ansible.builtin.fortios_ipv4_policy (v2.9.23) — module

Manage IPv4 policy objects on Fortinet FortiOS firewall devices

Added in version 2.3 of ansible.builtin

Authors: Benjamin Jolivot (@bjolivot)

preview | supported by community


Description

This module provides management of firewall IPv4 policies on FortiOS devices.


Requirements

Usage examples

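# Allow hosts in the "internal_network" address object to reach any
# destination on the DNS service, with source NAT applied.
- name: Allow external DNS call
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    # Placeholder credential for the example only: keep the real value in
    # Ansible Vault (or a lookup) and pass it in as a variable rather than
    # committing it to the playbook.
    password: password
    # The module keys on the policy ID, not the sequence number shown in
    # the GUI/CLI ordering (see the id option below).
    id: 42
    src_addr: internal_network
    dst_addr: all
    service: dns
    nat: true  # lowercase true/false is the canonical YAML boolean spelling (yamllint "truthy")
    state: present
    policy_action: accept
    logtraffic: disable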
# Publish the web tier: permit HTTP and HTTPS from any source to the
# "webservers" address object. No NAT option is set, so the module default applies.
- name: Public Web
  fortios_ipv4_policy:
    state: present
    id: 42
    policy_action: accept
    host: '192.168.0.254'
    username: 'admin'
    # Placeholder credential for the example only; keep the real value in
    # Ansible Vault rather than in the playbook.
    password: 'password'
    src_addr: 'all'
    dst_addr: 'webservers'
    # "services" is an alias of the "service" option; short leaf list in flow style.
    services: ['http', 'https']
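# Multi-interface policy: two source servers on vl1000 may reach any
# destination on vl2000/vl3000 over HTTP and HTTPS, with source NAT.
- name: Some Policy
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    # Placeholder credential for the example only: keep the real value in
    # Ansible Vault (or a lookup) and pass it in as a variable rather than
    # committing it to the playbook.
    password: password
    id: 42
    comment: "no comment (created by ansible)"
    src_intf: vl1000
    src_addr:
      - some_serverA
      - some_serverB
    dst_intf:
      - vl2000
      - vl3000
    dst_addr: all
    services:
      - HTTP
      - HTTPS
    nat: true  # lowercase true/false is the canonical YAML boolean spelling (yamllint "truthy")
    state: present
    policy_action: accept
    logtraffic: disable
  tags:
    - policy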

Inputs

    
id:
    description:
    - 'Policy ID. Warning: the policy ID number is different from the policy sequence number.
      The policy ID is the number assigned at policy creation. The sequence number represents
      the order in which the FortiGate evaluates the rule for policy enforcement,
      and also the order in which rules are listed in the GUI and CLI. These two numbers
      do not necessarily correlate: this module is based on the policy ID. TIP: the policy ID
      can be viewed in the GUI by adding ''ID'' to the display columns.'
    required: true

nat:
    default: false
    description:
    - Enable or disable NAT.
    type: bool

host:
    description:
    - Specifies the DNS hostname or IP address for connecting to the remote fortios device.
      Required when I(file_mode) is False.
    type: str

vdom:
    description:
    - Specifies the VDOM to which the configuration is applied.
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Specifies whether the policy with I(id) is to be added or deleted.

backup:
    default: false
    description:
    - This argument will cause the module to create a backup of the current C(running-config)
      from the remote device before any changes are made. The backup file is written
      to the I(backup_path) folder.
    type: bool

comment:
    description:
    - Free text describing the policy.

service:
    aliases:
    - services
    description:
    - 'Specifies the policy service(s); may be a list (for example [''MAIL'', ''DNS'']). Required
      when I(state=present).'

timeout:
    default: 60
    description:
    - Timeout in seconds for connecting to the remote device.
    type: int

dst_addr:
    description:
    - Specifies destination address (or group) object name(s). Required when I(state=present).

dst_intf:
    default: any
    description:
    - Specifies destination interface name(s).

password:
    description:
    - Specifies the password used to authenticate to the remote device. Required when
      I(file_mode) is True.
    type: str

poolname:
    description:
    - Specifies NAT pool name.

schedule:
    default: always
    description:
    - Defines the policy schedule.

src_addr:
    description:
    - Specifies source address (or group) object name(s). Required when I(state=present).

src_intf:
    default: any
    description:
    - Specifies source interface name(s).

username:
    description:
    - Configures the username used to authenticate to the remote device. Required when
      I(file_mode) is True.
    type: str

file_mode:
    default: false
    description:
    - Do not connect to any device; only use I(config_file) as input and output.
    type: bool
    version_added: '2.4'
    version_added_collection: fortinet.fortios

fixedport:
    default: false
    description:
    - Use a fixed port for NAT.
    type: bool

av_profile:
    description:
    - Specifies Antivirus profile name.

ips_sensor:
    description:
    - Specifies IPS Sensor profile name.

logtraffic:
    choices:
    - disable
    - utm
    - all
    default: utm
    description:
    - Logs sessions that matched the policy.
    version_added: '2.4'
    version_added_collection: ansible.builtin

backup_path:
    description:
    - Specifies where to store backup files. Required if I(backup=true).
    type: path

config_file:
    description:
    - Path to configuration file. Required when I(file_mode) is True.
    type: path
    version_added: '2.4'
    version_added_collection: fortinet.fortios

policy_action:
    aliases:
    - action
    choices:
    - accept
    - deny
    description:
    - Specifies the policy action, accept or deny. Required when I(state=present).

service_negate:
    default: false
    description:
    - Negate the policy service(s) defined in the I(service) value.
    type: bool

backup_filename:
    description:
    - Specifies the backup filename. If omitted, the filename is formatted like HOST_config.YYYY-MM-DD@HH:MM:SS.
    type: str

dst_addr_negate:
    default: false
    description:
    - Negate the destination address parameter.
    type: bool

src_addr_negate:
    default: false
    description:
    - Negate the source address parameter.
    type: bool

application_list:
    description:
    - Specifies Application Control name.

logtraffic_start:
    default: false
    description:
    - Also log the beginning of the session.
    type: bool
    version_added: '2.4'
    version_added_collection: ansible.builtin

webfilter_profile:
    description:
    - Specifies Webfilter profile name.

Outputs

change_string:
  description: The commands executed by the module
  returned: only if config changed
  type: str
firewall_address_config:
  description: Full firewall address configuration string.
  returned: always
  type: str
msg_error_list:
  description: List of errors returned by the CLI (use -vvv for better readability).
  returned: only when error
  type: str