fortinet.fortios.fortios_vpn_ssl_settings (1.1.7) — module

Configure SSL VPN in Fortinet's FortiOS and FortiGate.

Added in version 2.8 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==1.1.7


Add to requirements.yml

  collections:
    - name: fortinet.fortios
      version: 1.1.7

Description

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the vpn_ssl feature and settings category. The example below lists every parameter; the quoted placeholder values (and the "source" datasource hints) must be adjusted to your own objects before use, and the TLS/DTLS protocol and cipher settings should be reviewed against your security baseline rather than copied verbatim. Tested with FOS v6.4.0.


Requirements

Usage examples

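---
# Example: configure SSL-VPN settings on a FortiGate over the HTTP API.
# Placeholder values ("<your_own_value>", "default_name_N (source ...)") must be
# replaced with objects that exist on the target device; the "(source ...)" text
# names the FortiOS table the value is looked up in.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on. The management session carries the admin
    # credentials / access_token; disabling validation exposes them to MITM.
    # If the FortiGate still has a self-signed cert, pin its CA instead.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortios_vpn_ssl_settings:
        vdom: "{{ vdom }}"
        vpn_ssl_settings:
          # "high" restricts negotiation to high-strength ciphers only.
          algorithm: "high"
          # Bind authenticated sessions to the client's source IP.
          auth_session_check_source_ip: "enable"
          # Range documented as 1 - 259200 sec (0 = no timeout).
          auth_timeout: 5
          authentication_rule:
            - auth: "any"
              cipher: "any"
              client_cert: "enable"
              groups:
                - name: "default_name_11 (source user.group.name)"
              id: 12
              portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
              realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
              source_address:
                - name: "default_name_16 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
              # Negating the source match inverts the allow-list (everything EXCEPT
              # the named addresses matches). Leave disabled unless that is intended.
              source_address_negate: "disable"
              source_address6:
                - name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
              source_address6_negate: "disable"
              source_interface:
                - name: "default_name_22 (source system.interface.name system.zone.name)"
              user_peer: "<your_own_value> (source user.peer.name)"
              users:
                - name: "default_name_25 (source user.local.name)"
          auto_tunnel_static_route: "enable"
          # banned_cipher is a list; each entry removes a cipher technology from
          # negotiation. RSA key exchange (no forward secrecy), 3DES and SHA1 are
          # commonly excluded on a hardened profile.
          banned_cipher:
            - "RSA"
            - "3DES"
            - "SHA1"
          check_referer: "enable"
          default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
          # Documented range 0 - 9.
          deflate_compression_level: 6
          # Documented range 200 - 65535 bytes.
          deflate_min_data_size: 300
          dns_server1: "<your_own_value>"
          dns_server2: "<your_own_value>"
          dns_suffix: "<your_own_value>"
          # Documented range 10 - 60 sec.
          dtls_hello_timeout: 35
          # Pin DTLS to 1.2; DTLS 1.0 shares TLS 1.1's deprecated crypto.
          dtls_max_proto_ver: "dtls1-2"
          dtls_min_proto_ver: "dtls1-2"
          dtls_tunnel: "enable"
          encode_2f_sequence: "enable"
          encrypt_and_store_password: "enable"
          force_two_factor_auth: "enable"
          header_x_forwarded_for: "pass"
          hsts_include_subdomains: "enable"
          # NOTE(review): compression over TLS has known side-channel concerns;
          # weigh against bandwidth needs before enabling.
          http_compression: "enable"
          http_only_cookie: "enable"
          # Documented range 1 - 60 sec for both request timeouts.
          http_request_body_timeout: 46
          http_request_header_timeout: 47
          https_redirect: "enable"
          idle_timeout: 49
          ipv6_dns_server1: "<your_own_value>"
          ipv6_dns_server2: "<your_own_value>"
          ipv6_wins_server1: "<your_own_value>"
          ipv6_wins_server2: "<your_own_value>"
          # Documented range 0 - 10 attempts before the block time applies.
          login_attempt_limit: 3
          # Documented range 0 - 86400 sec.
          login_block_time: 55
          # Documented range 10 - 180 sec.
          login_timeout: 56
          # Documented range 1 - 65535.
          port: 57
          port_precedence: "enable"
          reqclientcert: "enable"
          route_source_interface: "enable"
          servercert: "<your_own_value> (source vpn.certificate.local.name)"
          source_address:
            - name: "default_name_63 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
          # See note on negation above.
          source_address_negate: "disable"
          source_address6:
            - name: "default_name_66 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          source_address6_negate: "disable"
          source_interface:
            - name: "default_name_69 (source system.interface.name system.zone.name)"
          ssl_client_renegotiation: "disable"
          ssl_insert_empty_fragment: "enable"
          # Allow only TLS 1.2 and 1.3. The original example pinned both min and
          # max to tls1-0, which forces TLS 1.0 only (deprecated, RFC 8996) and
          # contradicts the tlsv1_2/tlsv1_3 flags below.
          ssl_max_proto_ver: "tls1-3"
          ssl_min_proto_ver: "tls1-2"
          tlsv1_0: "disable"
          tlsv1_1: "disable"
          tlsv1_2: "enable"
          tlsv1_3: "enable"
          transform_backward_slashes: "enable"
          tunnel_connect_without_reauth: "enable"
          tunnel_ip_pools:
            - name: "default_name_81 (source firewall.address.name firewall.addrgrp.name)"
          tunnel_ipv6_pools:
            - name: "default_name_83 (source firewall.address6.name firewall.addrgrp6.name)"
          # Documented range 1 - 255 sec.
          tunnel_user_session_timeout: 84
          # Unsafe legacy renegotiation accepts peers without RFC 5746 secure
          # renegotiation; keep it disabled.
          unsafe_legacy_renegotiation: "disable"
          url_obscuration: "enable"
          user_peer: "<your_own_value> (source user.peer.name)"
          wins_server1: "<your_own_value>"
          wins_server2: "<your_own_value>"
          x_content_type_options: "enable"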

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI. Treat the token as a
      secret: keep it in Ansible Vault or an external secret store rather than in plain
      playbook variables, and avoid echoing it in task output or logs.
    required: false
    type: str

vpn_ssl_settings:
    default: null
    description:
    - Configure SSL VPN.
    suboptions:
      algorithm:
        choices:
        - high
        - medium
        - default
        - low
        description:
        - Force the SSL-VPN security level. High allows only high. Medium allows medium
          and high. Low allows any.
        type: str
      auth_session_check_source_ip:
        choices:
        - enable
        - disable
        description:
        - Enable/disable checking of source IP for authentication session.
        type: str
      auth_timeout:
        description:
        - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
        type: int
      authentication_rule:
        description:
        - Authentication rule for SSL VPN.
        suboptions:
          auth:
            choices:
            - any
            - local
            - radius
            - tacacs+
            - ldap
            description:
            - SSL VPN authentication method restriction.
            type: str
          cipher:
            choices:
            - any
            - high
            - medium
            description:
            - SSL VPN cipher strength.
            type: str
          client_cert:
            choices:
            - enable
            - disable
            description:
            - Enable/disable SSL VPN client certificate restrictive.
            type: str
          groups:
            description:
            - User groups.
            suboptions:
              name:
                description:
                - Group name. Source user.group.name.
                required: true
                type: str
            type: list
          id:
            description:
            - ID (0 - 4294967295).
            required: true
            type: int
          portal:
            description:
            - SSL VPN portal. Source vpn.ssl.web.portal.name.
            type: str
          realm:
            description:
            - SSL VPN realm. Source vpn.ssl.web.realm.url-path.
            type: str
          source_address:
            description:
            - Source address of incoming traffic.
            suboptions:
              name:
                description:
                - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
                required: true
                type: str
            type: list
          source_address6:
            description:
            - IPv6 source address of incoming traffic.
            suboptions:
              name:
                description:
                - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name
                  system.external-resource.name.
                required: true
                type: str
            type: list
          source_address6_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negated source IPv6 address match.
            type: str
          source_address_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negated source address match.
            type: str
          source_interface:
            description:
            - SSL VPN source interface of incoming traffic.
            suboptions:
              name:
                description:
                - Interface name. Source system.interface.name system.zone.name.
                required: true
                type: str
            type: list
          user_peer:
            description:
            - Name of user peer. Source user.peer.name.
            type: str
          users:
            description:
            - User name.
            suboptions:
              name:
                description:
                - User name. Source user.local.name.
                required: true
                type: str
            type: list
        type: list
      auto_tunnel_static_route:
        choices:
        - enable
        - disable
        description:
        - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
        type: str
      banned_cipher:
        choices:
        - RSA
        - DHE
        - ECDHE
        - DSS
        - ECDSA
        - AES
        - AESGCM
        - CAMELLIA
        - 3DES
        - SHA1
        - SHA256
        - SHA384
        - STATIC
        description:
        - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
        type: list
      check_referer:
        choices:
        - enable
        - disable
        description:
        - Enable/disable verification of referer field in HTTP request header.
        type: str
      default_portal:
        description:
        - Default SSL VPN portal. Source vpn.ssl.web.portal.name.
        type: str
      deflate_compression_level:
        description:
        - Compression level (0~9).
        type: int
      deflate_min_data_size:
        description:
        - Minimum amount of data that triggers compression (200 - 65535 bytes).
        type: int
      dns_server1:
        description:
        - DNS server 1.
        type: str
      dns_server2:
        description:
        - DNS server 2.
        type: str
      dns_suffix:
        description:
        - DNS suffix used for SSL-VPN clients.
        type: str
      dtls_hello_timeout:
        description:
        - SSLVPN maximum DTLS hello timeout (10 - 60 sec).
        type: int
      dtls_max_proto_ver:
        choices:
        - dtls1-0
        - dtls1-2
        description:
        - DTLS maximum protocol version.
        type: str
      dtls_min_proto_ver:
        choices:
        - dtls1-0
        - dtls1-2
        description:
        - DTLS minimum protocol version.
        type: str
      dtls_tunnel:
        choices:
        - enable
        - disable
        description:
        - Enable DTLS to prevent eavesdropping, tampering, or message forgery.
        type: str
      encode_2f_sequence:
        choices:
        - enable
        - disable
        description:
        - Encode 2F sequence to forward slash in URLs.
        type: str
      encrypt_and_store_password:
        choices:
        - enable
        - disable
        description:
        - Encrypt and store user passwords for SSL-VPN web sessions.
        type: str
      force_two_factor_auth:
        choices:
        - enable
        - disable
        description:
        - Enable only PKI users with two-factor authentication for SSL-VPNs.
        type: str
      header_x_forwarded_for:
        choices:
        - pass
        - add
        - remove
        description:
        - Forward the same, add, or remove HTTP header.
        type: str
      hsts_include_subdomains:
        choices:
        - enable
        - disable
        description:
        - Add HSTS includeSubDomains response header.
        type: str
      http_compression:
        choices:
        - enable
        - disable
        description:
        - Enable to allow HTTP compression over SSL-VPN tunnels.
        type: str
      http_only_cookie:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL-VPN support for HttpOnly cookies.
        type: str
      http_request_body_timeout:
        description:
        - SSL-VPN session is disconnected if an HTTP request body is not received within
          this time (1 - 60 sec).
        type: int
      http_request_header_timeout:
        description:
        - SSL-VPN session is disconnected if an HTTP request header is not received within
          this time (1 - 60 sec).
        type: int
      https_redirect:
        choices:
        - enable
        - disable
        description:
        - Enable/disable redirect of port 80 to SSL-VPN port.
        type: str
      idle_timeout:
        description:
        - SSL VPN disconnects if idle for specified time in seconds.
        type: int
      ipv6_dns_server1:
        description:
        - IPv6 DNS server 1.
        type: str
      ipv6_dns_server2:
        description:
        - IPv6 DNS server 2.
        type: str
      ipv6_wins_server1:
        description:
        - IPv6 WINS server 1.
        type: str
      ipv6_wins_server2:
        description:
        - IPv6 WINS server 2.
        type: str
      login_attempt_limit:
        description:
        - SSL VPN maximum login attempt times before block (0 - 10).
        type: int
      login_block_time:
        description:
        - Time for which a user is blocked from logging in after too many failed login
          attempts (0 - 86400 sec).
        type: int
      login_timeout:
        description:
        - SSLVPN maximum login timeout (10 - 180 sec).
        type: int
      port:
        description:
        - SSL-VPN access port (1 - 65535).
        type: int
      port_precedence:
        choices:
        - enable
        - disable
        description:
        - Enable means that if SSL-VPN connections are allowed on an interface admin GUI
          connections are blocked on that interface.
        type: str
      reqclientcert:
        choices:
        - enable
        - disable
        description:
        - Enable to require client certificates for all SSL-VPN users.
        type: str
      route_source_interface:
        choices:
        - enable
        - disable
        description:
        - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming
          interface.
        type: str
      servercert:
        description:
        - Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
        type: str
      source_address:
        description:
        - Source address of incoming traffic.
        suboptions:
          name:
            description:
            - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
            required: true
            type: str
        type: list
      source_address6:
        description:
        - IPv6 source address of incoming traffic.
        suboptions:
          name:
            description:
            - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name
              system.external-resource.name.
            required: true
            type: str
        type: list
      source_address6_negate:
        choices:
        - enable
        - disable
        description:
        - Enable/disable negated source IPv6 address match.
        type: str
      source_address_negate:
        choices:
        - enable
        - disable
        description:
        - Enable/disable negated source address match.
        type: str
      source_interface:
        description:
        - SSL VPN source interface of incoming traffic.
        suboptions:
          name:
            description:
            - Interface name. Source system.interface.name system.zone.name.
            required: true
            type: str
        type: list
      ssl_client_renegotiation:
        choices:
        - disable
        - enable
        description:
        - Enable to allow client renegotiation by the server if the tunnel goes down.
        type: str
      ssl_insert_empty_fragment:
        choices:
        - enable
        - disable
        description:
        - Enable/disable insertion of empty fragment.
        type: str
      ssl_max_proto_ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description:
        - SSL maximum protocol version.
        type: str
      ssl_min_proto_ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description:
        - SSL minimum protocol version.
        type: str
      tlsv1_0:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.0 for SSL-VPN. TLS 1.0 is deprecated (RFC 8996); leave it
          disabled unless a specific legacy client requires it.
        type: str
      tlsv1_1:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.1 for SSL-VPN. TLS 1.1 is deprecated (RFC 8996); leave it
          disabled unless a specific legacy client requires it.
        type: str
      tlsv1_2:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.2 for SSL-VPN.
        type: str
      tlsv1_3:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.3 for SSL-VPN.
        type: str
      transform_backward_slashes:
        choices:
        - enable
        - disable
        description:
        - Transform backward slashes to forward slashes in URLs.
        type: str
      tunnel_connect_without_reauth:
        choices:
        - enable
        - disable
        description:
        - Enable/disable tunnel connection without re-authorization if previous connection
          dropped.
        type: str
      tunnel_ip_pools:
        description:
        - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved
          for remote clients.
        suboptions:
          name:
            description:
            - Address name. Source firewall.address.name firewall.addrgrp.name.
            required: true
            type: str
        type: list
      tunnel_ipv6_pools:
        description:
        - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved
          for remote clients.
        suboptions:
          name:
            description:
            - Address name. Source firewall.address6.name firewall.addrgrp6.name.
            required: true
            type: str
        type: list
      tunnel_user_session_timeout:
        description:
        - Time out value to clean up user session after tunnel connection is dropped (1
          - 255 sec).
        type: int
      unsafe_legacy_renegotiation:
        choices:
        - enable
        - disable
        description:
        - Enable/disable unsafe legacy re-negotiation, i.e. renegotiation with peers that
          do not support RFC 5746 secure renegotiation. Keep this disabled; enable only as
          a temporary workaround for a known legacy client.
        type: str
      url_obscuration:
        choices:
        - enable
        - disable
        description:
        - Enable to obscure the host name of the URL of the web browser display.
        type: str
      user_peer:
        description:
        - Name of user peer. Source user.peer.name.
        type: str
      wins_server1:
        description:
        - WINS server 1.
        type: str
      wins_server2:
        description:
        - WINS server 2.
        type: str
      x_content_type_options:
        choices:
        - enable
        - disable
        description:
        - Add HTTP X-Content-Type-Options header.
        type: str
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str