route backup traffic through dedicated backup link",
sourceAddresses: ["backup-servers"],
destinationAddresses: ["backup-storage"],
services: ["any"],
applications: ["backup"],
from: {
zones: ["dmz"],
},
action: {
forward: {
egressInterface: "ethernet1/4",
nexthop: {
fqdn: "backup-gateway.example.com",
},
monitor: {
ipAddress: "10.30.0.1",
disableIfUnreachable: false,
},
},
},
schedule: "backup-window",
tags: [
"backup",
"scheduled",
],
},
{
name: "block-suspicious-traffic",
description: "Discard traffic from untrusted sources",
sourceAddresses: ["suspicious-network"],
destinationAddresses: ["any"],
services: ["any"],
applications: ["any"],
from: {
zones: ["untrust"],
},
action: {
discard: {},
},
disabled: false,
tags: [
"security",
"block",
],
},
],
});
//# Advanced rule with interface-based source and specific target devices
const interfaceRouting = new panos.PbfPolicyRules("interface_routing", {
location: {
deviceGroup: {
name: example.name,
rulebase: "post-rulebase",
},
},
position: {
where: "last",
},
rules: [
{
name: "route-iot-devices",
description: "Route IoT device traffic through isolated network segment",
sourceAddresses: ["iot-network"],
destinationAddresses: ["cloud-services"],
negateDestination: false,
services: ["service-https"],
applications: ["any"],
sourceUsers: ["any"],
from: {
interfaces: [
"ethernet1/5",
"ethernet1/6",
],
},
action: {
forward: {
egressInterface: "ethernet1/7",
nexthop: {
ipAddress: "10.40.0.1",
},
},
},
activeActiveDeviceBinding: "both",
target: {
devices: [{
name: "fw-branch-01",
vsys: [{
name: "vsys1",
}],
}],
negate: false,
tags: ["branch-office"],
},
tags: [
"iot",
"isolated",
],
},
{
name: "route-to-virtual-system",
description: "Route traffic to a different virtual system for processing",
sourceAddresses: ["cross-vsys-network"],
destinationAddresses: ["shared-resources"],
services: ["any"],
applications: ["any"],
from: {
zones: ["trust"],
},
action: {
forwardToVsys: "vsys2",
},
tags: ["cross-vsys"],
},
],
});
import pulumi
import pulumi_panos as panos
example = panos.DeviceGroup("example",
location={
"panorama": {},
},
name="example-device-group")
# Manage a group of Policy Based Forwarding rules with positioning
## Place the rule group at the top of the pre-rulebase
priority_routing = panos.PbfPolicyRules("priority_routing",
location={
"device_group": {
"name": example.name,
"rulebase": "pre-rulebase",
},
},
position={
"where": "first",
},
rules=[{
"name": "route-voip-traffic",
"description": "Route VoIP traffic through low-latency path",
"source_addresses": ["corporate-network"],
"destination_addresses": ["voip-servers"],
"services": [
"sip",
"rtp",
],
"applications": [
"sip",
"voip",
],
"from_": {
"zones": ["trust"],
},
"action": {
"forward": {
"egress_interface": "ethernet1/2",
"nexthop": {
"ip_address": "10.10.0.1",
},
"monitor": {
"ip_address": "10.10.0.1",
"profile": "high-availability",
"disable_if_unreachable": True,
},
},
},
"enforce_symmetric_return": {
"enabled": True,
},
"tags": [
"voip",
"priority",
],
}])
## Place the rule group after a specific rule with forward action using FQDN
application_routing = panos.PbfPolicyRules("application_routing",
location={
"device_group": {
"name": example.name,
"rulebase": "pre-rulebase",
},
},
position={
"where": "after",
"directly": True,
"pivot": "route-voip-traffic",
},
rules=[
{
"name": "route-backup-traffic",
"description": "Route backup traffic through dedicated backup link",
"source_addresses": ["backup-servers"],
"destination_addresses": ["backup-storage"],
"services": ["any"],
"applications": ["backup"],
"from_": {
"zones": ["dmz"],
},
"action": {
"forward": {
"egress_interface": "ethernet1/4",
"nexthop": {
"fqdn": "backup-gateway.example.com",
},
"monitor": {
"ip_address": "10.30.0.1",
"disable_if_unreachable": False,
},
},
},
"schedule": "backup-window",
"tags": [
"backup",
"scheduled",
],
},
{
"name": "block-suspicious-traffic",
"description": "Discard traffic from untrusted sources",
"source_addresses": ["suspicious-network"],
"destination_addresses": ["any"],
"services": ["any"],
"applications": ["any"],
"from_": {
"zones": ["untrust"],
},
"action": {
"discard": {},
},
"disabled": False,
"tags": [
"security",
"block",
],
},
])
## Advanced rule with interface-based source and specific target devices
interface_routing = panos.PbfPolicyRules("interface_routing",
location={
"device_group": {
"name": example.name,
"rulebase": "post-rulebase",
},
},
position={
"where": "last",
},
rules=[
{
"name": "route-iot-devices",
"description": "Route IoT device traffic through isolated network segment",
"source_addresses": ["iot-network"],
"destination_addresses": ["cloud-services"],
"negate_destination": False,
"services": ["service-https"],
"applications": ["any"],
"source_users": ["any"],
"from_": {
"interfaces": [
"ethernet1/5",
"ethernet1/6",
],
},
"action": {
"forward": {
"egress_interface": "ethernet1/7",
"nexthop": {
"ip_address": "10.40.0.1",
},
},
},
"active_active_device_binding": "both",
"target": {
"devices": [{
"name": "fw-branch-01",
"vsys": [{
"name": "vsys1",
}],
}],
"negate": False,
"tags": ["branch-office"],
},
"tags": [
"iot",
"isolated",
],
},
{
"name": "route-to-virtual-system",
"description": "Route traffic to a different virtual system for processing",
"source_addresses": ["cross-vsys-network"],
"destination_addresses": ["shared-resources"],
"services": ["any"],
"applications": ["any"],
"from_": {
"zones": ["trust"],
},
"action": {
"forward_to_vsys": "vsys2",
},
"tags": ["cross-vsys"],
},
])
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/panos/v2/panos"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := panos.NewDeviceGroup(ctx, "example", &panos.DeviceGroupArgs{
Location: &panos.DeviceGroupLocationArgs{
Panorama: &panos.DeviceGroupLocationPanoramaArgs{},
},
Name: pulumi.String("example-device-group"),
})
if err != nil {
return err
}
// Manage a group of Policy Based Forwarding rules with positioning
// # Place the rule group at the top of the pre-rulebase
_, err = panos.NewPbfPolicyRules(ctx, "priority_routing", &panos.PbfPolicyRulesArgs{
Location: &panos.PbfPolicyRulesLocationArgs{
DeviceGroup: &panos.PbfPolicyRulesLocationDeviceGroupArgs{
Name: example.Name,
Rulebase: pulumi.String("pre-rulebase"),
},
},
Position: &panos.PbfPolicyRulesPositionArgs{
Where: pulumi.String("first"),
},
Rules: panos.PbfPolicyRulesRuleArray{
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("route-voip-traffic"),
Description: pulumi.String("Route VoIP traffic through low-latency path"),
SourceAddresses: pulumi.StringArray{
pulumi.String("corporate-network"),
},
DestinationAddresses: pulumi.StringArray{
pulumi.String("voip-servers"),
},
Services: pulumi.StringArray{
pulumi.String("sip"),
pulumi.String("rtp"),
},
Applications: pulumi.StringArray{
pulumi.String("sip"),
pulumi.String("voip"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Zones: pulumi.StringArray{
pulumi.String("trust"),
},
},
Action: &panos.PbfPolicyRulesRuleActionArgs{
Forward: &panos.PbfPolicyRulesRuleActionForwardArgs{
EgressInterface: pulumi.String("ethernet1/2"),
Nexthop: &panos.PbfPolicyRulesRuleActionForwardNexthopArgs{
IpAddress: pulumi.String("10.10.0.1"),
},
Monitor: &panos.PbfPolicyRulesRuleActionForwardMonitorArgs{
IpAddress: pulumi.String("10.10.0.1"),
Profile: pulumi.String("high-availability"),
DisableIfUnreachable: pulumi.Bool(true),
},
},
},
EnforceSymmetricReturn: &panos.PbfPolicyRulesRuleEnforceSymmetricReturnArgs{
Enabled: pulumi.Bool(true),
},
Tags: pulumi.StringArray{
pulumi.String("voip"),
pulumi.String("priority"),
},
},
},
})
if err != nil {
return err
}
// # Place the rule group after a specific rule with forward action using FQDN
_, err = panos.NewPbfPolicyRules(ctx, "application_routing", &panos.PbfPolicyRulesArgs{
Location: &panos.PbfPolicyRulesLocationArgs{
DeviceGroup: &panos.PbfPolicyRulesLocationDeviceGroupArgs{
Name: example.Name,
Rulebase: pulumi.String("pre-rulebase"),
},
},
Position: &panos.PbfPolicyRulesPositionArgs{
Where: pulumi.String("after"),
Directly: pulumi.Bool(true),
Pivot: pulumi.String("route-voip-traffic"),
},
Rules: panos.PbfPolicyRulesRuleArray{
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("route-backup-traffic"),
Description: pulumi.String("Route backup traffic through dedicated backup link"),
SourceAddresses: pulumi.StringArray{
pulumi.String("backup-servers"),
},
DestinationAddresses: pulumi.StringArray{
pulumi.String("backup-storage"),
},
Services: pulumi.StringArray{
pulumi.String("any"),
},
Applications: pulumi.StringArray{
pulumi.String("backup"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Zones: pulumi.StringArray{
pulumi.String("dmz"),
},
},
Action: &panos.PbfPolicyRulesRuleActionArgs{
Forward: &panos.PbfPolicyRulesRuleActionForwardArgs{
EgressInterface: pulumi.String("ethernet1/4"),
Nexthop: &panos.PbfPolicyRulesRuleActionForwardNexthopArgs{
Fqdn: pulumi.String("backup-gateway.example.com"),
},
Monitor: &panos.PbfPolicyRulesRuleActionForwardMonitorArgs{
IpAddress: pulumi.String("10.30.0.1"),
DisableIfUnreachable: pulumi.Bool(false),
},
},
},
Schedule: pulumi.String("backup-window"),
Tags: pulumi.StringArray{
pulumi.String("backup"),
pulumi.String("scheduled"),
},
},
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("block-suspicious-traffic"),
Description: pulumi.String("Discard traffic from untrusted sources"),
SourceAddresses: pulumi.StringArray{
pulumi.String("suspicious-network"),
},
DestinationAddresses: pulumi.StringArray{
pulumi.String("any"),
},
Services: pulumi.StringArray{
pulumi.String("any"),
},
Applications: pulumi.StringArray{
pulumi.String("any"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Zones: pulumi.StringArray{
pulumi.String("untrust"),
},
},
Action: &panos.PbfPolicyRulesRuleActionArgs{
Discard: &panos.PbfPolicyRulesRuleActionDiscardArgs{},
},
Disabled: pulumi.Bool(false),
Tags: pulumi.StringArray{
pulumi.String("security"),
pulumi.String("block"),
},
},
},
})
if err != nil {
return err
}
// # Advanced rule with interface-based source and specific target devices
_, err = panos.NewPbfPolicyRules(ctx, "interface_routing", &panos.PbfPolicyRulesArgs{
Location: &panos.PbfPolicyRulesLocationArgs{
DeviceGroup: &panos.PbfPolicyRulesLocationDeviceGroupArgs{
Name: example.Name,
Rulebase: pulumi.String("post-rulebase"),
},
},
Position: &panos.PbfPolicyRulesPositionArgs{
Where: pulumi.String("last"),
},
Rules: panos.PbfPolicyRulesRuleArray{
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("route-iot-devices"),
Description: pulumi.String("Route IoT device traffic through isolated network segment"),
SourceAddresses: pulumi.StringArray{
pulumi.String("iot-network"),
},
DestinationAddresses: pulumi.StringArray{
pulumi.String("cloud-services"),
},
NegateDestination: pulumi.Bool(false),
Services: pulumi.StringArray{
pulumi.String("service-https"),
},
Applications: pulumi.StringArray{
pulumi.String("any"),
},
SourceUsers: pulumi.StringArray{
pulumi.String("any"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Interfaces: pulumi.StringArray{
pulumi.String("ethernet1/5"),
pulumi.String("ethernet1/6"),
},
},
Action: &panos.PbfPolicyRulesRuleActionArgs{
Forward: &panos.PbfPolicyRulesRuleActionForwardArgs{
EgressInterface: pulumi.String("ethernet1/7"),
Nexthop: &panos.PbfPolicyRulesRuleActionForwardNexthopArgs{
IpAddress: pulumi.String("10.40.0.1"),
},
},
},
ActiveActiveDeviceBinding: pulumi.String("both"),
Target: &panos.PbfPolicyRulesRuleTargetArgs{
Devices: panos.PbfPolicyRulesRuleTargetDeviceArray{
&panos.PbfPolicyRulesRuleTargetDeviceArgs{
Name: pulumi.String("fw-branch-01"),
Vsys: panos.PbfPolicyRulesRuleTargetDeviceVsyArray{
&panos.PbfPolicyRulesRuleTargetDeviceVsyArgs{
Name: pulumi.String("vsys1"),
},
},
},
},
Negate: pulumi.Bool(false),
Tags: pulumi.StringArray{
pulumi.String("branch-office"),
},
},
Tags: pulumi.StringArray{
pulumi.String("iot"),
pulumi.String("isolated"),
},
},
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("route-to-virtual-system"),
Description: pulumi.String("Route traffic to a different virtual system for processing"),
SourceAddresses: pulumi.StringArray{
pulumi.String("cross-vsys-network"),
},
DestinationAddresses: pulumi.StringArray{
pulumi.String("shared-resources"),
},
Services: pulumi.StringArray{
pulumi.String("any"),
},
Applications: pulumi.StringArray{
pulumi.String("any"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Zones: pulumi.StringArray{
pulumi.String("trust"),
},
},
Action: &panos.PbfPolicyRulesRuleActionArgs{
ForwardToVsys: pulumi.String("vsys2"),
},
Tags: pulumi.StringArray{
pulumi.String("cross-vsys"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Panos = Pulumi.Panos;
return await Deployment.RunAsync(() =>
{
var example = new Panos.DeviceGroup("example", new()
{
Location = new Panos.Inputs.DeviceGroupLocationArgs
{
Panorama = null,
},
Name = "example-device-group",
});
// Manage a group of Policy Based Forwarding rules with positioning
//# Place the rule group at the top of the pre-rulebase
var priorityRouting = new Panos.PbfPolicyRules("priority_routing", new()
{
Location = new Panos.Inputs.PbfPolicyRulesLocationArgs
{
DeviceGroup = new Panos.Inputs.PbfPolicyRulesLocationDeviceGroupArgs
{
Name = example.Name,
Rulebase = "pre-rulebase",
},
},
Position = new Panos.Inputs.PbfPolicyRulesPositionArgs
{
Where = "first",
},
Rules = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "route-voip-traffic",
Description = "Route VoIP traffic through low-latency path",
SourceAddresses = new[]
{
"corporate-network",
},
DestinationAddresses = new[]
{
"voip-servers",
},
Services = new[]
{
"sip",
"rtp",
},
Applications = new[]
{
"sip",
"voip",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Zones = new[]
{
"trust",
},
},
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
Forward = new Panos.Inputs.PbfPolicyRulesRuleActionForwardArgs
{
EgressInterface = "ethernet1/2",
Nexthop = new Panos.Inputs.PbfPolicyRulesRuleActionForwardNexthopArgs
{
IpAddress = "10.10.0.1",
},
Monitor = new Panos.Inputs.PbfPolicyRulesRuleActionForwardMonitorArgs
{
IpAddress = "10.10.0.1",
Profile = "high-availability",
DisableIfUnreachable = true,
},
},
},
EnforceSymmetricReturn = new Panos.Inputs.PbfPolicyRulesRuleEnforceSymmetricReturnArgs
{
Enabled = true,
},
Tags = new[]
{
"voip",
"priority",
},
},
},
});
//# Place the rule group after a specific rule with forward action using FQDN
var applicationRouting = new Panos.PbfPolicyRules("application_routing", new()
{
Location = new Panos.Inputs.PbfPolicyRulesLocationArgs
{
DeviceGroup = new Panos.Inputs.PbfPolicyRulesLocationDeviceGroupArgs
{
Name = example.Name,
Rulebase = "pre-rulebase",
},
},
Position = new Panos.Inputs.PbfPolicyRulesPositionArgs
{
Where = "after",
Directly = true,
Pivot = "route-voip-traffic",
},
Rules = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "route-backup-traffic",
Description = "Route backup traffic through dedicated backup link",
SourceAddresses = new[]
{
"backup-servers",
},
DestinationAddresses = new[]
{
"backup-storage",
},
Services = new[]
{
"any",
},
Applications = new[]
{
"backup",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Zones = new[]
{
"dmz",
},
},
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
Forward = new Panos.Inputs.PbfPolicyRulesRuleActionForwardArgs
{
EgressInterface = "ethernet1/4",
Nexthop = new Panos.Inputs.PbfPolicyRulesRuleActionForwardNexthopArgs
{
Fqdn = "backup-gateway.example.com",
},
Monitor = new Panos.Inputs.PbfPolicyRulesRuleActionForwardMonitorArgs
{
IpAddress = "10.30.0.1",
DisableIfUnreachable = false,
},
},
},
Schedule = "backup-window",
Tags = new[]
{
"backup",
"scheduled",
},
},
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "block-suspicious-traffic",
Description = "Discard traffic from untrusted sources",
SourceAddresses = new[]
{
"suspicious-network",
},
DestinationAddresses = new[]
{
"any",
},
Services = new[]
{
"any",
},
Applications = new[]
{
"any",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Zones = new[]
{
"untrust",
},
},
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
Discard = null,
},
Disabled = false,
Tags = new[]
{
"security",
"block",
},
},
},
});
//# Advanced rule with interface-based source and specific target devices
var interfaceRouting = new Panos.PbfPolicyRules("interface_routing", new()
{
Location = new Panos.Inputs.PbfPolicyRulesLocationArgs
{
DeviceGroup = new Panos.Inputs.PbfPolicyRulesLocationDeviceGroupArgs
{
Name = example.Name,
Rulebase = "post-rulebase",
},
},
Position = new Panos.Inputs.PbfPolicyRulesPositionArgs
{
Where = "last",
},
Rules = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "route-iot-devices",
Description = "Route IoT device traffic through isolated network segment",
SourceAddresses = new[]
{
"iot-network",
},
DestinationAddresses = new[]
{
"cloud-services",
},
NegateDestination = false,
Services = new[]
{
"service-https",
},
Applications = new[]
{
"any",
},
SourceUsers = new[]
{
"any",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Interfaces = new[]
{
"ethernet1/5",
"ethernet1/6",
},
},
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
Forward = new Panos.Inputs.PbfPolicyRulesRuleActionForwardArgs
{
EgressInterface = "ethernet1/7",
Nexthop = new Panos.Inputs.PbfPolicyRulesRuleActionForwardNexthopArgs
{
IpAddress = "10.40.0.1",
},
},
},
ActiveActiveDeviceBinding = "both",
Target = new Panos.Inputs.PbfPolicyRulesRuleTargetArgs
{
Devices = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleTargetDeviceArgs
{
Name = "fw-branch-01",
Vsys = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleTargetDeviceVsyArgs
{
Name = "vsys1",
},
},
},
},
Negate = false,
Tags = new[]
{
"branch-office",
},
},
Tags = new[]
{
"iot",
"isolated",
},
},
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "route-to-virtual-system",
Description = "Route traffic to a different virtual system for processing",
SourceAddresses = new[]
{
"cross-vsys-network",
},
DestinationAddresses = new[]
{
"shared-resources",
},
Services = new[]
{
"any",
},
Applications = new[]
{
"any",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Zones = new[]
{
"trust",
},
},
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
ForwardToVsys = "vsys2",
},
Tags = new[]
{
"cross-vsys",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.panos.DeviceGroup;
import com.pulumi.panos.DeviceGroupArgs;
import com.pulumi.panos.inputs.DeviceGroupLocationArgs;
import com.pulumi.panos.inputs.DeviceGroupLocationPanoramaArgs;
import com.pulumi.panos.PbfPolicyRules;
import com.pulumi.panos.PbfPolicyRulesArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesLocationArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesLocationDeviceGroupArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesPositionArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleFromArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleActionArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleActionForwardArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleActionForwardNexthopArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleActionForwardMonitorArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleEnforceSymmetricReturnArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleActionDiscardArgs;
import com.pulumi.panos.inputs.PbfPolicyRulesRuleTargetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DeviceGroup("example", DeviceGroupArgs.builder()
.location(DeviceGroupLocationArgs.builder()
.panorama(DeviceGroupLocationPanoramaArgs.builder()
.build())
.build())
.name("example-device-group")
.build());
// Manage a group of Policy Based Forwarding rules with positioning
//# Place the rule group at the top of the pre-rulebase
var priorityRouting = new PbfPolicyRules("priorityRouting", PbfPolicyRulesArgs.builder()
.location(PbfPolicyRulesLocationArgs.builder()
.deviceGroup(PbfPolicyRulesLocationDeviceGroupArgs.builder()
.name(example.name())
.rulebase("pre-rulebase")
.build())
.build())
.position(PbfPolicyRulesPositionArgs.builder()
.where("first")
.build())
.rules(PbfPolicyRulesRuleArgs.builder()
.name("route-voip-traffic")
.description("Route VoIP traffic through low-latency path")
.sourceAddresses("corporate-network")
.destinationAddresses("voip-servers")
.services(
"sip",
"rtp")
.applications(
"sip",
"voip")
.from(PbfPolicyRulesRuleFromArgs.builder()
.zones("trust")
.build())
.action(PbfPolicyRulesRuleActionArgs.builder()
.forward(PbfPolicyRulesRuleActionForwardArgs.builder()
.egressInterface("ethernet1/2")
.nexthop(PbfPolicyRulesRuleActionForwardNexthopArgs.builder()
.ipAddress("10.10.0.1")
.build())
.monitor(PbfPolicyRulesRuleActionForwardMonitorArgs.builder()
.ipAddress("10.10.0.1")
.profile("high-availability")
.disableIfUnreachable(true)
.build())
.build())
.build())
.enforceSymmetricReturn(PbfPolicyRulesRuleEnforceSymmetricReturnArgs.builder()
.enabled(true)
.build())
.tags(
"voip",
"priority")
.build())
.build());
//# Place the rule group after a specific rule with forward action using FQDN
var applicationRouting = new PbfPolicyRules("applicationRouting", PbfPolicyRulesArgs.builder()
.location(PbfPolicyRulesLocationArgs.builder()
.deviceGroup(PbfPolicyRulesLocationDeviceGroupArgs.builder()
.name(example.name())
.rulebase("pre-rulebase")
.build())
.build())
.position(PbfPolicyRulesPositionArgs.builder()
.where("after")
.directly(true)
.pivot("route-voip-traffic")
.build())
.rules(
PbfPolicyRulesRuleArgs.builder()
.name("route-backup-traffic")
.description("Route backup traffic through dedicated backup link")
.sourceAddresses("backup-servers")
.destinationAddresses("backup-storage")
.services("any")
.applications("backup")
.from(PbfPolicyRulesRuleFromArgs.builder()
.zones("dmz")
.build())
.action(PbfPolicyRulesRuleActionArgs.builder()
.forward(PbfPolicyRulesRuleActionForwardArgs.builder()
.egressInterface("ethernet1/4")
.nexthop(PbfPolicyRulesRuleActionForwardNexthopArgs.builder()
.fqdn("backup-gateway.example.com")
.build())
.monitor(PbfPolicyRulesRuleActionForwardMonitorArgs.builder()
.ipAddress("10.30.0.1")
.disableIfUnreachable(false)
.build())
.build())
.build())
.schedule("backup-window")
.tags(
"backup",
"scheduled")
.build(),
PbfPolicyRulesRuleArgs.builder()
.name("block-suspicious-traffic")
.description("Discard traffic from untrusted sources")
.sourceAddresses("suspicious-network")
.destinationAddresses("any")
.services("any")
.applications("any")
.from(PbfPolicyRulesRuleFromArgs.builder()
.zones("untrust")
.build())
.action(PbfPolicyRulesRuleActionArgs.builder()
.discard(PbfPolicyRulesRuleActionDiscardArgs.builder()
.build())
.build())
.disabled(false)
.tags(
"security",
"block")
.build())
.build());
//# Advanced rule with interface-based source and specific target devices
var interfaceRouting = new PbfPolicyRules("interfaceRouting", PbfPolicyRulesArgs.builder()
.location(PbfPolicyRulesLocationArgs.builder()
.deviceGroup(PbfPolicyRulesLocationDeviceGroupArgs.builder()
.name(example.name())
.rulebase("post-rulebase")
.build())
.build())
.position(PbfPolicyRulesPositionArgs.builder()
.where("last")
.build())
.rules(
PbfPolicyRulesRuleArgs.builder()
.name("route-iot-devices")
.description("Route IoT device traffic through isolated network segment")
.sourceAddresses("iot-network")
.destinationAddresses("cloud-services")
.negateDestination(false)
.services("service-https")
.applications("any")
.sourceUsers("any")
.from(PbfPolicyRulesRuleFromArgs.builder()
.interfaces(
"ethernet1/5",
"ethernet1/6")
.build())
.action(PbfPolicyRulesRuleActionArgs.builder()
.forward(PbfPolicyRulesRuleActionForwardArgs.builder()
.egressInterface("ethernet1/7")
.nexthop(PbfPolicyRulesRuleActionForwardNexthopArgs.builder()
.ipAddress("10.40.0.1")
.build())
.build())
.build())
.activeActiveDeviceBinding("both")
.target(PbfPolicyRulesRuleTargetArgs.builder()
.devices(PbfPolicyRulesRuleTargetDeviceArgs.builder()
.name("fw-branch-01")
.vsys(PbfPolicyRulesRuleTargetDeviceVsyArgs.builder()
.name("vsys1")
.build())
.build())
.negate(false)
.tags("branch-office")
.build())
.tags(
"iot",
"isolated")
.build(),
PbfPolicyRulesRuleArgs.builder()
.name("route-to-virtual-system")
.description("Route traffic to a different virtual system for processing")
.sourceAddresses("cross-vsys-network")
.destinationAddresses("shared-resources")
.services("any")
.applications("any")
.from(PbfPolicyRulesRuleFromArgs.builder()
.zones("trust")
.build())
.action(PbfPolicyRulesRuleActionArgs.builder()
.forwardToVsys("vsys2")
.build())
.tags("cross-vsys")
.build())
.build());
}
}
resources:
# Manage a group of Policy Based Forwarding rules with positioning
## Place the rule group at the top of the pre-rulebase
priorityRouting:
type: panos:PbfPolicyRules
name: priority_routing
properties:
location:
deviceGroup:
name: ${example.name}
rulebase: pre-rulebase
position:
where: first
rules:
- name: route-voip-traffic
description: Route VoIP traffic through low-latency path
sourceAddresses:
- corporate-network
destinationAddresses:
- voip-servers
services:
- sip
- rtp
applications:
- sip
- voip
from:
zones:
- trust
action:
forward:
egressInterface: ethernet1/2
nexthop:
ipAddress: 10.10.0.1
monitor:
ipAddress: 10.10.0.1
profile: high-availability
disableIfUnreachable: true
enforceSymmetricReturn:
enabled: true
tags:
- voip
- priority
## Place the rule group after a specific rule with forward action using FQDN
applicationRouting:
type: panos:PbfPolicyRules
name: application_routing
properties:
location:
deviceGroup:
name: ${example.name}
rulebase: pre-rulebase
position:
where: after
directly: true
pivot: route-voip-traffic
rules:
- name: route-backup-traffic
description: Route backup traffic through dedicated backup link
sourceAddresses:
- backup-servers
destinationAddresses:
- backup-storage
services:
- any
applications:
- backup
from:
zones:
- dmz
action:
forward:
egressInterface: ethernet1/4
nexthop:
fqdn: backup-gateway.example.com
monitor:
ipAddress: 10.30.0.1
disableIfUnreachable: false
schedule: backup-window
tags:
- backup
- scheduled
- name: block-suspicious-traffic
description: Discard traffic from untrusted sources
sourceAddresses:
- suspicious-network
destinationAddresses:
- any
services:
- any
applications:
- any
from:
zones:
- untrust
action:
discard: {}
disabled: false
tags:
- security
- block
## Advanced rule with interface-based source and specific target devices
interfaceRouting:
type: panos:PbfPolicyRules
name: interface_routing
properties:
location:
deviceGroup:
name: ${example.name}
rulebase: post-rulebase
position:
where: last
rules:
- name: route-iot-devices
description: Route IoT device traffic through isolated network segment
sourceAddresses:
- iot-network
destinationAddresses:
- cloud-services
negateDestination: false
services:
- service-https
applications:
- any
sourceUsers:
- any
from:
interfaces:
- ethernet1/5
- ethernet1/6
action:
forward:
egressInterface: ethernet1/7
nexthop:
ipAddress: 10.40.0.1
activeActiveDeviceBinding: both
target:
devices:
- name: fw-branch-01
vsys:
- name: vsys1
negate: false
tags:
- branch-office
tags:
- iot
- isolated
- name: route-to-virtual-system
description: Route traffic to a different virtual system for processing
sourceAddresses:
- cross-vsys-network
destinationAddresses:
- shared-resources
services:
- any
applications:
- any
from:
zones:
- trust
action:
forwardToVsys: vsys2
tags:
- cross-vsys
example:
type: panos:DeviceGroup
properties:
location:
panorama: {}
name: example-device-group
Create PbfPolicyRules Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PbfPolicyRules(name: string, args: PbfPolicyRulesArgs, opts?: CustomResourceOptions);@overload
def PbfPolicyRules(resource_name: str,
args: PbfPolicyRulesArgs,
opts: Optional[ResourceOptions] = None)
@overload
def PbfPolicyRules(resource_name: str,
opts: Optional[ResourceOptions] = None,
location: Optional[PbfPolicyRulesLocationArgs] = None,
position: Optional[PbfPolicyRulesPositionArgs] = None,
rules: Optional[Sequence[PbfPolicyRulesRuleArgs]] = None)func NewPbfPolicyRules(ctx *Context, name string, args PbfPolicyRulesArgs, opts ...ResourceOption) (*PbfPolicyRules, error)public PbfPolicyRules(string name, PbfPolicyRulesArgs args, CustomResourceOptions? opts = null)
public PbfPolicyRules(String name, PbfPolicyRulesArgs args)
public PbfPolicyRules(String name, PbfPolicyRulesArgs args, CustomResourceOptions options)
type: panos:PbfPolicyRules
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PbfPolicyRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PbfPolicyRulesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PbfPolicyRulesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PbfPolicyRulesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PbfPolicyRulesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var pbfPolicyRulesResource = new Panos.PbfPolicyRules("pbfPolicyRulesResource", new()
{
Location = new Panos.Inputs.PbfPolicyRulesLocationArgs
{
DeviceGroup = new Panos.Inputs.PbfPolicyRulesLocationDeviceGroupArgs
{
Name = "string",
PanoramaDevice = "string",
Rulebase = "string",
},
Shared = new Panos.Inputs.PbfPolicyRulesLocationSharedArgs
{
Rulebase = "string",
},
Vsys = new Panos.Inputs.PbfPolicyRulesLocationVsysArgs
{
Name = "string",
NgfwDevice = "string",
},
},
Position = new Panos.Inputs.PbfPolicyRulesPositionArgs
{
Where = "string",
Directly = false,
Pivot = "string",
},
Rules = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleArgs
{
Name = "string",
GroupTag = "string",
ActiveActiveDeviceBinding = "string",
AuditCommentVersion = "string",
Action = new Panos.Inputs.PbfPolicyRulesRuleActionArgs
{
Discard = null,
Forward = new Panos.Inputs.PbfPolicyRulesRuleActionForwardArgs
{
EgressInterface = "string",
Monitor = new Panos.Inputs.PbfPolicyRulesRuleActionForwardMonitorArgs
{
DisableIfUnreachable = false,
IpAddress = "string",
Profile = "string",
},
Nexthop = new Panos.Inputs.PbfPolicyRulesRuleActionForwardNexthopArgs
{
Fqdn = "string",
IpAddress = "string",
},
},
ForwardToVsys = "string",
NoPbf = null,
},
Description = "string",
DestinationAddresses = new[]
{
"string",
},
Disabled = false,
EnforceSymmetricReturn = new Panos.Inputs.PbfPolicyRulesRuleEnforceSymmetricReturnArgs
{
Enabled = false,
NexthopAddressLists = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressListArgs
{
Name = "string",
},
},
},
Applications = new[]
{
"string",
},
From = new Panos.Inputs.PbfPolicyRulesRuleFromArgs
{
Interfaces = new[]
{
"string",
},
Zones = new[]
{
"string",
},
},
AuditCommentWo = "string",
NegateDestination = false,
NegateSource = false,
Schedule = "string",
Services = new[]
{
"string",
},
SourceAddresses = new[]
{
"string",
},
SourceUsers = new[]
{
"string",
},
Tags = new[]
{
"string",
},
Target = new Panos.Inputs.PbfPolicyRulesRuleTargetArgs
{
Devices = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleTargetDeviceArgs
{
Name = "string",
Vsys = new[]
{
new Panos.Inputs.PbfPolicyRulesRuleTargetDeviceVsyArgs
{
Name = "string",
},
},
},
},
Negate = false,
Tags = new[]
{
"string",
},
},
},
},
});
example, err := panos.NewPbfPolicyRules(ctx, "pbfPolicyRulesResource", &panos.PbfPolicyRulesArgs{
Location: &panos.PbfPolicyRulesLocationArgs{
DeviceGroup: &panos.PbfPolicyRulesLocationDeviceGroupArgs{
Name: pulumi.String("string"),
PanoramaDevice: pulumi.String("string"),
Rulebase: pulumi.String("string"),
},
Shared: &panos.PbfPolicyRulesLocationSharedArgs{
Rulebase: pulumi.String("string"),
},
Vsys: &panos.PbfPolicyRulesLocationVsysArgs{
Name: pulumi.String("string"),
NgfwDevice: pulumi.String("string"),
},
},
Position: &panos.PbfPolicyRulesPositionArgs{
Where: pulumi.String("string"),
Directly: pulumi.Bool(false),
Pivot: pulumi.String("string"),
},
Rules: panos.PbfPolicyRulesRuleArray{
&panos.PbfPolicyRulesRuleArgs{
Name: pulumi.String("string"),
GroupTag: pulumi.String("string"),
ActiveActiveDeviceBinding: pulumi.String("string"),
AuditCommentVersion: pulumi.String("string"),
Action: &panos.PbfPolicyRulesRuleActionArgs{
Discard: &panos.PbfPolicyRulesRuleActionDiscardArgs{},
Forward: &panos.PbfPolicyRulesRuleActionForwardArgs{
EgressInterface: pulumi.String("string"),
Monitor: &panos.PbfPolicyRulesRuleActionForwardMonitorArgs{
DisableIfUnreachable: pulumi.Bool(false),
IpAddress: pulumi.String("string"),
Profile: pulumi.String("string"),
},
Nexthop: &panos.PbfPolicyRulesRuleActionForwardNexthopArgs{
Fqdn: pulumi.String("string"),
IpAddress: pulumi.String("string"),
},
},
ForwardToVsys: pulumi.String("string"),
NoPbf: &panos.PbfPolicyRulesRuleActionNoPbfArgs{},
},
Description: pulumi.String("string"),
DestinationAddresses: pulumi.StringArray{
pulumi.String("string"),
},
Disabled: pulumi.Bool(false),
EnforceSymmetricReturn: &panos.PbfPolicyRulesRuleEnforceSymmetricReturnArgs{
Enabled: pulumi.Bool(false),
NexthopAddressLists: panos.PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressListArray{
&panos.PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressListArgs{
Name: pulumi.String("string"),
},
},
},
Applications: pulumi.StringArray{
pulumi.String("string"),
},
From: &panos.PbfPolicyRulesRuleFromArgs{
Interfaces: pulumi.StringArray{
pulumi.String("string"),
},
Zones: pulumi.StringArray{
pulumi.String("string"),
},
},
AuditCommentWo: pulumi.String("string"),
NegateDestination: pulumi.Bool(false),
NegateSource: pulumi.Bool(false),
Schedule: pulumi.String("string"),
Services: pulumi.StringArray{
pulumi.String("string"),
},
SourceAddresses: pulumi.StringArray{
pulumi.String("string"),
},
SourceUsers: pulumi.StringArray{
pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
Target: &panos.PbfPolicyRulesRuleTargetArgs{
Devices: panos.PbfPolicyRulesRuleTargetDeviceArray{
&panos.PbfPolicyRulesRuleTargetDeviceArgs{
Name: pulumi.String("string"),
Vsys: panos.PbfPolicyRulesRuleTargetDeviceVsyArray{
&panos.PbfPolicyRulesRuleTargetDeviceVsyArgs{
Name: pulumi.String("string"),
},
},
},
},
Negate: pulumi.Bool(false),
Tags: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
})
var pbfPolicyRulesResource = new PbfPolicyRules("pbfPolicyRulesResource", PbfPolicyRulesArgs.builder()
.location(PbfPolicyRulesLocationArgs.builder()
.deviceGroup(PbfPolicyRulesLocationDeviceGroupArgs.builder()
.name("string")
.panoramaDevice("string")
.rulebase("string")
.build())
.shared(PbfPolicyRulesLocationSharedArgs.builder()
.rulebase("string")
.build())
.vsys(PbfPolicyRulesLocationVsysArgs.builder()
.name("string")
.ngfwDevice("string")
.build())
.build())
.position(PbfPolicyRulesPositionArgs.builder()
.where("string")
.directly(false)
.pivot("string")
.build())
.rules(PbfPolicyRulesRuleArgs.builder()
.name("string")
.groupTag("string")
.activeActiveDeviceBinding("string")
.auditCommentVersion("string")
.action(PbfPolicyRulesRuleActionArgs.builder()
.discard(PbfPolicyRulesRuleActionDiscardArgs.builder()
.build())
.forward(PbfPolicyRulesRuleActionForwardArgs.builder()
.egressInterface("string")
.monitor(PbfPolicyRulesRuleActionForwardMonitorArgs.builder()
.disableIfUnreachable(false)
.ipAddress("string")
.profile("string")
.build())
.nexthop(PbfPolicyRulesRuleActionForwardNexthopArgs.builder()
.fqdn("string")
.ipAddress("string")
.build())
.build())
.forwardToVsys("string")
.noPbf(PbfPolicyRulesRuleActionNoPbfArgs.builder()
.build())
.build())
.description("string")
.destinationAddresses("string")
.disabled(false)
.enforceSymmetricReturn(PbfPolicyRulesRuleEnforceSymmetricReturnArgs.builder()
.enabled(false)
.nexthopAddressLists(PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressListArgs.builder()
.name("string")
.build())
.build())
.applications("string")
.from(PbfPolicyRulesRuleFromArgs.builder()
.interfaces("string")
.zones("string")
.build())
.auditCommentWo("string")
.negateDestination(false)
.negateSource(false)
.schedule("string")
.services("string")
.sourceAddresses("string")
.sourceUsers("string")
.tags("string")
.target(PbfPolicyRulesRuleTargetArgs.builder()
.devices(PbfPolicyRulesRuleTargetDeviceArgs.builder()
.name("string")
.vsys(PbfPolicyRulesRuleTargetDeviceVsyArgs.builder()
.name("string")
.build())
.build())
.negate(false)
.tags("string")
.build())
.build())
.build());
pbf_policy_rules_resource = panos.PbfPolicyRules("pbfPolicyRulesResource",
location={
"device_group": {
"name": "string",
"panorama_device": "string",
"rulebase": "string",
},
"shared": {
"rulebase": "string",
},
"vsys": {
"name": "string",
"ngfw_device": "string",
},
},
position={
"where": "string",
"directly": False,
"pivot": "string",
},
rules=[{
"name": "string",
"group_tag": "string",
"active_active_device_binding": "string",
"audit_comment_version": "string",
"action": {
"discard": {},
"forward": {
"egress_interface": "string",
"monitor": {
"disable_if_unreachable": False,
"ip_address": "string",
"profile": "string",
},
"nexthop": {
"fqdn": "string",
"ip_address": "string",
},
},
"forward_to_vsys": "string",
"no_pbf": {},
},
"description": "string",
"destination_addresses": ["string"],
"disabled": False,
"enforce_symmetric_return": {
"enabled": False,
"nexthop_address_lists": [{
"name": "string",
}],
},
"applications": ["string"],
"from_": {
"interfaces": ["string"],
"zones": ["string"],
},
"audit_comment_wo": "string",
"negate_destination": False,
"negate_source": False,
"schedule": "string",
"services": ["string"],
"source_addresses": ["string"],
"source_users": ["string"],
"tags": ["string"],
"target": {
"devices": [{
"name": "string",
"vsys": [{
"name": "string",
}],
}],
"negate": False,
"tags": ["string"],
},
}])
const pbfPolicyRulesResource = new panos.PbfPolicyRules("pbfPolicyRulesResource", {
location: {
deviceGroup: {
name: "string",
panoramaDevice: "string",
rulebase: "string",
},
shared: {
rulebase: "string",
},
vsys: {
name: "string",
ngfwDevice: "string",
},
},
position: {
where: "string",
directly: false,
pivot: "string",
},
rules: [{
name: "string",
groupTag: "string",
activeActiveDeviceBinding: "string",
auditCommentVersion: "string",
action: {
discard: {},
forward: {
egressInterface: "string",
monitor: {
disableIfUnreachable: false,
ipAddress: "string",
profile: "string",
},
nexthop: {
fqdn: "string",
ipAddress: "string",
},
},
forwardToVsys: "string",
noPbf: {},
},
description: "string",
destinationAddresses: ["string"],
disabled: false,
enforceSymmetricReturn: {
enabled: false,
nexthopAddressLists: [{
name: "string",
}],
},
applications: ["string"],
from: {
interfaces: ["string"],
zones: ["string"],
},
auditCommentWo: "string",
negateDestination: false,
negateSource: false,
schedule: "string",
services: ["string"],
sourceAddresses: ["string"],
sourceUsers: ["string"],
tags: ["string"],
target: {
devices: [{
name: "string",
vsys: [{
name: "string",
}],
}],
negate: false,
tags: ["string"],
},
}],
});
type: panos:PbfPolicyRules
properties:
location:
deviceGroup:
name: string
panoramaDevice: string
rulebase: string
shared:
rulebase: string
vsys:
name: string
ngfwDevice: string
position:
directly: false
pivot: string
where: string
rules:
- action:
discard: {}
forward:
egressInterface: string
monitor:
disableIfUnreachable: false
ipAddress: string
profile: string
nexthop:
fqdn: string
ipAddress: string
forwardToVsys: string
noPbf: {}
activeActiveDeviceBinding: string
applications:
- string
auditCommentVersion: string
auditCommentWo: string
description: string
destinationAddresses:
- string
disabled: false
enforceSymmetricReturn:
enabled: false
nexthopAddressLists:
- name: string
from:
interfaces:
- string
zones:
- string
groupTag: string
name: string
negateDestination: false
negateSource: false
schedule: string
services:
- string
sourceAddresses:
- string
sourceUsers:
- string
tags:
- string
target:
devices:
- name: string
vsys:
- name: string
negate: false
tags:
- string
PbfPolicyRules Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PbfPolicyRules resource accepts the following input properties:
- Location
Pbf
Policy Rules Location - The location of this object.
- Position
Pbf
Policy Rules Position - Rules
List<Pbf
Policy Rules Rule>
- Location
Pbf
Policy Rules Location Args - The location of this object.
- Position
Pbf
Policy Rules Position Args - Rules
[]Pbf
Policy Rules Rule Args
- location
Pbf
Policy Rules Location - The location of this object.
- position
Pbf
Policy Rules Position - rules
List<Pbf
Policy Rules Rule>
- location
Pbf
Policy Rules Location - The location of this object.
- position
Pbf
Policy Rules Position - rules
Pbf
Policy Rules Rule[]
- location
Pbf
Policy Rules Location Args - The location of this object.
- position
Pbf
Policy Rules Position Args - rules
Sequence[Pbf
Policy Rules Rule Args]
- location Property Map
- The location of this object.
- position Property Map
- rules List<Property Map>
Outputs
All input properties are implicitly available as output properties. Additionally, the PbfPolicyRules resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing PbfPolicyRules Resource
Get an existing PbfPolicyRules resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PbfPolicyRulesState, opts?: CustomResourceOptions): PbfPolicyRules@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
location: Optional[PbfPolicyRulesLocationArgs] = None,
position: Optional[PbfPolicyRulesPositionArgs] = None,
rules: Optional[Sequence[PbfPolicyRulesRuleArgs]] = None) -> PbfPolicyRulesfunc GetPbfPolicyRules(ctx *Context, name string, id IDInput, state *PbfPolicyRulesState, opts ...ResourceOption) (*PbfPolicyRules, error)public static PbfPolicyRules Get(string name, Input<string> id, PbfPolicyRulesState? state, CustomResourceOptions? opts = null)public static PbfPolicyRules get(String name, Output<String> id, PbfPolicyRulesState state, CustomResourceOptions options)resources: _: type: panos:PbfPolicyRules get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Location
Pbf
Policy Rules Location - The location of this object.
- Position
Pbf
Policy Rules Position - Rules
List<Pbf
Policy Rules Rule>
- Location
Pbf
Policy Rules Location Args - The location of this object.
- Position
Pbf
Policy Rules Position Args - Rules
[]Pbf
Policy Rules Rule Args
- location
Pbf
Policy Rules Location - The location of this object.
- position
Pbf
Policy Rules Position - rules
List<Pbf
Policy Rules Rule>
- location
Pbf
Policy Rules Location - The location of this object.
- position
Pbf
Policy Rules Position - rules
Pbf
Policy Rules Rule[]
- location
Pbf
Policy Rules Location Args - The location of this object.
- position
Pbf
Policy Rules Position Args - rules
Sequence[Pbf
Policy Rules Rule Args]
- location Property Map
- The location of this object.
- position Property Map
- rules List<Property Map>
Supporting Types
PbfPolicyRulesLocation, PbfPolicyRulesLocationArgs
- Device
Group PbfPolicy Rules Location Device Group - Located in a specific device group rulebase
-
Pbf
Policy Rules Location Shared - Located in a shared rulebase
- Vsys
Pbf
Policy Rules Location Vsys - Located in a specific vsys rulebase
- Device
Group PbfPolicy Rules Location Device Group - Located in a specific device group rulebase
-
Pbf
Policy Rules Location Shared - Located in a shared rulebase
- Vsys
Pbf
Policy Rules Location Vsys - Located in a specific vsys rulebase
- device
Group PbfPolicy Rules Location Device Group - Located in a specific device group rulebase
-
Pbf
Policy Rules Location Shared - Located in a shared rulebase
- vsys
Pbf
Policy Rules Location Vsys - Located in a specific vsys rulebase
- device
Group PbfPolicy Rules Location Device Group - Located in a specific device group rulebase
-
Pbf
Policy Rules Location Shared - Located in a shared rulebase
- vsys
Pbf
Policy Rules Location Vsys - Located in a specific vsys rulebase
- device_
group PbfPolicy Rules Location Device Group - Located in a specific device group rulebase
-
Pbf
Policy Rules Location Shared - Located in a shared rulebase
- vsys
Pbf
Policy Rules Location Vsys - Located in a specific vsys rulebase
- device
Group Property Map - Located in a specific device group rulebase
- Property Map
- Located in a shared rulebase
- vsys Property Map
- Located in a specific vsys rulebase
PbfPolicyRulesLocationDeviceGroup, PbfPolicyRulesLocationDeviceGroupArgs
- Name string
- The device group name
- Panorama
Device string - The panorama device
- Rulebase string
- The rulebase
- Name string
- The device group name
- Panorama
Device string - The panorama device
- Rulebase string
- The rulebase
- name String
- The device group name
- panorama
Device String - The panorama device
- rulebase String
- The rulebase
- name string
- The device group name
- panorama
Device string - The panorama device
- rulebase string
- The rulebase
- name str
- The device group name
- panorama_
device str - The panorama device
- rulebase str
- The rulebase
- name String
- The device group name
- panorama
Device String - The panorama device
- rulebase String
- The rulebase
PbfPolicyRulesLocationShared, PbfPolicyRulesLocationSharedArgs
- Rulebase string
- Rulebase name
- Rulebase string
- Rulebase name
- rulebase String
- Rulebase name
- rulebase string
- Rulebase name
- rulebase str
- Rulebase name
- rulebase String
- Rulebase name
PbfPolicyRulesLocationVsys, PbfPolicyRulesLocationVsysArgs
- Name string
- The vsys name
- Ngfw
Device string - The NGFW device
- Name string
- The vsys name
- Ngfw
Device string - The NGFW device
- name String
- The vsys name
- ngfw
Device String - The NGFW device
- name string
- The vsys name
- ngfw
Device string - The NGFW device
- name str
- The vsys name
- ngfw_
device str - The NGFW device
- name String
- The vsys name
- ngfw
Device String - The NGFW device
PbfPolicyRulesPosition, PbfPolicyRulesPositionArgs
PbfPolicyRulesRule, PbfPolicyRulesRuleArgs
- Name string
- Action
Pbf
Policy Rules Rule Action - Active
Active stringDevice Binding - Device binding configuration in HA Active-Active mode
- Applications List<string>
- Audit
Comment stringVersion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- Audit
Comment stringWo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- Description string
- Destination
Addresses List<string> - Disabled bool
- Disable the rule
- Enforce
Symmetric PbfReturn Policy Rules Rule Enforce Symmetric Return - From
Pbf
Policy Rules Rule From - Group
Tag string - Negate
Destination bool - Negate
Source bool - Schedule string
- Services List<string>
- Source
Addresses List<string> - Source
Users List<string> - List<string>
- Target
Pbf
Policy Rules Rule Target
- Name string
- Action
Pbf
Policy Rules Rule Action - Active
Active stringDevice Binding - Device binding configuration in HA Active-Active mode
- Applications []string
- Audit
Comment stringVersion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- Audit
Comment stringWo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- Description string
- Destination
Addresses []string - Disabled bool
- Disable the rule
- Enforce
Symmetric PbfReturn Policy Rules Rule Enforce Symmetric Return - From
Pbf
Policy Rules Rule From - Group
Tag string - Negate
Destination bool - Negate
Source bool - Schedule string
- Services []string
- Source
Addresses []string - Source
Users []string - []string
- Target
Pbf
Policy Rules Rule Target
- name String
- action
Pbf
Policy Rules Rule Action - active
Active StringDevice Binding - Device binding configuration in HA Active-Active mode
- applications List<String>
- audit
Comment StringVersion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- audit
Comment StringWo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description String
- destination
Addresses List<String> - disabled Boolean
- Disable the rule
- enforce
Symmetric PbfReturn Policy Rules Rule Enforce Symmetric Return - from
Pbf
Policy Rules Rule From - group
Tag String - negate
Destination Boolean - negate
Source Boolean - schedule String
- services List<String>
- source
Addresses List<String> - source
Users List<String> - List<String>
- target
Pbf
Policy Rules Rule Target
- name string
- action
Pbf
Policy Rules Rule Action - active
Active stringDevice Binding - Device binding configuration in HA Active-Active mode
- applications string[]
- audit
Comment stringVersion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- audit
Comment stringWo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description string
- destination
Addresses string[] - disabled boolean
- Disable the rule
- enforce
Symmetric PbfReturn Policy Rules Rule Enforce Symmetric Return - from
Pbf
Policy Rules Rule From - group
Tag string - negate
Destination boolean - negate
Source boolean - schedule string
- services string[]
- source
Addresses string[] - source
Users string[] - string[]
- target
Pbf
Policy Rules Rule Target
- name str
- action
Pbf
Policy Rules Rule Action - active_
active_ strdevice_ binding - Device binding configuration in HA Active-Active mode
- applications Sequence[str]
- audit_
comment_ strversion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- audit_
comment_ strwo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description str
- destination_
addresses Sequence[str] - disabled bool
- Disable the rule
- enforce_
symmetric_ Pbfreturn Policy Rules Rule Enforce Symmetric Return - from_
Pbf
Policy Rules Rule From - group_
tag str - negate_
destination bool - negate_
source bool - schedule str
- services Sequence[str]
- source_
addresses Sequence[str] - source_
users Sequence[str] - Sequence[str]
- target
Pbf
Policy Rules Rule Target
- name String
- action Property Map
- active
Active StringDevice Binding - Device binding configuration in HA Active-Active mode
- applications List<String>
- audit
Comment StringVersion - Version trigger for audit comments. Change this value to send the auditcommentwo to PAN-OS. This attribute is not sent to PAN-OS itself, but serves as a trigger to detect when the audit comment should be updated.
- audit
Comment StringWo - Write-only audit comment for this rule. This value is sent to PAN-OS but not read back. Changes are only sent when auditcommentversion is modified. Each time auditcommentversion changes, this comment is added to the audit history with a timestamp.
- description String
- destination
Addresses List<String> - disabled Boolean
- Disable the rule
- enforce
Symmetric Property MapReturn - from Property Map
- group
Tag String - negate
Destination Boolean - negate
Source Boolean - schedule String
- services List<String>
- source
Addresses List<String> - source
Users List<String> - List<String>
- target Property Map
PbfPolicyRulesRuleAction, PbfPolicyRulesRuleActionArgs
- Discard
Pbf
Policy Rules Rule Action Discard - Forward
Pbf
Policy Rules Rule Action Forward - Forward
To stringVsys - Virtual system/Shared gateway to route packet to
- No
Pbf PbfPolicy Rules Rule Action No Pbf
- Discard
Pbf
Policy Rules Rule Action Discard - Forward
Pbf
Policy Rules Rule Action Forward - Forward
To stringVsys - Virtual system/Shared gateway to route packet to
- No
Pbf PbfPolicy Rules Rule Action No Pbf
- discard
Pbf
Policy Rules Rule Action Discard - forward
Pbf
Policy Rules Rule Action Forward - forward
To StringVsys - Virtual system/Shared gateway to route packet to
- no
Pbf PbfPolicy Rules Rule Action No Pbf
- discard
Pbf
Policy Rules Rule Action Discard - forward
Pbf
Policy Rules Rule Action Forward - forward
To stringVsys - Virtual system/Shared gateway to route packet to
- no
Pbf PbfPolicy Rules Rule Action No Pbf
- discard
Pbf
Policy Rules Rule Action Discard - forward
Pbf
Policy Rules Rule Action Forward - forward_
to_ strvsys - Virtual system/Shared gateway to route packet to
- no_
pbf PbfPolicy Rules Rule Action No Pbf
- discard Property Map
- forward Property Map
- forward
To StringVsys - Virtual system/Shared gateway to route packet to
- no
Pbf Property Map
PbfPolicyRulesRuleActionForward, PbfPolicyRulesRuleActionForwardArgs
- Egress
Interface string - Interface to route packet to
- Monitor
Pbf
Policy Rules Rule Action Forward Monitor - Nexthop
Pbf
Policy Rules Rule Action Forward Nexthop
- Egress
Interface string - Interface to route packet to
- Monitor
Pbf
Policy Rules Rule Action Forward Monitor - Nexthop
Pbf
Policy Rules Rule Action Forward Nexthop
- egress
Interface String - Interface to route packet to
- monitor
Pbf
Policy Rules Rule Action Forward Monitor - nexthop
Pbf
Policy Rules Rule Action Forward Nexthop
- egress
Interface string - Interface to route packet to
- monitor
Pbf
Policy Rules Rule Action Forward Monitor - nexthop
Pbf
Policy Rules Rule Action Forward Nexthop
- egress_
interface str - Interface to route packet to
- monitor
Pbf
Policy Rules Rule Action Forward Monitor - nexthop
Pbf
Policy Rules Rule Action Forward Nexthop
- egress
Interface String - Interface to route packet to
- monitor Property Map
- nexthop Property Map
PbfPolicyRulesRuleActionForwardMonitor, PbfPolicyRulesRuleActionForwardMonitorArgs
- Disable
If boolUnreachable - Disable this rule if nexthop/monitor ip is unreachable
- Ip
Address string - Monitor IP address
- Profile string
- Monitoring profile associated with this rule
- Disable
If boolUnreachable - Disable this rule if nexthop/monitor ip is unreachable
- Ip
Address string - Monitor IP address
- Profile string
- Monitoring profile associated with this rule
- disable
If BooleanUnreachable - Disable this rule if nexthop/monitor ip is unreachable
- ip
Address String - Monitor IP address
- profile String
- Monitoring profile associated with this rule
- disable
If booleanUnreachable - Disable this rule if nexthop/monitor ip is unreachable
- ip
Address string - Monitor IP address
- profile string
- Monitoring profile associated with this rule
- disable_
if_ boolunreachable - Disable this rule if nexthop/monitor ip is unreachable
- ip_
address str - Monitor IP address
- profile str
- Monitoring profile associated with this rule
- disable
If BooleanUnreachable - Disable this rule if nexthop/monitor ip is unreachable
- ip
Address String - Monitor IP address
- profile String
- Monitoring profile associated with this rule
PbfPolicyRulesRuleActionForwardNexthop, PbfPolicyRulesRuleActionForwardNexthopArgs
- fqdn str
- nexthop address FQDN name configuration
- ip_
address str - Next hop IP address
PbfPolicyRulesRuleEnforceSymmetricReturn, PbfPolicyRulesRuleEnforceSymmetricReturnArgs
- Enabled bool
- Enable symmetric return
- Nexthop
Address List<PbfLists Policy Rules Rule Enforce Symmetric Return Nexthop Address List>
- Enabled bool
- Enable symmetric return
- Nexthop
Address []PbfLists Policy Rules Rule Enforce Symmetric Return Nexthop Address List
- enabled Boolean
- Enable symmetric return
- nexthop
Address List<PbfLists Policy Rules Rule Enforce Symmetric Return Nexthop Address List>
- enabled boolean
- Enable symmetric return
- nexthop
Address PbfLists Policy Rules Rule Enforce Symmetric Return Nexthop Address List[]
- enabled bool
- Enable symmetric return
- nexthop_
address_ Sequence[Pbflists Policy Rules Rule Enforce Symmetric Return Nexthop Address List]
- enabled Boolean
- Enable symmetric return
- nexthop
Address List<Property Map>Lists
PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressList, PbfPolicyRulesRuleEnforceSymmetricReturnNexthopAddressListArgs
- Name string
- Name string
- name String
- name string
- name str
- name String
PbfPolicyRulesRuleFrom, PbfPolicyRulesRuleFromArgs
- Interfaces List<string>
- Zones List<string>
- Interfaces []string
- Zones []string
- interfaces List<String>
- zones List<String>
- interfaces string[]
- zones string[]
- interfaces Sequence[str]
- zones Sequence[str]
- interfaces List<String>
- zones List<String>
PbfPolicyRulesRuleTarget, PbfPolicyRulesRuleTargetArgs
- Devices
List<Pbf
Policy Rules Rule Target Device> - Negate bool
- Target to all but these specified devices and tags
- List<string>
- Devices
[]Pbf
Policy Rules Rule Target Device - Negate bool
- Target to all but these specified devices and tags
- []string
- devices
List<Pbf
Policy Rules Rule Target Device> - negate Boolean
- Target to all but these specified devices and tags
- List<String>
- devices
Pbf
Policy Rules Rule Target Device[] - negate boolean
- Target to all but these specified devices and tags
- string[]
- devices
Sequence[Pbf
Policy Rules Rule Target Device] - negate bool
- Target to all but these specified devices and tags
- Sequence[str]
- devices List<Property Map>
- negate Boolean
- Target to all but these specified devices and tags
- List<String>
PbfPolicyRulesRuleTargetDevice, PbfPolicyRulesRuleTargetDeviceArgs
- name String
- vsys List<Property Map>
PbfPolicyRulesRuleTargetDeviceVsy, PbfPolicyRulesRuleTargetDeviceVsyArgs
- Name string
- Name string
- name String
- name string
- name str
- name String
Import
#!/bin/bash
A set of PBF policy rules can be imported by providing the following base64 encoded object as the ID
{
location = {
device_group = {
name = "example-device-group"
rulebase = "pre-rulebase"
panorama_device = "localhost.localdomain"
}
}
position = { where = "after", directly = true, pivot = "route-voip-traffic" }
names = [
"route-backup-traffic",
"block-suspicious-traffic"
]
}
$ pulumi import panos:index/pbfPolicyRules:PbfPolicyRules application_routing $(echo '{"location":{"device_group":{"name":"example-device-group","panorama_device":"localhost.localdomain","rulebase":"pre-rulebase"}},"names":["route-backup-traffic","block-suspicious-traffic"],"position":{"directly":true,"pivot":"route-voip-traffic","where":"after"}}' | base64)
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- panos paloaltonetworks/terraform-provider-panos
- License
- Notes
- This Pulumi package is based on the
panosTerraform Provider.
Viewing docs for panos 2.0.11
published on Tuesday, Apr 28, 2026 by paloaltonetworks
published on Tuesday, Apr 28, 2026 by paloaltonetworks
