Try SpotterConfigure IPv4 policies.
| "added in version" 1.0.0 of drmofu.fortimanager"
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
preview | supported by community
Install with ansible-galaxy collection install drmofu.fortimanager:==2.2.2
collections:
- name: drmofu.fortimanager
version: 2.2.2This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- hosts: fortimanager00
collections:
- fortinet.fortimanager
connection: httpapi
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: Configure IPv4 policies.
fmgr_pkg_firewall_policy:
bypass_validation: False
adom: ansible
pkg: ansible # package name
state: present
pkg_firewall_policy:
action: accept #<value in [deny, accept, ipsec, ...]>
comments: ansible-comment
dstaddr: all
dstintf: any
#name: ansible-test-policy
nat: disable
policyid: 1
schedule: always
service: ALL
srcaddr: all
srcintf: any
status: disable
- name: gathering fortimanager facts
hosts: fortimanager00
gather_facts: no
connection: httpapi
collections:
- fortinet.fortimanager
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: retrieve all the IPv4 policies
fmgr_fact:
facts:
selector: 'pkg_firewall_policy'
params:
adom: 'ansible'
pkg: 'ansible' # package name
policy: 'your_value'
pkg:
description: the parameter (pkg) in requested url
required: true
type: str
adom:
description: the parameter (adom) in requested url
required: true
type: str
state:
choices:
- present
- absent
description: The directive to create, update or delete an object.
required: true
type: str
rc_failed:
description: The rc codes list with which the conditions to fail will be overriden.
elements: int
required: false
type: list
enable_log:
default: false
description: Enable/Disable logging for task.
required: false
type: bool
access_token:
description: The token to access FortiManager without using username and password.
required: false
type: str
rc_succeeded:
description: The rc codes list with which the conditions to succeed will be overriden.
elements: int
required: false
type: list
proposed_method:
choices:
- update
- set
- add
description: The overridden method for the underlying Json RPC request.
required: false
type: str
bypass_validation:
default: false
description: Only set to True when module schema diffs with FortiManager API structure,
module continues to execute without validating parameters.
required: false
type: bool
pkg_firewall_policy:
description: the top level parameters set
required: false
suboptions:
_policy_block:
description: Assigned policy block.
type: int
action:
choices:
- deny
- accept
- ipsec
- ssl-vpn
- redirect
- isolate
description: Policy action
type: str
anti-replay:
choices:
- disable
- enable
description: Enable/disable anti-replay check.
type: str
app-category:
description: Application category ID list.
type: str
app-group:
description: Application group names.
type: str
application:
description: Application ID list.
type: int
application-list:
description: Name of an existing Application list.
type: str
auth-cert:
description: HTTPS server certificate for policy authentication.
type: str
auth-path:
choices:
- disable
- enable
description: Enable/disable authentication-based routing.
type: str
auth-redirect-addr:
description: HTTP-to-HTTPS redirect address for firewall authentication.
type: str
auto-asic-offload:
choices:
- disable
- enable
description: Enable/disable offloading security profile processing to CP processors.
type: str
av-profile:
description: Name of an existing Antivirus profile.
type: str
best-route:
choices:
- disable
- enable
description: Enable/disable the use of best route.
type: str
block-notification:
choices:
- disable
- enable
description: Enable/disable block notification.
type: str
captive-portal-exempt:
choices:
- disable
- enable
description: Enable to exempt some users from the captive portal.
type: str
capture-packet:
choices:
- disable
- enable
description: Enable/disable capture packets.
type: str
casi-profile:
description: CASI profile.
type: str
cgn-eif:
choices:
- disable
- enable
description: Enable/Disable CGN endpoint independent filtering.
type: str
cgn-eim:
choices:
- disable
- enable
description: Enable/Disable CGN endpoint independent mapping
type: str
cgn-log-server-grp:
description: NP log server group name
type: str
cgn-resource-quota:
description: resource quota
type: int
cgn-session-quota:
description: session quota
type: int
cifs-profile:
description: Name of an existing CIFS profile.
type: str
comments:
description: no description
type: str
custom-log-fields:
description: Custom fields to append to log messages for this policy.
type: str
decrypted-traffic-mirror:
description: Decrypted traffic mirror.
type: str
delay-tcp-npu-session:
choices:
- disable
- enable
description: Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
type: str
delay-tcp-npu-sessoin:
choices:
- disable
- enable
description: Enable/disable TCP NPU session delay in order to guarantee packet
order of 3-way handshake.
type: str
devices:
description: Names of devices or device groups that can be matched by the policy.
type: str
diffserv-copy:
choices:
- disable
- enable
description: Enable to copy packets DiffServ values from sessions original direction
to its reply direction.
type: str
diffserv-forward:
choices:
- disable
- enable
description: Enable to change packets DiffServ values to the specified diffservcode-forward
value.
type: str
diffserv-reverse:
choices:
- disable
- enable
description: Enable to change packets reverse
type: str
diffservcode-forward:
description: Change packets DiffServ to this value.
type: str
diffservcode-rev:
description: Change packets reverse
type: str
disclaimer:
choices:
- disable
- enable
- user
- domain
- policy
description: Enable/disable user authentication disclaimer.
type: str
dlp-profile:
description: Name of an existing DLP profile.
type: str
dlp-sensor:
description: Name of an existing DLP sensor.
type: str
dnsfilter-profile:
description: Name of an existing DNS filter profile.
type: str
dscp-match:
choices:
- disable
- enable
description: Enable DSCP check.
type: str
dscp-negate:
choices:
- disable
- enable
description: Enable negated DSCP match.
type: str
dscp-value:
description: DSCP value.
type: str
dsri:
choices:
- disable
- enable
description: Enable DSRI to ignore HTTP server responses.
type: str
dstaddr:
description: Destination address and address group names.
type: str
dstaddr-negate:
choices:
- disable
- enable
description: When enabled dstaddr specifies what the destination address must
NOT be.
type: str
dstaddr6:
description: Destination IPv6 address name and address group names.
type: str
dstaddr6-negate:
choices:
- disable
- enable
description: When enabled dstaddr6 specifies what the destination address must
NOT be.
type: str
dstintf:
description: Outgoing
type: str
dynamic-shaping:
choices:
- disable
- enable
description: Enable/disable dynamic RADIUS defined traffic shaping.
type: str
email-collect:
choices:
- disable
- enable
description: Enable/disable email collection.
type: str
emailfilter-profile:
description: Name of an existing email filter profile.
type: str
fec:
choices:
- disable
- enable
description: Enable/disable Forward Error Correction on traffic matching this
policy on a FEC device.
type: str
file-filter-profile:
description: Name of an existing file-filter profile.
type: str
firewall-session-dirty:
choices:
- check-all
- check-new
description: How to handle sessions if the configuration of this firewall policy
changes.
type: str
fixedport:
choices:
- disable
- enable
description: Enable to prevent source NAT from changing a sessions source port.
type: str
fsso:
choices:
- disable
- enable
description: Enable/disable Fortinet Single Sign-On.
type: str
fsso-agent-for-ntlm:
description: FSSO agent to use for NTLM authentication.
type: str
fsso-groups:
description: Names of FSSO groups.
type: str
geoip-anycast:
choices:
- disable
- enable
description: Enable/disable recognition of anycast IP addresses using the geography
IP database.
type: str
geoip-match:
choices:
- physical-location
- registered-location
description: Match geography address based either on its physical location or
registered location.
type: str
global-label:
description: Label for the policy that appears when the GUI is in Global View
mode.
type: str
groups:
description: Names of user groups that can authenticate with this policy.
type: str
gtp-profile:
description: GTP profile.
type: str
http-policy-redirect:
choices:
- disable
- enable
description: Redirect HTTP
type: str
icap-profile:
description: Name of an existing ICAP profile.
type: str
identity-based-route:
description: Name of identity-based routing rule.
type: str
inbound:
choices:
- disable
- enable
description: Policy-based IPsec VPN
type: str
inspection-mode:
choices:
- proxy
- flow
description: Policy inspection mode
type: str
internet-service:
choices:
- disable
- enable
description: Enable/disable use of Internet Services for this policy.
type: str
internet-service-custom:
description: Custom Internet Service Name.
type: str
internet-service-custom-group:
description: Custom Internet Service group name.
type: str
internet-service-group:
description: Internet Service group name.
type: str
internet-service-id:
description: Internet Service ID.
type: str
internet-service-name:
description: Internet Service name.
type: str
internet-service-negate:
choices:
- disable
- enable
description: When enabled internet-service specifies what the service must NOT
be.
type: str
internet-service-src:
choices:
- disable
- enable
description: Enable/disable use of Internet Services in source for this policy.
type: str
internet-service-src-custom:
description: Custom Internet Service source name.
type: str
internet-service-src-custom-group:
description: Custom Internet Service source group name.
type: str
internet-service-src-group:
description: Internet Service source group name.
type: str
internet-service-src-id:
description: Internet Service source ID.
type: str
internet-service-src-name:
description: Internet Service source name.
type: str
internet-service-src-negate:
choices:
- disable
- enable
description: When enabled internet-service-src specifies what the service must
NOT be.
type: str
internet-service6:
choices:
- disable
- enable
description: Enable/disable use of IPv6 Internet Services for this policy.
type: str
internet-service6-custom:
description: description
type: str
internet-service6-custom-group:
description: description
type: str
internet-service6-group:
description: description
type: str
internet-service6-name:
description: description
type: str
internet-service6-negate:
choices:
- disable
- enable
description: When enabled internet-service6 specifies what the service must NOT
be.
type: str
internet-service6-src:
choices:
- disable
- enable
description: Enable/disable use of IPv6 Internet Services in source for this policy.
type: str
internet-service6-src-custom:
description: description
type: str
internet-service6-src-custom-group:
description: description
type: str
internet-service6-src-group:
description: description
type: str
internet-service6-src-name:
description: description
type: str
internet-service6-src-negate:
choices:
- disable
- enable
description: When enabled internet-service6-src specifies what the service must
NOT be.
type: str
ip-version-type:
description: IP version of the policy.
type: str
ippool:
choices:
- disable
- enable
description: Enable to use IP Pools for source NAT.
type: str
ips-sensor:
description: Name of an existing IPS sensor.
type: str
ips-voip-filter:
description: Name of an existing VoIP
type: str
label:
description: Label for the policy that appears when the GUI is in Section View
mode.
type: str
learning-mode:
choices:
- disable
- enable
description: Enable to allow everything, but log all of the meaningful data for
security information gathering.
type: str
logtraffic:
choices:
- disable
- enable
- all
- utm
description: Enable or disable logging.
type: str
logtraffic-start:
choices:
- disable
- enable
description: Record logs when a session starts and ends.
type: str
match-vip:
choices:
- disable
- enable
description: Enable to match packets that have had their destination addresses
changed by a VIP.
type: str
match-vip-only:
choices:
- disable
- enable
description: Enable/disable matching of only those packets that have had their
destination addresses changed by a VIP.
type: str
mms-profile:
description: Name of an existing MMS profile.
type: str
name:
description: Policy name.
type: str
nat:
choices:
- disable
- enable
description: Enable/disable source NAT.
type: str
nat46:
choices:
- disable
- enable
description: Enable/disable NAT46.
type: str
nat64:
choices:
- disable
- enable
description: Enable/disable NAT64.
type: str
natinbound:
choices:
- disable
- enable
description: Policy-based IPsec VPN
type: str
natip:
description: Policy-based IPsec VPN
type: str
natoutbound:
choices:
- disable
- enable
description: Policy-based IPsec VPN
type: str
network-service-dynamic:
description: description
type: str
network-service-src-dynamic:
description: description
type: str
np-accelation:
choices:
- disable
- enable
description: Enable/disable UTM Network Processor acceleration.
type: str
np-acceleration:
choices:
- disable
- enable
description: Enable/disable UTM Network Processor acceleration.
type: str
ntlm:
choices:
- disable
- enable
description: Enable/disable NTLM authentication.
type: str
ntlm-enabled-browsers:
description: HTTP-User-Agent value of supported browsers.
type: str
ntlm-guest:
choices:
- disable
- enable
description: Enable/disable NTLM guest user access.
type: str
object position:
description: description
elements: str
type: list
outbound:
choices:
- disable
- enable
description: Policy-based IPsec VPN
type: str
passive-wan-health-measurement:
choices:
- disable
- enable
description: Enable/disable passive WAN health measurement.
type: str
pcp-inbound:
choices:
- disable
- enable
description: Enable/disable PCP inbound DNAT.
type: str
pcp-outbound:
choices:
- disable
- enable
description: Enable/disable PCP outbound SNAT.
type: str
pcp-poolname:
description: description
type: str
per-ip-shaper:
description: Per-IP traffic shaper.
type: str
permit-any-host:
choices:
- disable
- enable
description: Accept UDP packets from any host.
type: str
permit-stun-host:
choices:
- disable
- enable
description: Accept UDP packets from any Session Traversal Utilities for NAT
type: str
pfcp-profile:
description: PFCP profile.
type: str
policy-behaviour-type:
description: Behaviour of the policy.
type: str
policy-expiry:
choices:
- disable
- enable
description: Enable/disable policy expiry.
type: str
policy-expiry-date:
description: Policy expiry date
type: str
policy-expiry-date-utc:
description: Policy expiry date and time, in epoch format.
type: str
policy-offload:
choices:
- disable
- enable
description: Enable/Disable hardware session setup for CGNAT.
type: str
policyid:
description: Policy ID.
type: int
poolname:
description: IP Pool names.
type: str
poolname6:
description: IPv6 pool names.
type: str
profile-group:
description: Name of profile group.
type: str
profile-protocol-options:
description: Name of an existing Protocol options profile.
type: str
profile-type:
choices:
- single
- group
description: Determine whether the firewall policy allows security profile groups
or single profiles only.
type: str
radius-mac-auth-bypass:
choices:
- disable
- enable
description: Enable MAC authentication bypass.
type: str
redirect-url:
description: URL users are directed to after seeing and accepting the disclaimer
or authenticating.
type: str
replacemsg-override-group:
description: Override the default replacement message group for this policy.
type: str
reputation-direction:
choices:
- source
- destination
description: Direction of the initial traffic for reputation to take effect.
type: str
reputation-direction6:
choices:
- source
- destination
description: Direction of the initial traffic for IPv6 reputation to take effect.
type: str
reputation-minimum:
description: Minimum Reputation to take action.
type: int
reputation-minimum6:
description: IPv6 Minimum Reputation to take action.
type: int
rsso:
choices:
- disable
- enable
description: Enable/disable RADIUS single sign-on
type: str
rtp-addr:
description: Address names if this is an RTP NAT policy.
type: str
rtp-nat:
choices:
- disable
- enable
description: Enable Real Time Protocol
type: str
scan-botnet-connections:
choices:
- disable
- block
- monitor
description: Block or monitor connections to Botnet servers or disable Botnet
scanning.
type: str
schedule:
description: Schedule name.
type: str
schedule-timeout:
choices:
- disable
- enable
description: Enable to force current sessions to end when the schedule object
times out.
type: str
sctp-filter-profile:
description: Name of an existing SCTP filter profile.
type: str
send-deny-packet:
choices:
- disable
- enable
description: Enable to send a reply when a session is denied or blocked by a firewall
policy.
type: str
service:
description: Service and service group names.
type: str
service-negate:
choices:
- disable
- enable
description: When enabled service specifies what the service must NOT be.
type: str
session-ttl:
description: Session TTL in seconds for sessions accepted by this policy.
type: int
sgt:
description: description
type: int
sgt-check:
choices:
- disable
- enable
description: Enable/disable security group tags
type: str
spamfilter-profile:
description: Name of an existing Spam filter profile.
type: str
src-vendor-mac:
description: Vendor MAC source ID.
type: str
srcaddr:
description: Source address and address group names.
type: str
srcaddr-negate:
choices:
- disable
- enable
description: When enabled srcaddr specifies what the source address must NOT be.
type: str
srcaddr6:
description: Source IPv6 address name and address group names.
type: str
srcaddr6-negate:
choices:
- disable
- enable
description: When enabled srcaddr6 specifies what the source address must NOT
be.
type: str
srcintf:
description: Incoming
type: str
ssh-filter-profile:
description: Name of an existing SSH filter profile.
type: str
ssh-policy-redirect:
choices:
- disable
- enable
description: Redirect SSH traffic to matching transparent proxy policy.
type: str
ssl-mirror:
choices:
- disable
- enable
description: Enable to copy decrypted SSL traffic to a FortiGate interface
type: str
ssl-mirror-intf:
description: SSL mirror interface name.
type: str
ssl-ssh-profile:
description: Name of an existing SSL SSH profile.
type: str
status:
choices:
- disable
- enable
description: Enable or disable this policy.
type: str
tags:
description: Names of object-tags applied to this policy.
type: str
tcp-mss-receiver:
description: Receiver TCP maximum segment size
type: int
tcp-mss-sender:
description: Sender TCP maximum segment size
type: int
tcp-session-without-syn:
choices:
- all
- data-only
- disable
description: Enable/disable creation of TCP session without SYN flag.
type: str
tcp-timeout-pid:
description: TCP timeout profile ID
type: str
timeout-send-rst:
choices:
- disable
- enable
description: Enable/disable sending RST packets when TCP sessions expire.
type: str
tos:
description: ToS
type: str
tos-mask:
description: Non-zero bit positions are used for comparison while zero bit positions
are ignored.
type: str
tos-negate:
choices:
- disable
- enable
description: Enable negated TOS match.
type: str
traffic-shaper:
description: Traffic shaper.
type: str
traffic-shaper-reverse:
description: Reverse traffic shaper.
type: str
udp-timeout-pid:
description: UDP timeout profile ID
type: str
url-category:
description: URL category ID list.
type: str
users:
description: Names of individual users that can authenticate with this policy.
type: str
utm-status:
choices:
- disable
- enable
description: Enable to add one or more security profiles
type: str
uuid:
description: Universally Unique Identifier
type: str
videofilter-profile:
description: Name of an existing VideoFilter profile.
type: str
vlan-cos-fwd:
description: VLAN forward direction user priority
type: int
vlan-cos-rev:
description: VLAN reverse direction user priority
type: int
vlan-filter:
description: Set VLAN filters.
type: str
voip-profile:
description: Name of an existing VoIP profile.
type: str
vpn_dst_node:
description: Vpn_Dst_Node.
elements: dict
suboptions:
host:
description: Host.
type: str
seq:
description: Seq.
type: int
subnet:
description: Subnet.
type: str
type: list
vpn_src_node:
description: Vpn_Src_Node.
elements: dict
suboptions:
host:
description: Host.
type: str
seq:
description: Seq.
type: int
subnet:
description: Subnet.
type: str
type: list
vpntunnel:
description: Policy-based IPsec VPN
type: str
waf-profile:
description: Name of an existing Web application firewall profile.
type: str
wanopt:
choices:
- disable
- enable
description: Enable/disable WAN optimization.
type: str
wanopt-detection:
choices:
- active
- passive
- 'off'
description: WAN optimization auto-detection mode.
type: str
wanopt-passive-opt:
choices:
- default
- transparent
- non-transparent
description: WAN optimization passive mode options.
type: str
wanopt-peer:
description: WAN optimization peer.
type: str
wanopt-profile:
description: WAN optimization profile.
type: str
wccp:
choices:
- disable
- enable
description: Enable/disable forwarding traffic matching this policy to a configured
WCCP server.
type: str
webcache:
choices:
- disable
- enable
description: Enable/disable web cache.
type: str
webcache-https:
choices:
- disable
- ssl-server
- any
- enable
description: Enable/disable web cache for HTTPS.
type: str
webfilter-profile:
description: Name of an existing Web filter profile.
type: str
webproxy-forward-server:
description: Webproxy forward server name.
type: str
webproxy-profile:
description: Webproxy profile name.
type: str
wsso:
choices:
- disable
- enable
description: Enable/disable WiFi Single Sign On
type: str
ztna-device-ownership:
choices:
- disable
- enable
description: Enable/disable zero trust device ownership.
type: str
ztna-ems-tag:
description: Source ztna-ems-tag names.
type: str
ztna-ems-tag-secondary:
description: description
type: str
ztna-geo-tag:
description: Source ztna-geo-tag names.
type: str
ztna-policy-redirect:
choices:
- disable
- enable
description: Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
type: str
ztna-status:
choices:
- disable
- enable
description: Enable/disable zero trust access.
type: str
ztna-tags-match-logic:
choices:
- or
- and
description: ZTNA tag matching logic.
type: str
type: dict
workspace_locking_adom:
description: The adom to lock for FortiManager running in workspace mode, the value
can be global and others including root.
required: false
type: str
forticloud_access_token:
description: Authenticate Ansible client with forticloud API access token.
required: false
type: str
workspace_locking_timeout:
default: 300
description: The maximum time in seconds to wait for other user to release the workspace
lock.
required: false
type: int
meta:
contains:
request_url:
description: The full url requested.
returned: always
sample: /sys/login/user
type: str
response_code:
description: The status of api request.
returned: always
sample: 0
type: int
response_data:
description: The api response.
returned: always
type: list
response_message:
description: The descriptive message of the api response.
returned: always
sample: OK.
type: str
system_information:
description: The information of the target system.
returned: always
type: dict
description: The result of the request.
returned: always
type: dict
rc:
description: The status the request.
returned: always
sample: 0
type: int
version_check_warning:
description: Warning if the parameters used in the playbook are not supported by
the current FortiManager version.
returned: complex
type: list