fortinet.fortios.fortios_vpn_ssl_settings (module): Configure SSL VPN in Fortinet's FortiOS and FortiGate.

Collection: fortinet.fortios, version 1.1.7 (module added in version 2.8 of fortinet.fortios)
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
Status: preview, supported by community

Install with:

    ansible-galaxy collection install fortinet.fortios:==1.1.7

Or add to requirements.yml:

    collections:
      - name: fortinet.fortios
        version: 1.1.7
Synopsis:

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the settings category of the vpn_ssl feature. The example below includes every parameter; the values need to be adjusted to the datasources of your own device before use. Tested with FOS v6.4.0.
Examples:

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortios_vpn_ssl_settings:
        vdom: "{{ vdom }}"
        vpn_ssl_settings:
          algorithm: "high"
          auth_session_check_source_ip: "enable"
          auth_timeout: "5"
          authentication_rule:
            - auth: "any"
              cipher: "any"
              client_cert: "enable"
              groups:
                - name: "default_name_11 (source user.group.name)"
              id: "12"
              portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
              realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
              source_address:
                - name: "default_name_16 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
              source_address_negate: "enable"
              source_address6:
                - name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
              source_address6_negate: "enable"
              source_interface:
                - name: "default_name_22 (source system.interface.name system.zone.name)"
              user_peer: "<your_own_value> (source user.peer.name)"
              users:
                - name: "default_name_25 (source user.local.name)"
          auto_tunnel_static_route: "enable"
          banned_cipher: "RSA"
          check_referer: "enable"
          default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
          deflate_compression_level: "30"
          deflate_min_data_size: "31"
          dns_server1: "<your_own_value>"
          dns_server2: "<your_own_value>"
          dns_suffix: "<your_own_value>"
          dtls_hello_timeout: "35"
          dtls_max_proto_ver: "dtls1-0"
          dtls_min_proto_ver: "dtls1-0"
          dtls_tunnel: "enable"
          encode_2f_sequence: "enable"
          encrypt_and_store_password: "enable"
          force_two_factor_auth: "enable"
          header_x_forwarded_for: "pass"
          hsts_include_subdomains: "enable"
          http_compression: "enable"
          http_only_cookie: "enable"
          http_request_body_timeout: "46"
          http_request_header_timeout: "47"
          https_redirect: "enable"
          idle_timeout: "49"
          ipv6_dns_server1: "<your_own_value>"
          ipv6_dns_server2: "<your_own_value>"
          ipv6_wins_server1: "<your_own_value>"
          ipv6_wins_server2: "<your_own_value>"
          login_attempt_limit: "54"
          login_block_time: "55"
          login_timeout: "56"
          port: "57"
          port_precedence: "enable"
          reqclientcert: "enable"
          route_source_interface: "enable"
          servercert: "<your_own_value> (source vpn.certificate.local.name)"
          source_address:
            - name: "default_name_63 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
          source_address_negate: "enable"
          source_address6:
            - name: "default_name_66 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          source_address6_negate: "enable"
          source_interface:
            - name: "default_name_69 (source system.interface.name system.zone.name)"
          ssl_client_renegotiation: "disable"
          ssl_insert_empty_fragment: "enable"
          ssl_max_proto_ver: "tls1-0"
          ssl_min_proto_ver: "tls1-0"
          tlsv1_0: "enable"
          tlsv1_1: "enable"
          tlsv1_2: "enable"
          tlsv1_3: "enable"
          transform_backward_slashes: "enable"
          tunnel_connect_without_reauth: "enable"
          tunnel_ip_pools:
            - name: "default_name_81 (source firewall.address.name firewall.addrgrp.name)"
          tunnel_ipv6_pools:
            - name: "default_name_83 (source firewall.address6.name firewall.addrgrp6.name)"
          tunnel_user_session_timeout: "84"
          unsafe_legacy_renegotiation: "enable"
          url_obscuration: "enable"
          user_peer: "<your_own_value> (source user.peer.name)"
          wins_server1: "<your_own_value>"
          wins_server2: "<your_own_value>"
          x_content_type_options: "enable"
```
Parameters:

vdom (str, default: root)
  Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

access_token (str, not required)
  Token-based authentication. Generated from the GUI of the FortiGate.

vpn_ssl_settings (dict, default: null)
  Configure SSL VPN. Suboptions:

  algorithm (str; choices: high, medium, default, low)
    Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
  auth_session_check_source_ip (str; choices: enable, disable)
    Enable/disable checking of the source IP for the authentication session.
  auth_timeout (int)
    SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
  authentication_rule (list)
    Authentication rule for SSL VPN. Suboptions:
    auth (str; choices: any, local, radius, tacacs+, ldap)
      SSL VPN authentication method restriction.
    cipher (str; choices: any, high, medium)
      SSL VPN cipher strength.
    client_cert (str; choices: enable, disable)
      Enable/disable the SSL VPN client certificate restriction.
    groups (list)
      User groups. Suboptions:
      name (str, required)
        Group name. Source user.group.name.
    id (int, required)
      ID (0 - 4294967295).
    portal (str)
      SSL VPN portal. Source vpn.ssl.web.portal.name.
    realm (str)
      SSL VPN realm. Source vpn.ssl.web.realm.url-path.
    source_address (list)
      Source address of incoming traffic. Suboptions:
      name (str, required)
        Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
    source_address6 (list)
      IPv6 source address of incoming traffic. Suboptions:
      name (str, required)
        IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
    source_address6_negate (str; choices: enable, disable)
      Enable/disable negated source IPv6 address match.
    source_address_negate (str; choices: enable, disable)
      Enable/disable negated source address match.
    source_interface (list)
      SSL VPN source interface of incoming traffic. Suboptions:
      name (str, required)
        Interface name. Source system.interface.name system.zone.name.
    user_peer (str)
      Name of user peer. Source user.peer.name.
    users (list)
      User names. Suboptions:
      name (str, required)
        User name. Source user.local.name.
  auto_tunnel_static_route (str; choices: enable, disable)
    Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
  banned_cipher (list; choices: RSA, DHE, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC)
    Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
  check_referer (str; choices: enable, disable)
    Enable/disable verification of the referer field in the HTTP request header.
  default_portal (str)
    Default SSL VPN portal. Source vpn.ssl.web.portal.name.
  deflate_compression_level (int)
    Compression level (0 - 9).
  deflate_min_data_size (int)
    Minimum amount of data that triggers compression (200 - 65535 bytes).
  dns_server1 (str)
    DNS server 1.
  dns_server2 (str)
    DNS server 2.
  dns_suffix (str)
    DNS suffix used for SSL-VPN clients.
  dtls_hello_timeout (int)
    SSL-VPN maximum DTLS hello timeout (10 - 60 sec).
  dtls_max_proto_ver (str; choices: dtls1-0, dtls1-2)
    DTLS maximum protocol version.
  dtls_min_proto_ver (str; choices: dtls1-0, dtls1-2)
    DTLS minimum protocol version.
  dtls_tunnel (str; choices: enable, disable)
    Enable DTLS to prevent eavesdropping, tampering, or message forgery.
  encode_2f_sequence (str; choices: enable, disable)
    Encode the 2F sequence to a forward slash in URLs.
  encrypt_and_store_password (str; choices: enable, disable)
    Encrypt and store user passwords for SSL-VPN web sessions.
  force_two_factor_auth (str; choices: enable, disable)
    Allow only PKI users with two-factor authentication for SSL-VPNs.
  header_x_forwarded_for (str; choices: pass, add, remove)
    Forward the same, add, or remove the HTTP X-Forwarded-For header.
  hsts_include_subdomains (str; choices: enable, disable)
    Add the HSTS includeSubDomains response header.
  http_compression (str; choices: enable, disable)
    Enable to allow HTTP compression over SSL-VPN tunnels.
  http_only_cookie (str; choices: enable, disable)
    Enable/disable SSL-VPN support for HttpOnly cookies.
  http_request_body_timeout (int)
    The SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
  http_request_header_timeout (int)
    The SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
  https_redirect (str; choices: enable, disable)
    Enable/disable redirect of port 80 to the SSL-VPN port.
  idle_timeout (int)
    SSL VPN disconnects if idle for the specified time in seconds.
  ipv6_dns_server1 (str)
    IPv6 DNS server 1.
  ipv6_dns_server2 (str)
    IPv6 DNS server 2.
  ipv6_wins_server1 (str)
    IPv6 WINS server 1.
  ipv6_wins_server2 (str)
    IPv6 WINS server 2.
  login_attempt_limit (int)
    SSL VPN maximum number of login attempts before block (0 - 10).
  login_block_time (int)
    Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
  login_timeout (int)
    SSL-VPN maximum login timeout (10 - 180 sec).
  port (int)
    SSL-VPN access port (1 - 65535).
  port_precedence (str; choices: enable, disable)
    Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface.
  reqclientcert (str; choices: enable, disable)
    Enable to require client certificates for all SSL-VPN users.
  route_source_interface (str; choices: enable, disable)
    Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
  servercert (str)
    Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
  source_address (list)
    Source address of incoming traffic. Suboptions:
    name (str, required)
      Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
  source_address6 (list)
    IPv6 source address of incoming traffic. Suboptions:
    name (str, required)
      IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
  source_address6_negate (str; choices: enable, disable)
    Enable/disable negated source IPv6 address match.
  source_address_negate (str; choices: enable, disable)
    Enable/disable negated source address match.
  source_interface (list)
    SSL VPN source interface of incoming traffic. Suboptions:
    name (str, required)
      Interface name. Source system.interface.name system.zone.name.
  ssl_client_renegotiation (str; choices: disable, enable)
    Enable to allow client renegotiation by the server if the tunnel goes down.
  ssl_insert_empty_fragment (str; choices: enable, disable)
    Enable/disable insertion of an empty fragment.
  ssl_max_proto_ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3)
    SSL maximum protocol version.
  ssl_min_proto_ver (str; choices: tls1-0, tls1-1, tls1-2, tls1-3)
    SSL minimum protocol version.
  tlsv1_0 (str; choices: enable, disable)
    Enable/disable tlsv1-0.
  tlsv1_1 (str; choices: enable, disable)
    Enable/disable tlsv1-1.
  tlsv1_2 (str; choices: enable, disable)
    Enable/disable tlsv1-2.
  tlsv1_3 (str; choices: enable, disable)
    Enable/disable tlsv1-3.
  transform_backward_slashes (str; choices: enable, disable)
    Transform backward slashes to forward slashes in URLs.
  tunnel_connect_without_reauth (str; choices: enable, disable)
    Enable/disable tunnel connection without re-authorization if the previous connection dropped.
  tunnel_ip_pools (list)
    Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. Suboptions:
    name (str, required)
      Address name. Source firewall.address.name firewall.addrgrp.name.
  tunnel_ipv6_pools (list)
    Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. Suboptions:
    name (str, required)
      Address name. Source firewall.address6.name firewall.addrgrp6.name.
  tunnel_user_session_timeout (int)
    Timeout value for cleaning up the user session after the tunnel connection is dropped (1 - 255 sec).
  unsafe_legacy_renegotiation (str; choices: enable, disable)
    Enable/disable unsafe legacy re-negotiation.
  url_obscuration (str; choices: enable, disable)
    Enable to obscure the host name of the URL in the web browser display.
  user_peer (str)
    Name of user peer. Source user.peer.name.
  wins_server1 (str)
    WINS server 1.
  wins_server2 (str)
    WINS server 2.
  x_content_type_options (str; choices: enable, disable)
    Add the HTTP X-Content-Type-Options header.
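Added example, not code from the fortinet.fortios collection: a pre-flight lint for the vpn_ssl_settings body of a task, checking the integer ranges documented above and flagging the values a hardening review would query. The hardening baseline (TLS 1.2 minimum, no legacy renegotiation, lockout enabled) is an assumption, and the sample body is constructed from the placeholder values in this page's example task.

```python
# Added example, not code from the fortinet.fortios collection: a pre-flight lint for
# the vpn_ssl_settings body of a fortios_vpn_ssl_settings task, using ranges from this page.
from typing import Dict, List
# (low, high) bounds copied from the parameter descriptions above.
INT_RANGES = {
    "auth_timeout": (0, 259200), "deflate_compression_level": (0, 9),
    "deflate_min_data_size": (200, 65535), "dtls_hello_timeout": (10, 60),
    "http_request_body_timeout": (1, 60), "http_request_header_timeout": (1, 60),
    "login_attempt_limit": (0, 10), "login_block_time": (0, 86400),
    "login_timeout": (10, 180), "port": (1, 65535),
    "tunnel_user_session_timeout": (1, 255),
}
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
# Assumed hardening baseline: option values a review would normally flag.
WEAK_VALUES = {
    "unsafe_legacy_renegotiation": "enable", "ssl_client_renegotiation": "enable",
    "tlsv1_0": "enable", "tlsv1_1": "enable", "check_referer": "disable",
    "http_only_cookie": "disable", "auth_session_check_source_ip": "disable",
}
# Constructed sample: a subset of the placeholder values from this page's example task.
PAGE_EXAMPLE = {"deflate_compression_level": "30", "login_attempt_limit": "54",
                "port": "57", "ssl_min_proto_ver": "tls1-0",
                "tlsv1_0": "enable", "unsafe_legacy_renegotiation": "enable"}

def lint_vpn_ssl_settings(settings: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means the body passed."""
    findings: List[str] = []
    ints: Dict[str, int] = {}
    for key, (lo, hi) in INT_RANGES.items():
        if key not in settings:
            continue
        try:
            ints[key] = int(settings[key])  # the example task quotes integers as strings
        except (TypeError, ValueError):
            findings.append(f"{key}: {settings[key]!r} is not an integer")
            continue
        if not lo <= ints[key] <= hi:
            findings.append(f"{key}: {ints[key]} outside documented range {lo}-{hi}")
    if ints.get("auth_timeout") == 0:
        findings.append("auth_timeout: 0 disables the authentication timeout")
    if ints.get("login_attempt_limit") == 0:
        findings.append("login_attempt_limit: 0 disables blocking after failed logins")
    for key, weak in WEAK_VALUES.items():
        if settings.get(key) == weak:
            findings.append(f"{key}: {weak} weakens the SSL VPN")
    min_ver = settings.get("ssl_min_proto_ver")
    if min_ver in TLS_ORDER and TLS_ORDER.index(min_ver) < TLS_ORDER.index("tls1-2"):
        findings.append(f"ssl_min_proto_ver: {min_ver} permits TLS older than 1.2")
    return findings
```

Run against PAGE_EXAMPLE it reports the two placeholders that fall outside their documented ranges as well as the legacy TLS settings, which is why the example values must be adjusted before the task is applied to a device.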
Return values:

build (str, returned: always)
  Build number of the FortiGate image. Sample: '1547'
http_method (str, returned: always)
  Last method used to provision the content into FortiGate. Sample: PUT
http_status (str, returned: always)
  Last result given by FortiGate on the last operation applied. Sample: '200'
mkey (str, returned: success)
  Master key (id) used in the last call to FortiGate. Sample: id
name (str, returned: always)
  Name of the table used to fulfill the request. Sample: urlfilter
path (str, returned: always)
  Path of the table used to fulfill the request. Sample: webfilter
revision (str, returned: always)
  Internal revision number. Sample: 17.0.2.10658
serial (str, returned: always)
  Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (str, returned: always)
  Indication of the operation's result. Sample: success
vdom (str, returned: always)
  Virtual domain used. Sample: root
version (str, returned: always)
  Version of the FortiGate. Sample: v5.6.3