ansible / ansible.builtin / v2.8.15 / module / fortios_firewall_proxy_policy Configure proxy policies in Fortinet's FortiOS and FortiGate. | "added in version" 2.8 of ansible.builtin" Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico) preview | supported by communityansible.builtin.fortios_firewall_proxy_policy (v2.8.15) — module
pip
Install with pip install ansible==2.8.15
This module is able to configure a FortiGate or FortiOS by allowing the user to configure firewall feature and proxy_policy category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost vars: host: "192.168.122.40" username: "admin" password: "" vdom: "root" tasks: - name: Configure proxy policies. fortios_firewall_proxy_policy: host: "{{ host }}" username: "{{ username }}" password: "{{ password }}" vdom: "{{ vdom }}" https: "False" firewall_proxy_policy: state: "present" action: "accept" application-list: "<your_own_value> (source application.list.name)" av-profile: "<your_own_value> (source antivirus.profile.name)" comments: "<your_own_value>" disclaimer: "disable" dlp-sensor: "<your_own_value> (source dlp.sensor.name)" dstaddr: - name: "default_name_10 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip .name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)" dstaddr-negate: "enable" dstaddr6: - name: "default_name_13 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall .vipgrp64.name system.external-resource.name)" dstintf: - name: "default_name_15 (source system.interface.name system.zone.name)" global-label: "<your_own_value>" groups: - name: "default_name_18 (source user.group.name)" http-tunnel-auth: "enable" icap-profile: "<your_own_value> (source icap.profile.name)" internet-service: "enable" internet-service-custom: - name: "default_name_23 (source firewall.internet-service-custom.name)" internet-service-id: - id: "25 (source firewall.internet-service.id)" internet-service-negate: "enable" ips-sensor: "<your_own_value> (source ips.sensor.name)" label: "<your_own_value>" logtraffic: "all" logtraffic-start: "enable" policyid: "31" poolname: - name: "default_name_33 (source firewall.ippool.name)" profile-group: "<your_own_value> (source firewall.profile-group.name)" profile-protocol-options: "<your_own_value> (source firewall.profile-protocol-options.name)" profile-type: "single" proxy: "explicit-web" redirect-url: "<your_own_value>" replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)" scan-botnet-connections: "disable" schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)" service: - name: "default_name_43 (source firewall.service.custom.name firewall.service.group.name)" service-negate: "enable" session-ttl: "45" spamfilter-profile: "<your_own_value> (source spamfilter.profile.name)" srcaddr: - name: "default_name_48 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name)" srcaddr-negate: "enable" srcaddr6: - name: "default_name_51 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)" srcintf: - name: "default_name_53 (source system.interface.name system.zone.name)" ssh-filter-profile: "<your_own_value> (source ssh-filter.profile.name)" ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)" status: "enable" transparent: "enable" users: - name: "default_name_59 (source user.local.name)" utm-status: "enable" uuid: "<your_own_value>" waf-profile: "<your_own_value> (source waf.profile.name)" webcache: "enable" webcache-https: "disable" webfilter-profile: "<your_own_value> (source webfilter.profile.name)" webproxy-forward-server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)" webproxy-profile: "<your_own_value> (source web-proxy.profile.name)"
host: description: - FortiOS or FortiGate ip address. required: true vdom: default: root description: - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. https: default: true description: - Indicates if the requests towards FortiGate must use HTTPS protocol type: bool password: default: '' description: - FortiOS or FortiGate password. username: description: - FortiOS or FortiGate username. required: true firewall_proxy_policy: default: null description: - Configure proxy policies. suboptions: action: choices: - accept - deny - redirect description: - Accept or deny traffic matching the policy parameters. application-list: description: - Name of an existing Application list. Source application.list.name. av-profile: description: - Name of an existing Antivirus profile. Source antivirus.profile.name. comments: description: - Optional comments. disclaimer: choices: - disable - domain - policy - user description: - 'Web proxy disclaimer setting: by domain, policy, or user.' dlp-sensor: description: - Name of an existing DLP sensor. Source dlp.sensor.name. dstaddr: description: - Destination address objects. suboptions: name: description: - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name. required: true dstaddr-negate: choices: - enable - disable description: - When enabled, destination addresses match against any address EXCEPT the specified destination addresses. dstaddr6: description: - IPv6 destination address objects. suboptions: name: description: - Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall.vipgrp64.name system.external-resource.name. required: true dstintf: description: - Destination interface names. suboptions: name: description: - Interface name. Source system.interface.name system.zone.name. required: true global-label: description: - Global web-based manager visible label. groups: description: - Names of group objects. suboptions: name: description: - Group name. Source user.group.name. required: true http-tunnel-auth: choices: - enable - disable description: - Enable/disable HTTP tunnel authentication. icap-profile: description: - Name of an existing ICAP profile. Source icap.profile.name. internet-service: choices: - enable - disable description: - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. internet-service-custom: description: - Custom Internet Service name. suboptions: name: description: - Custom name. Source firewall.internet-service-custom.name. required: true internet-service-id: description: - Internet Service ID. suboptions: id: description: - Internet Service ID. Source firewall.internet-service.id. required: true internet-service-negate: choices: - enable - disable description: - When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. ips-sensor: description: - Name of an existing IPS sensor. Source ips.sensor.name. label: description: - VDOM-specific GUI visible label. logtraffic: choices: - all - utm - disable description: - Enable/disable logging traffic through the policy. logtraffic-start: choices: - enable - disable description: - Enable/disable policy log traffic start. policyid: description: - Policy ID. required: true poolname: description: - Name of IP pool object. suboptions: name: description: - IP pool name. Source firewall.ippool.name. required: true profile-group: description: - Name of profile group. Source firewall.profile-group.name. profile-protocol-options: description: - Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. profile-type: choices: - single - group description: - Determine whether the firewall policy allows security profile groups or single profiles only. proxy: choices: - explicit-web - transparent-web - ftp - ssh - ssh-tunnel - wanopt description: - Type of explicit proxy. redirect-url: description: - Redirect URL for further explicit web proxy processing. replacemsg-override-group: description: - Authentication replacement message override group. Source system.replacemsg-group.name. scan-botnet-connections: choices: - disable - block - monitor description: - Enable/disable scanning of connections to Botnet servers. schedule: description: - Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. service: description: - Name of service objects. suboptions: name: description: - Service name. Source firewall.service.custom.name firewall.service.group.name. required: true service-negate: choices: - enable - disable description: - When enabled, services match against any service EXCEPT the specified destination services. session-ttl: description: - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). spamfilter-profile: description: - Name of an existing Spam filter profile. Source spamfilter.profile.name. srcaddr: description: - Source address objects (must be set when using Web proxy). suboptions: name: description: - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name. required: true srcaddr-negate: choices: - enable - disable description: - When enabled, source addresses match against any address EXCEPT the specified source addresses. srcaddr6: description: - IPv6 source address objects. suboptions: name: description: - Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. required: true srcintf: description: - Source interface names. suboptions: name: description: - Interface name. Source system.interface.name system.zone.name. required: true ssh-filter-profile: description: - Name of an existing SSH filter profile. Source ssh-filter.profile.name. ssl-ssh-profile: description: - Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. state: choices: - present - absent description: - Indicates whether to create or remove the object status: choices: - enable - disable description: - Enable/disable the active status of the policy. transparent: choices: - enable - disable description: - Enable to use the IP address of the client to connect to the server. users: description: - Names of user objects. suboptions: name: description: - Group name. Source user.local.name. required: true utm-status: choices: - enable - disable description: - Enable the use of UTM profiles/sensors/lists. uuid: description: - Universally Unique Identifier (UUID; automatically assigned but can be manually reset). waf-profile: description: - Name of an existing Web application firewall profile. Source waf.profile.name. webcache: choices: - enable - disable description: - Enable/disable web caching. webcache-https: choices: - disable - enable description: - Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile). webfilter-profile: description: - Name of an existing Web filter profile. Source webfilter.profile.name. webproxy-forward-server: description: - Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name. webproxy-profile: description: - Name of web proxy profile. Source web-proxy.profile.name.
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str