From 47d69c0c04c59c781cd9b7f359b8c6e1ef20fe06 Mon Sep 17 00:00:00 2001
From: Rob Cameron
Date: Wed, 25 Mar 2015 16:26:39 -0700
Subject: [PATCH] validated ansible steps working correctly, verified idp tools
---
 ansible/playbooks/appfw_policies.yml | 12 ++++++------
 ansible/playbooks/basic_firewall_policies.yml | 4 ++--
 ansible/playbooks/templates/appfw_policy.set.j2 | 1 +
 .../{appfw_to_policy.j2 => appfw_to_policy.set.j2} | 2 +-
 4 files changed, 10 insertions(+), 9 deletions(-)
 rename ansible/playbooks/templates/{appfw_to_policy.j2 => appfw_to_policy.set.j2} (97%)
diff --git a/ansible/playbooks/appfw_policies.yml b/ansible/playbooks/appfw_policies.yml
index 86e0841..2f1daa7 100644
--- a/ansible/playbooks/appfw_policies.yml
+++ b/ansible/playbooks/appfw_policies.yml
@@ -7,20 +7,20 @@
 junos_user: "root"
 junos_password: "Juniper"
 build_dir: "/tmp/"
- appfw_to_policy_info: [{"src_zone":"trust","dst_zone":"untrust","policy_name":"door","appfw_rule_set":"ruleset1"}] #determine policy name
- appfw_policy_info: [{"rule_set":"ruleset1","rule_set_default_action":"permit","rules":{"name":"rule1","dynapps":["junos:GOOGLE", "junos:GOOGLE-ACCOUNTS", "junos:GOOGLE-ACCOUNTS-SSL","junos:GOOGLE-ADS", "junos:GOOGLE-ANALYTICS-TRACKING", "junos:GOOGLE-APPENGINE", "junos:GOOGLE-CACHE", "junos:GOOGLE-DESKTOP", "junos:GOOGLE-DOCS", "junos:GOOGLE-DOCS-DRAWING", "junos:GOOGLE-DOCS-FORM", "junos:GOOGLE-DOCS-PRESENTATION", "junos:GOOGLE-DOCS-SPREADSHEET", "junos:GOOGLE-DOCS-WORD-DOCUMENT", "junos:GOOGLE-DRIVE", "junos:GOOGLE-EARTH", "junos:GOOGLE-GROUPS-POST", "junos:GOOGLE-MAPS", "junos:GOOGLE-MOBILE-MAPS-APP", "junos:GOOGLE-PICASA", "junos:GOOGLE-PLUS", "junos:GOOGLE-PLUS-SSL", "junos:GOOGLE-SAFEBROWSE-SUB", "junos:GOOGLE-SAFEBROWSE-UPDATE", "junos:GOOGLE-SKYMAP", "junos:GOOGLE-STATIC", "junos:GOOGLE-SYNDICATION", "junos:GOOGLE-TOOLBAR", "junos:GOOGLE-TRANSLATE", "junos:GOOGLE-UPDATE", "junos:GOOGLE-VIDEOS", "junos:GOOGLE-WEBCHAT", "junos:GOOGLETALK"]}}]
+ appfw_to_policy_info: [{"src_zone":"trust","dst_zone":"untrust","policy_name":"Allow_Policy","appfw_rule_set":"ruleset1"}]
+ appfw_policy_info: [{"rule_set":"ruleset1","rule_set_default_action":"permit","rules":[{"name":"rule1","action":"deny","dynapps":["junos:GOOGLE", "junos:GOOGLE-ACCOUNTS", "junos:GOOGLE-ACCOUNTS-SSL","junos:GOOGLE-ADS", "junos:GOOGLE-ANALYTICS-TRACKING", "junos:GOOGLE-APPENGINE", "junos:GOOGLE-CACHE", "junos:GOOGLE-DESKTOP", "junos:GOOGLE-DOCS", "junos:GOOGLE-DOCS-DRAWING", "junos:GOOGLE-DOCS-FORM", "junos:GOOGLE-DOCS-PRESENTATION", "junos:GOOGLE-DOCS-SPREADSHEET", "junos:GOOGLE-DOCS-WORD-DOCUMENT", "junos:GOOGLE-DRIVE", "junos:GOOGLE-EARTH", "junos:GOOGLE-GROUPS-POST", "junos:GOOGLE-MAPS", "junos:GOOGLE-MOBILE-MAPS-APP", "junos:GOOGLE-PICASA", "junos:GOOGLE-PLUS", "junos:GOOGLE-PLUS-SSL", "junos:GOOGLE-SAFEBROWSE-SUB", "junos:GOOGLE-SAFEBROWSE-UPDATE", "junos:GOOGLE-SKYMAP", "junos:GOOGLE-STATIC", "junos:GOOGLE-SYNDICATION", "junos:GOOGLE-TOOLBAR", "junos:GOOGLE-TRANSLATE", "junos:GOOGLE-UPDATE", "junos:GOOGLE-VIDEOS", "junos:GOOGLE-WEBCHAT", "junos:GOOGLETALK"]}]}]
 tasks:
 - name: Build app firewall policies
- template: src=templates/appfw_policy.set.js dest={{build_dir}}/appfw_policy.set
+ template: src=templates/appfw_policy.set.j2 dest={{build_dir}}/appfw_policy.set
 with_items: appfw_policy_info
- - name: Apply address book entries
+ - name: Apply app firewall policies
 junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/appfw_policy.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
 - name: Apply app firewall rules to policy
- template: src=templates/appfw_to_policy.set.js dest={{build_dir}}/appfw_to_policy.set
- with_items: appfw_policy_info
+ template: src=templates/appfw_to_policy.set.j2 dest={{build_dir}}/appfw_to_policy.set
+ with_items: appfw_to_policy_info
 - name: Apply firewall policies
 junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/appfw_to_policy.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
diff --git a/ansible/playbooks/basic_firewall_policies.yml b/ansible/playbooks/basic_firewall_policies.yml
index 3b259c2..25afbc8 100644
--- a/ansible/playbooks/basic_firewall_policies.yml
+++ b/ansible/playbooks/basic_firewall_policies.yml
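Review bot: The renamed `Apply app firewall policies` and `Apply firewall policies` tasks push configuration to the device as `root` using a password kept in plaintext in the play vars (`junos_user: "root"`, `junos_password: "Juniper"`), and because it is passed as the `passwd=` module argument it can show up in verbose (`-vvv`) output. Move the password into an ansible-vault-encrypted vars file or a `vars_prompt`, and add `no_log: true` to both `junos_install_config` tasks. The rendered `.set` files are also written under predictable names in the world-writable `build_dir: "/tmp/"`, so another local user on the control host could replace their contents between the `template` step and the `junos_install_config` step; a per-run directory with mode 0700 (or the `tempfile` module) avoids that. Separately, `with_items: appfw_policy_info` / `with_items: appfw_to_policy_info` on the `template` tasks is redundant: appfw_to_policy.set.j2 already does `{% for item in appfw_to_policy_info %}` over the whole list, so each loop iteration just re-renders the same output to the same `dest`.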
@@ -12,11 +12,11 @@
 tasks:
 - name: Build address book entries
- template: src=templates/fw_address_book.set.j2 dest={{build_dir}}/fw_address_book.set
+ template: src=templates/fw_address_book_global.set.j2 dest={{build_dir}}/fw_address_book_global.set
 with_items: address_entries
 - name: Apply address book entries
- junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/fw_address_book.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
+ junos_install_config: host={{ inventory_hostname }} user={{ junos_user }} passwd={{ junos_password }} file={{ build_dir }}/fw_address_book_global.set overwrite=no logfile=logs/{{ inventory_hostname }}.log
 - name: Build firewall policies config template
diff --git a/ansible/playbooks/templates/appfw_policy.set.j2 b/ansible/playbooks/templates/appfw_policy.set.j2
index 4a6ba39..c0a0f4c 100644
--- a/ansible/playbooks/templates/appfw_policy.set.j2
+++ b/ansible/playbooks/templates/appfw_policy.set.j2
@@ -3,6 +3,7 @@
 {% for app in i.dynapps %}
 set security application-firewall rule-sets {{ item.rule_set }} rule {{ i.name }} match dynamic-application {{ app }}
 {% endfor %}
+set security application-firewall rule-sets {{ item.rule_set }} rule {{ i.name }} then {{ i.action }}
 {% endfor %}
 set security application-firewall rule-sets {{ item.rule_set }} default-rule {{ item.rule_set_default_action }}
 {% endfor %}
diff --git a/ansible/playbooks/templates/appfw_to_policy.j2 b/ansible/playbooks/templates/appfw_to_policy.set.j2
similarity index 97%
rename from ansible/playbooks/templates/appfw_to_policy.j2
rename to ansible/playbooks/templates/appfw_to_policy.set.j2
index 2887a1e..6ef88bd 100644
--- a/ansible/playbooks/templates/appfw_to_policy.j2
+++ b/ansible/playbooks/templates/appfw_to_policy.set.j2
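Review bot: The `Build address book entries` task now renders `templates/fw_address_book_global.set.j2`, but that template is not part of this commit (the diffstat lists only the four files above), so unless it already exists in the repository the task will fail before anything is pushed to the device. If the template is new it should be added in this commit; if it was renamed from `fw_address_book.set.j2`, the rename belongs here too so playbook and templates stay in sync. The `Apply address book entries` task also passes `passwd={{ junos_password }}` as a module argument, so `no_log: true` is worth adding here as well.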
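Review bot: The added `then {{ i.action }}` line interpolates the rule action straight into a Junos `set` command with no validation; a missing or misspelled `action` key in `appfw_policy_info` renders an empty or invalid terminal action, and because the rule-set `default-rule` comes from `rule_set_default_action` (`permit` in appfw_policies.yml), the applications the rule was meant to block may end up permitted if the rule does not load as intended. Restrict it to the values Junos accepts, e.g. `then {{ i.action if i.action in ['permit', 'deny', 'reject'] else 'deny' }}`, or add an `assert` task in the playbook that checks every rule's `action` before templating. The enclosing `{% for %}` loops that bind `item` and `i` start above this hunk.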
@@ -1,3 +1,3 @@
 {% for item in appfw_to_policy_info %}
-set security policies from-zone {{ item.src_zone }} to-zone {{ item.dst_zone }} policy {{ item.policy_name }} then permit application-services application-firewall rule-set {{ item.appfw_rule_set }
+set security policies from-zone {{ item.src_zone }} to-zone {{ item.dst_zone }} policy {{ item.policy_name }} then permit application-services application-firewall rule-set {{ item.appfw_rule_set }}
 {% endfor %}
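Review bot: The corrected line attaches rule-set `{{ item.appfw_rule_set }}` to policy `{{ item.policy_name }}` but emits no `match` terms, so the template presumably relies on that policy (`Allow_Policy` in appfw_policies.yml) already existing on the device from basic_firewall_policies.yml; if it does not, the merged load produces a policy with no match conditions and the device's commit check will likely reject it. A header comment stating that prerequisite, e.g. `{# Only attaches the app-fw rule-set; the security policy itself must already exist (see basic_firewall_policies.yml) #}`, would make the ordering dependency explicit. The rule-set name is likewise rendered unchecked, so a value that does not match a `rule_set` in `appfw_policy_info` is only caught at commit time on the firewall.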