Try SpotterConfigure FortiClient endpoint control profiles in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to configure endpoint_control feature and profile category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure FortiClient endpoint control profiles.
fortios_endpoint_control_profile:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
endpoint_control_profile:
state: "present"
description: "<your_own_value>"
device-groups:
-
name: "default_name_5 (source user.device-group.name user.device-category.name)"
forticlient-android-settings:
disable-wf-when-protected: "enable"
forticlient-advanced-vpn: "enable"
forticlient-advanced-vpn-buffer: "<your_own_value>"
forticlient-vpn-provisioning: "enable"
forticlient-vpn-settings:
-
auth-method: "psk"
name: "default_name_13"
preshared-key: "<your_own_value>"
remote-gw: "<your_own_value>"
sslvpn-access-port: "16"
sslvpn-require-certificate: "enable"
type: "ipsec"
forticlient-wf: "enable"
forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
forticlient-ios-settings:
client-vpn-provisioning: "enable"
client-vpn-settings:
-
auth-method: "psk"
name: "default_name_25"
preshared-key: "<your_own_value>"
remote-gw: "<your_own_value>"
sslvpn-access-port: "28"
sslvpn-require-certificate: "enable"
type: "ipsec"
vpn-configuration-content: "<your_own_value>"
vpn-configuration-name: "<your_own_value>"
configuration-content: "<your_own_value>"
configuration-name: "<your_own_value>"
disable-wf-when-protected: "enable"
distribute-configuration-profile: "enable"
forticlient-wf: "enable"
forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
forticlient-winmac-settings:
av-realtime-protection: "enable"
av-signature-up-to-date: "enable"
forticlient-application-firewall: "enable"
forticlient-application-firewall-list: "<your_own_value> (source application.list.name)"
forticlient-av: "enable"
forticlient-ems-compliance: "enable"
forticlient-ems-compliance-action: "block"
forticlient-ems-entries:
-
name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
forticlient-linux-ver: "<your_own_value>"
forticlient-log-upload: "enable"
forticlient-log-upload-level: "traffic"
forticlient-log-upload-server: "<your_own_value>"
forticlient-mac-ver: "<your_own_value>"
forticlient-minimum-software-version: "enable"
forticlient-operating-system:
-
id: "56"
os-name: "<your_own_value>"
os-type: "custom"
forticlient-own-file:
-
file: "<your_own_value>"
id: "61"
forticlient-registration-compliance-action: "block"
forticlient-registry-entry:
-
id: "64"
registry-entry: "<your_own_value>"
forticlient-running-app:
-
app-name: "<your_own_value>"
app-sha256-signature: "<your_own_value>"
app-sha256-signature2: "<your_own_value>"
app-sha256-signature3: "<your_own_value>"
app-sha256-signature4: "<your_own_value>"
application-check-rule: "present"
id: "73"
process-name: "<your_own_value>"
process-name2: "<your_own_value>"
process-name3: "<your_own_value>"
process-name4: "<your_own_value>"
forticlient-security-posture: "enable"
forticlient-security-posture-compliance-action: "block"
forticlient-system-compliance: "enable"
forticlient-system-compliance-action: "block"
forticlient-vuln-scan: "enable"
forticlient-vuln-scan-compliance-action: "block"
forticlient-vuln-scan-enforce: "critical"
forticlient-vuln-scan-enforce-grace: "85"
forticlient-vuln-scan-exempt: "enable"
forticlient-wf: "enable"
forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
forticlient-win-ver: "<your_own_value>"
os-av-software-installed: "enable"
sandbox-address: "<your_own_value>"
sandbox-analysis: "enable"
on-net-addr:
-
name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
profile-name: "<your_own_value>"
replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
src-addr:
-
name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
user-groups:
-
name: "default_name_100 (source user.group.name)"
users:
-
name: "default_name_102 (source user.local.name)"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: false
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
endpoint_control_profile:
default: null
description:
- Configure FortiClient endpoint control profiles.
suboptions:
description:
description:
- Description.
device-groups:
description:
- Device groups.
suboptions:
name:
description:
- Device group object from available options. Source user.device-group.name
user.device-category.name.
required: true
forticlient-android-settings:
description:
- FortiClient settings for Android platform.
suboptions:
disable-wf-when-protected:
choices:
- enable
- disable
description:
- Enable/disable FortiClient web category filtering when protected by FortiGate.
forticlient-advanced-vpn:
choices:
- enable
- disable
description:
- Enable/disable advanced FortiClient VPN configuration.
forticlient-advanced-vpn-buffer:
description:
- Advanced FortiClient VPN configuration.
forticlient-vpn-provisioning:
choices:
- enable
- disable
description:
- Enable/disable FortiClient VPN provisioning.
forticlient-vpn-settings:
description:
- FortiClient VPN settings.
suboptions:
auth-method:
choices:
- psk
- certificate
description:
- Authentication method.
name:
description:
- VPN name.
required: true
preshared-key:
description:
- Pre-shared secret for PSK authentication.
remote-gw:
description:
- IP address or FQDN of the remote VPN gateway.
sslvpn-access-port:
description:
- SSL VPN access port (1 - 65535).
sslvpn-require-certificate:
choices:
- enable
- disable
description:
- Enable/disable requiring SSL VPN client certificate.
type:
choices:
- ipsec
- ssl
description:
- VPN type (IPsec or SSL VPN).
forticlient-wf:
choices:
- enable
- disable
description:
- Enable/disable FortiClient web filtering.
forticlient-wf-profile:
description:
- The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-ios-settings:
description:
- FortiClient settings for iOS platform.
suboptions:
client-vpn-provisioning:
choices:
- enable
- disable
description:
- FortiClient VPN provisioning.
client-vpn-settings:
description:
- FortiClient VPN settings.
suboptions:
auth-method:
choices:
- psk
- certificate
description:
- Authentication method.
name:
description:
- VPN name.
required: true
preshared-key:
description:
- Pre-shared secret for PSK authentication.
remote-gw:
description:
- IP address or FQDN of the remote VPN gateway.
sslvpn-access-port:
description:
- SSL VPN access port (1 - 65535).
sslvpn-require-certificate:
choices:
- enable
- disable
description:
- Enable/disable requiring SSL VPN client certificate.
type:
choices:
- ipsec
- ssl
description:
- VPN type (IPsec or SSL VPN).
vpn-configuration-content:
description:
- Content of VPN configuration.
vpn-configuration-name:
description:
- Name of VPN configuration.
configuration-content:
description:
- Content of configuration profile.
configuration-name:
description:
- Name of configuration profile.
disable-wf-when-protected:
choices:
- enable
- disable
description:
- Enable/disable FortiClient web category filtering when protected by FortiGate.
distribute-configuration-profile:
choices:
- enable
- disable
description:
- Enable/disable configuration profile (.mobileconfig file) distribution.
forticlient-wf:
choices:
- enable
- disable
description:
- Enable/disable FortiClient web filtering.
forticlient-wf-profile:
description:
- The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-winmac-settings:
description:
- FortiClient settings for Windows/Mac platform.
suboptions:
av-realtime-protection:
choices:
- enable
- disable
description:
- Enable/disable FortiClient AntiVirus real-time protection.
av-signature-up-to-date:
choices:
- enable
- disable
description:
- Enable/disable FortiClient AV signature updates.
forticlient-application-firewall:
choices:
- enable
- disable
description:
- Enable/disable the FortiClient application firewall.
forticlient-application-firewall-list:
description:
- FortiClient application firewall rule list. Source application.list.name.
forticlient-av:
choices:
- enable
- disable
description:
- Enable/disable FortiClient AntiVirus scanning.
forticlient-ems-compliance:
choices:
- enable
- disable
description:
- Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
forticlient-ems-compliance-action:
choices:
- block
- warning
description:
- FortiClient EMS compliance action.
forticlient-ems-entries:
description:
- FortiClient EMS entries.
suboptions:
name:
description:
- FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
required: true
forticlient-linux-ver:
description:
- Minimum FortiClient Linux version.
forticlient-log-upload:
choices:
- enable
- disable
description:
- Enable/disable uploading FortiClient logs.
forticlient-log-upload-level:
choices:
- traffic
- vulnerability
- event
description:
- Select the FortiClient logs to upload.
forticlient-log-upload-server:
description:
- IP address or FQDN of the server to which to upload FortiClient logs.
forticlient-mac-ver:
description:
- Minimum FortiClient Mac OS version.
forticlient-minimum-software-version:
choices:
- enable
- disable
description:
- Enable/disable requiring clients to run FortiClient with a minimum software
version number.
forticlient-operating-system:
description:
- FortiClient operating system.
suboptions:
id:
description:
- Operating system entry ID.
required: true
os-name:
description:
- Customize operating system name or Mac OS format:x.x.x
os-type:
choices:
- custom
- mac-os
- win-7
- win-80
- win-81
- win-10
- win-2000
- win-home-svr
- win-svr-10
- win-svr-2003
- win-svr-2003-r2
- win-svr-2008
- win-svr-2008-r2
- win-svr-2012
- win-svr-2012-r2
- win-sto-svr-2003
- win-vista
- win-xp
- ubuntu-linux
- centos-linux
- redhat-linux
- fedora-linux
description:
- Operating system type.
forticlient-own-file:
description:
- Checking the path and filename of the FortiClient application.
suboptions:
file:
description:
- File path and name.
id:
description:
- File ID.
required: true
forticlient-registration-compliance-action:
choices:
- block
- warning
description:
- FortiClient registration compliance action.
forticlient-registry-entry:
description:
- FortiClient registry entry.
suboptions:
id:
description:
- Registry entry ID.
required: true
registry-entry:
description:
- Registry entry.
forticlient-running-app:
description:
- Use FortiClient to verify if the listed applications are running on the
client.
suboptions:
app-name:
description:
- Application name.
app-sha256-signature:
description:
- App's SHA256 signature.
app-sha256-signature2:
description:
- App's SHA256 Signature.
app-sha256-signature3:
description:
- App's SHA256 Signature.
app-sha256-signature4:
description:
- App's SHA256 Signature.
application-check-rule:
choices:
- present
- absent
description:
- Application check rule.
id:
description:
- Application ID.
required: true
process-name:
description:
- Process name.
process-name2:
description:
- Process name.
process-name3:
description:
- Process name.
process-name4:
description:
- Process name.
forticlient-security-posture:
choices:
- enable
- disable
description:
- Enable/disable FortiClient security posture check options.
forticlient-security-posture-compliance-action:
choices:
- block
- warning
description:
- FortiClient security posture compliance action.
forticlient-system-compliance:
choices:
- enable
- disable
description:
- Enable/disable enforcement of FortiClient system compliance.
forticlient-system-compliance-action:
choices:
- block
- warning
description:
- Block or warn clients not compliant with FortiClient requirements.
forticlient-vuln-scan:
choices:
- enable
- disable
description:
- Enable/disable FortiClient vulnerability scanning.
forticlient-vuln-scan-compliance-action:
choices:
- block
- warning
description:
- FortiClient vulnerability compliance action.
forticlient-vuln-scan-enforce:
choices:
- critical
- high
- medium
- low
- info
description:
- Configure the level of the vulnerability found that causes a FortiClient
vulnerability compliance action.
forticlient-vuln-scan-enforce-grace:
description:
- FortiClient vulnerability scan enforcement grace period (0 - 30 days, default
= 1).
forticlient-vuln-scan-exempt:
choices:
- enable
- disable
description:
- Enable/disable compliance exemption for vulnerabilities that cannot be patched
automatically.
forticlient-wf:
choices:
- enable
- disable
description:
- Enable/disable FortiClient web filtering.
forticlient-wf-profile:
description:
- The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-win-ver:
description:
- Minimum FortiClient Windows version.
os-av-software-installed:
choices:
- enable
- disable
description:
- Enable/disable checking for OS recognized AntiVirus software.
sandbox-address:
description:
- FortiSandbox address.
sandbox-analysis:
choices:
- enable
- disable
description:
- Enable/disable sending files to FortiSandbox for analysis.
on-net-addr:
description:
- Addresses for on-net detection.
suboptions:
name:
description:
- Address object from available options. Source firewall.address.name firewall.addrgrp.name.
required: true
profile-name:
description:
- Profile name.
required: true
replacemsg-override-group:
description:
- Select an endpoint control replacement message override group from available
options. Source system.replacemsg-group.name.
src-addr:
description:
- Source addresses.
suboptions:
name:
description:
- Address object from available options. Source firewall.address.name firewall.addrgrp.name.
required: true
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object
user-groups:
description:
- User groups.
suboptions:
name:
description:
- User group name. Source user.group.name.
required: true
users:
description:
- Users.
suboptions:
name:
description:
- User name. Source user.local.name.
required: true
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str