fortinet.fortimanager.fmgr_vpn_ssl_settings (2.4.0) module: Configure SSL VPN.
Added in version 2.1.0 of fortinet.fortimanager.
Authors: Xinwei Du (@dux-fortinet), Xing Li (@lix-fortinet), Jie Xue (@JieX19), Link Zheng (@chillancezen), Frank Shen (@fshen01), Hongbin Lu (@fgtdev-hblu)
Status: preview, supported by community.
Install with ansible-galaxy collection install fortinet.fortimanager:==2.4.0
Or declare it in a requirements file:
collections:
  - name: fortinet.fortimanager
    version: 2.4.0
This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          auth_session_check_source_ip: <value in [disable, enable]>
          auth_timeout: <integer>
          authentication_rule:
            - auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client_cert: <value in [disable, enable]>
              groups: <list or string>
              id: <integer>
              portal: <string>
              realm: <string>
              source_address: <list or string>
              source_address_negate: <value in [disable, enable]>
              source_address6: <list or string>
              source_address6_negate: <value in [disable, enable]>
              source_interface: <list or string>
              user_peer: <string>
              users: <list or string>
          auto_tunnel_static_route: <value in [disable, enable]>
          banned_cipher:
            - RSA
            - DH
            - DHE
            - ECDH
            - ECDHE
            - DSS
            - ECDSA
            - AES
            - AESGCM
            - CAMELLIA
            - 3DES
            - SHA1
            - SHA256
            - SHA384
            - STATIC
            - CHACHA20
            - ARIA
            - AESCCM
          check_referer: <value in [disable, enable]>
          default_portal: <string>
          deflate_compression_level: <integer>
          deflate_min_data_size: <integer>
          dns_server1: <string>
          dns_server2: <string>
          dns_suffix: <string>
          dtls_hello_timeout: <integer>
          dtls_max_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_min_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_tunnel: <value in [disable, enable]>
          encode_2f_sequence: <value in [disable, enable]>
          encrypt_and_store_password: <value in [disable, enable]>
          force_two_factor_auth: <value in [disable, enable]>
          header_x_forwarded_for: <value in [pass, add, remove]>
          hsts_include_subdomains: <value in [disable, enable]>
          http_compression: <value in [disable, enable]>
          http_only_cookie: <value in [disable, enable]>
          http_request_body_timeout: <integer>
          http_request_header_timeout: <integer>
          https_redirect: <value in [disable, enable]>
          idle_timeout: <integer>
          ipv6_dns_server1: <string>
          ipv6_dns_server2: <string>
          ipv6_wins_server1: <string>
          ipv6_wins_server2: <string>
          login_attempt_limit: <integer>
          login_block_time: <integer>
          login_timeout: <integer>
          port: <integer>
          port_precedence: <value in [disable, enable]>
          reqclientcert: <value in [disable, enable]>
          route_source_interface: <value in [disable, enable]>
          servercert: <string>
          source_address: <list or string>
          source_address_negate: <value in [disable, enable]>
          source_address6: <list or string>
          source_address6_negate: <value in [disable, enable]>
          source_interface: <list or string>
          ssl_client_renegotiation: <value in [disable, enable]>
          ssl_insert_empty_fragment: <value in [disable, enable]>
          ssl_max_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl_min_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          tlsv1_0: <value in [disable, enable]>
          tlsv1_1: <value in [disable, enable]>
          tlsv1_2: <value in [disable, enable]>
          tlsv1_3: <value in [disable, enable]>
          transform_backward_slashes: <value in [disable, enable]>
          tunnel_connect_without_reauth: <value in [disable, enable]>
          tunnel_ip_pools: <list or string>
          tunnel_ipv6_pools: <list or string>
          tunnel_user_session_timeout: <integer>
          unsafe_legacy_renegotiation: <value in [disable, enable]>
          url_obscuration: <value in [disable, enable]>
          user_peer: <string>
          wins_server1: <string>
          wins_server2: <string>
          x_content_type_options: <value in [disable, enable]>
          sslv3: <value in [disable, enable]>
          ssl_big_buffer: <value in [disable, enable]>
          client_sigalgs: <value in [no-rsa-pss, all]>
          ciphersuite:
            - TLS-AES-128-GCM-SHA256
            - TLS-AES-256-GCM-SHA384
            - TLS-CHACHA20-POLY1305-SHA256
            - TLS-AES-128-CCM-SHA256
            - TLS-AES-128-CCM-8-SHA256
          dual_stack_mode: <value in [disable, enable]>
          tunnel_addr_assigned_method: <value in [first-available, round-robin]>
          browser_language_detection: <value in [disable, enable]>
          saml_redirect_port: <integer>
          status: <value in [disable, enable]>
          web_mode_snat: <value in [disable, enable]>
          ztna_trusted_client: <value in [disable, enable]>
          dtls_heartbeat_fail_count: <integer>
          dtls_heartbeat_idle_timeout: <integer>
          dtls_heartbeat_interval: <integer>
          server_hostname: <string>
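A concrete hardening playbook for this module, added here as an illustration; it is not part of the collection's own documentation. The inventory group, device and VDOM names, port, DNS values, certificate and IP pool object names are placeholders or constructed values; the option names and allowed values are those listed in the argument schema.

```yaml
- name: Harden SSL VPN settings on a managed FortiGate
  hosts: fortimanagers          # assumption: inventory group holding the FortiManager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate (the generated example turns this off)
    ansible_httpapi_port: 443
  tasks:
    - name: Enforce modern TLS and conservative session handling
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        workspace_locking_adom: root      # ADOM to lock when FortiManager runs in workspace mode
        workspace_locking_timeout: 300
        device: FGT-BRANCH-01             # placeholder: managed device name
        vdom: root                        # placeholder: target VDOM
        vpn_ssl_settings:
          status: enable
          port: 10443                     # constructed value
          servercert: PLACEHOLDER-SERVER-CERT   # placeholder: CA-issued server certificate object
          # Protocol floor: TLS 1.2 minimum; SSLv3 and TLS 1.0/1.1 switched off explicitly
          ssl_min_proto_ver: tls1-2
          ssl_max_proto_ver: tls1-3
          sslv3: disable
          tlsv1_0: disable
          tlsv1_1: disable
          tlsv1_2: enable
          tlsv1_3: enable
          dtls_min_proto_ver: dtls1-2
          # Cipher hygiene: 3DES and SHA-1 are deprecated; static key exchange has no forward secrecy
          algorithm: high
          banned_cipher:
            - 3DES
            - SHA1
            - STATIC
          # Legacy renegotiation and TLS-level compression each have a known attack class; keep both off
          unsafe_legacy_renegotiation: disable
          ssl_client_renegotiation: disable
          http_compression: disable
          # Session and brute-force controls
          auth_session_check_source_ip: enable
          login_attempt_limit: 3
          login_block_time: 300
          idle_timeout: 600
          tunnel_connect_without_reauth: disable
          # Browser-side hardening headers for web mode
          check_referer: enable
          http_only_cookie: enable
          hsts_include_subdomains: enable
          x_content_type_options: enable
          https_redirect: enable
          # Client addressing and name resolution (all constructed values)
          tunnel_ip_pools: SSLVPN_TUNNEL_ADDR1   # assumption: existing IP pool object on the FortiGate
          dns_server1: 10.0.0.53
          dns_suffix: corp.example
      register: sslvpn_result

    - name: Stop the play unless FortiManager reported success
      ansible.builtin.assert:
        that:
          - sslvpn_result.rc == 0
          - sslvpn_result.meta.response_code == 0
        fail_msg: "FortiManager returned {{ sslvpn_result.meta.response_message }}"
```

The closing assert checks the module's documented rc and meta.response_code return values; rc_succeeded and rc_failed can widen or narrow what the module itself treats as success.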
Parameters:

vdom (str, required): The parameter (vdom) in the requested URL.
device (str, required): The parameter (device) in the requested URL.
rc_failed (list of int): The rc codes list with which the conditions to fail will be overridden.
enable_log (bool, default false): Enable/disable logging for the task.
access_token (str): The token to access FortiManager without using username and password.
rc_succeeded (list of int): The rc codes list with which the conditions to succeed will be overridden.
proposed_method (str; choices: update, set, add): The overridden method for the underlying JSON RPC request.
vpn_ssl_settings (dict, not required): The top level parameters set. Suboptions:
  algorithm (str; choices: default, high, low, medium): Force the SSL VPN security level.
  auth-session-check-source-ip (str; choices: disable, enable): Deprecated, please rename it to auth_session_check_source_ip. Enable/disable checking of source IP for authentication session.
  auth-timeout (int): Deprecated, please rename it to auth_timeout. SSL VPN authentication timeout.
  authentication-rule (list of dict): Deprecated, please rename it to authentication_rule. Suboptions:
    auth (str; choices: any, local, radius, ldap, tacacs+, peer): SSL VPN authentication method restriction.
    cipher (str; choices: any, high, medium): SSL VPN cipher strength.
    client-cert (str; choices: disable, enable): Deprecated, please rename it to client_cert. Enable/disable SSL VPN client certificate restriction.
    groups (raw, list or str): User groups.
    id (int): ID.
    portal (str): SSL VPN portal.
    realm (str): SSL VPN realm.
    source-address (raw, list or str): Deprecated, please rename it to source_address. Source address of incoming traffic.
    source-address-negate (str; choices: disable, enable): Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.
    source-address6 (raw, list or str): Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.
    source-address6-negate (str; choices: disable, enable): Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.
    source-interface (raw, list or str): Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.
    user-peer (str): Deprecated, please rename it to user_peer. Name of user peer.
    users (raw, list or str): User name.
  auto-tunnel-static-route (str; choices: disable, enable): Deprecated, please rename it to auto_tunnel_static_route. Enable/disable to auto-create static routes for the SSL VPN tunn...
  banned-cipher (list of str; choices: RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM): Deprecated, please rename it to banned_cipher.
  browser-language-detection (str; choices: disable, enable): Deprecated, please rename it to browser_language_detection. Enable/disable overriding the configured system language based...
  check-referer (str; choices: disable, enable): Deprecated, please rename it to check_referer. Enable/disable verification of referer field in HTTP request header.
  ciphersuite (list of str; choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256): No description.
  client-sigalgs (str; choices: no-rsa-pss, all): Deprecated, please rename it to client_sigalgs. Set signature algorithms related to client authentication.
  default-portal (str): Deprecated, please rename it to default_portal. Default SSL VPN portal.
  deflate-compression-level (int): Deprecated, please rename it to deflate_compression_level. Compression level.
  deflate-min-data-size (int): Deprecated, please rename it to deflate_min_data_size. Minimum amount of data that triggers compression.
  dns-server1 (str): Deprecated, please rename it to dns_server1. DNS server 1.
  dns-server2 (str): Deprecated, please rename it to dns_server2. DNS server 2.
  dns-suffix (str): Deprecated, please rename it to dns_suffix. DNS suffix used for SSL VPN clients.
  dtls-heartbeat-fail-count (int): Deprecated, please rename it to dtls_heartbeat_fail_count. Number of missing heartbeats before the connection is considere...
  dtls-heartbeat-idle-timeout (int): Deprecated, please rename it to dtls_heartbeat_idle_timeout. Idle timeout before DTLS heartbeat is sent.
  dtls-heartbeat-interval (int): Deprecated, please rename it to dtls_heartbeat_interval. Interval between DTLS heartbeats.
  dtls-hello-timeout (int): Deprecated, please rename it to dtls_hello_timeout. SSLVPN maximum DTLS hello timeout.
  dtls-max-proto-ver (str; choices: dtls1-0, dtls1-2): Deprecated, please rename it to dtls_max_proto_ver. DTLS maximum protocol version.
  dtls-min-proto-ver (str; choices: dtls1-0, dtls1-2): Deprecated, please rename it to dtls_min_proto_ver. DTLS minimum protocol version.
  dtls-tunnel (str; choices: disable, enable): Deprecated, please rename it to dtls_tunnel. Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
  dual-stack-mode (str; choices: disable, enable): Deprecated, please rename it to dual_stack_mode. Tunnel mode.
  encode-2f-sequence (str; choices: disable, enable): Deprecated, please rename it to encode_2f_sequence. Encode 2F sequence to forward slash in URLs.
  encrypt-and-store-password (str; choices: disable, enable): Deprecated, please rename it to encrypt_and_store_password. Encrypt and store user passwords for SSL VPN web sessions.
  force-two-factor-auth (str; choices: disable, enable): Deprecated, please rename it to force_two_factor_auth. Enable/disable only PKI users with two-factor authentication for SS...
  header-x-forwarded-for (str; choices: pass, add, remove): Deprecated, please rename it to header_x_forwarded_for. Forward the same, add, or remove HTTP header.
  hsts-include-subdomains (str; choices: disable, enable): Deprecated, please rename it to hsts_include_subdomains. Add HSTS includeSubDomains response header.
  http-compression (str; choices: disable, enable): Deprecated, please rename it to http_compression. Enable/disable to allow HTTP compression over SSL VPN tunnels.
  http-only-cookie (str; choices: disable, enable): Deprecated, please rename it to http_only_cookie. Enable/disable SSL VPN support for HttpOnly cookies.
  http-request-body-timeout (int): Deprecated, please rename it to http_request_body_timeout. SSL VPN session is disconnected if an HTTP request body is not ...
  http-request-header-timeout (int): Deprecated, please rename it to http_request_header_timeout. SSL VPN session is disconnected if an HTTP request header is ...
  https-redirect (str; choices: disable, enable): Deprecated, please rename it to https_redirect. Enable/disable redirect of port 80 to SSL VPN port.
  idle-timeout (int): Deprecated, please rename it to idle_timeout. SSL VPN disconnects if idle for specified time in seconds.
  ipv6-dns-server1 (str): Deprecated, please rename it to ipv6_dns_server1. IPv6 DNS server 1.
  ipv6-dns-server2 (str): Deprecated, please rename it to ipv6_dns_server2. IPv6 DNS server 2.
  ipv6-wins-server1 (str): Deprecated, please rename it to ipv6_wins_server1. IPv6 WINS server 1.
  ipv6-wins-server2 (str): Deprecated, please rename it to ipv6_wins_server2. IPv6 WINS server 2.
  login-attempt-limit (int): Deprecated, please rename it to login_attempt_limit. SSL VPN maximum login attempt times before block.
  login-block-time (int): Deprecated, please rename it to login_block_time. Time for which a user is blocked from logging in after too many failed l...
  login-timeout (int): Deprecated, please rename it to login_timeout. SSLVPN maximum login timeout.
  port (int): SSL VPN access port.
  port-precedence (str; choices: disable, enable): Deprecated, please rename it to port_precedence. Enable/disable, Enable means that if SSL VPN connections are allowed on a...
  reqclientcert (str; choices: disable, enable): Enable/disable to require client certificates for all SSL VPN users.
  route-source-interface (str; choices: disable, enable): Deprecated, please rename it to route_source_interface. Enable/disable to allow SSL VPN sessions to bypass routing and bin...
  saml-redirect-port (int): Deprecated, please rename it to saml_redirect_port. SAML local redirect port in the machine running FortiClient.
  server-hostname (str): Deprecated, please rename it to server_hostname. Server hostname for HTTPS.
  servercert (str): Name of the server certificate to be used for SSL VPNs.
  source-address (raw, list or str): Deprecated, please rename it to source_address. Source address of incoming traffic.
  source-address-negate (str; choices: disable, enable): Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.
  source-address6 (raw, list or str): Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.
  source-address6-negate (str; choices: disable, enable): Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.
  source-interface (raw, list or str): Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.
  ssl-big-buffer (str; choices: disable, enable): Deprecated, please rename it to ssl_big_buffer. Disable using the big SSLv3 buffer feature to save memory and force higher...
  ssl-client-renegotiation (str; choices: disable, enable): Deprecated, please rename it to ssl_client_renegotiation. Enable/disable to allow client renegotiation by the server if th...
  ssl-insert-empty-fragment (str; choices: disable, enable): Deprecated, please rename it to ssl_insert_empty_fragment. Enable/disable insertion of empty fragment.
  ssl-max-proto-ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3): Deprecated, please rename it to ssl_max_proto_ver. SSL maximum protocol version.
  ssl-min-proto-ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3): Deprecated, please rename it to ssl_min_proto_ver. SSL minimum protocol version.
  sslv3 (str; choices: disable, enable): No description.
  status (str; choices: disable, enable): Enable/disable SSL-VPN.
  tlsv1-0 (str; choices: disable, enable): Deprecated, please rename it to tlsv1_0. Enable/disable TLSv1.
  tlsv1-1 (str; choices: disable, enable): Deprecated, please rename it to tlsv1_1. Enable/disable TLSv1.
  tlsv1-2 (str; choices: disable, enable): Deprecated, please rename it to tlsv1_2. Enable/disable TLSv1.
  tlsv1-3 (str; choices: disable, enable): Deprecated, please rename it to tlsv1_3.
  transform-backward-slashes (str; choices: disable, enable): Deprecated, please rename it to transform_backward_slashes. Transform backward slashes to forward slashes in URLs.
  tunnel-addr-assigned-method (str; choices: first-available, round-robin): Deprecated, please rename it to tunnel_addr_assigned_method. Method used for assigning address for tunnel.
  tunnel-connect-without-reauth (str; choices: disable, enable): Deprecated, please rename it to tunnel_connect_without_reauth. Enable/disable tunnel connection without re-authorization i...
  tunnel-ip-pools (raw, list or str): Deprecated, please rename it to tunnel_ip_pools. Names of the IPv4 IP Pool firewall objects that define the ...
  tunnel-ipv6-pools (raw, list or str): Deprecated, please rename it to tunnel_ipv6_pools. Names of the IPv6 IP Pool firewall objects that define th...
  tunnel-user-session-timeout (int): Deprecated, please rename it to tunnel_user_session_timeout. Time out value to clean up user session after tunnel connecti...
  unsafe-legacy-renegotiation (str; choices: disable, enable): Deprecated, please rename it to unsafe_legacy_renegotiation. Enable/disable unsafe legacy re-negotiation.
  url-obscuration (str; choices: disable, enable): Deprecated, please rename it to url_obscuration. Enable/disable to obscure the host name of the URL of the web browser dis...
  user-peer (str): Deprecated, please rename it to user_peer. Name of user peer.
  web-mode-snat (str; choices: disable, enable): Deprecated, please rename it to web_mode_snat. Enable/disable use of IP pools defined in firewall policy while using web-mode.
  wins-server1 (str): Deprecated, please rename it to wins_server1. WINS server 1.
  wins-server2 (str): Deprecated, please rename it to wins_server2. WINS server 2.
  x-content-type-options (str; choices: disable, enable): Deprecated, please rename it to x_content_type_options. Add HTTP X-Content-Type-Options header.
  ztna-trusted-client (str; choices: disable, enable): Deprecated, please rename it to ztna_trusted_client. Enable/disable verification of device certificate for SSLVPN ZTNA ses...
bypass_validation (bool, default false): Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
workspace_locking_adom (str): The ADOM to lock for FortiManager running in workspace mode; the value can be global or any other ADOM, including root.
forticloud_access_token (str): Authenticate the Ansible client with a FortiCloud API access token.
workspace_locking_timeout (int, default 300): The maximum time in seconds to wait for another user to release the workspace lock.
Return values:

meta (dict, returned always): The result of the request. Contains:
  request_url (str, returned always; sample: /sys/login/user): The full URL requested.
  response_code (int, returned always; sample: 0): The status of the API request.
  response_data (list, returned always): The API response.
  response_message (str, returned always; sample: OK.): The descriptive message of the API response.
  system_information (dict, returned always): The information of the target system.
rc (int, returned always; sample: 0): The status of the request.
version_check_warning (list, returned complex): Warning if the parameters used in the playbook are not supported by the current FortiManager version.