ansible.builtin.fortios_endpoint_control_profile module (v2.8.18)

Configure FortiClient endpoint control profiles in Fortinet's FortiOS and FortiGate.

Added in version 2.8 of ansible.builtin.

Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community
Install with pip install ansible==2.8.18
This module configures a FortiGate or FortiOS device by letting the user configure the endpoint_control feature and the profile category. The examples include all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure FortiClient endpoint control profiles.
      fortios_endpoint_control_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        endpoint_control_profile:
          state: "present"
          description: "<your_own_value>"
          device-groups:
            - name: "default_name_5 (source user.device-group.name user.device-category.name)"
          forticlient-android-settings:
            disable-wf-when-protected: "enable"
            forticlient-advanced-vpn: "enable"
            forticlient-advanced-vpn-buffer: "<your_own_value>"
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
              - auth-method: "psk"
                name: "default_name_13"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "16"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient-ios-settings:
            client-vpn-provisioning: "enable"
            client-vpn-settings:
              - auth-method: "psk"
                name: "default_name_25"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "28"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
                vpn-configuration-content: "<your_own_value>"
                vpn-configuration-name: "<your_own_value>"
            configuration-content: "<your_own_value>"
            configuration-name: "<your_own_value>"
            disable-wf-when-protected: "enable"
            distribute-configuration-profile: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient-winmac-settings:
            av-realtime-protection: "enable"
            av-signature-up-to-date: "enable"
            forticlient-application-firewall: "enable"
            forticlient-application-firewall-list: "<your_own_value> (source application.list.name)"
            forticlient-av: "enable"
            forticlient-ems-compliance: "enable"
            forticlient-ems-compliance-action: "block"
            forticlient-ems-entries:
              - name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient-linux-ver: "<your_own_value>"
            forticlient-log-upload: "enable"
            forticlient-log-upload-level: "traffic"
            forticlient-log-upload-server: "<your_own_value>"
            forticlient-mac-ver: "<your_own_value>"
            forticlient-minimum-software-version: "enable"
            forticlient-operating-system:
              - id: "56"
                os-name: "<your_own_value>"
                os-type: "custom"
            forticlient-own-file:
              - file: "<your_own_value>"
                id: "61"
            forticlient-registration-compliance-action: "block"
            forticlient-registry-entry:
              - id: "64"
                registry-entry: "<your_own_value>"
            forticlient-running-app:
              - app-name: "<your_own_value>"
                app-sha256-signature: "<your_own_value>"
                app-sha256-signature2: "<your_own_value>"
                app-sha256-signature3: "<your_own_value>"
                app-sha256-signature4: "<your_own_value>"
                application-check-rule: "present"
                id: "73"
                process-name: "<your_own_value>"
                process-name2: "<your_own_value>"
                process-name3: "<your_own_value>"
                process-name4: "<your_own_value>"
            forticlient-security-posture: "enable"
            forticlient-security-posture-compliance-action: "block"
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
            forticlient-vuln-scan: "enable"
            forticlient-vuln-scan-compliance-action: "block"
            forticlient-vuln-scan-enforce: "critical"
            forticlient-vuln-scan-enforce-grace: "85"
            forticlient-vuln-scan-exempt: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient-win-ver: "<your_own_value>"
            os-av-software-installed: "enable"
            sandbox-address: "<your_own_value>"
            sandbox-analysis: "enable"
          on-net-addr:
            - name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
          profile-name: "<your_own_value>"
          replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
          src-addr:
            - name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
          user-groups:
            - name: "default_name_100 (source user.group.name)"
          users:
            - name: "default_name_102 (source user.local.name)"
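A hardened variant of the connection settings used above, as an added example that is not part of the module's own documentation: it sets `https: true` (the option defaults to false), reads the admin password and the VPN pre-shared key from a vault-encrypted vars file instead of inline values, and uses `no_log` so neither secret appears in task output. The file name `vault.yml`, the variables `vault_fortigate_password` and `vault_vpn_psk`, and the profile, VPN and gateway names are assumptions.

```yaml
# Added example (not from the module documentation).
# Assumed names: vault.yml, vault_fortigate_password, vault_vpn_psk,
# profile "corp-endpoints", VPN "corp-vpn", gateway vpn.example.com.
# Create the encrypted vars file with: ansible-vault create vault.yml
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault.yml              # encrypted at rest with ansible-vault
  vars:
    host: "192.168.122.40"
    username: "admin"
    vdom: "root"
  tasks:
    - name: Fail early if a secret is missing or empty
      assert:
        that:
          - vault_fortigate_password is defined
          - vault_fortigate_password | length > 0
          - vault_vpn_psk is defined
          - vault_vpn_psk | length > 0
      no_log: true

    - name: Configure FortiClient endpoint control profile over HTTPS
      fortios_endpoint_control_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ vault_fortigate_password }}"
        vdom: "{{ vdom }}"
        https: true            # module default is false
        endpoint_control_profile:
          state: "present"
          profile-name: "corp-endpoints"
          forticlient-android-settings:
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
              - name: "corp-vpn"
                type: "ipsec"
                auth-method: "psk"
                preshared-key: "{{ vault_vpn_psk }}"
                remote-gw: "vpn.example.com"
          forticlient-winmac-settings:
            av-realtime-protection: "enable"
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
      no_log: true             # keeps password and PSK out of logs and -v output
      register: result
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the encrypted variables can be decrypted at run time.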
host:
  description:
    - FortiOS or FortiGate ip address.
  required: true
vdom:
  default: root
  description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
https:
  default: false
  description:
    - Indicates if the requests towards FortiGate must use HTTPS protocol
  type: bool
password:
  default: ''
  description:
    - FortiOS or FortiGate password.
username:
  description:
    - FortiOS or FortiGate username.
  required: true
endpoint_control_profile:
  default: null
  description:
    - Configure FortiClient endpoint control profiles.
  suboptions:
    description:
      description:
        - Description.
    device-groups:
      description:
        - Device groups.
      suboptions:
        name:
          description:
            - Device group object from available options. Source user.device-group.name user.device-category.name.
          required: true
    forticlient-android-settings:
      description:
        - FortiClient settings for Android platform.
      suboptions:
        disable-wf-when-protected:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient web category filtering when protected by FortiGate.
        forticlient-advanced-vpn:
          choices:
            - enable
            - disable
          description:
            - Enable/disable advanced FortiClient VPN configuration.
        forticlient-advanced-vpn-buffer:
          description:
            - Advanced FortiClient VPN configuration.
        forticlient-vpn-provisioning:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient VPN provisioning.
        forticlient-vpn-settings:
          description:
            - FortiClient VPN settings.
          suboptions:
            auth-method:
              choices:
                - psk
                - certificate
              description:
                - Authentication method.
            name:
              description:
                - VPN name.
              required: true
            preshared-key:
              description:
                - Pre-shared secret for PSK authentication.
            remote-gw:
              description:
                - IP address or FQDN of the remote VPN gateway.
            sslvpn-access-port:
              description:
                - SSL VPN access port (1 - 65535).
            sslvpn-require-certificate:
              choices:
                - enable
                - disable
              description:
                - Enable/disable requiring SSL VPN client certificate.
            type:
              choices:
                - ipsec
                - ssl
              description:
                - VPN type (IPsec or SSL VPN).
        forticlient-wf:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient web filtering.
        forticlient-wf-profile:
          description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
    forticlient-ios-settings:
      description:
        - FortiClient settings for iOS platform.
      suboptions:
        client-vpn-provisioning:
          choices:
            - enable
            - disable
          description:
            - FortiClient VPN provisioning.
        client-vpn-settings:
          description:
            - FortiClient VPN settings.
          suboptions:
            auth-method:
              choices:
                - psk
                - certificate
              description:
                - Authentication method.
            name:
              description:
                - VPN name.
              required: true
            preshared-key:
              description:
                - Pre-shared secret for PSK authentication.
            remote-gw:
              description:
                - IP address or FQDN of the remote VPN gateway.
            sslvpn-access-port:
              description:
                - SSL VPN access port (1 - 65535).
            sslvpn-require-certificate:
              choices:
                - enable
                - disable
              description:
                - Enable/disable requiring SSL VPN client certificate.
            type:
              choices:
                - ipsec
                - ssl
              description:
                - VPN type (IPsec or SSL VPN).
            vpn-configuration-content:
              description:
                - Content of VPN configuration.
            vpn-configuration-name:
              description:
                - Name of VPN configuration.
        configuration-content:
          description:
            - Content of configuration profile.
        configuration-name:
          description:
            - Name of configuration profile.
        disable-wf-when-protected:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient web category filtering when protected by FortiGate.
        distribute-configuration-profile:
          choices:
            - enable
            - disable
          description:
            - Enable/disable configuration profile (.mobileconfig file) distribution.
        forticlient-wf:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient web filtering.
        forticlient-wf-profile:
          description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
    forticlient-winmac-settings:
      description:
        - FortiClient settings for Windows/Mac platform.
      suboptions:
        av-realtime-protection:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient AntiVirus real-time protection.
        av-signature-up-to-date:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient AV signature updates.
        forticlient-application-firewall:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the FortiClient application firewall.
        forticlient-application-firewall-list:
          description:
            - FortiClient application firewall rule list. Source application.list.name.
        forticlient-av:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient AntiVirus scanning.
        forticlient-ems-compliance:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
        forticlient-ems-compliance-action:
          choices:
            - block
            - warning
          description:
            - FortiClient EMS compliance action.
        forticlient-ems-entries:
          description:
            - FortiClient EMS entries.
          suboptions:
            name:
              description:
                - FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
              required: true
        forticlient-linux-ver:
          description:
            - Minimum FortiClient Linux version.
        forticlient-log-upload:
          choices:
            - enable
            - disable
          description:
            - Enable/disable uploading FortiClient logs.
        forticlient-log-upload-level:
          choices:
            - traffic
            - vulnerability
            - event
          description:
            - Select the FortiClient logs to upload.
        forticlient-log-upload-server:
          description:
            - IP address or FQDN of the server to which to upload FortiClient logs.
        forticlient-mac-ver:
          description:
            - Minimum FortiClient Mac OS version.
        forticlient-minimum-software-version:
          choices:
            - enable
            - disable
          description:
            - Enable/disable requiring clients to run FortiClient with a minimum software version number.
        forticlient-operating-system:
          description:
            - FortiClient operating system.
          suboptions:
            id:
              description:
                - Operating system entry ID.
              required: true
            os-name:
              description:
                - Customize operating system name or Mac OS format:x.x.x
            os-type:
              choices:
                - custom
                - mac-os
                - win-7
                - win-80
                - win-81
                - win-10
                - win-2000
                - win-home-svr
                - win-svr-10
                - win-svr-2003
                - win-svr-2003-r2
                - win-svr-2008
                - win-svr-2008-r2
                - win-svr-2012
                - win-svr-2012-r2
                - win-sto-svr-2003
                - win-vista
                - win-xp
                - ubuntu-linux
                - centos-linux
                - redhat-linux
                - fedora-linux
              description:
                - Operating system type.
        forticlient-own-file:
          description:
            - Checking the path and filename of the FortiClient application.
          suboptions:
            file:
              description:
                - File path and name.
            id:
              description:
                - File ID.
              required: true
        forticlient-registration-compliance-action:
          choices:
            - block
            - warning
          description:
            - FortiClient registration compliance action.
        forticlient-registry-entry:
          description:
            - FortiClient registry entry.
          suboptions:
            id:
              description:
                - Registry entry ID.
              required: true
            registry-entry:
              description:
                - Registry entry.
        forticlient-running-app:
          description:
            - Use FortiClient to verify if the listed applications are running on the client.
          suboptions:
            app-name:
              description:
                - Application name.
            app-sha256-signature:
              description:
                - App's SHA256 signature.
            app-sha256-signature2:
              description:
                - App's SHA256 Signature.
            app-sha256-signature3:
              description:
                - App's SHA256 Signature.
            app-sha256-signature4:
              description:
                - App's SHA256 Signature.
            application-check-rule:
              choices:
                - present
                - absent
              description:
                - Application check rule.
            id:
              description:
                - Application ID.
              required: true
            process-name:
              description:
                - Process name.
            process-name2:
              description:
                - Process name.
            process-name3:
              description:
                - Process name.
            process-name4:
              description:
                - Process name.
        forticlient-security-posture:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient security posture check options.
        forticlient-security-posture-compliance-action:
          choices:
            - block
            - warning
          description:
            - FortiClient security posture compliance action.
        forticlient-system-compliance:
          choices:
            - enable
            - disable
          description:
            - Enable/disable enforcement of FortiClient system compliance.
        forticlient-system-compliance-action:
          choices:
            - block
            - warning
          description:
            - Block or warn clients not compliant with FortiClient requirements.
        forticlient-vuln-scan:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient vulnerability scanning.
        forticlient-vuln-scan-compliance-action:
          choices:
            - block
            - warning
          description:
            - FortiClient vulnerability compliance action.
        forticlient-vuln-scan-enforce:
          choices:
            - critical
            - high
            - medium
            - low
            - info
          description:
            - Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
        forticlient-vuln-scan-enforce-grace:
          description:
            - FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1).
        forticlient-vuln-scan-exempt:
          choices:
            - enable
            - disable
          description:
            - Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
        forticlient-wf:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FortiClient web filtering.
        forticlient-wf-profile:
          description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
        forticlient-win-ver:
          description:
            - Minimum FortiClient Windows version.
        os-av-software-installed:
          choices:
            - enable
            - disable
          description:
            - Enable/disable checking for OS recognized AntiVirus software.
        sandbox-address:
          description:
            - FortiSandbox address.
        sandbox-analysis:
          choices:
            - enable
            - disable
          description:
            - Enable/disable sending files to FortiSandbox for analysis.
    on-net-addr:
      description:
        - Addresses for on-net detection.
      suboptions:
        name:
          description:
            - Address object from available options. Source firewall.address.name firewall.addrgrp.name.
          required: true
    profile-name:
      description:
        - Profile name.
      required: true
    replacemsg-override-group:
      description:
        - Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
    src-addr:
      description:
        - Source addresses.
      suboptions:
        name:
          description:
            - Address object from available options. Source firewall.address.name firewall.addrgrp.name.
          required: true
    state:
      choices:
        - present
        - absent
      description:
        - Indicates whether to create or remove the object
    user-groups:
      description:
        - User groups.
      suboptions:
        name:
          description:
            - User group name. Source user.group.name.
          required: true
    users:
      description:
        - Users.
      suboptions:
        name:
          description:
            - User name. Source user.local.name.
          required: true
build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str