Try SpotterConfigure proxy policies in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to configure firewall feature and proxy_policy category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure proxy policies.
fortios_firewall_proxy_policy:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
firewall_proxy_policy:
state: "present"
action: "accept"
application-list: "<your_own_value> (source application.list.name)"
av-profile: "<your_own_value> (source antivirus.profile.name)"
comments: "<your_own_value>"
disclaimer: "disable"
dlp-sensor: "<your_own_value> (source dlp.sensor.name)"
dstaddr:
-
name: "default_name_10 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip
.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)"
dstaddr-negate: "enable"
dstaddr6:
-
name: "default_name_13 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall
.vipgrp64.name system.external-resource.name)"
dstintf:
-
name: "default_name_15 (source system.interface.name system.zone.name)"
global-label: "<your_own_value>"
groups:
-
name: "default_name_18 (source user.group.name)"
http-tunnel-auth: "enable"
icap-profile: "<your_own_value> (source icap.profile.name)"
internet-service: "enable"
internet-service-custom:
-
name: "default_name_23 (source firewall.internet-service-custom.name)"
internet-service-id:
-
id: "25 (source firewall.internet-service.id)"
internet-service-negate: "enable"
ips-sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
logtraffic: "all"
logtraffic-start: "enable"
policyid: "31"
poolname:
-
name: "default_name_33 (source firewall.ippool.name)"
profile-group: "<your_own_value> (source firewall.profile-group.name)"
profile-protocol-options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile-type: "single"
proxy: "explicit-web"
redirect-url: "<your_own_value>"
replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
scan-botnet-connections: "disable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
service:
-
name: "default_name_43 (source firewall.service.custom.name firewall.service.group.name)"
service-negate: "enable"
session-ttl: "45"
spamfilter-profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_48 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system
.external-resource.name)"
srcaddr-negate: "enable"
srcaddr6:
-
name: "default_name_51 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
srcintf:
-
name: "default_name_53 (source system.interface.name system.zone.name)"
ssh-filter-profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
transparent: "enable"
users:
-
name: "default_name_59 (source user.local.name)"
utm-status: "enable"
uuid: "<your_own_value>"
waf-profile: "<your_own_value> (source waf.profile.name)"
webcache: "enable"
webcache-https: "disable"
webfilter-profile: "<your_own_value> (source webfilter.profile.name)"
webproxy-forward-server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
webproxy-profile: "<your_own_value> (source web-proxy.profile.name)"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
firewall_proxy_policy:
default: null
description:
- Configure proxy policies.
suboptions:
action:
choices:
- accept
- deny
- redirect
description:
- Accept or deny traffic matching the policy parameters.
application-list:
description:
- Name of an existing Application list. Source application.list.name.
av-profile:
description:
- Name of an existing Antivirus profile. Source antivirus.profile.name.
comments:
description:
- Optional comments.
disclaimer:
choices:
- disable
- domain
- policy
- user
description:
- 'Web proxy disclaimer setting: by domain, policy, or user.'
dlp-sensor:
description:
- Name of an existing DLP sensor. Source dlp.sensor.name.
dstaddr:
description:
- Destination address objects.
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name
firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name firewall.vip46.name
firewall.vipgrp46.name system.external-resource.name.
required: true
dstaddr-negate:
choices:
- enable
- disable
description:
- When enabled, destination addresses match against any address EXCEPT the specified
destination addresses.
dstaddr6:
description:
- IPv6 destination address objects.
suboptions:
name:
description:
- Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name
firewall.vipgrp6.name firewall.vip64.name firewall.vipgrp64.name system.external-resource.name.
required: true
dstintf:
description:
- Destination interface names.
suboptions:
name:
description:
- Interface name. Source system.interface.name system.zone.name.
required: true
global-label:
description:
- Global web-based manager visible label.
groups:
description:
- Names of group objects.
suboptions:
name:
description:
- Group name. Source user.group.name.
required: true
http-tunnel-auth:
choices:
- enable
- disable
description:
- Enable/disable HTTP tunnel authentication.
icap-profile:
description:
- Name of an existing ICAP profile. Source icap.profile.name.
internet-service:
choices:
- enable
- disable
description:
- Enable/disable use of Internet Services for this policy. If enabled, destination
address and service are not used.
internet-service-custom:
description:
- Custom Internet Service name.
suboptions:
name:
description:
- Custom name. Source firewall.internet-service-custom.name.
required: true
internet-service-id:
description:
- Internet Service ID.
suboptions:
id:
description:
- Internet Service ID. Source firewall.internet-service.id.
required: true
internet-service-negate:
choices:
- enable
- disable
description:
- When enabled, Internet Services match against any internet service EXCEPT the
selected Internet Service.
ips-sensor:
description:
- Name of an existing IPS sensor. Source ips.sensor.name.
label:
description:
- VDOM-specific GUI visible label.
logtraffic:
choices:
- all
- utm
- disable
description:
- Enable/disable logging traffic through the policy.
logtraffic-start:
choices:
- enable
- disable
description:
- Enable/disable policy log traffic start.
policyid:
description:
- Policy ID.
required: true
poolname:
description:
- Name of IP pool object.
suboptions:
name:
description:
- IP pool name. Source firewall.ippool.name.
required: true
profile-group:
description:
- Name of profile group. Source firewall.profile-group.name.
profile-protocol-options:
description:
- Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
profile-type:
choices:
- single
- group
description:
- Determine whether the firewall policy allows security profile groups or single
profiles only.
proxy:
choices:
- explicit-web
- transparent-web
- ftp
- ssh
- ssh-tunnel
- wanopt
description:
- Type of explicit proxy.
redirect-url:
description:
- Redirect URL for further explicit web proxy processing.
replacemsg-override-group:
description:
- Authentication replacement message override group. Source system.replacemsg-group.name.
scan-botnet-connections:
choices:
- disable
- block
- monitor
description:
- Enable/disable scanning of connections to Botnet servers.
schedule:
description:
- Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name
firewall.schedule.group.name.
service:
description:
- Name of service objects.
suboptions:
name:
description:
- Service name. Source firewall.service.custom.name firewall.service.group.name.
required: true
service-negate:
choices:
- enable
- disable
description:
- When enabled, services match against any service EXCEPT the specified destination
services.
session-ttl:
description:
- TTL in seconds for sessions accepted by this policy (0 means use the system
default session TTL).
spamfilter-profile:
description:
- Name of an existing Spam filter profile. Source spamfilter.profile.name.
srcaddr:
description:
- Source address objects (must be set when using Web proxy).
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name
firewall.proxy-addrgrp.name system .external-resource.name.
required: true
srcaddr-negate:
choices:
- enable
- disable
description:
- When enabled, source addresses match against any address EXCEPT the specified
source addresses.
srcaddr6:
description:
- IPv6 source address objects.
suboptions:
name:
description:
- Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
required: true
srcintf:
description:
- Source interface names.
suboptions:
name:
description:
- Interface name. Source system.interface.name system.zone.name.
required: true
ssh-filter-profile:
description:
- Name of an existing SSH filter profile. Source ssh-filter.profile.name.
ssl-ssh-profile:
description:
- Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of the policy.
transparent:
choices:
- enable
- disable
description:
- Enable to use the IP address of the client to connect to the server.
users:
description:
- Names of user objects.
suboptions:
name:
description:
- Group name. Source user.local.name.
required: true
utm-status:
choices:
- enable
- disable
description:
- Enable the use of UTM profiles/sensors/lists.
uuid:
description:
- Universally Unique Identifier (UUID; automatically assigned but can be manually
reset).
waf-profile:
description:
- Name of an existing Web application firewall profile. Source waf.profile.name.
webcache:
choices:
- enable
- disable
description:
- Enable/disable web caching.
webcache-https:
choices:
- disable
- enable
description:
- Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
webfilter-profile:
description:
- Name of an existing Web filter profile. Source webfilter.profile.name.
webproxy-forward-server:
description:
- Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
webproxy-profile:
description:
- Name of web proxy profile. Source web-proxy.profile.name.
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str