ansible.builtin.fmgr_secprof_ssl_ssh (v2.9.0) module
Manage SSL and SSH security profiles in FortiManager
Added in version 2.8 of ansible.builtin
Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)
Status: preview | Supported by: community
Install with pip install ansible==2.9.0
Manage SSL and SSH security profiles in FortiManager via the FMG API
- name: DELETE Profile
  fmgr_secprof_ssl_ssh:
    name: Ansible_SSL_SSH_Profile
    mode: delete

- name: CREATE Profile
  fmgr_secprof_ssl_ssh:
    name: Ansible_SSL_SSH_Profile
    comment: "Created by Ansible Module TEST"
    mode: set
    mapi_over_https: enable
    rpc_over_https: enable
    server_cert_mode: replace
    ssl_anomalies_log: enable
    ssl_exemptions_log: enable
    use_ssl_server: enable
    whitelist: enable
ssh:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
ssl:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
adom:
  default: root
  description:
    - The ADOM the configuration should belong to.
  required: false
ftps:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
mode:
  choices:
    - add
    - set
    - delete
    - update
  default: add
  description:
    - Sets one of three modes for managing the object.
    - Allows use of soft-adds instead of overwriting existing values
  required: false
name:
  description:
    - Name.
  required: false
https:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
imaps:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
pop3s:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
smtps:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
caname:
  description:
    - CA certificate used by SSL Inspection.
  required: false
comment:
  description:
    - Optional comments.
  required: false
ssh_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
whitelist:
  choices:
    - disable
    - enable
  description:
    - Enable/disable exempting servers by FortiGuard whitelist.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
ftps_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
ssh_status:
  choices:
    - disable
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
ssl_exempt:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
ssl_server:
  description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
  required: false
ftps_status:
  choices:
    - disable
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
https_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
imaps_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
pop3s_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
server_cert:
  description:
    - Certificate used by SSL Inspection to replace server certificate.
  required: false
smtps_ports:
  description:
    - Ports to use for scanning (1 - 65535, default = 443).
  required: false
https_status:
  choices:
    - disable
    - certificate-inspection
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | certificate-inspection | Inspect SSL handshake only.
    - choice | deep-inspection | Full SSL inspection.
  required: false
imaps_status:
  choices:
    - disable
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
pop3s_status:
  choices:
    - disable
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
smtps_status:
  choices:
    - disable
    - deep-inspection
  description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
ssl_server_ip:
  description:
    - IPv4 address of the SSL server.
  required: false
rpc_over_https:
  choices:
    - disable
    - enable
  description:
    - Enable/disable inspection of RPC over HTTPS.
    - choice | disable | Disable inspection of RPC over HTTPS.
    - choice | enable | Enable inspection of RPC over HTTPS.
  required: false
use_ssl_server:
  choices:
    - disable
    - enable
  description:
    - Enable/disable the use of SSL server table for SSL offloading.
    - choice | disable | Don't use SSL server configuration.
    - choice | enable | Use SSL server configuration.
  required: false
mapi_over_https:
  choices:
    - disable
    - enable
  description:
    - Enable/disable inspection of MAPI over HTTPS.
    - choice | disable | Disable inspection of MAPI over HTTPS.
    - choice | enable | Enable inspection of MAPI over HTTPS.
  required: false
ssh_inspect_all:
  choices:
    - disable
    - deep-inspection
  description:
    - Level of SSL inspection.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
  required: false
ssl_exempt_type:
  choices:
    - fortiguard-category
    - address
    - address6
    - wildcard-fqdn
    - regex
  description:
    - Type of address object (IPv4 or IPv6) or FortiGuard category.
    - choice | fortiguard-category | FortiGuard category.
    - choice | address | Firewall IPv4 address.
    - choice | address6 | Firewall IPv6 address.
    - choice | wildcard-fqdn | Fully Qualified Domain Name with wildcard characters.
    - choice | regex | Regular expression FQDN.
  required: false
ssl_inspect_all:
  choices:
    - disable
    - certificate-inspection
    - deep-inspection
  description:
    - Level of SSL inspection.
    - choice | disable | Disable.
    - choice | certificate-inspection | Inspect SSL handshake only.
    - choice | deep-inspection | Full SSL inspection.
  required: false
server_cert_mode:
  choices:
    - re-sign
    - replace
  description:
    - Re-sign or replace the server's certificate.
    - choice | re-sign | Multiple clients connecting to multiple servers.
    - choice | replace | Protect an SSL server.
  required: false
ssl_exempt_regex:
  description:
    - Exempt servers by regular expression.
  required: false
untrusted_caname:
  description:
    - Untrusted CA certificate used by SSL Inspection.
  required: false
ssh_ssh_algorithm:
  choices:
    - compatible
    - high-encryption
  description:
    - Relative strength of encryption algorithms accepted during negotiation.
    - choice | compatible | Allow a broader set of encryption algorithms for best compatibility.
    - choice | high-encryption | Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
  required: false
ssl_anomalies_log:
  choices:
    - disable
    - enable
  description:
    - Enable/disable logging SSL anomalies.
    - choice | disable | Disable logging SSL anomalies.
    - choice | enable | Enable logging SSL anomalies.
  required: false
ssl_exempt_address:
  description:
    - IPv4 address object.
  required: false
ssl_exemptions_log:
  choices:
    - disable
    - enable
  description:
    - Enable/disable logging SSL exemptions.
    - choice | disable | Disable logging SSL exemptions.
    - choice | enable | Enable logging SSL exemptions.
  required: false
ssl_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
ftps_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
ssl_exempt_address6:
  description:
    - IPv6 address object.
  required: false
ssl_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ftps_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
https_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
imaps_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
pop3s_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
smtps_untrusted_cert:
  choices:
    - allow
    - block
    - ignore
  description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
  required: false
ssh_ssh_policy_check:
  choices:
    - disable
    - enable
  description:
    - Enable/disable SSH policy check.
    - choice | disable | Disable SSH policy check.
    - choice | enable | Enable SSH policy check.
  required: false
https_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
imaps_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
pop3s_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
smtps_unsupported_ssl:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssh_unsupported_version:
  choices:
    - block
    - bypass
  description:
    - Action based on SSH version being unsupported.
    - choice | block | Block.
    - choice | bypass | Bypass.
  required: false
ssl_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ftps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssh_ssh_tun_policy_check:
  choices:
    - disable
    - enable
  description:
    - Enable/disable SSH tunnel policy check.
    - choice | disable | Disable SSH tunnel policy check.
    - choice | enable | Enable SSH tunnel policy check.
  required: false
ssl_exempt_wildcard_fqdn:
  description:
    - Exempt servers by wildcard FQDN.
  required: false
https_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
imaps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
pop3s_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
smtps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
ftps_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
ssl_exempt_fortiguard_category:
  description:
    - FortiGuard category ID.
  required: false
https_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
imaps_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
pop3s_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
smtps_allow_invalid_server_cert:
  choices:
    - disable
    - enable
  description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
  required: false
ssl_server_ftps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during the FTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_server_https_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during the HTTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_server_imaps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during the IMAPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_server_pop3s_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during the POP3S handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_server_smtps_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during the SMTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
ssl_server_ssl_other_client_cert_request:
  choices:
    - bypass
    - inspect
    - block
  description:
    - Action based on client certificate request failure during an SSL protocol handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
  required: false
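Several of the options above have choices that relax certificate validation, inspection or logging, and the raw list options (`https`, `ssh`, ...) cause their prefixed sub-parameters to be ignored. The following is an added example, not part of the module or its documentation: a small Python check that reviews a task's `fmgr_secprof_ssl_ssh` arguments for both cases. The selection of which values count as permissive, the sample tasks, and the placeholder raw API dictionary are assumptions of this example.

```python
# Added example (not module code): audit fmgr_secprof_ssl_ssh task arguments.
PROTOCOLS = ("ssl", "https", "ftps", "imaps", "pop3s", "smtps")


def build_rules():
    """Map option -> (parent raw-list option or None, {permissive value: reason})."""
    # Which values count as permissive is this example's assumption; the
    # reasons paraphrase the choice descriptions in the option list above.
    rules = {}
    for proto in PROTOCOLS:
        rules[f"{proto}_untrusted_cert"] = (proto, {
            "allow": "untrusted server certificate is allowed",
            "ignore": "server certificate is always taken as trusted",
        })
        rules[f"{proto}_allow_invalid_server_cert"] = (proto, {
            "enable": "sessions with failed certificate validation are allowed",
        })
        rules[f"{proto}_unsupported_ssl"] = (proto, {
            "bypass": "unsupported SSL encryption bypasses inspection",
        })
    rules["ssh_ssh_algorithm"] = ("ssh", {
        "compatible": "broader set of encryption algorithms is accepted",
    })
    rules["ssh_unsupported_version"] = ("ssh", {
        "bypass": "unsupported SSH version bypasses inspection",
    })
    for log_option in ("ssl_anomalies_log", "ssl_exemptions_log"):
        rules[log_option] = (None, {"disable": "logging is turned off"})
    return rules


def audit_task(args):
    """Return sorted (option, finding) tuples for one task's module arguments."""
    if args.get("mode") == "delete":
        return []  # a delete configures nothing
    findings = []
    for option, (parent, permissive) in build_rules().items():
        if option not in args:
            continue
        value = str(args[option]).lower()
        if parent is not None and args.get(parent):
            # Per the option descriptions: once the raw list is submitted,
            # its prefixed sub-parameters are ignored.
            findings.append((option, f"ignored: raw '{parent}' list is set"))
        elif value in permissive:
            findings.append((option, f"{value}: {permissive[value]}"))
    return sorted(findings)


# Constructed sample task arguments (not from the page).
WEAK_TASK = {
    "name": "Example_Profile", "mode": "set",
    "https_status": "deep-inspection", "https_untrusted_cert": "ignore",
    "smtps_allow_invalid_server_cert": "enable",
    "ssh_ssh_algorithm": "compatible", "ssl_anomalies_log": "disable",
}
SHADOWED_TASK = {
    "name": "Example_Profile", "mode": "set",
    "https": [{"placeholder-api-key": "placeholder-value"}],  # raw API dict
    "https_untrusted_cert": "block",  # reported as ignored, not as hardened
}

if __name__ == "__main__":
    for task in (WEAK_TASK, SHADOWED_TASK):
        for option, finding in audit_task(task):
            print(f"{option} -> {finding}")
```
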
api_result:
  description: full API response, includes status code and message
  returned: always
  type: str