drmofu.fortimanager.fmgr_vpn_ssl_settings (2.2.2) — module
Configure SSL VPN.

Added in version 2.1.0 of drmofu.fortimanager
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
Status: preview | supported by community
Install with: ansible-galaxy collection install drmofu.fortimanager:==2.2.2

Or pin it in a requirements.yml:
collections:
  - name: drmofu.fortimanager
    version: 2.2.2
Synopsis

This module configures the SSL VPN settings (vpn ssl settings) of a FortiGate device or VDOM that is managed by FortiManager; the target is selected with the device and vdom parameters.

Examples

The example below lists every parameter the module accepts. The placeholder values must be replaced with values from your own environment before use.
- hosts: fortimanager-inventory
  collections:
    - drmofu.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # False disables verification of the FortiManager TLS certificate and is only
    # acceptable in a lab; in production set this to True so API credentials and
    # configuration cannot be intercepted by an on-path attacker.
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fmgr_vpn_ssl_settings:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          auth-session-check-source-ip: <value in [disable, enable]>
          auth-timeout: <value of integer>
          authentication-rule:
            - auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client-cert: <value in [disable, enable]>
              groups: <value of string>
              id: <value of integer>
              portal: <value of string>
              realm: <value of string>
              source-address: <value of string>
              source-address-negate: <value in [disable, enable]>
              source-address6: <value of string>
              source-address6-negate: <value in [disable, enable]>
              source-interface: <value of string>
              user-peer: <value of string>
              users: <value of string>
          auto-tunnel-static-route: <value in [disable, enable]>
          # Every permitted value is listed here for reference; a real playbook
          # names only the cipher components that should be banned.
          banned-cipher:
            - RSA
            - DH
            - DHE
            - ECDH
            - ECDHE
            - DSS
            - ECDSA
            - AES
            - AESGCM
            - CAMELLIA
            - 3DES
            - SHA1
            - SHA256
            - SHA384
            - STATIC
            - CHACHA20
            - ARIA
            - AESCCM
          check-referer: <value in [disable, enable]>
          default-portal: <value of string>
          deflate-compression-level: <value of integer>
          deflate-min-data-size: <value of integer>
          dns-server1: <value of string>
          dns-server2: <value of string>
          dns-suffix: <value of string>
          dtls-hello-timeout: <value of integer>
          dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
          dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
          dtls-tunnel: <value in [disable, enable]>
          encode-2f-sequence: <value in [disable, enable]>
          encrypt-and-store-password: <value in [disable, enable]>
          force-two-factor-auth: <value in [disable, enable]>
          header-x-forwarded-for: <value in [pass, add, remove]>
          hsts-include-subdomains: <value in [disable, enable]>
          http-compression: <value in [disable, enable]>
          http-only-cookie: <value in [disable, enable]>
          http-request-body-timeout: <value of integer>
          http-request-header-timeout: <value of integer>
          https-redirect: <value in [disable, enable]>
          idle-timeout: <value of integer>
          ipv6-dns-server1: <value of string>
          ipv6-dns-server2: <value of string>
          ipv6-wins-server1: <value of string>
          ipv6-wins-server2: <value of string>
          login-attempt-limit: <value of integer>
          login-block-time: <value of integer>
          login-timeout: <value of integer>
          port: <value of integer>
          port-precedence: <value in [disable, enable]>
          reqclientcert: <value in [disable, enable]>
          route-source-interface: <value in [disable, enable]>
          servercert: <value of string>
          source-address: <value of string>
          source-address-negate: <value in [disable, enable]>
          source-address6: <value of string>
          source-address6-negate: <value in [disable, enable]>
          source-interface: <value of string>
          ssl-client-renegotiation: <value in [disable, enable]>
          ssl-insert-empty-fragment: <value in [disable, enable]>
          ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          tlsv1-0: <value in [disable, enable]>
          tlsv1-1: <value in [disable, enable]>
          tlsv1-2: <value in [disable, enable]>
          tlsv1-3: <value in [disable, enable]>
          transform-backward-slashes: <value in [disable, enable]>
          tunnel-connect-without-reauth: <value in [disable, enable]>
          tunnel-ip-pools: <value of string>
          tunnel-ipv6-pools: <value of string>
          tunnel-user-session-timeout: <value of integer>
          unsafe-legacy-renegotiation: <value in [disable, enable]>
          url-obscuration: <value in [disable, enable]>
          user-peer: <value of string>
          wins-server1: <value of string>
          wins-server2: <value of string>
          x-content-type-options: <value in [disable, enable]>
          sslv3: <value in [disable, enable]>
          ssl-big-buffer: <value in [disable, enable]>
          client-sigalgs: <value in [no-rsa-pss, all]>
          # All permitted values are shown; these are the TLS 1.3 suites.
          ciphersuite:
            - TLS-AES-128-GCM-SHA256
            - TLS-AES-256-GCM-SHA384
            - TLS-CHACHA20-POLY1305-SHA256
            - TLS-AES-128-CCM-SHA256
            - TLS-AES-128-CCM-8-SHA256
          dual-stack-mode: <value in [disable, enable]>
          tunnel-addr-assigned-method: <value in [first-available, round-robin]>
          browser-language-detection: <value in [disable, enable]>
          saml-redirect-port: <value of integer>
          status: <value in [disable, enable]>
          web-mode-snat: <value in [disable, enable]>
          ztna-trusted-client: <value in [disable, enable]>
          dtls-heartbeat-fail-count: <value of integer>
          dtls-heartbeat-idle-timeout: <value of integer>
          dtls-heartbeat-interval: <value of integer>
          server-hostname: <value of string>
Parameters

Module-level parameters:

device (str, required): The parameter (device) in the requested URL, i.e. the managed device to configure.
vdom (str, required): The parameter (vdom) in the requested URL, i.e. the VDOM on that device.
access_token (str): The token used to access FortiManager without a username and password.
forticloud_access_token (str): Authenticate the Ansible client with a FortiCloud API access token.
enable_log (bool, default: false): Enable/disable logging for the task.
bypass_validation (bool, default: false): Only set to true when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
workspace_locking_adom (str): The ADOM to lock for a FortiManager running in workspace mode; the value can be global or any other ADOM, including root.
workspace_locking_timeout (int, default: 300): The maximum time in seconds to wait for another user to release the workspace lock.
rc_succeeded (list of int): The rc codes with which the conditions to succeed are overridden.
rc_failed (list of int): The rc codes with which the conditions to fail are overridden.
proposed_method (str; choices: update, set, add): The overridden method for the underlying JSON-RPC request.
vpn_ssl_settings (dict): The top-level parameter set. Its sub-options are listed below.

Sub-options of vpn_ssl_settings:

algorithm (str; choices: default, high, low, medium): Force the SSL VPN security level.
auth-session-check-source-ip (str; choices: disable, enable): Enable/disable checking of the source IP for an authentication session.
auth-timeout (int): SSL VPN authentication timeout.
authentication-rule (list of dict): Authentication rules. Each element has the following sub-options:
  auth (str; choices: any, local, radius, ldap, tacacs+, peer): SSL VPN authentication method restriction.
  cipher (str; choices: any, high, medium): SSL VPN cipher strength.
  client-cert (str; choices: disable, enable): Enable/disable the SSL VPN client certificate restriction.
  groups (str): User groups.
  id (int): ID.
  portal (str): SSL VPN portal.
  realm (str): SSL VPN realm.
  source-address (str): Source address of incoming traffic.
  source-address-negate (str; choices: disable, enable): Enable/disable negated source address match.
  source-address6 (str): IPv6 source address of incoming traffic.
  source-address6-negate (str; choices: disable, enable): Enable/disable negated source IPv6 address match.
  source-interface (str): SSL VPN source interface of incoming traffic.
  user-peer (str): Name of user peer.
  users (str): User name.
auto-tunnel-static-route (str; choices: disable, enable): Enable/disable auto-creation of static routes for the SSL VPN tunnel IP addresses.
banned-cipher (list of str; choices: RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM): Cipher components that must not be used in SSL VPN negotiation.
browser-language-detection (str; choices: disable, enable): Enable/disable overriding the configured system language based on the preferred language of the browser.
check-referer (str; choices: disable, enable): Enable/disable verification of the Referer field in the HTTP request header.
ciphersuite (list of str; choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256): TLS 1.3 cipher suites to enable (all permitted values are TLS 1.3 suites).
client-sigalgs (str; choices: no-rsa-pss, all): Set signature algorithms related to client authentication.
default-portal (str): Default SSL VPN portal.
deflate-compression-level (int): Compression level.
deflate-min-data-size (int): Minimum amount of data that triggers compression.
dns-server1 (str): DNS server 1.
dns-server2 (str): DNS server 2.
dns-suffix (str): DNS suffix used for SSL VPN clients.
dtls-heartbeat-fail-count (int): Number of missing heartbeats before the connection is considered dropped.
dtls-heartbeat-idle-timeout (int): Idle timeout before a DTLS heartbeat is sent.
dtls-heartbeat-interval (int): Interval between DTLS heartbeats.
dtls-hello-timeout (int): SSL VPN maximum DTLS hello timeout.
dtls-max-proto-ver (str; choices: dtls1-0, dtls1-2): DTLS maximum protocol version.
dtls-min-proto-ver (str; choices: dtls1-0, dtls1-2): DTLS minimum protocol version.
dtls-tunnel (str; choices: disable, enable): Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
dual-stack-mode (str; choices: disable, enable): Tunnel mode: enable/disable dual-stack (IPv4 and IPv6) operation.
encode-2f-sequence (str; choices: disable, enable): Encode the 2F sequence to a forward slash in URLs.
encrypt-and-store-password (str; choices: disable, enable): Encrypt and store user passwords for SSL VPN web sessions.
force-two-factor-auth (str; choices: disable, enable): Enable/disable allowing only PKI users with two-factor authentication for SSL VPNs.
header-x-forwarded-for (str; choices: pass, add, remove): Forward the same, add, or remove the HTTP X-Forwarded-For header.
hsts-include-subdomains (str; choices: disable, enable): Add the HSTS includeSubDomains response header.
http-compression (str; choices: disable, enable): Enable/disable HTTP compression over SSL VPN tunnels.
http-only-cookie (str; choices: disable, enable): Enable/disable SSL VPN support for HttpOnly cookies.
http-request-body-timeout (int): The SSL VPN session is disconnected if an HTTP request body is not received within this time.
http-request-header-timeout (int): The SSL VPN session is disconnected if an HTTP request header is not received within this time.
https-redirect (str; choices: disable, enable): Enable/disable redirect of port 80 to the SSL VPN port.
idle-timeout (int): SSL VPN disconnects if idle for the specified time in seconds.
ipv6-dns-server1 (str): IPv6 DNS server 1.
ipv6-dns-server2 (str): IPv6 DNS server 2.
ipv6-wins-server1 (str): IPv6 WINS server 1.
ipv6-wins-server2 (str): IPv6 WINS server 2.
login-attempt-limit (int): Maximum number of SSL VPN login attempts before the user is blocked.
login-block-time (int): Time for which a user is blocked from logging in after too many failed login attempts.
login-timeout (int): SSL VPN maximum login timeout.
port (int): SSL VPN access port.
port-precedence (str; choices: disable, enable): Enable/disable; enable means that if SSL VPN connections are allowed on an interface, admin GUI connections are blocked on that ...
reqclientcert (str; choices: disable, enable): Enable/disable requiring client certificates for all SSL VPN users.
route-source-interface (str; choices: disable, enable): Enable/disable allowing SSL VPN sessions to bypass routing and bind to the incoming interface.
saml-redirect-port (int): SAML local redirect port on the machine running FortiClient.
server-hostname (str): Server hostname for HTTPS.
servercert (str): Name of the server certificate to be used for SSL VPNs.
source-address (str): Source address of incoming traffic.
source-address-negate (str; choices: disable, enable): Enable/disable negated source address match.
source-address6 (str): IPv6 source address of incoming traffic.
source-address6-negate (str; choices: disable, enable): Enable/disable negated source IPv6 address match.
source-interface (str): SSL VPN source interface of incoming traffic.
ssl-big-buffer (str; choices: disable, enable): Disable using the big SSLv3 buffer feature to save memory and force higher security.
ssl-client-renegotiation (str; choices: disable, enable): Enable/disable allowing client renegotiation by the server if the tunnel goes down.
ssl-insert-empty-fragment (str; choices: disable, enable): Enable/disable insertion of an empty fragment.
ssl-max-proto-ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3): SSL maximum protocol version.
ssl-min-proto-ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3): SSL minimum protocol version.
sslv3 (str; choices: disable, enable): Enable/disable SSLv3.
status (str; choices: disable, enable): Enable/disable SSL VPN.
tlsv1-0 (str; choices: disable, enable): Enable/disable TLSv1.0.
tlsv1-1 (str; choices: disable, enable): Enable/disable TLSv1.1.
tlsv1-2 (str; choices: disable, enable): Enable/disable TLSv1.2.
tlsv1-3 (str; choices: disable, enable): Enable/disable TLSv1.3.
transform-backward-slashes (str; choices: disable, enable): Transform backward slashes to forward slashes in URLs.
tunnel-addr-assigned-method (str; choices: first-available, round-robin): Method used for assigning addresses for the tunnel.
tunnel-connect-without-reauth (str; choices: disable, enable): Enable/disable tunnel connection without re-authorization if the previous connection dropped.
tunnel-ip-pools (str): Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
tunnel-ipv6-pools (str): Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
tunnel-user-session-timeout (int): Timeout value to clean up the user session after the tunnel connection is dropped.
unsafe-legacy-renegotiation (str; choices: disable, enable): Enable/disable unsafe legacy renegotiation.
url-obscuration (str; choices: disable, enable): Enable/disable obscuring the host name of the URL in the web browser display.
user-peer (str): Name of user peer.
web-mode-snat (str; choices: disable, enable): Enable/disable use of IP pools defined in the firewall policy while using web mode.
wins-server1 (str): WINS server 1.
wins-server2 (str): WINS server 2.
x-content-type-options (str; choices: disable, enable): Add the HTTP X-Content-Type-Options header.
ztna-trusted-client (str; choices: disable, enable): Enable/disable verification of the device certificate for SSL VPN ZTNA sessions.
Return Values

meta (dict, returned: always): The result of the request. Contains:
  request_url (str, returned: always): The full URL requested. Sample: /sys/login/user
  response_code (int, returned: always): The status of the API request. Sample: 0
  response_data (list, returned: always): The API response.
  response_message (str, returned: always): The descriptive message of the API response. Sample: OK.
  system_information (dict, returned: always): Information about the target system.
rc (int, returned: always): The status of the request. Sample: 0
version_check_warning (list, returned: complex): Warning if the parameters used in the playbook are not supported by the current FortiManager version.
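The reference example above enumerates every parameter without saying which values matter for security, and the return values above are documented without showing how a playbook consumes them. The playbook below is an added example written for this page, not part of the drmofu.fortimanager collection. It uses only parameters and return keys documented here; the ADOM, device, VDOM, certificate and IP-pool names (branch-adom, fgt-branch-01, root, sslvpn-corp, SSLVPN_TUNNEL_ADDR1) and the numeric timeouts are hypothetical placeholders to replace with your own.

```yaml
# Added example (not from the collection): harden the SSL VPN transport and
# web-mode settings on one managed FortiGate, then verify the FortiManager
# JSON-RPC result instead of assuming success. All names are hypothetical.
- hosts: fortimanager-inventory
  collections:
    - drmofu.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # Verify the FortiManager certificate; with False an on-path attacker can
    # read the API session, the credentials behind it, and the pushed config.
    ansible_httpapi_validate_certs: True
    ansible_httpapi_port: 443
  tasks:
    - name: Harden SSL VPN settings on fgt-branch-01 / root
      fmgr_vpn_ssl_settings:
        workspace_locking_adom: branch-adom          # hypothetical ADOM
        workspace_locking_timeout: 300
        device: fgt-branch-01                         # hypothetical device
        vdom: root
        vpn_ssl_settings:
          status: enable
          port: 10443
          servercert: sslvpn-corp                     # hypothetical CA-issued cert
          # Transport: TLS 1.2 and 1.3 only. TLS 1.0/1.1 are deprecated (RFC 8996)
          # and SSLv3 is broken; the per-version switches are set to match the
          # min/max range so neither setting silently re-enables an old version.
          ssl-min-proto-ver: tls1-2
          ssl-max-proto-ver: tls1-3
          sslv3: disable
          tlsv1-0: disable
          tlsv1-1: disable
          tlsv1-2: enable
          tlsv1-3: enable
          dtls-tunnel: enable
          dtls-min-proto-ver: dtls1-2
          dtls-max-proto-ver: dtls1-2
          algorithm: high
          # Unlike the all-values list in the reference example, list only what
          # you actually want banned: 3DES and SHA1 are weak, DSS is obsolete,
          # STATIC (non-ephemeral key exchange) gives no forward secrecy.
          banned-cipher:
            - 3DES
            - DSS
            - SHA1
            - STATIC
          # TLS 1.3 suites: keep the AEAD GCM/ChaCha20 suites, drop the
          # truncated-tag CCM-8 suite.
          ciphersuite:
            - TLS-AES-256-GCM-SHA384
            - TLS-AES-128-GCM-SHA256
            - TLS-CHACHA20-POLY1305-SHA256
          ssl-client-renegotiation: disable
          unsafe-legacy-renegotiation: disable
          ssl-big-buffer: disable
          # Web mode: hardening headers and session binding.
          hsts-include-subdomains: enable
          http-only-cookie: enable
          x-content-type-options: enable
          check-referer: enable
          auth-session-check-source-ip: enable
          encrypt-and-store-password: disable
          # Brute-force limits and timeouts (values are placeholders).
          login-attempt-limit: 3
          login-block-time: 300
          idle-timeout: 600
          tunnel-ip-pools: SSLVPN_TUNNEL_ADDR1        # hypothetical pool name
          # reqclientcert: enable   # turn on only once every user has a client cert
      register: sslvpn_result

    # rc and meta.response_code carry the FortiManager status (0 = success).
    # version_check_warning lists parameters the connected FortiManager version
    # does not support; a non-empty list means part of the hardening was
    # silently dropped, which is worth failing the play over.
    - name: Verify FortiManager accepted every hardening parameter
      ansible.builtin.assert:
        that:
          - sslvpn_result.rc == 0
          - sslvpn_result.meta.response_code == 0
          - (sslvpn_result.version_check_warning | default([])) | length == 0
        fail_msg: >-
          FortiManager answered {{ sslvpn_result.meta.response_message }};
          unsupported parameters: {{ sslvpn_result.version_check_warning | default([]) }}
```

The assert task is deliberate: the module already fails on a non-zero rc unless rc_succeeded overrides it, but version_check_warning is only a warning, so without the explicit check a playbook run against an older FortiManager can report success while, for example, the tlsv1-3 or ciphersuite settings were never applied.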