ENHANCEMENTS:
- Added new
ssl_certificatesparameter to all data sources and resources concerning Decryption Rules.
FIXES:
- PAN-OS 10.1.5 and above removed usage of
" or "in the XPATH, which broke the provider's ability to delete multiple items in resources such aspanos_security_rule_grouporpanos_address_objects. If the provider sees PAN-OS 10.1.5 or later, then deletes happen one at a time, which will of course negatively affect plan deployment speed. If the provider sees PAN-OS <= 10.1.4, since it still supports" or "in the XPATH, delete performance and implementation is unchanged. panos_certificate_importnow works against Panorama (#329)
DOCUMENTATION:
- Added
Provider v2documentation section to the main documentation page. - Updated the build instructions for the firewall commit script.
- Other docs fixes.
NEW DATA SOURCES:
panos_authentication_profilespanos_globalprotect_ipsec_crypto_profile/panos_globalprotect_ipsec_crypto_profilespanos_kerberos_profilespanos_ldap_profilespanos_radius_profilespanos_saml_profile/panos_saml_profilespanos_ssl_tls_service_profile/panos_ssl_tls_service_profilespanos_tacacs_plus_profiles
NEW RESOURCES:
panos_authentication_profilepanos_globalprotect_ipsec_crypto_profilepanos_kerberos_profilepanos_ldap_profilepanos_radius_profilepanos_saml_profilepanos_ssl_decrypt_exclude_certificate_entrypanos_ssl_tls_service_profilepanos_tacacs_plus_profile
FIXES:
panos_dhcp_interface_infowon't crash when using this NGFW data source against Panorama (#357)
FIXES:
panos_ssl_decrypt.ssl_decrypt_exclude_certificateparam is not properly configured (#341)
FIXES:
-
Global fix for Panorama
targetanddevicespecs in data sources and resources where you can specify theserialandvsys_list(#340) -
Fix for device group
deviceparam
- Various bug fixes
- Numerous documentation fixes
NEW UNIVERSAL RESOURCES:
panos_address_objects
FIXES:
panos_ike_crypto_profile/panos_panorama_ike_crypto_profile: Fix for importing this resource. (#316)
FIXES:
- Allow pre/post rulebase with "shared" for all Panorama policy resources (#314)
NEW UNIVERSAL DATA SOURCES:
panos_application_object/panos_application_objectspanos_audit_comment_historypanos_certificate_profile/panos_certificate_profilespanos_custom_url_category/panos_custom_url_categoriespanos_decryption_rule/panos_decryption_rulespanos_edl/panos_edlspanos_local_user_db_group/panos_local_user_db_groupspanos_nat_rule/panos_nat_rulespanos_pbf_rule/panos_pbf_rulespanos_security_profile_group/panos_security_profile_groupspanos_security_rule/panos_security_rulespanos_ssl_decryptpanos_tech_support_filepanos_virtual_router/panos_virtual_routerspanos_zone/panos_zones
NEW PANORAMA DATA SOURCES:
panos_device_group/panos_device_groups(#284)
NEW UNIVERSAL RESOURCES:
panos_certificate_import(#252, #4)panos_certificate_profilepanos_custom_url_category/panos_custom_url_category_entry(#157)panos_decryption_rule_grouppanos_local_user_db_group(#310)panos_local_user_db_user(#310)panos_security_profile_group(#299)panos_ssl_decryptpanos_ssl_decrypt_trusted_root_ca_entrypanos_vm_information_source(#281)
NEW FIREWALL SPECIFIC RESOURCES:
panos_aws_cloud_watch(#300)
PROVIDER BLOCK ENHANCEMENTS:
- Additional HTTP headers can be configured in API calls sent to PAN-OS (#273)
- New logging options added:
log,export,import,osx_curl, andcurl_with_personal_data
POLICY SPECIFIC ENHANCEMENTS:
- Added
rule.audit_commentto all policy resources. - Added
rule.group_tagto all Policies resources exceptpanos_nat_rule/panos_panorama_nat_rule. (#243, #247) - Added the attribute
rule.uuidto all Policies rule resources exceptpanos_nat_rule/panos_panorama_nat_rule. - Changing positioning or membership no longer deletes all of the rules. This change was necessary to preserve the opstate for various policy rules (e.g. - hit count and audit comments)
- All Policies resource timeouts for create/update operations set to 10min. (#289)
ENHANCEMENTS:
panos_edl: Performance improvementspanos_edl:value=predefined-urlhas been addedpanos_email_server_profile: Performance improvementspanos_http_server_profile: Performance improvementspanos_ike_crypto_profile/panos_panorama_ike_crypto_profile: Added new GCM encryptions added in PAN-OS 10.0. (#304)panos_log_forwarding_profile/panos_panorama_log_forwarding_profile:log_type=decryptionhas been added (#305)panos_panorama_email_server_profile: This can now be configured on Panoramapanos_snmptrap_server_profile: Performance improvementspanos_syslog_server_profile: Performance improvements- Added checking in all Panorama Policy resources and data sources for invalid combinations of
device_groupandrulebase. (#275)
FIXES:
panos_application_object/panos_panorama_application_object:ip_protocol.valueis now a string instead of an intpanos_edl:value=predefinedis nowvalue=predefined-ippanos_ipsec_crypto_profile/panos_panorama_ipsec_crypto_profile: Removed the validation function to allowdh_group=no-pfs. (#307)panos_virtual_router/panos_panorama_virtual_router: Importing a virtual router that has been configured via the GUI now reflects administrative distances left as their default values (#306)- The
rule.hip_profilesparameter in all security rule resources is now Optional instead of Required. (#293) - Fixed the parsing of the
rule.targetparameter for all Policy resources and data sources. (#242, #290, #298) - Fixed detecting when a policy rule group is misplaced in certain circumstances.
panos_vlan_entry/panos_panorama_vlan_entry: Fixed removal of this resource.- Various documentation fixes.
ENHANCEMENTS:
panos_ip_tagnow works on Panorama (#277)
ENHANCEMENTS:
- Try to restore the previous security policy if
panos_security_policy/panos_panorama_security_policyhas an error applying the new one. (#272) - Add additional architecture support (update to go 1.16).
BUG FIXES:
- Importing an address object into state should not result in
terraform planshowing differences.
DOCUMENTATION:
- Updating the commit script to add support for a configurable timeout.
- Minor fixes.
NEW DATA SOURCES:
panos_api_key
BUG FIXES:
- Fixing
panos_address_objectwanting to redeploy existing address objects.
Newly added resources and data sources now work with both NGFW and Panorama; there
is no separate panos_panorama_ for Panorama. If a data source or resource only
works with one, it will say as much in the documentation. Additionally, the subheading
for the documentation will now be just "Objects" or "Network" for any of these new
style data sources/resources.
NEW DATA SOURCES:
panos_address_object/panos_address_objectspanos_anti_spyware_security_profile/panos_anti_spyware_security_profilespanos_antivirus_security_profile/panos_antivirus_security_profilespanos_arp/panos_arpspanos_custom_data_pattern_object/panos_custom_data_pattern_objectspanos_data_filtering_security_profile/panos_data_filtering_security_profilespanos_device_group_parentpanos_dos_protection_profile/panos_dos_protection_profilespanos_dynamic_user_group/panos_dynamic_user_groupspanos_file_blocking_security_profile/panos_file_blocking_security_profilespanos_ospfpanos_ospf_area/panos_ospf_areaspanos_ospf_area_interface/panos_ospf_area_interfacespanos_ospf_area_virtual_link/panos_ospf_area_virtual_linkspanos_ospf_auth_profilespanos_ospf_export/panos_ospf_exportspanos_predefined_dlp_file_typepanos_predefined_tdb_file_typepanos_predefined_threatpanos_url_filtering_security_profile/panos_url_filtering_security_profilespanos_vulnerability_security_profile/panos_vulnerability_security_profilespanos_wildfire_analysis_security_profile/panos_wildfire_analysis_security_profilespanos_ip_tagpanos_user_tagpanos_vm_auth_key
NEW RESOURCES:
panos_anti_spyware_security_profilepanos_antivirus_security_profilepanos_arppanos_custom_data_pattern_objectpanos_data_filtering_security_profilepanos_dos_protection_profilepanos_dynamic_user_grouppanos_file_blocking_security_profilepanos_ip_tagpanos_ospfpanos_ospf_areapanos_ospf_area_interfacepanos_ospf_area_virtual_linkpanos_ospf_auth_profilepanos_ospf_exportpanos_url_filtering_security_profilepanos_user_tagpanos_vulnerability_security_profilepanos_wildfire_analysis_security_profilepanos_device_group_parentpanos_vm_auth_key
UPDATES:
- ECMP options added to
panos_virtual_router/panos_panorama_virtual_router - LACP, HA, and LLDP options added to both ethernet interfaces and aggregate interfaces
panos_panorama_pluginhas been renamed topanos_pluginand now also works with NGFW now.panos_panorama_pluginstill exists as an alias but will be removed in a future release, so please update your plan files accordingly.panos_panorama_address_objecthas been remade into the new "shared" style for data sources and resources as a kind of beta before touching any other existing resources. This will cause extra unused params to exist in resources, but should not affect functionality. Please let us know (GitHub issue) if this causes problems for you. Otherwise the intent is to slowly retrofit resources into this new style.
- Release for Terraform Registry
UPDATES:
- Updated the provider to use the Terraform Plugin SDK (#220)
UPDATES:
- The provider can now manage XFR PAN-OS releases (#216)
- New optional provider param:
verify_certificate(#218)
NEW DATA SOURCES:
panos_panorama_plugin(#178)
NEW RESOURCES:
panos_gre_tunnel/panos_panorama_gre_tunnel(#162)panos_monitor_profile/panos_panorama_monitor_profile(#182)panos_panorama_gcp_account(#179)panos_panorama_gke_cluster(#181)panos_panorama_gke_cluster_group(#180)panos_pbf_rule_group/panos_panorama_pbf_rule_group(#152)panos_vlan/panos_panorama_vlan(#145)panos_aggregate_interface/panos_panorama_aggregate_interface(#169)panos_vlan_entry/panos_panorama_vlan_entry(#146)panos_layer3_subinterface/panos_panorama_layer3_subinterface(#195)panos_layer2_subinterface/panos_panorama_layer2_subinterface(#82)panos_application_object/panos_panorama_application_object(#197)panos_application_group/panos_panorama_application_group(#198)panos_application_signature/panos_panorama_application_signature(#201)panos_snmptrap_server_profile/panos_panorama_snmptrap_server_profile(#203)panos_syslog_server_profile/panos_panorama_syslog_server_profile(#83)panos_email_server_profile/panos_panorama_email_server_profile(#206)panos_http_server_profile/panos_panorama_http_server_profile(#207)panos_log_forwarding_profile/panos_panorama_log_forwarding_profile(#84)
NEW PARAMS ADDED TO:
panos_address_object/panos_panorama_address_object(#174)panos_ethernet_interface/panos_panorama_ethernet_interface(#173)panos_service_object/panos_panorama_service_object(#175)
BUG FIXES:
- The ordering for administrative tags on objects (such as address objects or address groups) is now preserved (#161)
- The ordering for various list params in
panos_nat_rule_group/panos_panorama_nat_rule_groupis now ignored (#143) - New params added to
panos_nat_rule_group/panos_panorama_nat_rule_groupto to replacestaticanddynamicasdynamicis now a recursively reserved keyword in Terraform 0.12 (#167)
panos_ike_gateway/panos_panorama_ike_gateway-floating-ipis now an accepted value forlocal_ip_address_type(#158)panos_ike_gateway/panos_panorama_ike_gateway- Updated documentation fornat_traversal_keep_alive(#97)- Fixed the acctest for
panos_panorama_nat_rule(#147) - Properly handle when a list of strings is sent an empty string (#153)
- Updated the commit script given on the main documentation page to include more ways to specify auth credentials (#160)
- Updated to github.com/hashicorp/terraform@v0.12.0-rc1 (#158)
The following resources can no longer be imported, as they have encrypted fields (thus there is no way to verify the plain text version of those fields) [#139]:
panos_bgp_auth_profile/panos_panorama_bgp_auth_profilepanos_edl/panos_panorama_edlpanos_ike_gateway/panos_panorama_ike_gatewaypanos_ipsec_tunnel/panos_panorama_ipsec_tunnel
NEW RESOURCES:
panos_bfd_profile/panos_panorama_bfd_profile(#107)panos_bgp/panos_panorama_bgp(#73)panos_bgp_aggregate/panos_panorama_bgp_aggregate(#124)panos_bgp_aggregate_advertise_filter/panos_panorama_bgp_aggregate_advertise_filter(#126)panos_bgp_aggregate_suppress_filter/panos_panorama_bgp_aggregate_suppress_filter(#128)panos_bgp_auth_profile/panos_panorama_bgp_auth_profile(#110)panos_bgp_conditional_adv/panos_panorama_bgp_conditional_adv,panos_bgp_conditional_adv_advertise_filter/panos_panorama_bgp_conditional_adv_advertise_filter, andpanos_bgp_conditional_adv_non_exist_filter/panos_panorama_bgp_conditional_adv_non_exist_filter(#122)panos_bgp_dampening_profile/panos_panorama_bgp_dampening_profile(#111)panos_bgp_export_rule_group/panos_panorama_bgp_export_rule_group(#120)panos_bgp_import_rule_group/panos_panorama_bgp_import_rule_group(#118)panos_bgp_peer/panos_panorama_bgp_peer(#116)panos_bgp_peer_group/panos_panorama_bgp_peer_group(#114)panos_bgp_redist_rule/panos_panorama_bgp_redist_rule(#130)panos_nat_rule_group/panos_panorama_nat_rule_group(#78)panos_redistribution_profile_ivp4/panos_panorama_redistribution_profile_ipv4(#92)
ENHANCEMENTS:
DEPRECATED RESOURCES:
panos_nat_rule/panos_panorama_nat_ruleare both deprecated. Please usepanos_nat_rule_group/panos_panorama_nat_rule_groupinstead.
NEW RESOURCES:
panos_virtual_router_entryandpanos_panorama_virtual_router_entry(#71)panos_zone_entryandpanos_panorama_zone_entry(#74)
BUG FIXES:
- Panorama device groups no longer require a description. (#81)
- Panorama template stacks can now define a
default_vsys(#85)
NEW FEATURES:
- Support for both templates and template stacks has been added to the provider. When defining your resource, use either the
templatevariable if you want to attach it to a template, ortemplate_stackif you want to attach it to a template stack.
NEW DATA SOURCES:
panos_dhcp_interface_info(#35)
NEW RESOURCES:
panos_ike_crypto_profileandpanos_panorama_ike_crypto_profile(#37)panos_ipsec_crypto_profileandpanos_panorama_ipsec_crypto_profile(#38)panos_tunnel_interfaceandpanos_panorama_tunnel_interface(#42)panos_ike_gatewayandpanos_panorama_ike_gateway(#39)panos_ipsec_tunnel,panos_ipsec_tunnel_proxy_id_ipv4,panos_panorama_ipsec_tunnel, andpanos_panorama_ipsec_tunnel_proxy_id_ipv4(#28)panos_edlandpanos_panorama_edl(#27)panos_loopback_interfaceandpanos_panorama_loopback_interface(#41)panos_vlan_interfaceandpanos_panorama_vlan_interface(#40)panos_static_route_ipv4andpanos_panorama_static_route_ipv4(#30)panos_panorama_template,panos_panorama_template_entry,panos_panorama_template_stack,panos_panorama_template_stack_entry, andpanos_panorama_template_variable(#43)panos_license_api_keyandpanos_licensing(#24)panos_panorama_management_profile(#58)panos_panorama_ethernet_interface(#60)panos_panorama_zone(#62)panos_panorama_virtual_router(#64)
RENAMED RESOURCES:
The following resources have been renamed for clarity from their original names. Both the old name and the new name will work right now, but please update your plans to use the new names as the original names may be removed / repurposed in the future.
panos_nat_policyis nowpanos_nat_rule(#34)panos_security_policiesis nowpanos_security_policy(#34)panos_security_policy_groupis nowpanos_security_rule_group(#34)panos_panorama_nat_policyis nowpanos_panorama_nat_rule(#34)panos_panorama_security_policiesis nowpanos_panorama_security_policy(#34)panos_panorama_security_policy_groupis nowpanos_panorama_security_rule_group(#34)
FEATURES:
- New Resource:
panos_telemetry(#31) - New Resource:
panos_security_policy_group(#20] [#32) - New Resource:
panos_panorama_security_policy_group(#20] [#32)
NOTES:
- The new
DatTypeparam is now required if you are doing destination address translation in your NAT policies. This applies to bothpanos_nat_policyandpanos_panorama_nat_policy. Please update your plan files accordingly.
ENHANCEMENTS:
panos_nat_policyandpanos_panorama_nat_policynow support PAN-OS 8.1's dynamic destination NAT address type (#25] [#33)
FIXES:
FEATURES:
- New Feature: Added Panorama support (#3)
- New Feature: Added support for credentials file for provider config (#5)
- New Resource:
panos_panorama_address_group - New Resource:
panos_panorama_address_object - New Resource:
panos_panorama_administrative_tag - New Resource:
panos_panorama_device_group - New Resource:
panos_panorama_device_group_entry - New Resource:
panos_panorama_nat_policy - New Resource:
panos_panorama_security_policies - New Resource:
panos_panorama_service_group - New Resource:
panos_panorama_service_object
ENHANCEMENTS:
panos_nat_policy: Therulebaseparameter has been deprecated. You can safely remove this from your plan files.panos_security_policies: Therulebaseparameter has been deprecated. You can safely remove this from your plan files.
FEATURES:
- New Data Source:
panos_system_info - New Resource:
panos_address_group - New Resource:
panos_address_object - New Resource:
panos_administrative_tag - New Resource:
panos_dag_tags - New Resource:
panos_ethernet_interface - New Resource:
panos_general_settings - New Resource:
panos_management_profile - New Resource:
panos_nat_policy - New Resource:
panos_security_policies - New Resource:
panos_service_group - New Resource:
panos_service_object - New Resource:
panos_virtual_router - New Resource:
panos_zone