drmofu.fortimanager.fmgr_firewall_sslsshprofile (2.2.2), module: Configure SSL/SSH protocol options.
Added in version 1.0.0 of drmofu.fortimanager. Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu). Status: preview, supported by community.
Install with: ansible-galaxy collection install drmofu.fortimanager:==2.2.2

Or add it as a collections requirement:

```yaml
collections:
  - name: drmofu.fortimanager
    version: 2.2.2
```
This module configures SSL/SSH inspection profiles on a FortiManager device.
The examples below include all parameters and values; adjust them to your own data sources before use.

Examples
```yaml
- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    # False skips verification of the FortiManager's own certificate; keep that for lab use only
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: retrieve all the SSL/SSH protocol options
      fmgr_fact:
        facts:
          selector: 'firewall_sslsshprofile'
          params:
            adom: 'ansible'
            ssl-ssh-profile: 'your_value'
```
```yaml
- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # False skips verification of the FortiManager's own certificate; keep that for lab use only
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL/SSH protocol options.
      fmgr_firewall_sslsshprofile:
        bypass_validation: False
        adom: ansible
        state: present
        firewall_sslsshprofile:
          comment: 'ansible-comment1'
          mapi-over-https: disable   # <value in [disable, enable]>
          name: 'ansible-test'
          use-ssl-server: disable    # <value in [disable, enable]>
          whitelist: enable          # <value in [disable, enable]>
```
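A further example, added here and not part of the collection's own documentation: it builds a deep-inspection profile that blocks rather than ignores certificate failures, then reads the profile back and fails the play if a weak setting remains. The profile name is constructed, and the assertion path assumes fmgr_fact returns the object under meta.response_data with the same string values the module accepts.

```yaml
- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  gather_facts: no
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: True   # verify the FortiManager's own certificate
    ansible_httpapi_port: 443
    profile_name: 'ansible-deep-inspect'   # constructed name for this example
  tasks:
    - name: Deep-inspection profile that fails closed on certificate problems
      fmgr_firewall_sslsshprofile:
        adom: ansible
        state: present
        workspace_locking_adom: ansible     # lock the ADOM if FortiManager runs in workspace mode
        firewall_sslsshprofile:
          name: '{{ profile_name }}'
          comment: 'Deep inspection, fail closed on certificate problems'
          server-cert-mode: re-sign
          whitelist: disable                # no FortiGuard-based exemptions
          use-ssl-server: disable
          https:
            status: deep-inspection
            min-allowed-ssl-version: tls-1.2
            allow-invalid-server-cert: disable
            invalid-server-cert: block
            expired-server-cert: block
            revoked-server-cert: block
            untrusted-server-cert: block
            cert-validation-failure: block
            cert-validation-timeout: block  # a validation timeout is not treated as success
            sni-server-cert-check: strict
            unsupported-ssl-version: block
            unsupported-ssl-cipher: block
            unsupported-ssl-negotiation: block
          ssh:
            status: deep-inspection
            ssh-algorithm: high-encryption
            unsupported-version: block
            ssh-policy-check: enable
            block:
              - port-forward
              - x11-filter
            log:
              - port-forward
              - x11-filter
              - ssh-shell
              - exec
          # every inspection event category logged, so anomalies are visible in the SIEM
          ssl-anomalies-log: enable
          ssl-handshake-log: enable
          ssl-invalid-server-cert-log: enable
          ssl-negotiation-log: enable
          ssl-server-cert-log: enable

    - name: Read the profile back
      fmgr_fact:
        facts:
          selector: 'firewall_sslsshprofile'
          params:
            adom: 'ansible'
            ssl-ssh-profile: '{{ profile_name }}'
      register: profile

    # Assumption: the object is returned under meta.response_data, as this module
    # documents for its own return value; adjust the path if your version differs.
    - name: Fail the play if a weak setting slipped through
      assert:
        that:
          - profile.meta.response_data.https.status == 'deep-inspection'
          - profile.meta.response_data.https['min-allowed-ssl-version'] == 'tls-1.2'
          - profile.meta.response_data.https['untrusted-server-cert'] == 'block'
          - profile.meta.response_data.ssh['unsupported-version'] == 'block'
          - "'port-forward' in profile.meta.response_data.ssh.block"
        fail_msg: "{{ profile_name }} does not match the intended hardened settings"
```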
Parameters

Format: name (type, required/optional; choices): description.

- adom (str, required): the parameter (adom) in the requested URL.
- state (str, required; present | absent): The directive to create, update or delete an object.
- rc_failed (list of int, optional): The rc codes list with which the conditions to fail will be overridden.
- enable_log (bool, optional, default false): Enable/disable logging for the task.
- access_token (str, optional): The token to access FortiManager without using username and password.
- rc_succeeded (list of int, optional): The rc codes list with which the conditions to succeed will be overridden.
- proposed_method (str, optional; update | set | add): The overridden method for the underlying JSON RPC request.
- bypass_validation (bool, optional, default false): Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
- firewall_sslsshprofile (dict, optional): the top level parameter set. Suboptions:
  - allowlist (str; disable | enable): Enable/disable exempting servers by FortiGuard allowlist.
  - block-blacklisted-certificates (str; disable | enable): Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.
  - block-blocklisted-certificates (str; disable | enable): Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist.
  - caname (str): CA certificate used by SSL Inspection.
  - certname (str): Certificate containing the key to use when re-signing server certificates for SSL inspection.
  - comment (str): Optional comments.
  - dot (dict, optional): no description. Suboptions:
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): no description.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; enable | strict | disable): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl-cipher (str; block | allow): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; block | allow): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - ftps (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): Minimum SSL version to be allowed.
    - ports (int): Ports to use for scanning.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - https (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-probe-failure (str; block | allow): Action based on certificate probe failure.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): Minimum SSL version to be allowed.
    - ports (int): Ports to use for scanning.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | certificate-inspection | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - imaps (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): no description.
    - ports (int): Ports to use for scanning.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - mapi-over-https (str; disable | enable): Enable/disable inspection of MAPI over HTTPS.
  - name (str): Name.
  - pop3s (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): no description.
    - ports (int): Ports to use for scanning.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - rpc-over-https (str; disable | enable): Enable/disable inspection of RPC over HTTPS.
  - server-cert (str): Certificate used by SSL Inspection to replace the server certificate.
  - server-cert-mode (str; re-sign | replace): Re-sign or replace the server's certificate.
  - smtps (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): no description.
    - ports (int): Ports to use for scanning.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - ssh (dict, optional): no description. Suboptions:
    - block (list of str; x11-filter | ssh-shell | exec | port-forward): no description.
    - inspect-all (str; disable | deep-inspection): Level of SSL inspection.
    - log (list of str; x11-filter | ssh-shell | exec | port-forward): no description.
    - ports (int): Ports to use for scanning.
    - proxy-after-tcp-handshake (str; disable | enable): Proxy traffic after the TCP 3-way handshake has been established.
    - ssh-algorithm (str; compatible | high-encryption): Relative strength of encryption algorithms accepted during negotiation.
    - ssh-policy-check (str; disable | enable): Enable/disable SSH policy check.
    - ssh-tun-policy-check (str; disable | enable): Enable/disable SSH tunnel policy check.
    - status (str; disable | deep-inspection): Configure protocol inspection status.
    - unsupported-version (str; block | bypass): Action based on the SSH version being unsupported.
  - ssl (dict, optional): no description. Suboptions:
    - allow-invalid-server-cert (str; disable | enable): When enabled, allows SSL sessions whose server certificate validation failed.
    - cert-probe-failure (str; block | allow): Action based on certificate probe failure.
    - cert-validation-failure (str; allow | block | ignore): Action based on certificate validation failure.
    - cert-validation-timeout (str; allow | block | ignore): Action based on certificate validation timeout.
    - client-cert-request (str; bypass | inspect | block): Action based on client certificate request.
    - client-certificate (str; bypass | inspect | block): Action based on received client certificate.
    - expired-server-cert (str; allow | block | ignore): Action when the server certificate is expired.
    - inspect-all (str; disable | certificate-inspection | deep-inspection): Level of SSL inspection.
    - invalid-server-cert (str; allow | block): Allow or block the invalid SSL session server certificate.
    - min-allowed-ssl-version (str; ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | tls-1.3): Minimum SSL version to be allowed.
    - revoked-server-cert (str; allow | block | ignore): Action when the server certificate is revoked.
    - sni-server-cert-check (str; disable | enable | strict): Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate.
    - unsupported-ssl (str; bypass | inspect | block): Action based on the SSL encryption used being unsupported.
    - unsupported-ssl-cipher (str; allow | block): Action based on the SSL cipher used being unsupported.
    - unsupported-ssl-negotiation (str; allow | block): Action based on the SSL negotiation used being unsupported.
    - unsupported-ssl-version (str; block | allow | inspect): Action based on the SSL version used being unsupported.
    - untrusted-cert (str; allow | block | ignore): Allow, ignore, or block the untrusted SSL session server certificate.
    - untrusted-server-cert (str; allow | block | ignore): Action when the server certificate is not issued by a trusted CA.
  - ssl-anomalies-log (str; disable | enable): Enable/disable logging SSL anomalies.
  - ssl-anomaly-log (str; disable | enable): Enable/disable logging of SSL anomalies.
  - ssl-exempt (list of dict): SSL exemption entries. Suboptions:
    - address (str): IPv4 address object.
    - address6 (str): IPv6 address object.
    - fortiguard-category (str): FortiGuard category ID.
    - id (int): ID number.
    - regex (str): Exempt servers by regular expression.
    - type (str; fortiguard-category | address | address6 | wildcard-fqdn | regex | finger-print): Type of address object.
    - wildcard-fqdn (str): Exempt servers by wildcard FQDN.
  - ssl-exemption-ip-rating (str; disable | enable): Enable/disable IP based URL rating.
  - ssl-exemption-log (str; disable | enable): Enable/disable logging SSL exemptions.
  - ssl-exemptions-log (str; disable | enable): Enable/disable logging SSL exemptions.
  - ssl-handshake-log (str; disable | enable): Enable/disable logging of TLS handshakes.
  - ssl-invalid-server-cert-log (str; disable | enable): Enable/disable SSL server certificate validation logging.
  - ssl-negotiation-log (str; disable | enable): Enable/disable logging SSL negotiation.
  - ssl-server (list of dict): SSL server entries. Suboptions:
    - ftps-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during the FTPS handshake.
    - ftps-client-certificate (str; bypass | inspect | block): Action based on received client certificate during the FTPS handshake.
    - https-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during the HTTPS handshake.
    - https-client-certificate (str; bypass | inspect | block): Action based on received client certificate during the HTTPS handshake.
    - id (int): SSL server ID.
    - imaps-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during the IMAPS handshake.
    - imaps-client-certificate (str; bypass | inspect | block): Action based on received client certificate during the IMAPS handshake.
    - ip (str): IPv4 address of the SSL server.
    - pop3s-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during the POP3S handshake.
    - pop3s-client-certificate (str; bypass | inspect | block): Action based on received client certificate during the POP3S handshake.
    - smtps-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during the SMTPS handshake.
    - smtps-client-certificate (str; bypass | inspect | block): Action based on received client certificate during the SMTPS handshake.
    - ssl-other-client-cert-request (str; bypass | inspect | block): Action based on client certificate request during an SSL protocol handshake.
    - ssl-other-client-certificate (str; bypass | inspect | block): Action based on received client certificate during an SSL protocol handshake.
  - ssl-server-cert-log (str; disable | enable): Enable/disable logging of server certificate information.
  - supported-alpn (str; none | http1-1 | http2 | all): Configure ALPN option.
  - untrusted-caname (str): Untrusted CA certificate used by SSL Inspection.
  - use-ssl-server (str; disable | enable): Enable/disable the use of the SSL server table for SSL offloading.
  - whitelist (str; disable | enable): Enable/disable exempting servers by FortiGuard whitelist.
- workspace_locking_adom (str, optional): The ADOM to lock for FortiManager running in workspace mode; the value can be global or another ADOM, including root.
- forticloud_access_token (str, optional): Authenticate the Ansible client with a FortiCloud API access token.
- workspace_locking_timeout (int, optional, default 300): The maximum time in seconds to wait for another user to release the workspace lock.
Return values

- meta (dict, returned always): The result of the request. Contains:
  - request_url (str, returned always; sample: /sys/login/user): The full URL requested.
  - response_code (int, returned always; sample: 0): The status of the API request.
  - response_data (list, returned always): The API response.
  - response_message (str, returned always; sample: OK.): The descriptive message of the API response.
  - system_information (dict, returned always): The information of the target system.
- rc (int, returned always; sample: 0): The status of the request.
- version_check_warning (list, returned: complex): Warning if the parameters used in the playbook are not supported by the current FortiManager version.