/ home / ansible / ansible.builtin / v2.9.27 / module / fortios_vpn_certificate_setting

ansible.builtin.fortios_vpn_certificate_setting (v2.9.27) — module

VPN certificate setting in Fortinet's FortiOS and FortiGate.

| "added in version" 2.9 of ansible.builtin"

Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install Ansible via `pip`

Install with pip install ansible==2.9.27

Description

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

fortiosapi>=0.9.8

Usage examples

Scanned by Steampunk Spotter

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: VPN certificate setting.
    fortios_vpn_certificate_setting:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      vpn_certificate_setting:
        certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
        certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
        certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
        certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
        certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
        certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
        check_ca_cert: "enable"
        check_ca_chain: "enable"
        cmp_save_extra_certs: "enable"
        cn_match: "substring"
        ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
        ocsp_status: "enable"
        ssl_min_proto_version: "default"
        ssl_ocsp_option: "certificate"
        ssl_ocsp_status: "enable"
        strict_crl_check: "enable"
        strict_ocsp_check: "enable"
        subject_match: "substring"

Inputs

    
host:
    description:
    - FortiOS or FortiGate IP address.
    required: false
    type: str

vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

https:
    default: true
    description:
    - Indicates if the requests towards FortiGate must use HTTPS protocol.
    type: bool

password:
    default: ''
    description:
    - FortiOS or FortiGate password.
    type: str

username:
    description:
    - FortiOS or FortiGate username.
    required: false
    type: str

ssl_verify:
    default: true
    description:
    - Ensures FortiGate certificate must be verified by a proper CA.
    type: bool

vpn_certificate_setting:
    default: null
    description:
    - VPN certificate setting.
    suboptions:
      certname_dsa1024:
        description:
        - 1024 bit DSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      certname_dsa2048:
        description:
        - 2048 bit DSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      certname_ecdsa256:
        description:
        - 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      certname_ecdsa384:
        description:
        - 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      certname_rsa1024:
        description:
        - 1024 bit RSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      certname_rsa2048:
        description:
        - 2048 bit RSA key certificate for re-signing server certificates for SSL inspection.
          Source vpn.certificate.local.name.
        type: str
      check_ca_cert:
        choices:
        - enable
        - disable
        description:
        - Enable/disable verification of the user certificate and pass authentication
          if any CA in the chain is trusted .
        type: str
      check_ca_chain:
        choices:
        - enable
        - disable
        description:
        - Enable/disable verification of the entire certificate chain and pass authentication
          only if the chain is complete and all of the CAs in the chain are trusted .
        type: str
      cmp_save_extra_certs:
        choices:
        - enable
        - disable
        description:
        - Enable/disable saving extra certificates in CMP mode.
        type: str
      cn_match:
        choices:
        - substring
        - value
        description:
        - When searching for a matching certificate, control how to find matches in the
          cn attribute of the certificate subject name.
        type: str
      ocsp_default_server:
        description:
        - Default OCSP server. Source vpn.certificate.ocsp-server.name.
        type: str
      ocsp_status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable receiving certificates using the OCSP.
        type: str
      ssl_min_proto_version:
        choices:
        - default
        - SSLv3
        - TLSv1
        - TLSv1-1
        - TLSv1-2
        description:
        - Minimum supported protocol version for SSL/TLS connections .
        type: str
      ssl_ocsp_option:
        choices:
        - certificate
        - server
        description:
        - Specify whether the OCSP URL is from the certificate or the default OCSP server.
        type: str
      ssl_ocsp_status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL OCSP.
        type: str
      strict_crl_check:
        choices:
        - enable
        - disable
        description:
        - Enable/disable strict mode CRL checking.
        type: str
      strict_ocsp_check:
        choices:
        - enable
        - disable
        description:
        - Enable/disable strict mode OCSP checking.
        type: str
      subject_match:
        choices:
        - substring
        - value
        description:
        - When searching for a matching certificate, control how to find matches in the
          certificate subject name.
        type: str
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str

Install Ansible via pip