fortinet.fortimanager.fmgr_vpn_ssl_settings (2.4.0) — module

Configure SSL VPN.

Added in version 2.1.0 of fortinet.fortimanager

Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortimanager:==2.4.0


Add to requirements.yml

  collections:
    - name: fortinet.fortimanager
      version: 2.4.0

Description

This module is able to configure a FortiManager device.

The examples include every parameter; the placeholder values must be adjusted to your own data sources before use.

Usage examples

# Example playbook for fmgr_vpn_ssl_settings, generated from the argument schema.
# Every <...> placeholder must be replaced with a concrete value; the accepted
# choices for each key are listed under Inputs further down this page.
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # NOTE(review): false skips verification of the FortiManager's TLS
    # certificate on the management connection; set it to true once the
    # FortiManager presents a certificate the controller trusts.
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        # bypass_validation: false
        # The lock applies only to a FortiManager running in workspace mode.
        workspace_locking_adom: <value in [global, custom adom including root]>
        # Seconds to wait for another user to release the workspace lock.
        workspace_locking_timeout: 300
        # Optional overrides of which rc codes count as success / failure.
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        # Both are required; they are substituted into the request URL.
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          # Checks the source IP of an authentication session.
          auth_session_check_source_ip: <value in [disable, enable]>
          auth_timeout: <integer>
          # One list entry per rule; groups, users and source_* accept a list or a string.
          authentication_rule:
            -
              auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client_cert: <value in [disable, enable]>
              groups: <list or string>
              id: <integer>
              portal: <string>
              realm: <string>
              source_address: <list or string>
              source_address_negate: <value in [disable, enable]>
              source_address6: <list or string>
              source_address6_negate: <value in [disable, enable]>
              source_interface: <list or string>
              user_peer: <string>
              users: <list or string>
          auto_tunnel_static_route: <value in [disable, enable]>
          # Every choice the schema accepts is listed; keep only the entries to ban.
          banned_cipher:
            - RSA
            - DH
            - DHE
            - ECDH
            - ECDHE
            - DSS
            - ECDSA
            - AES
            - AESGCM
            - CAMELLIA
            - 3DES
            - SHA1
            - SHA256
            - SHA384
            - STATIC
            - CHACHA20
            - ARIA
            - AESCCM
          # Verifies the Referer field of the HTTP request header.
          check_referer: <value in [disable, enable]>
          default_portal: <string>
          deflate_compression_level: <integer>
          deflate_min_data_size: <integer>
          dns_server1: <string>
          dns_server2: <string>
          dns_suffix: <string>
          dtls_hello_timeout: <integer>
          dtls_max_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_min_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_tunnel: <value in [disable, enable]>
          encode_2f_sequence: <value in [disable, enable]>
          # Encrypts and stores user passwords for SSL VPN web sessions.
          encrypt_and_store_password: <value in [disable, enable]>
          force_two_factor_auth: <value in [disable, enable]>
          header_x_forwarded_for: <value in [pass, add, remove]>
          # Adds includeSubDomains to the HSTS response header.
          hsts_include_subdomains: <value in [disable, enable]>
          http_compression: <value in [disable, enable]>
          # HttpOnly cookies for SSL VPN web sessions.
          http_only_cookie: <value in [disable, enable]>
          http_request_body_timeout: <integer>
          http_request_header_timeout: <integer>
          https_redirect: <value in [disable, enable]>
          idle_timeout: <integer>
          ipv6_dns_server1: <string>
          ipv6_dns_server2: <string>
          ipv6_wins_server1: <string>
          ipv6_wins_server2: <string>
          # Failed-login limit and the block time applied once it is reached.
          login_attempt_limit: <integer>
          login_block_time: <integer>
          login_timeout: <integer>
          port: <integer>
          port_precedence: <value in [disable, enable]>
          # enable requires client certificates for all SSL VPN users.
          reqclientcert: <value in [disable, enable]>
          route_source_interface: <value in [disable, enable]>
          # Name of the server certificate used for SSL VPN.
          servercert: <string>
          source_address: <list or string>
          source_address_negate: <value in [disable, enable]>
          source_address6: <list or string>
          source_address6_negate: <value in [disable, enable]>
          source_interface: <list or string>
          ssl_client_renegotiation: <value in [disable, enable]>
          ssl_insert_empty_fragment: <value in [disable, enable]>
          # Inputs lists tls1-0 through tls1-3 for both bounds.
          ssl_max_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl_min_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          # Per-version protocol toggles; Inputs gives each as enable/disable.
          tlsv1_0: <value in [disable, enable]>
          tlsv1_1: <value in [disable, enable]>
          tlsv1_2: <value in [disable, enable]>
          tlsv1_3: <value in [disable, enable]>
          transform_backward_slashes: <value in [disable, enable]>
          tunnel_connect_without_reauth: <value in [disable, enable]>
          tunnel_ip_pools: <list or string>
          tunnel_ipv6_pools: <list or string>
          tunnel_user_session_timeout: <integer>
          # Toggles the re-negotiation mode the schema itself labels unsafe;
          # leave disabled unless a specific client needs it.
          unsafe_legacy_renegotiation: <value in [disable, enable]>
          url_obscuration: <value in [disable, enable]>
          user_peer: <string>
          wins_server1: <string>
          wins_server2: <string>
          # Adds the X-Content-Type-Options response header.
          x_content_type_options: <value in [disable, enable]>
          # No description in the schema; enable/disable only.
          sslv3: <value in [disable, enable]>
          ssl_big_buffer: <value in [disable, enable]>
          client_sigalgs: <value in [no-rsa-pss, all]>
          # Schema choices listed; the schema carries no description for this key.
          ciphersuite:
            - TLS-AES-128-GCM-SHA256
            - TLS-AES-256-GCM-SHA384
            - TLS-CHACHA20-POLY1305-SHA256
            - TLS-AES-128-CCM-SHA256
            - TLS-AES-128-CCM-8-SHA256
          dual_stack_mode: <value in [disable, enable]>
          tunnel_addr_assigned_method: <value in [first-available, round-robin]>
          browser_language_detection: <value in [disable, enable]>
          saml_redirect_port: <integer>
          status: <value in [disable, enable]>
          web_mode_snat: <value in [disable, enable]>
          # Verifies the device certificate for SSL VPN ZTNA sessions.
          ztna_trusted_client: <value in [disable, enable]>
          dtls_heartbeat_fail_count: <integer>
          dtls_heartbeat_idle_timeout: <integer>
          dtls_heartbeat_interval: <integer>
          server_hostname: <string>

Inputs

    
vdom:
    description: The parameter (vdom) in the requested URL.
    required: true
    type: str

device:
    description: The parameter (device) in the requested URL.
    required: true
    type: str

rc_failed:
    description: The rc codes list with which the conditions to fail will be overridden.
    elements: int
    type: list

enable_log:
    default: false
    description: Enable/Disable logging for task.
    type: bool

access_token:
    description: The token to access FortiManager without using username and password.
    type: str

rc_succeeded:
    description: The rc codes list with which the conditions to succeed will be overridden.
    elements: int
    type: list

proposed_method:
    choices:
    - update
    - set
    - add
    description: The overridden method for the underlying JSON-RPC request.
    type: str

vpn_ssl_settings:
    description: The top level parameters set.
    required: false
    suboptions:
      algorithm:
        choices:
        - default
        - high
        - low
        - medium
        description: Force the SSL VPN security level.
        type: str
      auth-session-check-source-ip:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to auth_session_check_source_ip. Enable/disable
          checking of source IP for authentication session.
        type: str
      auth-timeout:
        description: Deprecated, please rename it to auth_timeout. SSL VPN authentication
          timeout
        type: int
      authentication-rule:
        description: Deprecated, please rename it to authentication_rule.
        elements: dict
        suboptions:
          auth:
            choices:
            - any
            - local
            - radius
            - ldap
            - tacacs+
            - peer
            description: SSL VPN authentication method restriction.
            type: str
          cipher:
            choices:
            - any
            - high
            - medium
            description: SSL VPN cipher strength.
            type: str
          client-cert:
            choices:
            - disable
            - enable
            description: Deprecated, please rename it to client_cert. Enable/disable SSL
              VPN client certificate restrictive.
            type: str
          groups:
            description: (list or str) User groups.
            type: raw
          id:
            description: ID
            type: int
          portal:
            description: SSL VPN portal.
            type: str
          realm:
            description: SSL VPN realm.
            type: str
          source-address:
            description: (list or str) Deprecated, please rename it to source_address.
              Source address of incoming traffic.
            type: raw
          source-address-negate:
            choices:
            - disable
            - enable
            description: Deprecated, please rename it to source_address_negate. Enable/disable
              negated source address match.
            type: str
          source-address6:
            description: (list or str) Deprecated, please rename it to source_address6.
              IPv6 source address of incoming traffic.
            type: raw
          source-address6-negate:
            choices:
            - disable
            - enable
            description: Deprecated, please rename it to source_address6_negate. Enable/disable
              negated source IPv6 address match.
            type: str
          source-interface:
            description: (list or str) Deprecated, please rename it to source_interface.
              SSL VPN source interface of incoming traffic.
            type: raw
          user-peer:
            description: Deprecated, please rename it to user_peer. Name of user peer.
            type: str
          users:
            description: (list or str) User name.
            type: raw
        type: list
      auto-tunnel-static-route:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to auto_tunnel_static_route. Enable/disable
          to auto-create static routes for the SSL VPN tunn...
        type: str
      banned-cipher:
        choices:
        - RSA
        - DH
        - DHE
        - ECDH
        - ECDHE
        - DSS
        - ECDSA
        - AES
        - AESGCM
        - CAMELLIA
        - 3DES
        - SHA1
        - SHA256
        - SHA384
        - STATIC
        - CHACHA20
        - ARIA
        - AESCCM
        description: Deprecated, please rename it to banned_cipher.
        elements: str
        type: list
      browser-language-detection:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to browser_language_detection. Enable/disable
          overriding the configured system language based...
        type: str
      check-referer:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to check_referer. Enable/disable verification
          of referer field in HTTP request header.
        type: str
      ciphersuite:
        choices:
        - TLS-AES-128-GCM-SHA256
        - TLS-AES-256-GCM-SHA384
        - TLS-CHACHA20-POLY1305-SHA256
        - TLS-AES-128-CCM-SHA256
        - TLS-AES-128-CCM-8-SHA256
        description: No description.
        elements: str
        type: list
      client-sigalgs:
        choices:
        - no-rsa-pss
        - all
        description: Deprecated, please rename it to client_sigalgs. Set signature algorithms
          related to client authentication.
        type: str
      default-portal:
        description: Deprecated, please rename it to default_portal. Default SSL VPN portal.
        type: str
      deflate-compression-level:
        description: Deprecated, please rename it to deflate_compression_level. Compression
          level
        type: int
      deflate-min-data-size:
        description: Deprecated, please rename it to deflate_min_data_size. Minimum amount
          of data that triggers compression
        type: int
      dns-server1:
        description: Deprecated, please rename it to dns_server1. DNS server 1.
        type: str
      dns-server2:
        description: Deprecated, please rename it to dns_server2. DNS server 2.
        type: str
      dns-suffix:
        description: Deprecated, please rename it to dns_suffix. DNS suffix used for SSL
          VPN clients.
        type: str
      dtls-heartbeat-fail-count:
        description: Deprecated, please rename it to dtls_heartbeat_fail_count. Number
          of missing heartbeats before the connection is considere...
        type: int
      dtls-heartbeat-idle-timeout:
        description: Deprecated, please rename it to dtls_heartbeat_idle_timeout. Idle
          timeout before DTLS heartbeat is sent.
        type: int
      dtls-heartbeat-interval:
        description: Deprecated, please rename it to dtls_heartbeat_interval. Interval
          between DTLS heartbeat.
        type: int
      dtls-hello-timeout:
        description: Deprecated, please rename it to dtls_hello_timeout. SSLVPN maximum
          DTLS hello timeout
        type: int
      dtls-max-proto-ver:
        choices:
        - dtls1-0
        - dtls1-2
        description: Deprecated, please rename it to dtls_max_proto_ver. DTLS maximum
          protocol version.
        type: str
      dtls-min-proto-ver:
        choices:
        - dtls1-0
        - dtls1-2
        description: Deprecated, please rename it to dtls_min_proto_ver. DTLS minimum
          protocol version.
        type: str
      dtls-tunnel:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to dtls_tunnel. Enable/disable DTLS
          to prevent eavesdropping, tampering, or message forgery.
        type: str
      dual-stack-mode:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to dual_stack_mode. Tunnel mode
        type: str
      encode-2f-sequence:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to encode_2f_sequence. Encode 2F sequence
          to forward slash in URLs.
        type: str
      encrypt-and-store-password:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to encrypt_and_store_password. Encrypt
          and store user passwords for SSL VPN web sessions.
        type: str
      force-two-factor-auth:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to force_two_factor_auth. Enable/disable
          only PKI users with two-factor authentication for SS...
        type: str
      header-x-forwarded-for:
        choices:
        - pass
        - add
        - remove
        description: Deprecated, please rename it to header_x_forwarded_for. Forward the
          same, add, or remove HTTP header.
        type: str
      hsts-include-subdomains:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to hsts_include_subdomains. Add HSTS
          includeSubDomains response header.
        type: str
      http-compression:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to http_compression. Enable/disable
          to allow HTTP compression over SSL VPN tunnels.
        type: str
      http-only-cookie:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to http_only_cookie. Enable/disable
          SSL VPN support for HttpOnly cookies.
        type: str
      http-request-body-timeout:
        description: Deprecated, please rename it to http_request_body_timeout. SSL VPN
          session is disconnected if an HTTP request body is not ...
        type: int
      http-request-header-timeout:
        description: Deprecated, please rename it to http_request_header_timeout. SSL
          VPN session is disconnected if an HTTP request header is ...
        type: int
      https-redirect:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to https_redirect. Enable/disable redirect
          of port 80 to SSL VPN port.
        type: str
      idle-timeout:
        description: Deprecated, please rename it to idle_timeout. SSL VPN disconnects
          if idle for specified time in seconds.
        type: int
      ipv6-dns-server1:
        description: Deprecated, please rename it to ipv6_dns_server1. IPv6 DNS server
          1.
        type: str
      ipv6-dns-server2:
        description: Deprecated, please rename it to ipv6_dns_server2. IPv6 DNS server
          2.
        type: str
      ipv6-wins-server1:
        description: Deprecated, please rename it to ipv6_wins_server1. IPv6 WINS server
          1.
        type: str
      ipv6-wins-server2:
        description: Deprecated, please rename it to ipv6_wins_server2. IPv6 WINS server
          2.
        type: str
      login-attempt-limit:
        description: Deprecated, please rename it to login_attempt_limit. SSL VPN maximum
          login attempt times before block
        type: int
      login-block-time:
        description: Deprecated, please rename it to login_block_time. Time for which
          a user is blocked from logging in after too many failed l...
        type: int
      login-timeout:
        description: Deprecated, please rename it to login_timeout. SSLVPN maximum login
          timeout
        type: int
      port:
        description: SSL VPN access port
        type: int
      port-precedence:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to port_precedence. Enable/disable,
          Enable means that if SSL VPN connections are allowed on a...
        type: str
      reqclientcert:
        choices:
        - disable
        - enable
        description: Enable/disable to require client certificates for all SSL VPN users.
        type: str
      route-source-interface:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to route_source_interface. Enable/disable
          to allow SSL VPN sessions to bypass routing and bin...
        type: str
      saml-redirect-port:
        description: Deprecated, please rename it to saml_redirect_port. SAML local redirect
          port in the machine running FortiClient
        type: int
      server-hostname:
        description: Deprecated, please rename it to server_hostname. Server hostname
          for HTTPS.
        type: str
      servercert:
        description: Name of the server certificate to be used for SSL VPNs.
        type: str
      source-address:
        description: (list or str) Deprecated, please rename it to source_address. Source
          address of incoming traffic.
        type: raw
      source-address-negate:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to source_address_negate. Enable/disable
          negated source address match.
        type: str
      source-address6:
        description: (list or str) Deprecated, please rename it to source_address6. IPv6
          source address of incoming traffic.
        type: raw
      source-address6-negate:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to source_address6_negate. Enable/disable
          negated source IPv6 address match.
        type: str
      source-interface:
        description: (list or str) Deprecated, please rename it to source_interface. SSL
          VPN source interface of incoming traffic.
        type: raw
      ssl-big-buffer:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to ssl_big_buffer. Disable using the
          big SSLv3 buffer feature to save memory and force higher...
        type: str
      ssl-client-renegotiation:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to ssl_client_renegotiation. Enable/disable
          to allow client renegotiation by the server if th...
        type: str
      ssl-insert-empty-fragment:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to ssl_insert_empty_fragment. Enable/disable
          insertion of empty fragment.
        type: str
      ssl-max-proto-ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description: Deprecated, please rename it to ssl_max_proto_ver. SSL maximum protocol
          version.
        type: str
      ssl-min-proto-ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description: Deprecated, please rename it to ssl_min_proto_ver. SSL minimum protocol
          version.
        type: str
      sslv3:
        choices:
        - disable
        - enable
        description: No description.
        type: str
      status:
        choices:
        - disable
        - enable
        description: Enable/disable SSL-VPN.
        type: str
      tlsv1-0:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to tlsv1_0. Enable/disable TLSv1.0.
        type: str
      tlsv1-1:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to tlsv1_1. Enable/disable TLSv1.1.
        type: str
      tlsv1-2:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to tlsv1_2. Enable/disable TLSv1.2.
        type: str
      tlsv1-3:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to tlsv1_3.
        type: str
      transform-backward-slashes:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to transform_backward_slashes. Transform
          backward slashes to forward slashes in URLs.
        type: str
      tunnel-addr-assigned-method:
        choices:
        - first-available
        - round-robin
        description: Deprecated, please rename it to tunnel_addr_assigned_method. Method
          used for assigning address for tunnel.
        type: str
      tunnel-connect-without-reauth:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to tunnel_connect_without_reauth. Enable/disable
          tunnel connection without re-authorization i...
        type: str
      tunnel-ip-pools:
        description: (list or str) Deprecated, please rename it to tunnel_ip_pools. Names
          of the IPv4 IP Pool firewall objects that define the ...
        type: raw
      tunnel-ipv6-pools:
        description: (list or str) Deprecated, please rename it to tunnel_ipv6_pools.
          Names of the IPv6 IP Pool firewall objects that define th...
        type: raw
      tunnel-user-session-timeout:
        description: Deprecated, please rename it to tunnel_user_session_timeout. Time
          out value to clean up user session after tunnel connecti...
        type: int
      unsafe-legacy-renegotiation:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to unsafe_legacy_renegotiation. Enable/disable
          unsafe legacy re-negotiation.
        type: str
      url-obscuration:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to url_obscuration. Enable/disable to
          obscure the host name of the URL of the web browser dis...
        type: str
      user-peer:
        description: Deprecated, please rename it to user_peer. Name of user peer.
        type: str
      web-mode-snat:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to web_mode_snat. Enable/disable use
          of IP pools defined in firewall policy while using web-mode.
        type: str
      wins-server1:
        description: Deprecated, please rename it to wins_server1. WINS server 1.
        type: str
      wins-server2:
        description: Deprecated, please rename it to wins_server2. WINS server 2.
        type: str
      x-content-type-options:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to x_content_type_options. Add HTTP
          X-Content-Type-Options header.
        type: str
      ztna-trusted-client:
        choices:
        - disable
        - enable
        description: Deprecated, please rename it to ztna_trusted_client. Enable/disable
          verification of device certificate for SSLVPN ZTNA ses...
        type: str
    type: dict

bypass_validation:
    default: false
    description: Only set to true when the module schema differs from the FortiManager API
      structure; the module then continues to execute without validating parameters.
    type: bool

workspace_locking_adom:
    description: The ADOM to lock for a FortiManager running in workspace mode; the value
      can be global or a custom ADOM, including root.
    type: str

forticloud_access_token:
    description: Authenticate Ansible client with forticloud API access token.
    type: str

workspace_locking_timeout:
    default: 300
    description: The maximum time in seconds to wait for another user to release the
      workspace lock.
    type: int

Outputs

meta:
  contains:
    request_url:
      description: The full url requested.
      returned: always
      sample: /sys/login/user
      type: str
    response_code:
      description: The status of api request.
      returned: always
      sample: 0
      type: int
    response_data:
      description: The api response.
      returned: always
      type: list
    response_message:
      description: The descriptive message of the api response.
      returned: always
      sample: OK.
      type: str
    system_information:
      description: The information of the target system.
      returned: always
      type: dict
  description: The result of the request.
  returned: always
  type: dict
rc:
  description: The status of the request.
  returned: always
  sample: 0
  type: int
version_check_warning:
  description: Warning if the parameters used in the playbook are not supported by
    the current FortiManager version.
  returned: complex
  type: list