Try SpotterConfigure SSL VPN in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ssl_settings:
auth-timeout: "3"
authentication-rule:
-
auth: "any"
cipher: "any"
client-cert: "enable"
groups:
-
name: "default_name_9 (source user.group.name)"
id: "10"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source-address:
-
name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
source-address-negate: "enable"
source-address6:
-
name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
source-address6-negate: "enable"
source-interface:
-
name: "default_name_20 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_22 (source user.local.name)"
auto-tunnel-static-route: "enable"
banned-cipher: "RSA"
check-referer: "enable"
default-portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate-compression-level: "27"
deflate-min-data-size: "28"
dns-server1: "<your_own_value>"
dns-server2: "<your_own_value>"
dns-suffix: "<your_own_value>"
dtls-hello-timeout: "32"
dtls-tunnel: "enable"
force-two-factor-auth: "enable"
header-x-forwarded-for: "pass"
http-compression: "enable"
http-only-cookie: "enable"
http-request-body-timeout: "38"
http-request-header-timeout: "39"
https-redirect: "enable"
idle-timeout: "41"
ipv6-dns-server1: "<your_own_value>"
ipv6-dns-server2: "<your_own_value>"
ipv6-wins-server1: "<your_own_value>"
ipv6-wins-server2: "<your_own_value>"
login-attempt-limit: "46"
login-block-time: "47"
login-timeout: "48"
port: "49"
port-precedence: "enable"
reqclientcert: "enable"
route-source-interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source-address:
-
name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
source-address-negate: "enable"
source-address6:
-
name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
source-address6-negate: "enable"
source-interface:
-
name: "default_name_61 (source system.interface.name system.zone.name)"
ssl-client-renegotiation: "disable"
ssl-insert-empty-fragment: "enable"
tlsv1-0: "enable"
tlsv1-1: "enable"
tlsv1-2: "enable"
tunnel-ip-pools:
-
name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
tunnel-ipv6-pools:
-
name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe-legacy-renegotiation: "enable"
url-obscuration: "enable"
wins-server1: "<your_own_value>"
wins-server2: "<your_own_value>"
x-content-type-options: "enable"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
vpn_ssl_settings:
default: null
description:
- Configure SSL VPN.
suboptions:
auth-timeout:
description:
- SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication-rule:
description:
- Authentication rule for SSL VPN.
suboptions:
auth:
choices:
- any
- local
- radius
- tacacs+
- ldap
description:
- SSL VPN authentication method restriction.
cipher:
choices:
- any
- high
- medium
description:
- SSL VPN cipher strength.
client-cert:
choices:
- enable
- disable
description:
- Enable/disable SSL VPN client certificate restrictive.
groups:
description:
- User groups.
suboptions:
name:
description:
- Group name. Source user.group.name.
required: true
id:
description:
- ID (0 - 4294967295).
required: true
portal:
description:
- SSL VPN portal. Source vpn.ssl.web.portal.name.
realm:
description:
- SSL VPN realm. Source vpn.ssl.web.realm.url-path.
source-address:
description:
- Source address of incoming traffic.
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name.
required: true
source-address-negate:
choices:
- enable
- disable
description:
- Enable/disable negated source address match.
source-address6:
description:
- IPv6 source address of incoming traffic.
suboptions:
name:
description:
- IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
source-address6-negate:
choices:
- enable
- disable
description:
- Enable/disable negated source IPv6 address match.
source-interface:
description:
- SSL VPN source interface of incoming traffic.
suboptions:
name:
description:
- Interface name. Source system.interface.name system.zone.name.
required: true
users:
description:
- User name.
suboptions:
name:
description:
- User name. Source user.local.name.
required: true
auto-tunnel-static-route:
choices:
- enable
- disable
description:
- Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
banned-cipher:
choices:
- RSA
- DH
- DHE
- ECDH
- ECDHE
- DSS
- ECDSA
- AES
- AESGCM
- CAMELLIA
- 3DES
- SHA1
- SHA256
- SHA384
- STATIC
description:
- Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
check-referer:
choices:
- enable
- disable
description:
- Enable/disable verification of referer field in HTTP request header.
default-portal:
description:
- Default SSL VPN portal. Source vpn.ssl.web.portal.name.
deflate-compression-level:
description:
- Compression level (0~9).
deflate-min-data-size:
description:
- Minimum amount of data that triggers compression (200 - 65535 bytes).
dns-server1:
description:
- DNS server 1.
dns-server2:
description:
- DNS server 2.
dns-suffix:
description:
- DNS suffix used for SSL-VPN clients.
dtls-hello-timeout:
description:
- SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel:
choices:
- enable
- disable
description:
- Enable DTLS to prevent eavesdropping, tampering, or message forgery.
force-two-factor-auth:
choices:
- enable
- disable
description:
- Enable to force two-factor authentication for all SSL-VPNs.
header-x-forwarded-for:
choices:
- pass
- add
- remove
description:
- Forward the same, add, or remove HTTP header.
http-compression:
choices:
- enable
- disable
description:
- Enable to allow HTTP compression over SSL-VPN tunnels.
http-only-cookie:
choices:
- enable
- disable
description:
- Enable/disable SSL-VPN support for HttpOnly cookies.
http-request-body-timeout:
description:
- SSL-VPN session is disconnected if an HTTP request body is not received within
this time (1 - 60 sec, default = 20).
http-request-header-timeout:
description:
- SSL-VPN session is disconnected if an HTTP request header is not received within
this time (1 - 60 sec, default = 20).
https-redirect:
choices:
- enable
- disable
description:
- Enable/disable redirect of port 80 to SSL-VPN port.
idle-timeout:
description:
- SSL VPN disconnects if idle for specified time in seconds.
ipv6-dns-server1:
description:
- IPv6 DNS server 1.
ipv6-dns-server2:
description:
- IPv6 DNS server 2.
ipv6-wins-server1:
description:
- IPv6 WINS server 1.
ipv6-wins-server2:
description:
- IPv6 WINS server 2.
login-attempt-limit:
description:
- SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no
limit).
login-block-time:
description:
- Time for which a user is blocked from logging in after too many failed login
attempts (0 - 86400 sec, default = 60).
login-timeout:
description:
- SSLVPN maximum login timeout (10 - 180 sec, default = 30).
port:
description:
- SSL-VPN access port (1 - 65535).
port-precedence:
choices:
- enable
- disable
description:
- Enable means that if SSL-VPN connections are allowed on an interface admin GUI
connections are blocked on that interface.
reqclientcert:
choices:
- enable
- disable
description:
- Enable to require client certificates for all SSL-VPN users.
route-source-interface:
choices:
- enable
- disable
description:
- Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming
interface.
servercert:
description:
- Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
source-address:
description:
- Source address of incoming traffic.
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name.
required: true
source-address-negate:
choices:
- enable
- disable
description:
- Enable/disable negated source address match.
source-address6:
description:
- IPv6 source address of incoming traffic.
suboptions:
name:
description:
- IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
source-address6-negate:
choices:
- enable
- disable
description:
- Enable/disable negated source IPv6 address match.
source-interface:
description:
- SSL VPN source interface of incoming traffic.
suboptions:
name:
description:
- Interface name. Source system.interface.name system.zone.name.
required: true
ssl-client-renegotiation:
choices:
- disable
- enable
description:
- Enable to allow client renegotiation by the server if the tunnel goes down.
ssl-insert-empty-fragment:
choices:
- enable
- disable
description:
- Enable/disable insertion of empty fragment.
tlsv1-0:
choices:
- enable
- disable
description:
- Enable/disable TLSv1.0.
tlsv1-1:
choices:
- enable
- disable
description:
- Enable/disable TLSv1.1.
tlsv1-2:
choices:
- enable
- disable
description:
- Enable/disable TLSv1.2.
tunnel-ip-pools:
description:
- Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved
for remote clients.
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name.
required: true
tunnel-ipv6-pools:
description:
- Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved
for remote clients.
suboptions:
name:
description:
- Address name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
unsafe-legacy-renegotiation:
choices:
- enable
- disable
description:
- Enable/disable unsafe legacy re-negotiation.
url-obscuration:
choices:
- enable
- disable
description:
- Enable to obscure the host name of the URL of the web browser display.
wins-server1:
description:
- WINS server 1.
wins-server2:
description:
- WINS server 2.
x-content-type-options:
choices:
- enable
- disable
description:
- Add HTTP X-Content-Type-Options header.
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str