drmofu.fortimanager.fmgr_vpn_ssl_settings (2.2.2) — module

Configure SSL VPN.

Added in version 2.1.0 of drmofu.fortimanager

Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)

preview | supported by community

Install collection

Install with ansible-galaxy collection install drmofu.fortimanager:==2.2.2


Add to requirements.yml

  collections:
    - name: drmofu.fortimanager
      version: 2.2.2

Description

This module is able to configure a FortiManager device.

The examples list all parameters; their values must be adjusted to your own data sources before use.

Usage examples

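 - hosts: fortimanager-inventory
   connection: httpapi
   vars:
     ansible_httpapi_use_ssl: true
     # Keep certificate validation on so the controller only talks to a FortiManager
     # whose certificate it trusts (add the CA to the controller's trust store).
     # Set this to false only for an isolated lab with self-signed certificates.
     ansible_httpapi_validate_certs: true
     ansible_httpapi_port: 443
   tasks:
     - name: Configure SSL VPN.
       # Fully-qualified module name; this page documents the drmofu.fortimanager collection.
       drmofu.fortimanager.fmgr_vpn_ssl_settings:
         # Leave false so the parameters are validated against the module schema.
         bypass_validation: false
         workspace_locking_adom: <value in [global, custom adom including root]>
         workspace_locking_timeout: 300
         rc_succeeded: [0, -2, -3, ...]
         rc_failed: [-2, -3, ...]
         device: <your own value>
         vdom: <your own value>
         vpn_ssl_settings:
           algorithm: <value in [default, high, low, ...]>
           # Ties an authenticated session to the source IP it was established from.
           auth-session-check-source-ip: <value in [disable, enable]>
           auth-timeout: <value of integer>
           authentication-rule:
             - auth: <value in [any, local, radius, ...]>
               cipher: <value in [any, high, medium]>
               client-cert: <value in [disable, enable]>
               groups: <value of string>
               id: <value of integer>
               portal: <value of string>
               realm: <value of string>
               source-address: <value of string>
               source-address-negate: <value in [disable, enable]>
               source-address6: <value of string>
               source-address6-negate: <value in [disable, enable]>
               source-interface: <value of string>
               user-peer: <value of string>
               users: <value of string>
           auto-tunnel-static-route: <value in [disable, enable]>
           # Every accepted value is listed below for reference; keep only the ones you
           # actually want banned (the module accepts any subset of this list).
           banned-cipher:
             - RSA
             - DH
             - DHE
             - ECDH
             - ECDHE
             - DSS
             - ECDSA
             - AES
             - AESGCM
             - CAMELLIA
             - 3DES
             - SHA1
             - SHA256
             - SHA384
             - STATIC
             - CHACHA20
             - ARIA
             - AESCCM
           # Referer verification for the web portal (see the parameter description).
           check-referer: <value in [disable, enable]>
           default-portal: <value of string>
           deflate-compression-level: <value of integer>
           deflate-min-data-size: <value of integer>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           dtls-hello-timeout: <value of integer>
           dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-tunnel: <value in [disable, enable]>
           encode-2f-sequence: <value in [disable, enable]>
           # Stores user passwords (encrypted) for web sessions; enable only if required.
           encrypt-and-store-password: <value in [disable, enable]>
           force-two-factor-auth: <value in [disable, enable]>
           header-x-forwarded-for: <value in [pass, add, remove]>
           # Browser-side hardening headers: HSTS includeSubDomains, HttpOnly cookies,
           # X-Content-Type-Options (set further down).
           hsts-include-subdomains: <value in [disable, enable]>
           http-compression: <value in [disable, enable]>
           http-only-cookie: <value in [disable, enable]>
           http-request-body-timeout: <value of integer>
           http-request-header-timeout: <value of integer>
           https-redirect: <value in [disable, enable]>
           idle-timeout: <value of integer>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           ipv6-wins-server2: <value of string>
           # Brute-force throttling: failed attempts before a block, and block duration.
           login-attempt-limit: <value of integer>
           login-block-time: <value of integer>
           login-timeout: <value of integer>
           port: <value of integer>
           port-precedence: <value in [disable, enable]>
           # Require a client certificate from every SSL VPN user.
           reqclientcert: <value in [disable, enable]>
           route-source-interface: <value in [disable, enable]>
           servercert: <value of string>
           source-address: <value of string>
           source-address-negate: <value in [disable, enable]>
           source-address6: <value of string>
           source-address6-negate: <value in [disable, enable]>
           source-interface: <value of string>
           ssl-client-renegotiation: <value in [disable, enable]>
           ssl-insert-empty-fragment: <value in [disable, enable]>
           ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           # Per-version toggles for legacy TLS; TLS 1.0/1.1 (and SSLv3 below) are best
           # left disabled unless a specific client still requires them.
           tlsv1-0: <value in [disable, enable]>
           tlsv1-1: <value in [disable, enable]>
           tlsv1-2: <value in [disable, enable]>
           tlsv1-3: <value in [disable, enable]>
           transform-backward-slashes: <value in [disable, enable]>
           tunnel-connect-without-reauth: <value in [disable, enable]>
           tunnel-ip-pools: <value of string>
           tunnel-ipv6-pools: <value of string>
           tunnel-user-session-timeout: <value of integer>
           # The module itself describes this renegotiation mode as unsafe; keep disabled.
           unsafe-legacy-renegotiation: <value in [disable, enable]>
           url-obscuration: <value in [disable, enable]>
           user-peer: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           x-content-type-options: <value in [disable, enable]>
           sslv3: <value in [disable, enable]>
           ssl-big-buffer: <value in [disable, enable]>
           client-sigalgs: <value in [no-rsa-pss, all]>
           # All accepted TLS 1.3 suites are listed; configure only those you want offered.
           ciphersuite:
             - TLS-AES-128-GCM-SHA256
             - TLS-AES-256-GCM-SHA384
             - TLS-CHACHA20-POLY1305-SHA256
             - TLS-AES-128-CCM-SHA256
             - TLS-AES-128-CCM-8-SHA256
           dual-stack-mode: <value in [disable, enable]>
           tunnel-addr-assigned-method: <value in [first-available, round-robin]>
           browser-language-detection: <value in [disable, enable]>
           saml-redirect-port: <value of integer>
           status: <value in [disable, enable]>
           web-mode-snat: <value in [disable, enable]>
           # Verifies the device certificate of ZTNA clients (see the parameter description).
           ztna-trusted-client: <value in [disable, enable]>
           dtls-heartbeat-fail-count: <value of integer>
           dtls-heartbeat-idle-timeout: <value of integer>
           dtls-heartbeat-interval: <value of integer>
           server-hostname: <value of string>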

Inputs

    
vdom:
    description: The parameter (vdom) in the requested URL.
    required: true
    type: str

device:
    description: The parameter (device) in the requested URL.
    required: true
    type: str

rc_failed:
    description: The list of rc codes that overrides the conditions under which the task fails.
    elements: int
    required: false
    type: list

enable_log:
    default: false
    description: Enable/Disable logging for task.
    required: false
    type: bool

access_token:
    description: The token to access FortiManager without using username and password.
    required: false
    type: str

rc_succeeded:
    description: The list of rc codes that overrides the conditions under which the task succeeds.
    elements: int
    required: false
    type: list

proposed_method:
    choices:
    - update
    - set
    - add
    description: The method that overrides the default for the underlying JSON-RPC request.
    required: false
    type: str

vpn_ssl_settings:
    description: The top-level parameter set.
    required: false
    suboptions:
      algorithm:
        choices:
        - default
        - high
        - low
        - medium
        description: Force the SSL VPN security level.
        type: str
      auth-session-check-source-ip:
        choices:
        - disable
        - enable
        description: Enable/disable checking of source IP for authentication session.
        type: str
      auth-timeout:
        description: SSL VPN authentication timeout
        type: int
      authentication-rule:
        description: description
        elements: dict
        suboptions:
          auth:
            choices:
            - any
            - local
            - radius
            - ldap
            - tacacs+
            - peer
            description: SSL VPN authentication method restriction.
            type: str
          cipher:
            choices:
            - any
            - high
            - medium
            description: SSL VPN cipher strength.
            type: str
          client-cert:
            choices:
            - disable
            - enable
            description: Enable/disable SSL VPN client certificate restrictive.
            type: str
          groups:
            description: User groups.
            type: str
          id:
            description: ID
            type: int
          portal:
            description: SSL VPN portal.
            type: str
          realm:
            description: SSL VPN realm.
            type: str
          source-address:
            description: Source address of incoming traffic.
            type: str
          source-address-negate:
            choices:
            - disable
            - enable
            description: Enable/disable negated source address match.
            type: str
          source-address6:
            description: IPv6 source address of incoming traffic.
            type: str
          source-address6-negate:
            choices:
            - disable
            - enable
            description: Enable/disable negated source IPv6 address match.
            type: str
          source-interface:
            description: SSL VPN source interface of incoming traffic.
            type: str
          user-peer:
            description: Name of user peer.
            type: str
          users:
            description: User name.
            type: str
        type: list
      auto-tunnel-static-route:
        choices:
        - disable
        - enable
        description: Enable/disable to auto-create static routes for the SSL VPN tunnel
          IP addresses.
        type: str
      banned-cipher:
        choices:
        - RSA
        - DH
        - DHE
        - ECDH
        - ECDHE
        - DSS
        - ECDSA
        - AES
        - AESGCM
        - CAMELLIA
        - 3DES
        - SHA1
        - SHA256
        - SHA384
        - STATIC
        - CHACHA20
        - ARIA
        - AESCCM
        description: description
        elements: str
        type: list
      browser-language-detection:
        choices:
        - disable
        - enable
        description: Enable/disable overriding the configured system language based on
          the preferred language of the browser.
        type: str
      check-referer:
        choices:
        - disable
        - enable
        description: Enable/disable verification of referer field in HTTP request header.
        type: str
      ciphersuite:
        choices:
        - TLS-AES-128-GCM-SHA256
        - TLS-AES-256-GCM-SHA384
        - TLS-CHACHA20-POLY1305-SHA256
        - TLS-AES-128-CCM-SHA256
        - TLS-AES-128-CCM-8-SHA256
        description: description
        elements: str
        type: list
      client-sigalgs:
        choices:
        - no-rsa-pss
        - all
        description: Set signature algorithms related to client authentication.
        type: str
      default-portal:
        description: Default SSL VPN portal.
        type: str
      deflate-compression-level:
        description: Compression level
        type: int
      deflate-min-data-size:
        description: Minimum amount of data that triggers compression
        type: int
      dns-server1:
        description: DNS server 1.
        type: str
      dns-server2:
        description: DNS server 2.
        type: str
      dns-suffix:
        description: DNS suffix used for SSL VPN clients.
        type: str
      dtls-heartbeat-fail-count:
        description: Number of missing heartbeats before the connection is considered
          dropped.
        type: int
      dtls-heartbeat-idle-timeout:
        description: Idle timeout before DTLS heartbeat is sent.
        type: int
      dtls-heartbeat-interval:
        description: Interval between DTLS heartbeat.
        type: int
      dtls-hello-timeout:
        description: SSLVPN maximum DTLS hello timeout
        type: int
      dtls-max-proto-ver:
        choices:
        - dtls1-0
        - dtls1-2
        description: DTLS maximum protocol version.
        type: str
      dtls-min-proto-ver:
        choices:
        - dtls1-0
        - dtls1-2
        description: DTLS minimum protocol version.
        type: str
      dtls-tunnel:
        choices:
        - disable
        - enable
        description: Enable/disable DTLS to prevent eavesdropping, tampering, or message
          forgery.
        type: str
      dual-stack-mode:
        choices:
        - disable
        - enable
        description: Tunnel mode
        type: str
      encode-2f-sequence:
        choices:
        - disable
        - enable
        description: Encode 2F sequence to forward slash in URLs.
        type: str
      encrypt-and-store-password:
        choices:
        - disable
        - enable
        description: Encrypt and store user passwords for SSL VPN web sessions.
        type: str
      force-two-factor-auth:
        choices:
        - disable
        - enable
        description: Enable/disable only PKI users with two-factor authentication for
          SSL VPNs.
        type: str
      header-x-forwarded-for:
        choices:
        - pass
        - add
        - remove
        description: Forward the same, add, or remove HTTP header.
        type: str
      hsts-include-subdomains:
        choices:
        - disable
        - enable
        description: Add HSTS includeSubDomains response header.
        type: str
      http-compression:
        choices:
        - disable
        - enable
        description: Enable/disable to allow HTTP compression over SSL VPN tunnels.
        type: str
      http-only-cookie:
        choices:
        - disable
        - enable
        description: Enable/disable SSL VPN support for HttpOnly cookies.
        type: str
      http-request-body-timeout:
        description: SSL VPN session is disconnected if an HTTP request body is not received
          within this time
        type: int
      http-request-header-timeout:
        description: SSL VPN session is disconnected if an HTTP request header is not
          received within this time
        type: int
      https-redirect:
        choices:
        - disable
        - enable
        description: Enable/disable redirect of port 80 to SSL VPN port.
        type: str
      idle-timeout:
        description: SSL VPN disconnects if idle for specified time in seconds.
        type: int
      ipv6-dns-server1:
        description: IPv6 DNS server 1.
        type: str
      ipv6-dns-server2:
        description: IPv6 DNS server 2.
        type: str
      ipv6-wins-server1:
        description: IPv6 WINS server 1.
        type: str
      ipv6-wins-server2:
        description: IPv6 WINS server 2.
        type: str
      login-attempt-limit:
        description: SSL VPN maximum login attempt times before block
        type: int
      login-block-time:
        description: Time for which a user is blocked from logging in after too many failed
          login attempts
        type: int
      login-timeout:
        description: SSLVPN maximum login timeout
        type: int
      port:
        description: SSL VPN access port
        type: int
      port-precedence:
        choices:
        - disable
        - enable
        description: Enable/disable. Enable means that if SSL VPN connections are allowed
          on an interface, admin GUI connections are blocked on that ...
        type: str
      reqclientcert:
        choices:
        - disable
        - enable
        description: Enable/disable to require client certificates for all SSL VPN users.
        type: str
      route-source-interface:
        choices:
        - disable
        - enable
        description: Enable/disable to allow SSL VPN sessions to bypass routing and bind
          to the incoming interface.
        type: str
      saml-redirect-port:
        description: SAML local redirect port in the machine running FortiClient
        type: int
      server-hostname:
        description: Server hostname for HTTPS.
        type: str
      servercert:
        description: Name of the server certificate to be used for SSL VPNs.
        type: str
      source-address:
        description: Source address of incoming traffic.
        type: str
      source-address-negate:
        choices:
        - disable
        - enable
        description: Enable/disable negated source address match.
        type: str
      source-address6:
        description: IPv6 source address of incoming traffic.
        type: str
      source-address6-negate:
        choices:
        - disable
        - enable
        description: Enable/disable negated source IPv6 address match.
        type: str
      source-interface:
        description: SSL VPN source interface of incoming traffic.
        type: str
      ssl-big-buffer:
        choices:
        - disable
        - enable
        description: Disable using the big SSLv3 buffer feature to save memory and force
          higher security.
        type: str
      ssl-client-renegotiation:
        choices:
        - disable
        - enable
        description: Enable/disable to allow client renegotiation by the server if the
          tunnel goes down.
        type: str
      ssl-insert-empty-fragment:
        choices:
        - disable
        - enable
        description: Enable/disable insertion of empty fragment.
        type: str
      ssl-max-proto-ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description: SSL maximum protocol version.
        type: str
      ssl-min-proto-ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description: SSL minimum protocol version.
        type: str
      sslv3:
        choices:
        - disable
        - enable
        description: no description
        type: str
      status:
        choices:
        - disable
        - enable
        description: Enable/disable SSL-VPN.
        type: str
      tlsv1-0:
        choices:
        - disable
        - enable
        description: Enable/disable TLSv1.0.
        type: str
      tlsv1-1:
        choices:
        - disable
        - enable
        description: Enable/disable TLSv1.1.
        type: str
      tlsv1-2:
        choices:
        - disable
        - enable
        description: Enable/disable TLSv1.2.
        type: str
      tlsv1-3:
        choices:
        - disable
        - enable
        description: no description
        type: str
      transform-backward-slashes:
        choices:
        - disable
        - enable
        description: Transform backward slashes to forward slashes in URLs.
        type: str
      tunnel-addr-assigned-method:
        choices:
        - first-available
        - round-robin
        description: Method used for assigning address for tunnel.
        type: str
      tunnel-connect-without-reauth:
        choices:
        - disable
        - enable
        description: Enable/disable tunnel connection without re-authorization if previous
          connection dropped.
        type: str
      tunnel-ip-pools:
        description: Names of the IPv4 IP Pool firewall objects that define the IP addresses
          reserved for remote clients.
        type: str
      tunnel-ipv6-pools:
        description: Names of the IPv6 IP Pool firewall objects that define the IP addresses
          reserved for remote clients.
        type: str
      tunnel-user-session-timeout:
        description: Time out value to clean up user session after tunnel connection is
          dropped
        type: int
      unsafe-legacy-renegotiation:
        choices:
        - disable
        - enable
        description: Enable/disable unsafe legacy re-negotiation.
        type: str
      url-obscuration:
        choices:
        - disable
        - enable
        description: Enable/disable to obscure the host name of the URL of the web browser
          display.
        type: str
      user-peer:
        description: Name of user peer.
        type: str
      web-mode-snat:
        choices:
        - disable
        - enable
        description: Enable/disable use of IP pools defined in firewall policy while using
          web-mode.
        type: str
      wins-server1:
        description: WINS server 1.
        type: str
      wins-server2:
        description: WINS server 2.
        type: str
      x-content-type-options:
        choices:
        - disable
        - enable
        description: Add HTTP X-Content-Type-Options header.
        type: str
      ztna-trusted-client:
        choices:
        - disable
        - enable
        description: Enable/disable verification of device certificate for SSLVPN ZTNA
          session.
        type: str
    type: dict

bypass_validation:
    default: false
    description: Only set to true when the module schema differs from the FortiManager API
      structure; the module then continues to execute without validating parameters.
    required: false
    type: bool

workspace_locking_adom:
    description: The ADOM to lock when FortiManager runs in workspace mode; the value can be
      global or another ADOM, including root.
    required: false
    type: str

forticloud_access_token:
    description: Authenticate Ansible client with forticloud API access token.
    required: false
    type: str

workspace_locking_timeout:
    default: 300
    description: The maximum time in seconds to wait for another user to release the workspace
      lock.
    required: false
    type: int

Outputs

meta:
  contains:
    request_url:
      description: The full url requested.
      returned: always
      sample: /sys/login/user
      type: str
    response_code:
      description: The status of the API request.
      returned: always
      sample: 0
      type: int
    response_data:
      description: The API response.
      returned: always
      type: list
    response_message:
      description: The descriptive message of the API response.
      returned: always
      sample: OK.
      type: str
    system_information:
      description: The information of the target system.
      returned: always
      type: dict
  description: The result of the request.
  returned: always
  type: dict
rc:
  description: The status of the request.
  returned: always
  sample: 0
  type: int
version_check_warning:
  description: Warning if the parameters used in the playbook are not supported by
    the current FortiManager version.
  returned: complex
  type: list