drmofu / drmofu.fortimanager / 2.2.2 / module / fmgr_pkg_firewall_policy Configure IPv4 policies. | "added in version" 1.0.0 of drmofu.fortimanager" Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu) preview | supported by communitydrmofu.fortimanager.fmgr_pkg_firewall_policy (2.2.2) — module
Install with ansible-galaxy collection install drmofu.fortimanager:==2.2.2
collections: - name: drmofu.fortimanager version: 2.2.2
This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- hosts: fortimanager00 collections: - fortinet.fortimanager connection: httpapi vars: ansible_httpapi_use_ssl: True ansible_httpapi_validate_certs: False ansible_httpapi_port: 443 tasks: - name: Configure IPv4 policies. fmgr_pkg_firewall_policy: bypass_validation: False adom: ansible pkg: ansible # package name state: present pkg_firewall_policy: action: accept #<value in [deny, accept, ipsec, ...]> comments: ansible-comment dstaddr: all dstintf: any #name: ansible-test-policy nat: disable policyid: 1 schedule: always service: ALL srcaddr: all srcintf: any status: disable
- name: gathering fortimanager facts hosts: fortimanager00 gather_facts: no connection: httpapi collections: - fortinet.fortimanager vars: ansible_httpapi_use_ssl: True ansible_httpapi_validate_certs: False ansible_httpapi_port: 443 tasks: - name: retrieve all the IPv4 policies fmgr_fact: facts: selector: 'pkg_firewall_policy' params: adom: 'ansible' pkg: 'ansible' # package name policy: 'your_value'
pkg: description: the parameter (pkg) in requested url required: true type: str adom: description: the parameter (adom) in requested url required: true type: str state: choices: - present - absent description: The directive to create, update or delete an object. required: true type: str rc_failed: description: The rc codes list with which the conditions to fail will be overriden. elements: int required: false type: list enable_log: default: false description: Enable/Disable logging for task. required: false type: bool access_token: description: The token to access FortiManager without using username and password. required: false type: str rc_succeeded: description: The rc codes list with which the conditions to succeed will be overriden. elements: int required: false type: list proposed_method: choices: - update - set - add description: The overridden method for the underlying Json RPC request. required: false type: str bypass_validation: default: false description: Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. required: false type: bool pkg_firewall_policy: description: the top level parameters set required: false suboptions: _policy_block: description: Assigned policy block. type: int action: choices: - deny - accept - ipsec - ssl-vpn - redirect - isolate description: Policy action type: str anti-replay: choices: - disable - enable description: Enable/disable anti-replay check. type: str app-category: description: Application category ID list. type: str app-group: description: Application group names. type: str application: description: Application ID list. type: int application-list: description: Name of an existing Application list. type: str auth-cert: description: HTTPS server certificate for policy authentication. type: str auth-path: choices: - disable - enable description: Enable/disable authentication-based routing. type: str auth-redirect-addr: description: HTTP-to-HTTPS redirect address for firewall authentication. type: str auto-asic-offload: choices: - disable - enable description: Enable/disable offloading security profile processing to CP processors. type: str av-profile: description: Name of an existing Antivirus profile. type: str best-route: choices: - disable - enable description: Enable/disable the use of best route. type: str block-notification: choices: - disable - enable description: Enable/disable block notification. type: str captive-portal-exempt: choices: - disable - enable description: Enable to exempt some users from the captive portal. type: str capture-packet: choices: - disable - enable description: Enable/disable capture packets. type: str casi-profile: description: CASI profile. type: str cgn-eif: choices: - disable - enable description: Enable/Disable CGN endpoint independent filtering. type: str cgn-eim: choices: - disable - enable description: Enable/Disable CGN endpoint independent mapping type: str cgn-log-server-grp: description: NP log server group name type: str cgn-resource-quota: description: resource quota type: int cgn-session-quota: description: session quota type: int cifs-profile: description: Name of an existing CIFS profile. type: str comments: description: no description type: str custom-log-fields: description: Custom fields to append to log messages for this policy. type: str decrypted-traffic-mirror: description: Decrypted traffic mirror. type: str delay-tcp-npu-session: choices: - disable - enable description: Enable TCP NPU session delay to guarantee packet order of 3-way handshake. type: str delay-tcp-npu-sessoin: choices: - disable - enable description: Enable/disable TCP NPU session delay in order to guarantee packet order of 3-way handshake. type: str devices: description: Names of devices or device groups that can be matched by the policy. type: str diffserv-copy: choices: - disable - enable description: Enable to copy packets DiffServ values from sessions original direction to its reply direction. type: str diffserv-forward: choices: - disable - enable description: Enable to change packets DiffServ values to the specified diffservcode-forward value. type: str diffserv-reverse: choices: - disable - enable description: Enable to change packets reverse type: str diffservcode-forward: description: Change packets DiffServ to this value. type: str diffservcode-rev: description: Change packets reverse type: str disclaimer: choices: - disable - enable - user - domain - policy description: Enable/disable user authentication disclaimer. type: str dlp-profile: description: Name of an existing DLP profile. type: str dlp-sensor: description: Name of an existing DLP sensor. type: str dnsfilter-profile: description: Name of an existing DNS filter profile. type: str dscp-match: choices: - disable - enable description: Enable DSCP check. type: str dscp-negate: choices: - disable - enable description: Enable negated DSCP match. type: str dscp-value: description: DSCP value. type: str dsri: choices: - disable - enable description: Enable DSRI to ignore HTTP server responses. type: str dstaddr: description: Destination address and address group names. type: str dstaddr-negate: choices: - disable - enable description: When enabled dstaddr specifies what the destination address must NOT be. type: str dstaddr6: description: Destination IPv6 address name and address group names. type: str dstaddr6-negate: choices: - disable - enable description: When enabled dstaddr6 specifies what the destination address must NOT be. type: str dstintf: description: Outgoing type: str dynamic-shaping: choices: - disable - enable description: Enable/disable dynamic RADIUS defined traffic shaping. type: str email-collect: choices: - disable - enable description: Enable/disable email collection. type: str emailfilter-profile: description: Name of an existing email filter profile. type: str fec: choices: - disable - enable description: Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. type: str file-filter-profile: description: Name of an existing file-filter profile. type: str firewall-session-dirty: choices: - check-all - check-new description: How to handle sessions if the configuration of this firewall policy changes. type: str fixedport: choices: - disable - enable description: Enable to prevent source NAT from changing a sessions source port. type: str fsso: choices: - disable - enable description: Enable/disable Fortinet Single Sign-On. type: str fsso-agent-for-ntlm: description: FSSO agent to use for NTLM authentication. type: str fsso-groups: description: Names of FSSO groups. type: str geoip-anycast: choices: - disable - enable description: Enable/disable recognition of anycast IP addresses using the geography IP database. type: str geoip-match: choices: - physical-location - registered-location description: Match geography address based either on its physical location or registered location. type: str global-label: description: Label for the policy that appears when the GUI is in Global View mode. type: str groups: description: Names of user groups that can authenticate with this policy. type: str gtp-profile: description: GTP profile. type: str http-policy-redirect: choices: - disable - enable description: Redirect HTTP type: str icap-profile: description: Name of an existing ICAP profile. type: str identity-based-route: description: Name of identity-based routing rule. type: str inbound: choices: - disable - enable description: Policy-based IPsec VPN type: str inspection-mode: choices: - proxy - flow description: Policy inspection mode type: str internet-service: choices: - disable - enable description: Enable/disable use of Internet Services for this policy. type: str internet-service-custom: description: Custom Internet Service Name. type: str internet-service-custom-group: description: Custom Internet Service group name. type: str internet-service-group: description: Internet Service group name. type: str internet-service-id: description: Internet Service ID. type: str internet-service-name: description: Internet Service name. type: str internet-service-negate: choices: - disable - enable description: When enabled internet-service specifies what the service must NOT be. type: str internet-service-src: choices: - disable - enable description: Enable/disable use of Internet Services in source for this policy. type: str internet-service-src-custom: description: Custom Internet Service source name. type: str internet-service-src-custom-group: description: Custom Internet Service source group name. type: str internet-service-src-group: description: Internet Service source group name. type: str internet-service-src-id: description: Internet Service source ID. type: str internet-service-src-name: description: Internet Service source name. type: str internet-service-src-negate: choices: - disable - enable description: When enabled internet-service-src specifies what the service must NOT be. type: str internet-service6: choices: - disable - enable description: Enable/disable use of IPv6 Internet Services for this policy. type: str internet-service6-custom: description: description type: str internet-service6-custom-group: description: description type: str internet-service6-group: description: description type: str internet-service6-name: description: description type: str internet-service6-negate: choices: - disable - enable description: When enabled internet-service6 specifies what the service must NOT be. type: str internet-service6-src: choices: - disable - enable description: Enable/disable use of IPv6 Internet Services in source for this policy. type: str internet-service6-src-custom: description: description type: str internet-service6-src-custom-group: description: description type: str internet-service6-src-group: description: description type: str internet-service6-src-name: description: description type: str internet-service6-src-negate: choices: - disable - enable description: When enabled internet-service6-src specifies what the service must NOT be. type: str ip-version-type: description: IP version of the policy. type: str ippool: choices: - disable - enable description: Enable to use IP Pools for source NAT. type: str ips-sensor: description: Name of an existing IPS sensor. type: str ips-voip-filter: description: Name of an existing VoIP type: str label: description: Label for the policy that appears when the GUI is in Section View mode. type: str learning-mode: choices: - disable - enable description: Enable to allow everything, but log all of the meaningful data for security information gathering. type: str logtraffic: choices: - disable - enable - all - utm description: Enable or disable logging. type: str logtraffic-start: choices: - disable - enable description: Record logs when a session starts and ends. type: str match-vip: choices: - disable - enable description: Enable to match packets that have had their destination addresses changed by a VIP. type: str match-vip-only: choices: - disable - enable description: Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. type: str mms-profile: description: Name of an existing MMS profile. type: str name: description: Policy name. type: str nat: choices: - disable - enable description: Enable/disable source NAT. type: str nat46: choices: - disable - enable description: Enable/disable NAT46. type: str nat64: choices: - disable - enable description: Enable/disable NAT64. type: str natinbound: choices: - disable - enable description: Policy-based IPsec VPN type: str natip: description: Policy-based IPsec VPN type: str natoutbound: choices: - disable - enable description: Policy-based IPsec VPN type: str network-service-dynamic: description: description type: str network-service-src-dynamic: description: description type: str np-accelation: choices: - disable - enable description: Enable/disable UTM Network Processor acceleration. type: str np-acceleration: choices: - disable - enable description: Enable/disable UTM Network Processor acceleration. type: str ntlm: choices: - disable - enable description: Enable/disable NTLM authentication. type: str ntlm-enabled-browsers: description: HTTP-User-Agent value of supported browsers. type: str ntlm-guest: choices: - disable - enable description: Enable/disable NTLM guest user access. type: str object position: description: description elements: str type: list outbound: choices: - disable - enable description: Policy-based IPsec VPN type: str passive-wan-health-measurement: choices: - disable - enable description: Enable/disable passive WAN health measurement. type: str pcp-inbound: choices: - disable - enable description: Enable/disable PCP inbound DNAT. type: str pcp-outbound: choices: - disable - enable description: Enable/disable PCP outbound SNAT. type: str pcp-poolname: description: description type: str per-ip-shaper: description: Per-IP traffic shaper. type: str permit-any-host: choices: - disable - enable description: Accept UDP packets from any host. type: str permit-stun-host: choices: - disable - enable description: Accept UDP packets from any Session Traversal Utilities for NAT type: str pfcp-profile: description: PFCP profile. type: str policy-behaviour-type: description: Behaviour of the policy. type: str policy-expiry: choices: - disable - enable description: Enable/disable policy expiry. type: str policy-expiry-date: description: Policy expiry date type: str policy-expiry-date-utc: description: Policy expiry date and time, in epoch format. type: str policy-offload: choices: - disable - enable description: Enable/Disable hardware session setup for CGNAT. type: str policyid: description: Policy ID. type: int poolname: description: IP Pool names. type: str poolname6: description: IPv6 pool names. type: str profile-group: description: Name of profile group. type: str profile-protocol-options: description: Name of an existing Protocol options profile. type: str profile-type: choices: - single - group description: Determine whether the firewall policy allows security profile groups or single profiles only. type: str radius-mac-auth-bypass: choices: - disable - enable description: Enable MAC authentication bypass. type: str redirect-url: description: URL users are directed to after seeing and accepting the disclaimer or authenticating. type: str replacemsg-override-group: description: Override the default replacement message group for this policy. type: str reputation-direction: choices: - source - destination description: Direction of the initial traffic for reputation to take effect. type: str reputation-direction6: choices: - source - destination description: Direction of the initial traffic for IPv6 reputation to take effect. type: str reputation-minimum: description: Minimum Reputation to take action. type: int reputation-minimum6: description: IPv6 Minimum Reputation to take action. type: int rsso: choices: - disable - enable description: Enable/disable RADIUS single sign-on type: str rtp-addr: description: Address names if this is an RTP NAT policy. type: str rtp-nat: choices: - disable - enable description: Enable Real Time Protocol type: str scan-botnet-connections: choices: - disable - block - monitor description: Block or monitor connections to Botnet servers or disable Botnet scanning. type: str schedule: description: Schedule name. type: str schedule-timeout: choices: - disable - enable description: Enable to force current sessions to end when the schedule object times out. type: str sctp-filter-profile: description: Name of an existing SCTP filter profile. type: str send-deny-packet: choices: - disable - enable description: Enable to send a reply when a session is denied or blocked by a firewall policy. type: str service: description: Service and service group names. type: str service-negate: choices: - disable - enable description: When enabled service specifies what the service must NOT be. type: str session-ttl: description: Session TTL in seconds for sessions accepted by this policy. type: int sgt: description: description type: int sgt-check: choices: - disable - enable description: Enable/disable security group tags type: str spamfilter-profile: description: Name of an existing Spam filter profile. type: str src-vendor-mac: description: Vendor MAC source ID. type: str srcaddr: description: Source address and address group names. type: str srcaddr-negate: choices: - disable - enable description: When enabled srcaddr specifies what the source address must NOT be. type: str srcaddr6: description: Source IPv6 address name and address group names. type: str srcaddr6-negate: choices: - disable - enable description: When enabled srcaddr6 specifies what the source address must NOT be. type: str srcintf: description: Incoming type: str ssh-filter-profile: description: Name of an existing SSH filter profile. type: str ssh-policy-redirect: choices: - disable - enable description: Redirect SSH traffic to matching transparent proxy policy. type: str ssl-mirror: choices: - disable - enable description: Enable to copy decrypted SSL traffic to a FortiGate interface type: str ssl-mirror-intf: description: SSL mirror interface name. type: str ssl-ssh-profile: description: Name of an existing SSL SSH profile. type: str status: choices: - disable - enable description: Enable or disable this policy. type: str tags: description: Names of object-tags applied to this policy. type: str tcp-mss-receiver: description: Receiver TCP maximum segment size type: int tcp-mss-sender: description: Sender TCP maximum segment size type: int tcp-session-without-syn: choices: - all - data-only - disable description: Enable/disable creation of TCP session without SYN flag. type: str tcp-timeout-pid: description: TCP timeout profile ID type: str timeout-send-rst: choices: - disable - enable description: Enable/disable sending RST packets when TCP sessions expire. type: str tos: description: ToS type: str tos-mask: description: Non-zero bit positions are used for comparison while zero bit positions are ignored. type: str tos-negate: choices: - disable - enable description: Enable negated TOS match. type: str traffic-shaper: description: Traffic shaper. type: str traffic-shaper-reverse: description: Reverse traffic shaper. type: str udp-timeout-pid: description: UDP timeout profile ID type: str url-category: description: URL category ID list. type: str users: description: Names of individual users that can authenticate with this policy. type: str utm-status: choices: - disable - enable description: Enable to add one or more security profiles type: str uuid: description: Universally Unique Identifier type: str videofilter-profile: description: Name of an existing VideoFilter profile. type: str vlan-cos-fwd: description: VLAN forward direction user priority type: int vlan-cos-rev: description: VLAN reverse direction user priority type: int vlan-filter: description: Set VLAN filters. type: str voip-profile: description: Name of an existing VoIP profile. type: str vpn_dst_node: description: Vpn_Dst_Node. elements: dict suboptions: host: description: Host. type: str seq: description: Seq. type: int subnet: description: Subnet. type: str type: list vpn_src_node: description: Vpn_Src_Node. elements: dict suboptions: host: description: Host. type: str seq: description: Seq. type: int subnet: description: Subnet. type: str type: list vpntunnel: description: Policy-based IPsec VPN type: str waf-profile: description: Name of an existing Web application firewall profile. type: str wanopt: choices: - disable - enable description: Enable/disable WAN optimization. type: str wanopt-detection: choices: - active - passive - 'off' description: WAN optimization auto-detection mode. type: str wanopt-passive-opt: choices: - default - transparent - non-transparent description: WAN optimization passive mode options. type: str wanopt-peer: description: WAN optimization peer. type: str wanopt-profile: description: WAN optimization profile. type: str wccp: choices: - disable - enable description: Enable/disable forwarding traffic matching this policy to a configured WCCP server. type: str webcache: choices: - disable - enable description: Enable/disable web cache. type: str webcache-https: choices: - disable - ssl-server - any - enable description: Enable/disable web cache for HTTPS. type: str webfilter-profile: description: Name of an existing Web filter profile. type: str webproxy-forward-server: description: Webproxy forward server name. type: str webproxy-profile: description: Webproxy profile name. type: str wsso: choices: - disable - enable description: Enable/disable WiFi Single Sign On type: str ztna-device-ownership: choices: - disable - enable description: Enable/disable zero trust device ownership. type: str ztna-ems-tag: description: Source ztna-ems-tag names. type: str ztna-ems-tag-secondary: description: description type: str ztna-geo-tag: description: Source ztna-geo-tag names. type: str ztna-policy-redirect: choices: - disable - enable description: Redirect ZTNA traffic to matching Access-Proxy proxy-policy. type: str ztna-status: choices: - disable - enable description: Enable/disable zero trust access. type: str ztna-tags-match-logic: choices: - or - and description: ZTNA tag matching logic. type: str type: dict workspace_locking_adom: description: The adom to lock for FortiManager running in workspace mode, the value can be global and others including root. required: false type: str forticloud_access_token: description: Authenticate Ansible client with forticloud API access token. required: false type: str workspace_locking_timeout: default: 300 description: The maximum time in seconds to wait for other user to release the workspace lock. required: false type: int
meta: contains: request_url: description: The full url requested. returned: always sample: /sys/login/user type: str response_code: description: The status of api request. returned: always sample: 0 type: int response_data: description: The api response. returned: always type: list response_message: description: The descriptive message of the api response. returned: always sample: OK. type: str system_information: description: The information of the target system. returned: always type: dict description: The result of the request. returned: always type: dict rc: description: The status the request. returned: always sample: 0 type: int version_check_warning: description: Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: complex type: list