fortinet.fortios.fortios_system_settings (1.1.7) — module

Configure VDOM settings in Fortinet's FortiOS and FortiGate.

Added in version 2.8 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==1.1.7


Add to requirements.yml

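  collections:
    # Pinned to the release this page documents (1.1.7); bump it deliberately.
    # Quoted so no YAML loader retypes the version string.
    - name: fortinet.fortios
      version: "1.1.7"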

Description

This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the system feature and settings category. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.4.0.


Requirements

Usage examples

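---
# Sample playbook exercising every fortios_system_settings parameter.
# The values are placeholders ("<your_own_value>", arbitrary numbers) that
# demonstrate the syntax; they are not a recommended VDOM configuration.
# Integer-typed options are given as plain integers to match the declared
# `type: int`; booleans use true/false (yamllint `truthy`).
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Sample setting only: false skips TLS certificate validation of the
    # FortiGate, so the API session is not authenticated to the device.
    # Set true and trust the device's CA certificate outside a lab.
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure VDOM settings.
      fortios_system_settings:
        vdom: "{{ vdom }}"
        system_settings:
          allow_linkdown_path: "enable"
          allow_subnet_overlap: "enable"
          asymroute: "enable"
          asymroute_icmp: "enable"
          asymroute6: "enable"
          asymroute6_icmp: "enable"
          auxiliary_session: "enable"
          bfd: "enable"
          bfd_desired_min_tx: 11
          bfd_detect_mult: 12
          bfd_dont_enforce_src_port: "enable"
          bfd_required_min_rx: 14
          # Sample value only; "disable" turns off blocking of LAND attacks,
          # which weakens the VDOM's default protections.
          block_land_attack: "disable"
          central_nat: "enable"
          comments: "<your_own_value>"
          consolidated_firewall_mode: "<your_own_value>"
          default_voip_alg_mode: "proxy-based"
          deny_tcp_with_icmp: "enable"
          device: "<your_own_value> (source system.interface.name)"
          dhcp_proxy: "enable"
          dhcp_server_ip: "<your_own_value>"
          dhcp6_server_ip: "<your_own_value>"
          discovered_device_timeout: 25
          ecmp_max_paths: 26
          email_portal_check_dns: "disable"
          firewall_session_dirty: "check-all"
          fw_session_hairpin: "enable"
          gateway: "<your_own_value>"
          gateway6: "<your_own_value>"
          gui_advanced_policy: "enable"
          gui_allow_unnamed_policy: "enable"
          gui_antivirus: "enable"
          gui_ap_profile: "enable"
          gui_application_control: "enable"
          gui_default_policy_columns:
            - name: "default_name_38"
          gui_dhcp_advanced: "enable"
          gui_dns_database: "enable"
          gui_dnsfilter: "enable"
          gui_domain_ip_reputation: "enable"
          gui_dos_policy: "enable"
          gui_dynamic_profile_display: "enable"
          gui_dynamic_routing: "enable"
          gui_email_collection: "enable"
          gui_endpoint_control: "enable"
          gui_endpoint_control_advanced: "enable"
          gui_explicit_proxy: "enable"
          gui_fortiap_split_tunneling: "enable"
          gui_fortiextender_controller: "enable"
          gui_icap: "enable"
          gui_implicit_policy: "enable"
          gui_ips: "enable"
          gui_load_balance: "enable"
          gui_local_in_policy: "enable"
          gui_local_reports: "enable"
          gui_multicast_policy: "enable"
          gui_multiple_interface_policy: "enable"
          gui_multiple_utm_profiles: "enable"
          gui_nat46_64: "enable"
          gui_object_colors: "enable"
          gui_policy_based_ipsec: "enable"
          gui_policy_disclaimer: "enable"
          gui_replacement_message_groups: "enable"
          gui_spamfilter: "enable"
          gui_sslvpn_personal_bookmarks: "enable"
          gui_sslvpn_realms: "enable"
          gui_switch_controller: "enable"
          gui_threat_weight: "enable"
          gui_traffic_shaping: "enable"
          gui_voip_profile: "enable"
          gui_vpn: "enable"
          gui_waf_profile: "enable"
          gui_wan_load_balancing: "enable"
          gui_wanopt_cache: "enable"
          gui_webfilter: "enable"
          gui_webfilter_advanced: "enable"
          gui_wireless_controller: "enable"
          http_external_dest: "fortiweb"
          ike_dn_format: "with-space"
          ike_quick_crash_detect: "enable"
          ike_session_resume: "enable"
          ip: "<your_own_value>"
          ip6: "<your_own_value>"
          link_down_access: "enable"
          lldp_reception: "enable"
          lldp_transmission: "enable"
          # Placeholder; the documented range for mac_ttl is 300 - 8640000 sec.
          mac_ttl: 89
          manageip: "<your_own_value>"
          manageip6: "<your_own_value>"
          multicast_forward: "enable"
          multicast_skip_policy: "enable"
          multicast_ttl_notchange: "enable"
          ngfw_mode: "profile-based"
          opmode: "nat"
          prp_trailer_action: "enable"
          sccp_port: 98
          sctp_session_without_init: "enable"
          ses_denied_traffic: "enable"
          sip_expectation: "enable"
          sip_nat_trace: "enable"
          sip_ssl_port: 103
          sip_tcp_port: 104
          sip_udp_port: 105
          snat_hairpin_traffic: "enable"
          status: "enable"
          strict_src_check: "enable"
          tcp_session_without_syn: "enable"
          utf8_spam_tagging: "enable"
          v4_ecmp_mode: "source-ip-based"
          vpn_stats_log: "ipsec"
          vpn_stats_period: 113
          wccp_cache_engine: "enable"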

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI. Treat the token as
      a credential and supply it from Ansible Vault or a lookup rather than a plaintext
      playbook.
    required: false
    type: str

system_settings:
    default: null
    description:
    - Configure VDOM settings.
    suboptions:
      allow_linkdown_path:
        choices:
        - enable
        - disable
        description:
        - Enable/disable link down path.
        type: str
      allow_subnet_overlap:
        choices:
        - enable
        - disable
        description:
        - Enable/disable allowing interface subnets to use overlapping IP addresses.
        type: str
      asymroute:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IPv4 asymmetric routing.
        type: str
      asymroute6:
        choices:
        - enable
        - disable
        description:
        - Enable/disable asymmetric IPv6 routing.
        type: str
      asymroute6_icmp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable asymmetric ICMPv6 routing.
        type: str
      asymroute_icmp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable ICMP asymmetric routing.
        type: str
      auxiliary_session:
        choices:
        - enable
        - disable
        description:
        - Enable/disable auxiliary session.
        type: str
      bfd:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
        type: str
      bfd_desired_min_tx:
        description:
        - BFD desired minimal transmit interval (1 - 100000 ms).
        type: int
      bfd_detect_mult:
        description:
        - BFD detection multiplier (1 - 50).
        type: int
      bfd_dont_enforce_src_port:
        choices:
        - enable
        - disable
        description:
        - Enable to skip verification of the source port of BFD packets.
        type: str
      bfd_required_min_rx:
        description:
        - BFD required minimal receive interval (1 - 100000 ms).
        type: int
      block_land_attack:
        choices:
        - disable
        - enable
        description:
        - Enable/disable blocking of land attacks.
        type: str
      central_nat:
        choices:
        - enable
        - disable
        description:
        - Enable/disable central NAT.
        type: str
      comments:
        description:
        - VDOM comments.
        type: str
      consolidated_firewall_mode:
        description:
        - Consolidated firewall mode.
        type: str
      default_voip_alg_mode:
        choices:
        - proxy-based
        - kernel-helper-based
        description:
        - Configure how the FortiGate handles VoIP traffic when a policy that accepts
          the traffic doesn't include a VoIP profile.
        type: str
      deny_tcp_with_icmp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable denying TCP by sending an ICMP communication prohibited packet.
        type: str
      device:
        description:
        - Interface to use for management access for NAT mode. Source system.interface.name.
        type: str
      dhcp6_server_ip:
        description:
        - DHCPv6 server IPv6 address.
        type: str
      dhcp_proxy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the DHCP Proxy.
        type: str
      dhcp_server_ip:
        description:
        - DHCP Server IPv4 address.
        type: str
      discovered_device_timeout:
        description:
        - Timeout for discovered devices (1 - 365 days).
        type: int
      ecmp_max_paths:
        description:
        - Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable
          ECMP routing (1 - 255).
        type: int
      email_portal_check_dns:
        choices:
        - disable
        - enable
        description:
        - Enable/disable using DNS to validate email addresses collected by a captive
          portal.
        type: str
      firewall_session_dirty:
        choices:
        - check-all
        - check-new
        - check-policy-option
        description:
        - Select how to manage sessions affected by firewall policy configuration changes.
        type: str
      fw_session_hairpin:
        choices:
        - enable
        - disable
        description:
        - Enable/disable checking for a matching policy each time hairpin traffic goes
          through the FortiGate.
        type: str
      gateway:
        description:
        - Transparent mode IPv4 default gateway IP address.
        type: str
      gateway6:
        description:
        - Transparent mode IPv6 default gateway IP address.
        type: str
      gui_advanced_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable advanced policy configuration on the GUI.
        type: str
      gui_allow_unnamed_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the requirement for policy naming on the GUI.
        type: str
      gui_antivirus:
        choices:
        - enable
        - disable
        description:
        - Enable/disable AntiVirus on the GUI.
        type: str
      gui_ap_profile:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FortiAP profiles on the GUI.
        type: str
      gui_application_control:
        choices:
        - enable
        - disable
        description:
        - Enable/disable application control on the GUI.
        type: str
      gui_default_policy_columns:
        description:
        - Default columns to display for policy lists on GUI.
        suboptions:
          name:
            description:
            - Select column name.
            required: true
            type: str
        type: list
      gui_dhcp_advanced:
        choices:
        - enable
        - disable
        description:
        - Enable/disable advanced DHCP options on the GUI.
        type: str
      gui_dns_database:
        choices:
        - enable
        - disable
        description:
        - Enable/disable DNS database settings on the GUI.
        type: str
      gui_dnsfilter:
        choices:
        - enable
        - disable
        description:
        - Enable/disable DNS Filtering on the GUI.
        type: str
      gui_domain_ip_reputation:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Domain and IP Reputation on the GUI.
        type: str
      gui_dos_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable DoS policies on the GUI.
        type: str
      gui_dynamic_profile_display:
        choices:
        - enable
        - disable
        description:
        - Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
        type: str
      gui_dynamic_routing:
        choices:
        - enable
        - disable
        description:
        - Enable/disable dynamic routing on the GUI.
        type: str
      gui_email_collection:
        choices:
        - enable
        - disable
        description:
        - Enable/disable email collection on the GUI.
        type: str
      gui_endpoint_control:
        choices:
        - enable
        - disable
        description:
        - Enable/disable endpoint control on the GUI.
        type: str
      gui_endpoint_control_advanced:
        choices:
        - enable
        - disable
        description:
        - Enable/disable advanced endpoint control options on the GUI.
        type: str
      gui_explicit_proxy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the explicit proxy on the GUI.
        type: str
      gui_fortiap_split_tunneling:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FortiAP split tunneling on the GUI.
        type: str
      gui_fortiextender_controller:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FortiExtender on the GUI.
        type: str
      gui_icap:
        choices:
        - enable
        - disable
        description:
        - Enable/disable ICAP on the GUI.
        type: str
      gui_implicit_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable implicit firewall policies on the GUI.
        type: str
      gui_ips:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IPS on the GUI.
        type: str
      gui_load_balance:
        choices:
        - enable
        - disable
        description:
        - Enable/disable server load balancing on the GUI.
        type: str
      gui_local_in_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Local-In policies on the GUI.
        type: str
      gui_local_reports:
        choices:
        - enable
        - disable
        description:
        - Enable/disable local reports on the GUI.
        type: str
      gui_multicast_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable multicast firewall policies on the GUI.
        type: str
      gui_multiple_interface_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable adding multiple interfaces to a policy on the GUI.
        type: str
      gui_multiple_utm_profiles:
        choices:
        - enable
        - disable
        description:
        - Enable/disable multiple UTM profiles on the GUI.
        type: str
      gui_nat46_64:
        choices:
        - enable
        - disable
        description:
        - Enable/disable NAT46 and NAT64 settings on the GUI.
        type: str
      gui_object_colors:
        choices:
        - enable
        - disable
        description:
        - Enable/disable object colors on the GUI.
        type: str
      gui_policy_based_ipsec:
        choices:
        - enable
        - disable
        description:
        - Enable/disable policy-based IPsec VPN on the GUI.
        type: str
      gui_policy_disclaimer:
        choices:
        - enable
        - disable
        description:
        - Enable/disable policy disclaimer on the GUI.
        type: str
      gui_replacement_message_groups:
        choices:
        - enable
        - disable
        description:
        - Enable/disable replacement message groups on the GUI.
        type: str
      gui_spamfilter:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Antispam on the GUI.
        type: str
      gui_sslvpn_personal_bookmarks:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL-VPN personal bookmark management on the GUI.
        type: str
      gui_sslvpn_realms:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL-VPN realms on the GUI.
        type: str
      gui_switch_controller:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the switch controller on the GUI.
        type: str
      gui_threat_weight:
        choices:
        - enable
        - disable
        description:
        - Enable/disable threat weight on the GUI.
        type: str
      gui_traffic_shaping:
        choices:
        - enable
        - disable
        description:
        - Enable/disable traffic shaping on the GUI.
        type: str
      gui_voip_profile:
        choices:
        - enable
        - disable
        description:
        - Enable/disable VoIP profiles on the GUI.
        type: str
      gui_vpn:
        choices:
        - enable
        - disable
        description:
        - Enable/disable VPN tunnels on the GUI.
        type: str
      gui_waf_profile:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Web Application Firewall on the GUI.
        type: str
      gui_wan_load_balancing:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SD-WAN on the GUI.
        type: str
      gui_wanopt_cache:
        choices:
        - enable
        - disable
        description:
        - Enable/disable WAN Optimization and Web Caching on the GUI.
        type: str
      gui_webfilter:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Web filtering on the GUI.
        type: str
      gui_webfilter_advanced:
        choices:
        - enable
        - disable
        description:
        - Enable/disable advanced web filtering on the GUI.
        type: str
      gui_wireless_controller:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the wireless controller on the GUI.
        type: str
      http_external_dest:
        choices:
        - fortiweb
        - forticache
        description:
        - Offload HTTP traffic to FortiWeb or FortiCache.
        type: str
      ike_dn_format:
        choices:
        - with-space
        - no-space
        description:
        - Configure IKE ASN.1 Distinguished Name format conventions.
        type: str
      ike_quick_crash_detect:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IKE quick crash detection (RFC 6290).
        type: str
      ike_session_resume:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IKEv2 session resumption (RFC 5723).
        type: str
      ip:
        description:
        - IP address and netmask.
        type: str
      ip6:
        description:
        - IPv6 address prefix for NAT mode.
        type: str
      link_down_access:
        choices:
        - enable
        - disable
        description:
        - Enable/disable link down access traffic.
        type: str
      lldp_reception:
        choices:
        - enable
        - disable
        - global
        description:
        - Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM
          or apply global settings to this VDOM.
        type: str
      lldp_transmission:
        choices:
        - enable
        - disable
        - global
        description:
        - Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM
          or apply global settings to this VDOM.
        type: str
      mac_ttl:
        description:
        - Duration of MAC addresses in Transparent mode (300 - 8640000 sec).
        type: int
      manageip:
        description:
        - Transparent mode IPv4 management IP address and netmask.
        type: str
      manageip6:
        description:
        - Transparent mode IPv6 management IP address and netmask.
        type: str
      multicast_forward:
        choices:
        - enable
        - disable
        description:
        - Enable/disable multicast forwarding.
        type: str
      multicast_skip_policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable allowing multicast traffic through the FortiGate without a policy
          check.
        type: str
      multicast_ttl_notchange:
        choices:
        - enable
        - disable
        description:
        - Enable/disable preventing the FortiGate from changing the TTL for forwarded
          multicast packets.
        type: str
      ngfw_mode:
        choices:
        - profile-based
        - policy-based
        description:
        - Next Generation Firewall (NGFW) mode.
        type: str
      opmode:
        choices:
        - nat
        - transparent
        description:
        - Firewall operation mode (NAT or Transparent).
        type: str
      prp_trailer_action:
        choices:
        - enable
        - disable
        description:
        - Enable/disable action to take on PRP trailer.
        type: str
      sccp_port:
        description:
        - TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535).
        type: int
      sctp_session_without_init:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SCTP session creation without SCTP INIT.
        type: str
      ses_denied_traffic:
        choices:
        - enable
        - disable
        description:
        - Enable/disable including denied session in the session table.
        type: str
      sip_expectation:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the SIP kernel session helper to create an expectation for port
          5060.
        type: str
      sip_nat_trace:
        choices:
        - enable
        - disable
        description:
        - Enable/disable recording the original SIP source IP address when NAT is used.
        type: str
      sip_ssl_port:
        description:
        - TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535).
        type: int
      sip_tcp_port:
        description:
        - TCP port the SIP proxy monitors for SIP traffic (0 - 65535).
        type: int
      sip_udp_port:
        description:
        - UDP port the SIP proxy monitors for SIP traffic (0 - 65535).
        type: int
      snat_hairpin_traffic:
        choices:
        - enable
        - disable
        description:
        - Enable/disable source NAT (SNAT) for hairpin traffic.
        type: str
      status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable this VDOM.
        type: str
      strict_src_check:
        choices:
        - enable
        - disable
        description:
        - Enable/disable strict source verification.
        type: str
      tcp_session_without_syn:
        choices:
        - enable
        - disable
        description:
        - Enable/disable allowing TCP session without SYN flags.
        type: str
      utf8_spam_tagging:
        choices:
        - enable
        - disable
        description:
        - Enable/disable converting antispam tags to UTF-8 for better non-ASCII character
          support.
        type: str
      v4_ecmp_mode:
        choices:
        - source-ip-based
        - weight-based
        - usage-based
        - source-dest-ip-based
        description:
        - IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
        type: str
      vpn_stats_log:
        choices:
        - ipsec
        - pptp
        - l2tp
        - ssl
        description:
        - Enable/disable periodic VPN log statistics for one or more types of VPN. Separate
          names with a space.
        type: str
      vpn_stats_period:
        description:
        - Period to send VPN log statistics (0 or 60 - 86400 sec).
        type: int
      wccp_cache_engine:
        choices:
        - enable
        - disable
        description:
        - Enable/disable WCCP cache engine.
        type: str
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str