Try SpotterManage application control security profiles
Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)
preview | supported by community
Install with ansible-galaxy collection install community.general:==0.1.1
collections:
- name: community.general
version: 0.1.1Manage application control security profiles within FortiManager
- name: DELETE Profile
fmgr_secprof_appctrl:
name: "Ansible_Application_Control_Profile"
comment: "Created by Ansible Module TEST"
mode: "delete"
- name: CREATE Profile
fmgr_secprof_appctrl:
name: "Ansible_Application_Control_Profile"
comment: "Created by Ansible Module TEST"
mode: "set"
entries: [{
action: "block",
log: "enable",
log-packet: "enable",
protocols: ["1"],
quarantine: "attacker",
quarantine-log: "enable",
},
{action: "pass",
category: ["2","3","4"]},
]
adom:
default: root
description:
- The ADOM the configuration should belong to.
required: false
mode:
choices:
- add
- set
- delete
- update
default: add
description:
- Sets one of three modes for managing the object.
- Allows use of soft-adds instead of overwriting existing values
required: false
name:
description:
- List name.
required: false
comment:
description:
- comments
required: false
entries:
description:
- EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
- List of multiple child objects to be added. Expects a list of dictionaries.
- Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
- If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY
EXCLUSIVE with its options.
- We expect that you know what you are doing with these list parameters, and are leveraging
the JSON API Guide.
- WHEN IN DOUBT, OMIT THE USE OF THIS PARAMETER
- AND USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
required: false
options:
choices:
- allow-dns
- allow-icmp
- allow-http
- allow-ssl
- allow-quic
description:
- NO DESCRIPTION PARSED ENTER MANUALLY
- FLAG Based Options. Specify multiple in list form.
- flag | allow-dns | Allow DNS.
- flag | allow-icmp | Allow ICMP.
- flag | allow-http | Allow generic HTTP web browsing.
- flag | allow-ssl | Allow generic SSL communication.
- flag | allow-quic | Allow QUIC.
required: false
entries_log:
choices:
- disable
- enable
description:
- Enable/disable logging for this application list.
- choice | disable | Disable logging.
- choice | enable | Enable logging.
required: false
entries_risk:
description:
- Risk, or impact, of allowing traffic from this application to occur 1 - 5;
- (Low, Elevated, Medium, High, and Critical).
required: false
extended_log:
choices:
- disable
- enable
description:
- Enable/disable extended logging.
- choice | disable | Disable setting.
- choice | enable | Enable setting.
required: false
app_replacemsg:
choices:
- disable
- enable
description:
- Enable/disable replacement messages for blocked applications.
- choice | disable | Disable replacement messages for blocked applications.
- choice | enable | Enable replacement messages for blocked applications.
required: false
entries_action:
choices:
- pass
- block
- reset
description:
- Pass or block traffic, or reset connection for traffic from this application.
- choice | pass | Pass or allow matching traffic.
- choice | block | Block or drop matching traffic.
- choice | reset | Reset sessions for matching traffic.
required: false
entries_shaper:
description:
- Traffic shaper.
required: false
entries_vendor:
description:
- Application vendor filter.
required: false
p2p_black_list:
choices:
- skype
- edonkey
- bittorrent
description:
- NO DESCRIPTION PARSED ENTER MANUALLY
- FLAG Based Options. Specify multiple in list form.
- flag | skype | Skype.
- flag | edonkey | Edonkey.
- flag | bittorrent | Bit torrent.
required: false
entries_behavior:
description:
- Application behavior filter.
required: false
entries_category:
description:
- Category ID list.
required: false
replacemsg_group:
description:
- Replacement message group.
required: false
entries_protocols:
description:
- Application protocol filter.
required: false
entries_rate_mode:
choices:
- periodical
- continuous
description:
- Rate limit mode.
- choice | periodical | Allow configured number of packets every rate-duration.
- choice | continuous | Block packets once the rate is reached.
required: false
entries_log_packet:
choices:
- disable
- enable
description:
- Enable/disable packet logging.
- choice | disable | Disable packet logging.
- choice | enable | Enable packet logging.
required: false
entries_popularity:
choices:
- '1'
- '2'
- '3'
- '4'
- '5'
description:
- Application popularity filter (1 - 5, from least to most popular).
- FLAG Based Options. Specify multiple in list form.
- flag | 1 | Popularity level 1.
- flag | 2 | Popularity level 2.
- flag | 3 | Popularity level 3.
- flag | 4 | Popularity level 4.
- flag | 5 | Popularity level 5.
required: false
entries_quarantine:
choices:
- none
- attacker
description:
- Quarantine method.
- choice | none | Quarantine is disabled.
- choice | attacker | Block all traffic sent from attacker's IP address.
- The attacker's IP address is also added to the banned user list. The target's address
is not affected.
required: false
entries_rate_count:
description:
- Count of the rate.
required: false
entries_rate_track:
choices:
- none
- src-ip
- dest-ip
- dhcp-client-mac
- dns-domain
description:
- Track the packet protocol field.
- choice | none |
- choice | src-ip | Source IP.
- choice | dest-ip | Destination IP.
- choice | dhcp-client-mac | DHCP client.
- choice | dns-domain | DNS domain.
required: false
entries_technology:
description:
- Application technology filter.
required: false
deep_app_inspection:
choices:
- disable
- enable
description:
- Enable/disable deep application inspection.
- choice | disable | Disable deep application inspection.
- choice | enable | Enable deep application inspection.
required: false
entries_application:
description:
- ID of allowed applications.
required: false
entries_session_ttl:
description:
- Session TTL (0 = default).
required: false
entries_sub_category:
description:
- Application Sub-category ID list.
required: false
entries_per_ip_shaper:
description:
- Per-IP traffic shaper.
required: false
entries_rate_duration:
description:
- Duration (sec) of the rate.
required: false
other_application_log:
choices:
- disable
- enable
description:
- Enable/disable logging for other applications.
- choice | disable | Disable logging for other applications.
- choice | enable | Enable logging for other applications.
required: false
entries_quarantine_log:
choices:
- disable
- enable
description:
- Enable/disable quarantine logging.
- choice | disable | Disable quarantine logging.
- choice | enable | Enable quarantine logging.
required: false
entries_shaper_reverse:
description:
- Reverse traffic shaper.
required: false
unknown_application_log:
choices:
- disable
- enable
description:
- Enable/disable logging for unknown applications.
- choice | disable | Disable logging for unknown applications.
- choice | enable | Enable logging for unknown applications.
required: false
entries_parameters_value:
description:
- Parameter value.
required: false
other_application_action:
choices:
- pass
- block
description:
- Action for other applications.
- choice | pass | Allow sessions matching an application in this application list.
- choice | block | Block sessions matching an application in this application list.
required: false
entries_quarantine_expiry:
description:
- Duration of quarantine. (Format
- Requires quarantine set to attacker.
required: false
unknown_application_action:
choices:
- pass
- block
description:
- Pass or block traffic from unknown applications.
- choice | pass | Pass or allow unknown applications.
- choice | block | Drop or block unknown applications.
required: false
api_result: description: full API response, includes status code and message returned: always type: str