community.general.fmgr_fwpol_ipv4 (0.1.1) — module

Allows the add/delete of Firewall Policies on Packages in FortiManager.

Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Allows the add/delete of Firewall Policies on Packages in FortiManager.

Usage examples

# Example 1: the task name itself says "WIDE OPEN" — srcaddr/dstaddr "all" and
# srcintf/dstintf "any" put no address or interface restriction on the accepted
# traffic (see the Inputs section for those options); narrow them before reusing
# this task outside a lab ADOM.
- name: ADD VERY BASIC IPV4 POLICY WITH NO NAT (WIDE OPEN)
  fmgr_fwpol_ipv4:
    # "set" rather than the module default "add" (Inputs: mode)
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "all"
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    # "utm" logs only traffic that has a security profile applied (Inputs: logtraffic);
    # this task attaches no profile, so use "all" if every session should be logged
    logtraffic: "utm"
    service: "ALL"
    schedule: "always"
# Example 2: same policy shape with source NAT enabled; multiple entries for one
# option are passed as a single comma-separated string (service, users below).
- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_2"
    comments: "Created by Ansible"
    action: "accept"
    dstaddr: "google-play"
    # source side is still unrestricted ("all" / "any"); only the destination is scoped
    srcaddr: "all"
    dstintf: "any"
    srcintf: "any"
    logtraffic: "utm"
    # two service objects in one comma-separated value
    service: "HTTP, HTTPS"
    schedule: "always"
    # enable source NAT (Inputs: nat)
    nat: "enable"
    # individual users allowed to authenticate with this policy (Inputs: users)
    users: "karen, kevin"
# Example 3: scoped on both address and interface sides, with AV and IPS profiles.
# The Inputs section describes utm_status as "Enable to add one or more security
# profiles (AV, IPS, etc.) to the firewall policy"; this task does not set it —
# NOTE(review): confirm whether utm_status: "enable" is needed for av_profile /
# ips_sensor to take effect on the target FortiManager version.
- name: ADD VERY BASIC IPV4 POLICY WITH NAT AND MULTIPLE ENTRIES AND SEC PROFILES
  fmgr_fwpol_ipv4:
    mode: "set"
    adom: "ansible"
    package_name: "default"
    name: "Basic_IPv4_Policy_3"
    comments: "Created by Ansible"
    action: "accept"
    # comma-separated lists of existing address / interface objects
    dstaddr: "google-play, autoupdate.opera.com"
    srcaddr: "corp_internal"
    dstintf: "zone_wan1, zone_wan2"
    srcintf: "zone_int1"
    logtraffic: "utm"
    service: "HTTP, HTTPS"
    schedule: "always"
    nat: "enable"
    users: "karen, kevin"
    # names of existing profiles on the target (Inputs: av_profile, ips_sensor)
    av_profile: "sniffer-profile"
    ips_sensor: "default"

Inputs

    
nat:
    choices:
    - disable
    - enable
    description:
    - Enable/disable source NAT.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

adom:
    default: root
    description:
    - The ADOM the configuration should belong to.
    required: false

dsri:
    choices:
    - disable
    - enable
    description:
    - Enable DSRI to ignore HTTP server responses.
    - choice | disable | Disable DSRI.
    - choice | enable | Enable DSRI.
    required: false

fsso:
    choices:
    - disable
    - enable
    description:
    - Enable/disable Fortinet Single Sign-On.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

mode:
    choices:
    - add
    - set
    - delete
    - update
    default: add
    description:
    - Sets one of three modes for managing the object.
    - Allows use of soft-adds instead of overwriting existing values
    required: false

name:
    description:
    - Policy name.
    required: false

ntlm:
    choices:
    - disable
    - enable
    description:
    - Enable/disable NTLM authentication.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

rsso:
    choices:
    - disable
    - enable
    description:
    - Enable/disable RADIUS single sign-on (RSSO).
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

wccp:
    choices:
    - disable
    - enable
    description:
    - Enable/disable forwarding traffic matching this policy to a configured WCCP server.
    - choice | disable | Disable WCCP setting.
    - choice | enable | Enable WCCP setting.
    required: false

wsso:
    choices:
    - disable
    - enable
    description:
    - Enable/disable WiFi Single Sign On (WSSO).
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

label:
    description:
    - Label for the policy that appears when the GUI is in Section View mode.
    required: false

natip:
    description:
    - Policy-based IPsec VPN |  source NAT IP address for outgoing traffic.
    required: false

users:
    description:
    - Names of individual users that can authenticate with this policy.
    required: false

action:
    choices:
    - deny
    - accept
    - ipsec
    description:
    - Policy action (allow/deny/ipsec).
    - choice | deny | Blocks sessions that match the firewall policy.
    - choice | accept | Allows session that match the firewall policy.
    - choice | ipsec | Firewall policy becomes a policy-based IPsec VPN policy.
    required: false

groups:
    description:
    - Names of user groups that can authenticate with this policy.
    required: false

ippool:
    choices:
    - disable
    - enable
    description:
    - Enable to use IP Pools for source NAT.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

status:
    choices:
    - disable
    - enable
    description:
    - Enable or disable this policy.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

wanopt:
    choices:
    - disable
    - enable
    description:
    - Enable/disable WAN optimization.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

devices:
    description:
    - Names of devices or device groups that can be matched by the policy.
    required: false

dstaddr:
    description:
    - Destination address and address group names.
    required: false

dstintf:
    description:
    - Outgoing (egress) interface.
    required: false

inbound:
    choices:
    - disable
    - enable
    description:
    - Policy-based IPsec VPN |  only traffic from the remote network can initiate a VPN.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

rtp_nat:
    choices:
    - disable
    - enable
    description:
    - Enable Real Time Protocol (RTP) NAT.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

service:
    description:
    - Service and service group names.
    required: false

srcaddr:
    description:
    - Source address and address group names.
    required: false

srcintf:
    description:
    - Incoming (ingress) interface.
    required: false

comments:
    description:
    - Comment.
    required: false

outbound:
    choices:
    - disable
    - enable
    description:
    - Policy-based IPsec VPN |  only traffic from the internal network can initiate a
      VPN.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

policyid:
    description:
    - Policy ID.
    required: false

poolname:
    description:
    - IP Pool names.
    required: false

rtp_addr:
    description:
    - Address names if this is an RTP NAT policy.
    required: false

schedule:
    description:
    - Schedule name.
    required: false

webcache:
    choices:
    - disable
    - enable
    description:
    - Enable/disable web cache.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

app_group:
    description:
    - Application group names.
    required: false

auth_cert:
    description:
    - HTTPS server certificate for policy authentication.
    required: false

auth_path:
    choices:
    - disable
    - enable
    description:
    - Enable/disable authentication-based routing.
    - choice | disable | Disable authentication-based routing.
    - choice | enable | Enable authentication-based routing.
    required: false

fixedport:
    choices:
    - disable
    - enable
    description:
    - Enable to prevent source NAT from changing a session's source port.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

match_vip:
    choices:
    - disable
    - enable
    description:
    - Enable to match packets that have had their destination addresses changed by a VIP.
    - choice | disable | Do not match DNATed packet.
    - choice | enable | Match DNATed packet.
    required: false

vpntunnel:
    description:
    - Policy-based IPsec VPN |  name of the IPsec VPN Phase 1.
    required: false

av_profile:
    description:
    - Name of an existing Antivirus profile.
    required: false

disclaimer:
    choices:
    - disable
    - enable
    description:
    - Enable/disable user authentication disclaimer.
    - choice | disable | Disable user authentication disclaimer.
    - choice | enable | Enable user authentication disclaimer.
    required: false

dlp_sensor:
    description:
    - Name of an existing DLP sensor.
    required: false

dscp_match:
    choices:
    - disable
    - enable
    description:
    - Enable DSCP check.
    - choice | disable | Disable DSCP check.
    - choice | enable | Enable DSCP check.
    required: false

dscp_value:
    description:
    - DSCP value.
    required: false

ips_sensor:
    description:
    - Name of an existing IPS sensor.
    required: false

logtraffic:
    choices:
    - disable
    - all
    - utm
    description:
    - Enable or disable logging. Log all sessions or security profile sessions.
    - choice | disable | Disable all logging for this policy.
    - choice | all | Log all sessions accepted or denied by this policy.
    - choice | utm | Log traffic that has a security profile applied to it.
    required: false

natinbound:
    choices:
    - disable
    - enable
    description:
    - Policy-based IPsec VPN |  apply destination NAT to inbound traffic.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ntlm_guest:
    choices:
    - disable
    - enable
    description:
    - Enable/disable NTLM guest user access.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ssl_mirror:
    choices:
    - disable
    - enable
    description:
    - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
    - choice | disable | Disable SSL mirror.
    - choice | enable | Enable SSL mirror.
    required: false

utm_status:
    choices:
    - disable
    - enable
    description:
    - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

application:
    description:
    - Application ID list.
    required: false

dscp_negate:
    choices:
    - disable
    - enable
    description:
    - Enable negated DSCP match.
    - choice | disable | Disable DSCP negate.
    - choice | enable | Enable DSCP negate.
    required: false

gtp_profile:
    description:
    - GTP profile.
    required: false

mms_profile:
    description:
    - Name of an existing MMS profile.
    required: false

natoutbound:
    choices:
    - disable
    - enable
    description:
    - Policy-based IPsec VPN |  apply source NAT to outbound traffic.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

session_ttl:
    description:
    - TTL in seconds for sessions accepted by this policy (0 means use the system default
      session TTL).
    required: false

vlan_filter:
    description:
    - Set VLAN filters.
    required: false

waf_profile:
    description:
    - Name of an existing Web application firewall profile.
    required: false

wanopt_peer:
    description:
    - WAN optimization peer.
    required: false

app_category:
    description:
    - Application category ID list.
    required: false

global_label:
    description:
    - Label for the policy that appears when the GUI is in Global View mode.
    required: false

icap_profile:
    description:
    - Name of an existing ICAP profile.
    required: false

package_name:
    default: default
    description:
    - The policy package you want to modify
    required: false

profile_type:
    choices:
    - single
    - group
    description:
    - Determine whether the firewall policy allows security profile groups or single profiles
      only.
    - choice | single | Do not allow security profile groups.
    - choice | group | Allow security profile groups.
    required: false

redirect_url:
    description:
    - URL users are directed to after seeing and accepting the disclaimer or authenticating.
    required: false

url_category:
    description:
    - URL category ID list.
    required: false

vlan_cos_fwd:
    description:
    - VLAN forward direction user priority | 255 passthrough, 0 lowest, 7 highest.
    required: false

vlan_cos_rev:
    description:
    - VLAN reverse direction user priority | 255 passthrough, 0 lowest, 7 highest.
    required: false

voip_profile:
    description:
    - Name of an existing VoIP profile.
    required: false

vpn_dst_node:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY
      EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    required: false

vpn_src_node:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY
      EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    required: false

learning_mode:
    choices:
    - disable
    - enable
    description:
    - Enable to allow everything, but log all of the meaningful data for security information
      gathering.
    - choice | disable | Disable learning mode in firewall policy.
    - choice | enable | Enable learning mode in firewall policy.
    required: false

per_ip_shaper:
    description:
    - Per-IP traffic shaper.
    required: false

profile_group:
    description:
    - Name of profile group.
    required: false

capture_packet:
    choices:
    - disable
    - enable
    description:
    - Enable/disable capture packets.
    - choice | disable | Disable capture packets.
    - choice | enable | Enable capture packets.
    required: false

dstaddr_negate:
    choices:
    - disable
    - enable
    description:
    - When enabled dstaddr specifies what the destination address must NOT be.
    - choice | disable | Disable destination address negate.
    - choice | enable | Enable destination address negate.
    required: false

service_negate:
    choices:
    - disable
    - enable
    description:
    - When enabled service specifies what the service must NOT be.
    - choice | disable | Disable negated service match.
    - choice | enable | Enable negated service match.
    required: false

srcaddr_negate:
    choices:
    - disable
    - enable
    description:
    - When enabled srcaddr specifies what the source address must NOT be.
    - choice | disable | Disable source address negate.
    - choice | enable | Enable source address negate.
    required: false

tcp_mss_sender:
    description:
    - Sender TCP maximum segment size (MSS).
    required: false

traffic_shaper:
    description:
    - Traffic shaper.
    required: false

wanopt_profile:
    description:
    - WAN optimization profile.
    required: false

webcache_https:
    choices:
    - disable
    - enable
    description:
    - Enable/disable web cache for HTTPS.
    - choice | disable | Disable web cache for HTTPS.
    - choice | enable | Enable web cache for HTTPS.
    required: false

np_acceleration:
    choices:
    - disable
    - enable
    description:
    - Enable/disable UTM Network Processor acceleration.
    - choice | disable | Disable UTM Network Processor acceleration.
    - choice | enable | Enable UTM Network Processor acceleration.
    required: false

permit_any_host:
    choices:
    - disable
    - enable
    description:
    - Accept UDP packets from any host.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ssl_mirror_intf:
    description:
    - SSL mirror interface name.
    required: false

ssl_ssh_profile:
    description:
    - Name of an existing SSL SSH profile.
    required: false

application_list:
    description:
    - Name of an existing Application list.
    required: false

diffserv_forward:
    choices:
    - disable
    - enable
    description:
    - Enable to change packet's DiffServ values to the specified diffservcode-forward
      value.
    - choice | disable | Do not change the packet's forward DiffServ value.
    - choice | enable | Change the packet's forward DiffServ value.
    required: false

diffserv_reverse:
    choices:
    - disable
    - enable
    description:
    - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev
      value.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

diffservcode_rev:
    description:
    - Change packet's reverse (reply) DiffServ to this value.
    required: false

internet_service:
    choices:
    - disable
    - enable
    description:
    - Enable/disable use of Internet Services for this policy. If enabled, dstaddr and
      service are not used.
    - choice | disable | Disable use of Internet Services in policy.
    - choice | enable | Enable use of Internet Services in policy.
    required: false

logtraffic_start:
    choices:
    - disable
    - enable
    description:
    - Record logs when a session starts and ends.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

permit_stun_host:
    choices:
    - disable
    - enable
    description:
    - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

schedule_timeout:
    choices:
    - disable
    - enable
    description:
    - Enable to force current sessions to end when the schedule object times out.
    - choice | disable | Disable schedule timeout.
    - choice | enable | Enable schedule timeout.
    required: false

send_deny_packet:
    choices:
    - disable
    - enable
    description:
    - Enable to send a reply when a session is denied or blocked by a firewall policy.
    - choice | disable | Disable deny-packet sending.
    - choice | enable | Enable deny-packet sending.
    required: false

tcp_mss_receiver:
    description:
    - Receiver TCP maximum segment size (MSS).
    required: false

timeout_send_rst:
    choices:
    - disable
    - enable
    description:
    - Enable/disable sending RST packets when TCP sessions expire.
    - choice | disable | Disable sending of RST packet upon TCP session expiration.
    - choice | enable | Enable sending of RST packet upon TCP session expiration.
    required: false

vpn_dst_node_seq:
    description:
    - VPN Destination Node Seq.
    required: false

vpn_src_node_seq:
    description:
    - VPN Source Node Seq.
    required: false

wanopt_detection:
    choices:
    - active
    - passive
    - 'off'
    description:
    - WAN optimization auto-detection mode.
    - choice | active | Active WAN optimization peer auto-detection.
    - choice | passive | Passive WAN optimization peer auto-detection.
    - choice | off | Turn off WAN optimization peer auto-detection.
    required: false

auto_asic_offload:
    choices:
    - disable
    - enable
    description:
    - Enable/disable offloading security profile processing to CP processors.
    - choice | disable | Disable ASIC offloading.
    - choice | enable | Enable auto ASIC offloading.
    required: false

custom_log_fields:
    description:
    - Custom fields to append to log messages for this policy.
    required: false

dnsfilter_profile:
    description:
    - Name of an existing DNS filter profile.
    required: false

vpn_dst_node_host:
    description:
    - VPN Destination Node Host.
    required: false

vpn_src_node_host:
    description:
    - VPN Source Node Host.
    required: false

webfilter_profile:
    description:
    - Name of an existing Web filter profile.
    required: false

auth_redirect_addr:
    description:
    - HTTP-to-HTTPS redirect address for firewall authentication.
    required: false

block_notification:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block notification.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

spamfilter_profile:
    description:
    - Name of an existing Spam filter profile.
    required: false

ssh_filter_profile:
    description:
    - Name of an existing SSH filter profile.
    required: false

wanopt_passive_opt:
    choices:
    - default
    - transparent
    - non-transparent
    description:
    - WAN optimization passive mode options. This option decides what IP address will
      be used to connect server.
    - choice | default | Allow client side WAN opt peer to decide.
    - choice | transparent | Use address of client to connect to server.
    - choice | non-transparent | Use local FortiGate address to connect to server.
    required: false

fsso_agent_for_ntlm:
    description:
    - FSSO agent to use for NTLM authentication.
    required: false

internet_service_id:
    description:
    - Internet Service ID.
    required: false

vpn_dst_node_subnet:
    description:
    - VPN Destination Node Subnet.
    required: false

vpn_src_node_subnet:
    description:
    - VPN Source Node Subnet.
    required: false

diffservcode_forward:
    description:
    - Change packet's DiffServ to this value.
    required: false

identity_based_route:
    description:
    - Name of identity-based routing rule.
    required: false

internet_service_src:
    choices:
    - disable
    - enable
    description:
    - Enable/disable use of Internet Services in source for this policy. If enabled, source
      address is not used.
    - choice | disable | Disable use of Internet Services source in policy.
    - choice | enable | Enable use of Internet Services source in policy.
    required: false

captive_portal_exempt:
    choices:
    - disable
    - enable
    description:
    - Enable to exempt some users from the captive portal.
    - choice | disable | Disable exemption of captive portal.
    - choice | enable | Enable exemption of captive portal.
    required: false

delay_tcp_npu_session:
    choices:
    - disable
    - enable
    description:
    - Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
    - choice | disable | Disable TCP NPU session delay in order to guarantee packet order
      of 3-way handshake.
    - choice | enable | Enable TCP NPU session delay in order to guarantee packet order
      of 3-way handshake.
    required: false

ntlm_enabled_browsers:
    description:
    - HTTP-User-Agent value of supported browsers.
    required: false

firewall_session_dirty:
    choices:
    - check-all
    - check-new
    description:
    - How to handle sessions if the configuration of this firewall policy changes.
    - choice | check-all | Flush all current sessions accepted by this policy.
    - choice | check-new | Continue to allow sessions already accepted by this policy.
    required: false

radius_mac_auth_bypass:
    choices:
    - disable
    - enable
    description:
    - Enable MAC authentication bypass. The bypassed MAC address must be received from
      RADIUS server.
    - choice | disable | Disable MAC authentication bypass.
    - choice | enable | Enable MAC authentication bypass.
    required: false

traffic_shaper_reverse:
    description:
    - Reverse traffic shaper.
    required: false

internet_service_custom:
    description:
    - Custom Internet Service name.
    required: false

internet_service_negate:
    choices:
    - disable
    - enable
    description:
    - When enabled internet-service specifies what the service must NOT be.
    - choice | disable | Disable negated Internet Service match.
    - choice | enable | Enable negated Internet Service match.
    required: false

internet_service_src_id:
    description:
    - Internet Service source ID.
    required: false

scan_botnet_connections:
    choices:
    - disable
    - block
    - monitor
    description:
    - Block or monitor connections to Botnet servers or disable Botnet scanning.
    - choice | disable | Do not scan connections to botnet servers.
    - choice | block | Block connections to botnet servers.
    - choice | monitor | Log connections to botnet servers.
    required: false

tcp_session_without_syn:
    choices:
    - all
    - data-only
    - disable
    description:
    - Enable/disable creation of TCP session without SYN flag.
    - choice | all | Enable TCP session without SYN.
    - choice | data-only | Enable TCP session data only.
    - choice | disable | Disable TCP session without SYN.
    required: false

profile_protocol_options:
    description:
    - Name of an existing Protocol options profile.
    required: false

replacemsg_override_group:
    description:
    - Override the default replacement message group for this policy.
    required: false

fail_on_missing_dependency:
    choices:
    - enable
    - disable
    default: disable
    description:
    - Normal behavior is to "skip" tasks that fail dependency checks, so other tasks can
      run.
    - If set to "enable" and a dependency check fails, Ansible will exit with a failure
      instead of skipping the task.
    required: false

internet_service_src_custom:
    description:
    - Custom Internet Service source name.
    required: false

internet_service_src_negate:
    choices:
    - disable
    - enable
    description:
    - When enabled internet-service-src specifies what the service must NOT be.
    - choice | disable | Disable negated Internet Service source match.
    - choice | enable | Enable negated Internet Service source match.
    required: false

Outputs

api_result:
  description: full API response, includes status code and message
  returned: always
  type: str