Migrating to v3.0.x panos_nat_rule

Release 2.10.0 of the PAN-OS Collection brought network resource module support, which required a brand new module for NAT. That module was released in 2.10.0 as panos_nat_rule2, and it will become panos_nat_rule in the upcoming 3.0.0 release, with the old panos_nat_rule being deprecated.

This article provides a comparison between the parameters of the two modules, in order to aid migration from the old to the new.

Unchanged Parameters

The following parameter names are unchanged when moving from the old module to the new (some default values change, see bold text in the table below):

| Parameter | Description |
| --- | --- |
| audit_comment | Add an audit comment to the rule being defined. This is only applied if there was a change to the rule. |
| description | The description. |
| device_group | (Panorama only) The device group the operation should target. |
| existing_rule | If location=before or location=after, this option specifies an existing rule name. The rule being managed by this module will be positioned relative to the value of this parameter. Required if location=before or location=after. |
| group_tag | For PAN-OS 9.0 and above. The group tag. |
| location | Position to place the rule in. |
| nat_type | Type of NAT. |
| negate_target | Applicable for Panorama only. Negate the value for target. |
| provider | A dict object containing connection details. |
| provider.api_key | The API key to use instead of generating it using username / password. |
| provider.ip_address | The IP address or hostname of the PAN-OS device being configured. |
| provider.password | The password to use for authentication. This is ignored if api_key is specified. |
| provider.port | The port number to connect to the PAN-OS device on. |
| provider.serial_number | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
| provider.username | The username to use for authentication. This is ignored if api_key is specified. |
| rulebase | The rulebase in which the rule is to exist. If left unspecified, this defaults to pre-rulebase for Panorama. For NGFW, this is always set to be rulebase. |
| service | The service. **NOTE: Default value changes from "any" to null** |
| target | Applicable for Panorama only. Apply this rule exclusively to the listed firewall serial numbers. |
| to_interface | Egress interface from route lookup. **NOTE: Default value changes from "any" to null** |
| uuid | The rule UUID. Note that this is currently more of a read-only field. Usage of the UUID cannot currently take the place of using the rule name as the primary identifier. |
| vsys | The vsys this object belongs to. |

Deprecated Parameters

When moving from the old module to the new, the following parameters are deprecated, and alternative parameters or approaches are listed:

| Parameter | Alternative Approach |
| --- | --- |
| api_key | Use provider to specify PAN-OS connectivity instead |
| commit | Use panos_commit_firewall, panos_commit_panorama, panos_commit_push instead |
| devicegroup | Use device_group instead |
| ip_address | Use provider to specify PAN-OS connectivity instead |
| operation | Use state instead |
| password | Use provider to specify PAN-OS connectivity instead |
| port | Use provider to specify PAN-OS connectivity instead |
| tag_name | Use tag instead |
| username | Use provider to specify PAN-OS connectivity instead |

Changed Parameters

The following parameters have changed when comparing the new module to the old module. Both old and new parameter names are listed for comparison and migration purposes (some default values change, see bold text in the table below):

| Old Parameter Name | New Parameter Name | Description |
| --- | --- | --- |
| destination_ip | destination_addresses | Destination addresses. |
| destination_zone | to_zones | To zones. Note that there should only be one element in this list. |
| dnat_address | destination_translated_address | Static translated destination IP address. |
| dnat_dynamic_address | destination_dynamic_translated_address | Dynamic destination translated address. |
| dnat_dynamic_distribution | destination_dynamic_translated_distribution | Dynamic destination translated distribution. |
| dnat_dynamic_port | destination_dynamic_translated_port | Dynamic destination translated port. |
| dnat_port | destination_translated_port | Static translated destination port number. |
| rule_name | name | Name of the rule. |
| snat_address_type | source_translation_address_type | For source_translation_type=dynamic-ip-and-port or source_translation_type=dynamic-ip. Address type. Choices: "interface-address", "translated-address". **NOTE: Default value changes from "interface-address" to null** |
| snat_bidirectional | source_translation_static_bi_directional | For source_translation_type=static-ip. Allow reverse translation from translated address to original address. Choices: false, true. |
| snat_dynamic_address | source_translation_translated_addresses | For source_translation_address_type=translated-address. Translated addresses of the source address translation. |
| snat_interface | source_translation_interface | For source_translation_address_type=interface-address. Interface of the source address. |
| snat_interface_address | source_translation_ip_address | For source_translation_address_type=interface-address. IP address of the source address translation. |
| snat_static_address | source_translation_static_translated_address | For source_translation_type=static-ip. The IP address for the static source translation. |
| snat_type | source_translation_type | Type of source address translation. Choices: "dynamic-ip-and-port", "dynamic-ip", "static-ip". |
| source_ip | source_addresses | Source addresses. |
| source_zone | from_zones | From zones. |
| state | state | The state. This parameter's choices have changed: enable and disable are removed; replaced, merged, deleted and gathered are added. Choices: "present" (default), "absent", "replaced", "merged", "deleted", "gathered". |
| tag | tags | Administrative tags. |
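
The renames, deprecations and default changes listed above can be applied mechanically to the arguments of an existing task. The Python below is an added example, not code from the PAN-OS collection: `migrate_nat_args` and the sample task are hypothetical. It assumes the old zone value may be a scalar that needs wrapping for `to_zones`, and it pins the old defaults (`"any"`, `"interface-address"`) explicitly so the migrated NAT rule does not silently change scope.

```python
# Hypothetical helper, not part of the PAN-OS collection. Mappings come from this page.
RENAMED = {
    "destination_ip": "destination_addresses", "destination_zone": "to_zones",
    "dnat_address": "destination_translated_address",
    "dnat_dynamic_address": "destination_dynamic_translated_address",
    "dnat_dynamic_distribution": "destination_dynamic_translated_distribution",
    "dnat_dynamic_port": "destination_dynamic_translated_port",
    "dnat_port": "destination_translated_port", "rule_name": "name",
    "snat_address_type": "source_translation_address_type",
    "snat_bidirectional": "source_translation_static_bi_directional",
    "snat_dynamic_address": "source_translation_translated_addresses",
    "snat_interface": "source_translation_interface",
    "snat_interface_address": "source_translation_ip_address",
    "snat_static_address": "source_translation_static_translated_address",
    "snat_type": "source_translation_type", "source_ip": "source_addresses",
    "source_zone": "from_zones", "tag": "tags", "devicegroup": "device_group",
}
TO_PROVIDER = ("ip_address", "username", "password", "api_key", "port")
MANUAL = {  # deprecated with no one-to-one rename: report instead of guessing
    "commit": "use panos_commit_firewall, panos_commit_panorama or panos_commit_push",
    "operation": "use state", "tag_name": "use tag (renamed to tags)",
}
OLD_DEFAULTS = {"service": "any", "to_interface": "any"}  # new default is null

def migrate_nat_args(old):
    """Return (new_args, notes) for one old panos_nat_rule task's arguments."""
    new, notes, provider = {}, [], dict(old.get("provider") or {})
    for key, value in old.items():
        if key in TO_PROVIDER:
            provider.setdefault(key, value)  # connection details move into provider
        elif key in MANUAL:
            notes.append(f"{key}: {MANUAL[key]}")
        elif key == "state" and value in ("enable", "disable"):
            notes.append(f"state={value}: choice removed in the new module")
        elif key != "provider":
            new[RENAMED.get(key, key)] = value
    if "to_zones" in new and not isinstance(new["to_zones"], list):
        new["to_zones"] = [new["to_zones"]]  # to_zones is a one-element list
    for key, default in OLD_DEFAULTS.items():
        new.setdefault(key, default)  # assumption: pin the old default explicitly
    if new.get("source_translation_type") in ("dynamic-ip-and-port", "dynamic-ip"):
        new.setdefault("source_translation_address_type", "interface-address")
    if provider:
        new["provider"] = provider
    return new, notes

OLD_TASK = {"ip_address": "192.0.2.1", "api_key": "EXAMPLE", "rule_name": "web",  # constructed
            "destination_zone": "untrust", "snat_type": "dynamic-ip", "commit": False}
print(migrate_nat_args(OLD_TASK))
```

Entries returned in `notes` need a manual decision, since the page names a replacement approach for them but no value-for-value mapping.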

New Parameters

The following parameters were introduced in the new module:

| Parameter Name | Description |
| --- | --- |
| disabled | Rule is disabled or not. Choices: false, true. |
| gathered_filter | When state=gathered. An advanced filtering option to filter results returned from PAN-OS. Refer to the guide discussing gathered_filter for more information. |
| ha_binding | Device binding configuration in HA Active-Active mode. Choices: "primary", "both", "0", "1". |
| source_translation_fallback_interface | For source_translation_fallback_type=interface-address. The interface for the fallback source translation. |
| source_translation_fallback_ip_address | For source_translation_fallback_type=interface-address. The IP address of the fallback source translation. |
| source_translation_fallback_ip_type | For source_translation_fallback_type=interface-address. The type of the IP address for the fallback source translation IP address. Choices: "ip", "floating-ip". |
| source_translation_fallback_translated_addresses | For source_translation_fallback_type=translated-address. Addresses for translated address types of fallback source translation. |
| source_translation_fallback_type | For source_translation_type=dynamic-ip. Type of fallback for dynamic IP source translation. Choices: "translated-address", "interface-address". |