community.general.fmgr_secprof_ssl_ssh (0.1.1) — module

Manage SSL and SSH security profiles in FortiManager

Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Manage SSL and SSH security profiles in FortiManager via the FMG API

Usage examples

  - name: DELETE Profile
    fmgr_secprof_ssl_ssh:
      name: Ansible_SSL_SSH_Profile
      mode: delete
  - name: CREATE Profile
    fmgr_secprof_ssl_ssh:
      name: Ansible_SSL_SSH_Profile
      comment: "Created by Ansible Module TEST"
      mode: set
      mapi_over_https: enable
      rpc_over_https: enable
      server_cert_mode: replace
      ssl_anomalies_log: enable
      ssl_exemptions_log: enable
      use_ssl_server: enable
      whitelist: enable
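A further example, added here and not taken from the collection's own documentation: a play that uses the parameters listed under Inputs to set a hardened deep-inspection profile, with the permissive alternatives called out in comments. The inventory group `fortimanager`, its httpapi connection and credentials, and the CA certificate name `Fortinet_CA_SSL` are assumptions.

```yaml
# Added example, not taken from the community.general documentation.
# Assumptions: an inventory group "fortimanager" whose hosts already carry the
# FortiManager httpapi connection and credentials, and a CA certificate named
# Fortinet_CA_SSL that is present on the managed devices and trusted by clients.
- name: Enforce a hardened SSL/SSH deep-inspection profile
  hosts: fortimanager
  connection: httpapi
  gather_facts: false
  tasks:
    - name: SET hardened profile (mode set, as in the CREATE example above)
      fmgr_secprof_ssl_ssh:
        adom: root
        name: Hardened_Deep_Inspection
        comment: "Managed by Ansible, do not edit by hand"
        mode: set
        # Outbound inspection: many clients to many servers, so the server
        # certificate is re-signed by our CA rather than replaced.
        server_cert_mode: re-sign
        caname: Fortinet_CA_SSL
        # HTTPS on the standard port, including RPC and MAPI tunnelled over it.
        https_status: deep-inspection
        https_ports: 443
        rpc_over_https: enable
        mapi_over_https: enable
        # block, never allow or ignore: allow passes a failed chain on to the
        # client, ignore treats every server certificate as trusted.
        https_untrusted_cert: block
        https_allow_invalid_server_cert: disable
        # Sessions the device cannot parse would otherwise flow uninspected.
        https_unsupported_ssl: block
        # Mail over TLS gets the same treatment on its own ports.
        smtps_status: deep-inspection
        smtps_ports: 465
        smtps_untrusted_cert: block
        smtps_allow_invalid_server_cert: disable
        smtps_unsupported_ssl: block
        imaps_status: deep-inspection
        imaps_ports: 993
        imaps_untrusted_cert: block
        imaps_allow_invalid_server_cert: disable
        imaps_unsupported_ssl: block
        pop3s_status: deep-inspection
        pop3s_ports: 995
        pop3s_untrusted_cert: block
        pop3s_allow_invalid_server_cert: disable
        pop3s_unsupported_ssl: block
        # SSH: only strong ciphers, block versions that cannot be inspected,
        # and apply policy checks to both shell sessions and tunnels.
        ssh_status: deep-inspection
        ssh_ports: 22
        ssh_ssh_algorithm: high-encryption
        ssh_unsupported_version: block
        ssh_ssh_policy_check: enable
        ssh_ssh_tun_policy_check: enable
        # No FortiGuard whitelist exemptions; every exemption is explicit and logged.
        whitelist: disable
        ssl_anomalies_log: enable
        ssl_exemptions_log: enable
      register: profile_result

    - name: Show the raw FortiManager response (status code and message)
      debug:
        var: profile_result.api_result
```

The registered `api_result` string is the place to check for a non-zero FortiManager status code when the task reports success but the profile does not appear in the ADOM.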

Inputs

    
ssh:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

ssl:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

adom:
    default: root
    description:
    - The ADOM the configuration should belong to.
    required: false

ftps:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

mode:
    choices:
    - add
    - set
    - delete
    - update
    default: add
    description:
    - Sets the mode used for managing the object.
    - Allows use of soft-adds instead of overwriting existing values.
    required: false

name:
    description:
    - Name of the SSL/SSH profile.
    required: false

https:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

imaps:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

pop3s:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

smtps:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

caname:
    description:
    - CA certificate used by SSL Inspection.
    required: false

comment:
    description:
    - Optional comments.
    required: false

ssh_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

whitelist:
    choices:
    - disable
    - enable
    description:
    - Enable/disable exempting servers by FortiGuard whitelist.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ftps_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

ssh_status:
    choices:
    - disable
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

ssl_exempt:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

ssl_server:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

ftps_status:
    choices:
    - disable
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

https_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

imaps_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

pop3s_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

server_cert:
    description:
    - Certificate used by SSL Inspection to replace server certificate.
    required: false

smtps_ports:
    description:
    - Ports to use for scanning (1 - 65535, default = 443).
    required: false

https_status:
    choices:
    - disable
    - certificate-inspection
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | certificate-inspection | Inspect SSL handshake only.
    - choice | deep-inspection | Full SSL inspection.
    required: false

imaps_status:
    choices:
    - disable
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

pop3s_status:
    choices:
    - disable
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

smtps_status:
    choices:
    - disable
    - deep-inspection
    description:
    - Configure protocol inspection status.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

ssl_server_ip:
    description:
    - IPv4 address of the SSL server.
    required: false

rpc_over_https:
    choices:
    - disable
    - enable
    description:
    - Enable/disable inspection of RPC over HTTPS.
    - choice | disable | Disable inspection of RPC over HTTPS.
    - choice | enable | Enable inspection of RPC over HTTPS.
    required: false

use_ssl_server:
    choices:
    - disable
    - enable
    description:
    - Enable/disable the use of SSL server table for SSL offloading.
    - choice | disable | Don't use SSL server configuration.
    - choice | enable | Use SSL server configuration.
    required: false

mapi_over_https:
    choices:
    - disable
    - enable
    description:
    - Enable/disable inspection of MAPI over HTTPS.
    - choice | disable | Disable inspection of MAPI over HTTPS.
    - choice | enable | Enable inspection of MAPI over HTTPS.
    required: false

ssh_inspect_all:
    choices:
    - disable
    - deep-inspection
    description:
    - Level of SSL inspection.
    - choice | disable | Disable.
    - choice | deep-inspection | Full SSL inspection.
    required: false

ssl_exempt_type:
    choices:
    - fortiguard-category
    - address
    - address6
    - wildcard-fqdn
    - regex
    description:
    - Type of address object (IPv4 or IPv6) or FortiGuard category.
    - choice | fortiguard-category | FortiGuard category.
    - choice | address | Firewall IPv4 address.
    - choice | address6 | Firewall IPv6 address.
    - choice | wildcard-fqdn | Fully Qualified Domain Name with wildcard characters.
    - choice | regex | Regular expression FQDN.
    required: false

ssl_inspect_all:
    choices:
    - disable
    - certificate-inspection
    - deep-inspection
    description:
    - Level of SSL inspection.
    - choice | disable | Disable.
    - choice | certificate-inspection | Inspect SSL handshake only.
    - choice | deep-inspection | Full SSL inspection.
    required: false

server_cert_mode:
    choices:
    - re-sign
    - replace
    description:
    - Re-sign or replace the server's certificate.
    - choice | re-sign | Multiple clients connecting to multiple servers.
    - choice | replace | Protect an SSL server.
    required: false

ssl_exempt_regex:
    description:
    - Exempt servers by regular expression.
    required: false

untrusted_caname:
    description:
    - Untrusted CA certificate used by SSL Inspection.
    required: false

ssh_ssh_algorithm:
    choices:
    - compatible
    - high-encryption
    description:
    - Relative strength of encryption algorithms accepted during negotiation.
    - choice | compatible | Allow a broader set of encryption algorithms for best compatibility.
    - choice | high-encryption | Allow only AES-CTR, AES-GCM ciphers and high encryption
      algorithms.
    required: false

ssl_anomalies_log:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging SSL anomalies.
    - choice | disable | Disable logging SSL anomalies.
    - choice | enable | Enable logging SSL anomalies.
    required: false

ssl_exempt_address:
    description:
    - IPv4 address object.
    required: false

ssl_exemptions_log:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging SSL exemptions.
    - choice | disable | Disable logging SSL exemptions.
    - choice | enable | Enable logging SSL exemptions.
    required: false

ssl_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

ftps_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

ssl_exempt_address6:
    description:
    - IPv6 address object.
    required: false

ssl_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ftps_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

https_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

imaps_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

pop3s_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

smtps_untrusted_cert:
    choices:
    - allow
    - block
    - ignore
    description:
    - Allow, ignore, or block the untrusted SSL session server certificate.
    - choice | allow | Allow the untrusted server certificate.
    - choice | block | Block the connection when an untrusted server certificate is detected.
    - choice | ignore | Always take the server certificate as trusted.
    required: false

ssh_ssh_policy_check:
    choices:
    - disable
    - enable
    description:
    - Enable/disable SSH policy check.
    - choice | disable | Disable SSH policy check.
    - choice | enable | Enable SSH policy check.
    required: false

https_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

imaps_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

pop3s_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

smtps_unsupported_ssl:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on the SSL encryption used being unsupported.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssh_unsupported_version:
    choices:
    - block
    - bypass
    description:
    - Action based on SSH version being unsupported.
    - choice | block | Block.
    - choice | bypass | Bypass.
    required: false

ssl_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ftps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssh_ssh_tun_policy_check:
    choices:
    - disable
    - enable
    description:
    - Enable/disable SSH tunnel policy check.
    - choice | disable | Disable SSH tunnel policy check.
    - choice | enable | Enable SSH tunnel policy check.
    required: false

ssl_exempt_wildcard_fqdn:
    description:
    - Exempt servers by wildcard FQDN.
    required: false

https_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

imaps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

pop3s_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

smtps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ftps_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ssl_exempt_fortiguard_category:
    description:
    - FortiGuard category ID.
    required: false

https_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

imaps_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

pop3s_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

smtps_allow_invalid_server_cert:
    choices:
    - disable
    - enable
    description:
    - When enabled, allows SSL sessions whose server certificate validation failed.
    - choice | disable | Disable setting.
    - choice | enable | Enable setting.
    required: false

ssl_server_ftps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during the FTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_server_https_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during the HTTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_server_imaps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during the IMAPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_server_pop3s_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during the POP3S handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_server_smtps_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during the SMTPS handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

ssl_server_ssl_other_client_cert_request:
    choices:
    - bypass
    - inspect
    - block
    description:
    - Action based on client certificate request failure during an SSL protocol handshake.
    - choice | bypass | Bypass.
    - choice | inspect | Inspect.
    - choice | block | Block.
    required: false

Outputs

api_result:
  description: Full API response, including status code and message.
  returned: always
  type: str