ansible.builtin.fmgr_fwpol_ipv4 (v2.9.3) module
Allows the add/delete of Firewall Policies on Packages in FortiManager.
Added in version 2.8 of ansible.builtin.
Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)
Status: preview | supported by community
Install with pip install ansible==2.9.3
Examples

```yaml
- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "all"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_2"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"

- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_3"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play, autoupdate.opera.com"
    srcaddr: "corp_internal"
    dstintf: "zone_wan1, zone_wan2"
    srcintf: "zone_int1"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"
    av_profile: "sniffer-profile"
    ips_sensor: "default"
```
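The first example above is labelled WIDE OPEN, and its `logtraffic: "utm"` only records sessions that have a security profile applied, which that policy does not set. The following linter is an added example, not part of the module or the Ansible project: it reads the parameter names this module documents (srcaddr, dstaddr, service, the interfaces, logtraffic, the `*_negate` switches and the security-profile parameters) and flags policies that are wide open, effectively unlogged, or can never match. The task dicts are constructed from the three documented examples; the comma-splitting mirrors the "multiple entries" form those examples use.

```python
"""Lint fmgr_fwpol_ipv4 task parameters for risky combinations (added example)."""
from typing import Dict, List

# Security-profile parameters documented for the module. "logtraffic: utm"
# only logs traffic that has one of these applied.
PROFILE_PARAMS = (
    "av_profile", "ips_sensor", "webfilter_profile", "dnsfilter_profile",
    "application_list", "ssl_ssh_profile", "waf_profile", "dlp_sensor",
    "spamfilter_profile", "ssh_filter_profile", "icap_profile",
    "voip_profile", "profile_group",
)

# Constructed sample input: the module's three documented example tasks,
# reduced to the parameter dict a playbook hands to fmgr_fwpol_ipv4.
SAMPLE_TASKS = [
    {"name": "Basic_IPv4_Policy", "mode": "set", "action": "accept",
     "srcaddr": "all", "dstaddr": "all", "srcintf": "any", "dstintf": "any",
     "service": "ALL", "schedule": "always", "logtraffic": "utm"},
    {"name": "Basic_IPv4_Policy_2", "mode": "set", "action": "accept",
     "srcaddr": "all", "dstaddr": "google-play", "srcintf": "any",
     "dstintf": "any", "service": "HTTP, HTTPS", "schedule": "always",
     "logtraffic": "utm", "nat": "enable", "users": "karen, kevin"},
    {"name": "Basic_IPv4_Policy_3", "mode": "set", "action": "accept",
     "srcaddr": "corp_internal", "dstaddr": "google-play, autoupdate.opera.com",
     "srcintf": "zone_int1", "dstintf": "zone_wan1, zone_wan2",
     "service": "HTTP, HTTPS", "schedule": "always", "logtraffic": "utm",
     "nat": "enable", "users": "karen, kevin",
     "av_profile": "sniffer-profile", "ips_sensor": "default"},
]


def entries(value) -> List[str]:
    """Split a module value such as "HTTP, HTTPS" into its entries."""
    if value is None:
        return []
    return [v.strip() for v in str(value).split(",") if v.strip()]


def lint_policy(task: Dict) -> List[str]:
    """Return human-readable findings for one fmgr_fwpol_ipv4 task."""
    findings: List[str] = []
    if task.get("mode", "add") == "delete":
        return findings                      # removal: nothing to assess
    accept = task.get("action") == "accept"
    src, dst, svc = (entries(task.get(k)) for k in ("srcaddr", "dstaddr", "service"))
    if accept and src == ["all"] and dst == ["all"] and svc == ["ALL"]:
        findings.append("wide open: accept with srcaddr all, dstaddr all, service ALL")
    if accept and entries(task.get("srcintf")) == ["any"] \
            and entries(task.get("dstintf")) == ["any"]:
        findings.append("matches every interface pair (srcintf any, dstintf any)")
    logtraffic = task.get("logtraffic")
    if logtraffic in (None, "disable"):
        findings.append("no traffic logging configured")
    elif logtraffic == "utm" and not any(task.get(p) for p in PROFILE_PARAMS):
        findings.append("logtraffic utm but no security profile set, so nothing is logged")
    # A negated "all" leaves no address or service the policy can match.
    for field, vals in (("srcaddr", src), ("dstaddr", dst), ("service", svc)):
        if task.get(field + "_negate") == "enable" and [v.lower() for v in vals] == ["all"]:
            findings.append(f"{field}_negate enable with {field} all matches nothing")
    return findings


def lint_tasks(tasks: List[Dict]) -> Dict[str, List[str]]:
    """Map each policy name to its findings."""
    return {t.get("name", "<unnamed>"): lint_policy(t) for t in tasks}


if __name__ == "__main__":
    for policy, found in lint_tasks(SAMPLE_TASKS).items():
        print(policy, "->", found or ["ok"])
```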
Parameters (none are required; choices and defaults are given in parentheses)

- nat (choices: disable, enable): Enable/disable source NAT.
- adom (default: root): The ADOM the configuration should belong to.
- dsri (choices: disable, enable): Enable DSRI to ignore HTTP server responses.
- fsso (choices: disable, enable): Enable/disable Fortinet Single Sign-On.
- mode (choices: add, set, delete, update; default: add): Sets one of three modes for managing the object. Allows use of soft-adds instead of overwriting existing values.
- name: Policy name.
- ntlm (choices: disable, enable): Enable/disable NTLM authentication.
- rsso (choices: disable, enable): Enable/disable RADIUS single sign-on (RSSO).
- wccp (choices: disable, enable): Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- wsso (choices: disable, enable): Enable/disable WiFi Single Sign On (WSSO).
- label: Label for the policy that appears when the GUI is in Section View mode.
- natip: Policy-based IPsec VPN | source NAT IP address for outgoing traffic.
- users: Names of individual users that can authenticate with this policy.
- action (choices: deny, accept, ipsec): Policy action (allow/deny/ipsec). deny: blocks sessions that match the firewall policy. accept: allows sessions that match the firewall policy. ipsec: firewall policy becomes a policy-based IPsec VPN policy.
- groups: Names of user groups that can authenticate with this policy.
- ippool (choices: disable, enable): Enable to use IP Pools for source NAT.
- status (choices: disable, enable): Enable or disable this policy.
- wanopt (choices: disable, enable): Enable/disable WAN optimization.
- devices: Names of devices or device groups that can be matched by the policy.
- dstaddr: Destination address and address group names.
- dstintf: Outgoing (egress) interface.
- inbound (choices: disable, enable): Policy-based IPsec VPN | only traffic from the remote network can initiate a VPN.
- rtp_nat (choices: disable, enable): Enable Real Time Protocol (RTP) NAT.
- service: Service and service group names.
- srcaddr: Source address and address group names.
- srcintf: Incoming (ingress) interface.
- comments: Comment.
- outbound (choices: disable, enable): Policy-based IPsec VPN | only traffic from the internal network can initiate a VPN.
- policyid: Policy ID.
- poolname: IP Pool names.
- rtp_addr: Address names if this is an RTP NAT policy.
- schedule: Schedule name.
- webcache (choices: disable, enable): Enable/disable web cache.
- app_group: Application group names.
- auth_cert: HTTPS server certificate for policy authentication.
- auth_path (choices: disable, enable): Enable/disable authentication-based routing.
- fixedport (choices: disable, enable): Enable to prevent source NAT from changing a session's source port.
- match_vip (choices: disable, enable): Enable to match packets that have had their destination addresses changed by a VIP. disable: do not match DNATed packets. enable: match DNATed packets.
- vpntunnel: Policy-based IPsec VPN | name of the IPsec VPN Phase 1.
- av_profile: Name of an existing Antivirus profile.
- disclaimer (choices: disable, enable): Enable/disable user authentication disclaimer.
- dlp_sensor: Name of an existing DLP sensor.
- dscp_match (choices: disable, enable): Enable DSCP check.
- dscp_value: DSCP value.
- ips_sensor: Name of an existing IPS sensor.
- logtraffic (choices: disable, all, utm): Enable or disable logging; log all sessions or only security-profile sessions. disable: disable all logging for this policy. all: log all sessions accepted or denied by this policy. utm: log traffic that has a security profile applied to it.
- natinbound (choices: disable, enable): Policy-based IPsec VPN | apply destination NAT to inbound traffic.
- ntlm_guest (choices: disable, enable): Enable/disable NTLM guest user access.
- ssl_mirror (choices: disable, enable): Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- utm_status (choices: disable, enable): Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- application: Application ID list.
- dscp_negate (choices: disable, enable): Enable negated DSCP match.
- gtp_profile: GTP profile.
- mms_profile: Name of an existing MMS profile.
- natoutbound (choices: disable, enable): Policy-based IPsec VPN | apply source NAT to outbound traffic.
- session_ttl: TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- vlan_filter: Set VLAN filters.
- waf_profile: Name of an existing Web application firewall profile.
- wanopt_peer: WAN optimization peer.
- app_category: Application category ID list.
- global_label: Label for the policy that appears when the GUI is in Global View mode.
- icap_profile: Name of an existing ICAP profile.
- package_name (default: default): The policy package you want to modify.
- profile_type (choices: single, group): Determine whether the firewall policy allows security profile groups or single profiles only. single: do not allow security profile groups. group: allow security profile groups.
- redirect_url: URL users are directed to after seeing and accepting the disclaimer or authenticating.
- url_category: URL category ID list.
- vlan_cos_fwd: VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.
- vlan_cos_rev: VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest.
- voip_profile: Name of an existing VoIP profile.
- vpn_dst_node: EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the Ansible ones listed here. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
- vpn_src_node: EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the Ansible ones listed here. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
- learning_mode (choices: disable, enable): Enable to allow everything, but log all of the meaningful data for security information gathering.
- per_ip_shaper: Per-IP traffic shaper.
- profile_group: Name of profile group.
- capture_packet (choices: disable, enable): Enable/disable packet capture.
- dstaddr_negate (choices: disable, enable): When enabled, dstaddr specifies what the destination address must NOT be.
- service_negate (choices: disable, enable): When enabled, service specifies what the service must NOT be.
- srcaddr_negate (choices: disable, enable): When enabled, srcaddr specifies what the source address must NOT be.
- tcp_mss_sender: Sender TCP maximum segment size (MSS).
- traffic_shaper: Traffic shaper.
- wanopt_profile: WAN optimization profile.
- webcache_https (choices: disable, enable): Enable/disable web cache for HTTPS.
- np_acceleration (choices: disable, enable): Enable/disable UTM Network Processor acceleration.
- permit_any_host (choices: disable, enable): Accept UDP packets from any host.
- ssl_mirror_intf: SSL mirror interface name.
- ssl_ssh_profile: Name of an existing SSL SSH profile.
- application_list: Name of an existing Application list.
- diffserv_forward (choices: disable, enable): Enable to change the packet's DiffServ values to the specified diffservcode-forward value.
- diffserv_reverse (choices: disable, enable): Enable to change the packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- diffservcode_rev: Change the packet's reverse (reply) DiffServ to this value.
- internet_service (choices: disable, enable): Enable/disable use of Internet Services for this policy. If enabled, dstaddr and service are not used.
- logtraffic_start (choices: disable, enable): Record logs when a session starts and ends.
- permit_stun_host (choices: disable, enable): Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- schedule_timeout (choices: disable, enable): Enable to force current sessions to end when the schedule object times out.
- send_deny_packet (choices: disable, enable): Enable to send a reply when a session is denied or blocked by a firewall policy.
- tcp_mss_receiver: Receiver TCP maximum segment size (MSS).
- timeout_send_rst (choices: disable, enable): Enable/disable sending RST packets when TCP sessions expire.
- vpn_dst_node_seq: VPN Destination Node Seq.
- vpn_src_node_seq: VPN Source Node Seq.
- wanopt_detection (choices: active, passive, off): WAN optimization auto-detection mode. active: active WAN optimization peer auto-detection. passive: passive WAN optimization peer auto-detection. off: turn off WAN optimization peer auto-detection.
- auto_asic_offload (choices: disable, enable): Enable/disable offloading security profile processing to CP processors.
- custom_log_fields: Custom fields to append to log messages for this policy.
- dnsfilter_profile: Name of an existing DNS filter profile.
- vpn_dst_node_host: VPN Destination Node Host.
- vpn_src_node_host: VPN Source Node Host.
- webfilter_profile: Name of an existing Web filter profile.
- auth_redirect_addr: HTTP-to-HTTPS redirect address for firewall authentication.
- block_notification (choices: disable, enable): Enable/disable block notification.
- spamfilter_profile: Name of an existing Spam filter profile.
- ssh_filter_profile: Name of an existing SSH filter profile.
- wanopt_passive_opt (choices: default, transparent, non-transparent): WAN optimization passive mode options; decides which IP address is used to connect to the server. default: allow the client-side WAN opt peer to decide. transparent: use the client's address to connect to the server. non-transparent: use the local FortiGate address to connect to the server.
- fsso_agent_for_ntlm: FSSO agent to use for NTLM authentication.
- internet_service_id: Internet Service ID.
- vpn_dst_node_subnet: VPN Destination Node Seq.
- vpn_src_node_subnet: VPN Source Node.
- diffservcode_forward: Change the packet's DiffServ to this value.
- identity_based_route: Name of identity-based routing rule.
- internet_service_src (choices: disable, enable): Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- captive_portal_exempt (choices: disable, enable): Enable to exempt some users from the captive portal.
- delay_tcp_npu_session (choices: disable, enable): Enable TCP NPU session delay to guarantee packet order of the 3-way handshake.
- ntlm_enabled_browsers: HTTP-User-Agent value of supported browsers.
- firewall_session_dirty (choices: check-all, check-new): How to handle sessions if the configuration of this firewall policy changes. check-all: flush all current sessions accepted by this policy. check-new: continue to allow sessions already accepted by this policy.
- radius_mac_auth_bypass (choices: disable, enable): Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server.
- traffic_shaper_reverse: Reverse traffic shaper.
- internet_service_custom: Custom Internet Service name.
- internet_service_negate (choices: disable, enable): When enabled, internet-service specifies what the service must NOT be.
- internet_service_src_id: Internet Service source ID.
- scan_botnet_connections (choices: disable, block, monitor): Block or monitor connections to Botnet servers, or disable Botnet scanning. disable: do not scan connections to botnet servers. block: block connections to botnet servers. monitor: log connections to botnet servers.
- tcp_session_without_syn (choices: all, data-only, disable): Enable/disable creation of TCP sessions without the SYN flag. all: enable TCP session without SYN. data-only: enable TCP session data only. disable: disable TCP session without SYN.
- profile_protocol_options: Name of an existing Protocol options profile.
- replacemsg_override_group: Override the default replacement message group for this policy.
- fail_on_missing_dependency (choices: enable, disable; default: disable; added in version 2.9 of ansible.builtin): Normal behavior is to "skip" tasks that fail dependency checks, so other tasks can run. If set to "enable" and a dependency check fails, Ansible exits with failure instead of skipping.
- internet_service_src_custom: Custom Internet Service source name.
- internet_service_src_negate (choices: disable, enable): When enabled, internet-service-src specifies what the service must NOT be.
Return values

- api_result (type: str; returned: always): Full API response, including the status code and message.