fortinet.fortios.fortios_firewall_access_proxy6 (2.3.6) — module

Configure IPv6 access proxy in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==2.3.6


Add to requirements.yml

  collections:
    - name: fortinet.fortios
      version: 2.3.6

Description

This module configures the firewall feature, access_proxy6 category, on a FortiGate or FortiOS (FOS) device, letting the user create, modify and remove IPv6 access proxy objects. The example below lists every parameter with a placeholder value; addresses, certificates, SAML servers, virtual hosts and other datasource references must be adjusted to objects that exist on the target device before use. Tested with FOS v6.0.0


Requirements

Usage examples

- name: Configure IPv6 access proxy.
  fortinet.fortios.fortios_firewall_access_proxy6:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_access_proxy6:
          add_vhost_domain_to_dnsdb: "enable"
          api_gateway:
              -
                  application:
                      -
                          name: "default_name_6"
                  h2_support: "enable"
                  h3_support: "enable"
                  http_cookie_age: "60"
                  http_cookie_domain: "<your_own_value>"
                  http_cookie_domain_from_host: "disable"
                  http_cookie_generation: "0"
                  http_cookie_path: "<your_own_value>"
                  http_cookie_share: "disable"
                  https_cookie_secure: "disable"
                  id: "16"
                  ldb_method: "static"
                  persistence: "none"
                  quic:
                      ack_delay_exponent: "3"
                      active_connection_id_limit: "2"
                      active_migration: "enable"
                      grease_quic_bit: "enable"
                      max_ack_delay: "25"
                      max_datagram_frame_size: "1500"
                      max_idle_timeout: "30000"
                      max_udp_payload_size: "1500"
                  realservers:
                      -
                          addr_type: "ip"
                          address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                          domain: "<your_own_value>"
                          external_auth: "enable"
                          health_check: "disable"
                          health_check_proto: "ping"
                          holddown_interval: "enable"
                          http_host: "myhostname"
                          id: "37"
                          ip: "<your_own_value>"
                          mappedport: "<your_own_value>"
                          port: "443"
                          ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                          ssh_host_key:
                              -
                                  name: "default_name_43 (source firewall.ssh.host-key.name)"
                          ssh_host_key_validation: "disable"
                          status: "active"
                          translate_host: "enable"
                          tunnel_encryption: "enable"
                          type: "tcp-forwarding"
                          weight: "1"
                  saml_redirect: "disable"
                  saml_server: "<your_own_value> (source user.saml.name)"
                  service: "http"
                  ssl_algorithm: "high"
                  ssl_cipher_suites:
                      -
                          cipher: "TLS-AES-128-GCM-SHA256"
                          priority: "<your_own_value>"
                          versions: "tls-1.0"
                  ssl_dh_bits: "768"
                  ssl_max_version: "tls-1.0"
                  ssl_min_version: "tls-1.0"
                  ssl_renegotiation: "enable"
                  ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
                  url_map: "<your_own_value>"
                  url_map_type: "sub-string"
                  virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
          api_gateway6:
              -
                  application:
                      -
                          name: "default_name_68"
                  h2_support: "enable"
                  h3_support: "enable"
                  http_cookie_age: "60"
                  http_cookie_domain: "<your_own_value>"
                  http_cookie_domain_from_host: "disable"
                  http_cookie_generation: "0"
                  http_cookie_path: "<your_own_value>"
                  http_cookie_share: "disable"
                  https_cookie_secure: "disable"
                  id: "78"
                  ldb_method: "static"
                  persistence: "none"
                  quic:
                      ack_delay_exponent: "3"
                      active_connection_id_limit: "2"
                      active_migration: "enable"
                      grease_quic_bit: "enable"
                      max_ack_delay: "25"
                      max_datagram_frame_size: "1500"
                      max_idle_timeout: "30000"
                      max_udp_payload_size: "1500"
                  realservers:
                      -
                          addr_type: "ip"
                          address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
                          domain: "<your_own_value>"
                          external_auth: "enable"
                          health_check: "disable"
                          health_check_proto: "ping"
                          holddown_interval: "enable"
                          http_host: "myhostname"
                          id: "99"
                          ip: "<your_own_value>"
                          mappedport: "<your_own_value>"
                          port: "443"
                          ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                          ssh_host_key:
                              -
                                  name: "default_name_105 (source firewall.ssh.host-key.name)"
                          ssh_host_key_validation: "disable"
                          status: "active"
                          translate_host: "enable"
                          tunnel_encryption: "enable"
                          type: "tcp-forwarding"
                          weight: "1"
                  saml_redirect: "disable"
                  saml_server: "<your_own_value> (source user.saml.name)"
                  service: "http"
                  ssl_algorithm: "high"
                  ssl_cipher_suites:
                      -
                          cipher: "TLS-AES-128-GCM-SHA256"
                          priority: "<your_own_value>"
                          versions: "tls-1.0"
                  ssl_dh_bits: "768"
                  ssl_max_version: "tls-1.0"
                  ssl_min_version: "tls-1.0"
                  ssl_renegotiation: "enable"
                  ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
                  url_map: "<your_own_value>"
                  url_map_type: "sub-string"
                  virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
          auth_portal: "disable"
          auth_virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
          client_cert: "disable"
          decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
          empty_cert_action: "accept"
          http_supported_max_version: "http1"
          log_blocked_traffic: "enable"
          name: "default_name_135"
          svr_pool_multiplex: "enable"
          svr_pool_server_max_concurrent_request: "0"
          svr_pool_server_max_request: "0"
          svr_pool_ttl: "15"
          user_agent_detect: "disable"
          vip: "<your_own_value> (source firewall.vip6.name)"
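The template above exercises every field and is not a deployable configuration: it pins TLS 1.0 as both minimum and maximum, uses 768-bit Diffie-Hellman, leaves https_cookie_secure and ssh_host_key_validation disabled, and disables health checks. The block below is an added example, not code from the collection or from Fortinet, showing a hardened HTTPS gateway in front of one IPv6 real server with the same module. Object names (`ztna-proxy6`, `vip6-ztna`, `vhost-app`), the inventory group `fortigates`, the vault variable `fortios_access_token` and the documentation address `2001:db8::10` are assumptions; the vip6 and virtual-host objects are assumed to exist already, and only values listed in the choices of this page are used.

```yaml
# Added example: hardened IPv6 access proxy (not the collection's own example).
# Assumes the httpapi connection plugin, an inventory group "fortigates",
# and an API token stored in Ansible Vault as fortios_access_token.
- name: Configure a hardened IPv6 ZTNA access proxy
  hosts: fortigates
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # do not skip TLS verification of the management API
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the access proxy
      fortinet.fortios.fortios_firewall_access_proxy6:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "{{ fortios_access_token }}"   # assumption: vault-encrypted variable
        firewall_access_proxy6:
          name: "ztna-proxy6"                        # hypothetical object name
          vip: "vip6-ztna"                           # assumption: existing firewall.vip6 object
          log_blocked_traffic: "enable"              # keep denied sessions visible to the SOC
          auth_portal: "disable"
          api_gateway6:
            - id: 1
              service: "https"
              url_map: "/"
              url_map_type: "sub-string"
              virtual_host: "vhost-app"              # assumption: existing access-proxy-virtual-host
              ldb_method: "first-alive"
              persistence: "http-cookie"
              https_cookie_secure: "enable"          # inserted cookies carry the Secure flag
              http_cookie_share: "disable"           # no cookie reuse across gateways
              http_cookie_age: 60
              h2_support: "enable"
              h3_support: "disable"                  # QUIC only where it is explicitly wanted
              ssl_min_version: "tls-1.2"             # template used tls-1.0
              ssl_max_version: "tls-1.3"
              ssl_dh_bits: "3072"                    # template used 768
              ssl_algorithm: "high"
              ssl_renegotiation: "enable"            # RFC 5746 secure renegotiation
              ssl_cipher_suites:                     # AEAD suites only, highest priority first
                - priority: 1
                  cipher: "TLS-AES-256-GCM-SHA384"
                  versions: ["tls-1.3"]
                - priority: 2
                  cipher: "TLS-CHACHA20-POLY1305-SHA256"
                  versions: ["tls-1.3"]
                - priority: 3
                  cipher: "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
                  versions: ["tls-1.2"]
                - priority: 4
                  cipher: "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
                  versions: ["tls-1.2"]
              realservers:
                - id: 1
                  addr_type: "ip"
                  ip: "2001:db8::10"                 # constructed documentation address
                  port: 443
                  status: "active"
                  health_check: "enable"             # template left this disabled
                  health_check_proto: "tcp-connect"
                  holddown_interval: "enable"
                  weight: 1
```

The RC4, DES, 3DES and MD5 suites in the `cipher` choices list exist for compatibility with legacy back ends and should not be offered; keeping `ssl_min_version` at tls-1.2 already excludes most of them. For a real server of `type: ssh`, set `ssh_host_key_validation: "enable"` and reference a `firewall.ssh.host-key` entry in `ssh_host_key`, otherwise the proxy will accept any host key presented by the back end.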

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameter marked with member_path is legitimate for doing member operation.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from GUI of Fortigate.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

firewall_access_proxy6:
    default: null
    description:
    - Configure IPv6 access proxy.
    suboptions:
      add_vhost_domain_to_dnsdb:
        choices:
        - enable
        - disable
        description:
        - Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.
        type: str
      api_gateway:
        description:
        - Set IPv4 API Gateway.
        elements: dict
        suboptions:
          application:
            description:
            - SaaS application controlled by this Access Proxy.
            elements: dict
            suboptions:
              name:
                description:
                - SaaS application name.
                required: true
                type: str
            type: list
          h2_support:
            choices:
            - enable
            - disable
            description:
            - HTTP2 support, default=Enable.
            type: str
          h3_support:
            choices:
            - enable
            - disable
            description:
            - HTTP3/QUIC support, default=Disable.
            type: str
          http_cookie_age:
            description:
            - Time in minutes that client web browsers should keep a cookie. Default is
              60 minutes. 0 = no time limit.
            type: int
          http_cookie_domain:
            description:
            - Domain that HTTP cookie persistence should apply to.
            type: str
          http_cookie_domain_from_host:
            choices:
            - disable
            - enable
            description:
            - Enable/disable use of HTTP cookie domain from host field in HTTP.
            type: str
          http_cookie_generation:
            description:
            - Generation of HTTP cookie to be accepted. Changing invalidates all existing
              cookies.
            type: int
          http_cookie_path:
            description:
            - Limit HTTP cookie persistence to the specified path.
            type: str
          http_cookie_share:
            choices:
            - disable
            - same-ip
            description:
            - Control sharing of cookies across API Gateway. Use of same-ip means a cookie
              from one virtual server can be used by another. Disable stops cookie sharing.
            type: str
          https_cookie_secure:
            choices:
            - disable
            - enable
            description:
            - Enable/disable verification that inserted HTTPS cookies are secure.
            type: str
          id:
            description:
            - API Gateway ID. See Notes.
            required: true
            type: int
          ldb_method:
            choices:
            - static
            - round-robin
            - weighted
            - first-alive
            - http-host
            description:
            - Method used to distribute sessions to real servers.
            type: str
          persistence:
            choices:
            - none
            - http-cookie
            description:
            - Configure how to make sure that clients connect to the same server every
              time they make a request that is part of the same session.
            type: str
          quic:
            description:
            - QUIC setting.
            suboptions:
              ack_delay_exponent:
                description:
                - ACK delay exponent (1 - 20).
                type: int
              active_connection_id_limit:
                description:
                - Active connection ID limit (1 - 8).
                type: int
              active_migration:
                choices:
                - enable
                - disable
                description:
                - Enable/disable active migration.
                type: str
              grease_quic_bit:
                choices:
                - enable
                - disable
                description:
                - Enable/disable grease QUIC bit.
                type: str
              max_ack_delay:
                description:
                - Maximum ACK delay in milliseconds (1 - 16383).
                type: int
              max_datagram_frame_size:
                description:
                - Maximum datagram frame size in bytes (1 - 1500).
                type: int
              max_idle_timeout:
                description:
                - Maximum idle timeout milliseconds (1 - 60000).
                type: int
              max_udp_payload_size:
                description:
                - Maximum UDP payload size in bytes (1200 - 1500).
                type: int
            type: dict
          realservers:
            description:
            - Select the real servers that this Access Proxy will distribute traffic to.
            elements: dict
            suboptions:
              addr_type:
                choices:
                - ip
                - fqdn
                description:
                - Type of address.
                type: str
              address:
                description:
                - Address or address group of the real server. Source firewall.address.name
                  firewall.addrgrp.name.
                type: str
              domain:
                description:
                - Wildcard domain name of the real server.
                type: str
              external_auth:
                choices:
                - enable
                - disable
                description:
                - Enable/disable use of external browser as user-agent for SAML user authentication.
                type: str
              health_check:
                choices:
                - disable
                - enable
                description:
                - Enable to check the responsiveness of the real server before forwarding
                  traffic.
                type: str
              health_check_proto:
                choices:
                - ping
                - http
                - tcp-connect
                description:
                - Protocol of the health check monitor to use when polling to determine
                  server's connectivity status.
                type: str
              holddown_interval:
                choices:
                - enable
                - disable
                description:
                - Enable/disable holddown timer. Server will be considered active and
                  reachable once the holddown period has expired (30 seconds).
                type: str
              http_host:
                description:
                - HTTP server domain name in HTTP header.
                type: str
              id:
                description:
                - Real server ID. See Notes.
                required: true
                type: int
              ip:
                description:
                - IP address of the real server.
                type: str
              mappedport:
                description:
                - Port for communicating with the real server.
                type: str
              port:
                description:
                - Port for communicating with the real server.
                type: int
              ssh_client_cert:
                description:
                - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.
                type: str
              ssh_host_key:
                description:
                - One or more server host key.
                elements: dict
                suboptions:
                  name:
                    description:
                    - Server host key name. Source firewall.ssh.host-key.name.
                    required: true
                    type: str
                type: list
              ssh_host_key_validation:
                choices:
                - disable
                - enable
                description:
                - Enable/disable SSH real server host key validation.
                type: str
              status:
                choices:
                - active
                - standby
                - disable
                description:
                - Set the status of the real server to active so that it can accept traffic,
                  or on standby or disabled so no traffic is sent.
                type: str
              translate_host:
                choices:
                - enable
                - disable
                description:
                - Enable/disable translation of hostname/IP from virtual server to real
                  server.
                type: str
              tunnel_encryption:
                choices:
                - enable
                - disable
                description:
                - Tunnel encryption.
                type: str
              type:
                choices:
                - tcp-forwarding
                - ssh
                description:
                - TCP forwarding server type.
                type: str
              weight:
                description:
                - Weight of the real server. If weighted load balancing is enabled, the
                  server with the highest weight gets more connections.
                type: int
            type: list
          saml_redirect:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SAML redirection after successful authentication.
            type: str
          saml_server:
            description:
            - SAML service provider configuration for VIP authentication. Source user.saml.name.
            type: str
          service:
            choices:
            - http
            - https
            - tcp-forwarding
            - samlsp
            - web-portal
            - saas
            description:
            - Service.
            type: str
          ssl_algorithm:
            choices:
            - high
            - medium
            - low
            description:
            - Permitted encryption algorithms for the server side of SSL full mode sessions
              according to encryption strength.
            type: str
          ssl_cipher_suites:
            description:
            - SSL/TLS cipher suites to offer to a server, ordered by priority.
            elements: dict
            suboptions:
              cipher:
                choices:
                - TLS-AES-128-GCM-SHA256
                - TLS-AES-256-GCM-SHA384
                - TLS-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-AES-128-CBC-SHA
                - TLS-RSA-WITH-AES-256-CBC-SHA
                - TLS-RSA-WITH-AES-128-CBC-SHA256
                - TLS-RSA-WITH-AES-128-GCM-SHA256
                - TLS-RSA-WITH-AES-256-CBC-SHA256
                - TLS-RSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-SEED-CBC-SHA
                - TLS-DHE-DSS-WITH-SEED-CBC-SHA
                - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                - TLS-RSA-WITH-SEED-CBC-SHA
                - TLS-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-RC4-128-SHA
                - TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-RC4-128-MD5
                - TLS-RSA-WITH-RC4-128-SHA
                - TLS-DHE-RSA-WITH-DES-CBC-SHA
                - TLS-DHE-DSS-WITH-DES-CBC-SHA
                - TLS-RSA-WITH-DES-CBC-SHA
                description:
                - Cipher suite name.
                type: str
              priority:
                description:
                - SSL/TLS cipher suites priority. See Notes.
                required: true
                type: int
              versions:
                choices:
                - tls-1.0
                - tls-1.1
                - tls-1.2
                - tls-1.3
                description:
                - SSL/TLS versions that the cipher suite can be used with.
                elements: str
                type: list
            type: list
          ssl_dh_bits:
            choices:
            - '768'
            - '1024'
            - '1536'
            - '2048'
            - '3072'
            - '4096'
            description:
            - Number of bits to use in the Diffie-Hellman exchange for RSA encryption
              of SSL sessions.
            type: str
          ssl_max_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Highest SSL/TLS version acceptable from a server.
            type: str
          ssl_min_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Lowest SSL/TLS version acceptable from a server.
            type: str
          ssl_renegotiation:
            choices:
            - enable
            - disable
            description:
            - Enable/disable secure renegotiation to comply with RFC 5746.
            type: str
          ssl_vpn_web_portal:
            description:
            - SSL-VPN web portal. Source vpn.ssl.web.portal.name.
            type: str
          url_map:
            description:
            - URL pattern to match.
            type: str
          url_map_type:
            choices:
            - sub-string
            - wildcard
            - regex
            description:
            - Type of url-map.
            type: str
          virtual_host:
            description:
            - Virtual host. Source firewall.access-proxy-virtual-host.name.
            type: str
        type: list
      api_gateway6:
        description:
        - Set IPv6 API Gateway.
        elements: dict
        suboptions:
          application:
            description:
            - SaaS application controlled by this Access Proxy.
            elements: dict
            suboptions:
              name:
                description:
                - SaaS application name.
                required: true
                type: str
            type: list
          h2_support:
            choices:
            - enable
            - disable
            description:
            - HTTP2 support, default=Enable.
            type: str
          h3_support:
            choices:
            - enable
            - disable
            description:
            - HTTP3/QUIC support, default=Disable.
            type: str
          http_cookie_age:
            description:
            - Time in minutes that client web browsers should keep a cookie. Default is
              60 minutes. 0 = no time limit.
            type: int
          http_cookie_domain:
            description:
            - Domain that HTTP cookie persistence should apply to.
            type: str
          http_cookie_domain_from_host:
            choices:
            - disable
            - enable
            description:
            - Enable/disable use of HTTP cookie domain from host field in HTTP.
            type: str
          http_cookie_generation:
            description:
            - Generation of HTTP cookie to be accepted. Changing invalidates all existing
              cookies.
            type: int
          http_cookie_path:
            description:
            - Limit HTTP cookie persistence to the specified path.
            type: str
          http_cookie_share:
            choices:
            - disable
            - same-ip
            description:
            - Control sharing of cookies across API Gateway. Use of same-ip means a cookie
              from one virtual server can be used by another. Disable stops cookie sharing.
            type: str
          https_cookie_secure:
            choices:
            - disable
            - enable
            description:
            - Enable/disable verification that inserted HTTPS cookies are secure.
            type: str
          id:
            description:
            - API Gateway ID. See Notes.
            required: true
            type: int
          ldb_method:
            choices:
            - static
            - round-robin
            - weighted
            - first-alive
            - http-host
            description:
            - Method used to distribute sessions to real servers.
            type: str
          persistence:
            choices:
            - none
            - http-cookie
            description:
            - Configure how to make sure that clients connect to the same server every
              time they make a request that is part of the same session.
            type: str
          quic:
            description:
            - QUIC setting.
            suboptions:
              ack_delay_exponent:
                description:
                - ACK delay exponent (1 - 20).
                type: int
              active_connection_id_limit:
                description:
                - Active connection ID limit (1 - 8).
                type: int
              active_migration:
                choices:
                - enable
                - disable
                description:
                - Enable/disable active migration.
                type: str
              grease_quic_bit:
                choices:
                - enable
                - disable
                description:
                - Enable/disable grease QUIC bit.
                type: str
              max_ack_delay:
                description:
                - Maximum ACK delay in milliseconds (1 - 16383).
                type: int
              max_datagram_frame_size:
                description:
                - Maximum datagram frame size in bytes (1 - 1500).
                type: int
              max_idle_timeout:
                description:
                - Maximum idle timeout milliseconds (1 - 60000).
                type: int
              max_udp_payload_size:
                description:
                - Maximum UDP payload size in bytes (1200 - 1500).
                type: int
            type: dict
          realservers:
            description:
            - Select the real servers that this Access Proxy will distribute traffic to.
            elements: dict
            suboptions:
              addr_type:
                choices:
                - ip
                - fqdn
                description:
                - Type of address.
                type: str
              address:
                description:
                - Address or address group of the real server. Source firewall.address6.name
                  firewall.addrgrp6.name.
                type: str
              domain:
                description:
                - Wildcard domain name of the real server.
                type: str
              external_auth:
                choices:
                - enable
                - disable
                description:
                - Enable/disable use of external browser as user-agent for SAML user authentication.
                type: str
              health_check:
                choices:
                - disable
                - enable
                description:
                - Enable to check the responsiveness of the real server before forwarding
                  traffic.
                type: str
              health_check_proto:
                choices:
                - ping
                - http
                - tcp-connect
                description:
                - Protocol of the health check monitor to use when polling to determine
                  the server's connectivity status.
                type: str
              holddown_interval:
                choices:
                - enable
                - disable
                description:
                - Enable/disable holddown timer. Server will be considered active and
                  reachable once the holddown period has expired (30 seconds).
                type: str
              http_host:
                description:
                - HTTP server domain name in HTTP header.
                type: str
              id:
                description:
                - Real server ID. See Notes.
                required: true
                type: int
              ip:
                description:
                - IPv6 address of the real server.
                type: str
              mappedport:
                description:
                - Port for communicating with the real server.
                type: str
              port:
                description:
                - Port for communicating with the real server.
                type: int
              ssh_client_cert:
                description:
                - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.
                type: str
              ssh_host_key:
                description:
                - One or more server host keys.
                elements: dict
                suboptions:
                  name:
                    description:
                    - Server host key name. Source firewall.ssh.host-key.name.
                    required: true
                    type: str
                type: list
              ssh_host_key_validation:
                choices:
                - disable
                - enable
                description:
                - Enable/disable SSH real server host key validation.
                type: str
              status:
                choices:
                - active
                - standby
                - disable
                description:
                - Set the status of the real server to active so that it can accept traffic,
                  or on standby or disabled so no traffic is sent.
                type: str
              translate_host:
                choices:
                - enable
                - disable
                description:
                - Enable/disable translation of hostname/IP from virtual server to real
                  server.
                type: str
              tunnel_encryption:
                choices:
                - enable
                - disable
                description:
                - Tunnel encryption.
                type: str
              type:
                choices:
                - tcp-forwarding
                - ssh
                description:
                - TCP forwarding server type.
                type: str
              weight:
                description:
                - Weight of the real server. If weighted load balancing is enabled, the
                  server with the highest weight gets more connections.
                type: int
            type: list
          saml_redirect:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SAML redirection after successful authentication.
            type: str
          saml_server:
            description:
            - SAML service provider configuration for VIP authentication. Source user.saml.name.
            type: str
          service:
            choices:
            - http
            - https
            - tcp-forwarding
            - samlsp
            - web-portal
            - saas
            description:
            - Service.
            type: str
          ssl_algorithm:
            choices:
            - high
            - medium
            - low
            description:
            - Permitted encryption algorithms for the server side of SSL full mode sessions
              according to encryption strength.
            type: str
          ssl_cipher_suites:
            description:
            - SSL/TLS cipher suites to offer to a server, ordered by priority.
            elements: dict
            suboptions:
              cipher:
                choices:
                - TLS-AES-128-GCM-SHA256
                - TLS-AES-256-GCM-SHA384
                - TLS-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-AES-128-CBC-SHA
                - TLS-RSA-WITH-AES-256-CBC-SHA
                - TLS-RSA-WITH-AES-128-CBC-SHA256
                - TLS-RSA-WITH-AES-128-GCM-SHA256
                - TLS-RSA-WITH-AES-256-CBC-SHA256
                - TLS-RSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-SEED-CBC-SHA
                - TLS-DHE-DSS-WITH-SEED-CBC-SHA
                - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                - TLS-RSA-WITH-SEED-CBC-SHA
                - TLS-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-RC4-128-SHA
                - TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-RC4-128-MD5
                - TLS-RSA-WITH-RC4-128-SHA
                - TLS-DHE-RSA-WITH-DES-CBC-SHA
                - TLS-DHE-DSS-WITH-DES-CBC-SHA
                - TLS-RSA-WITH-DES-CBC-SHA
                description:
                - Cipher suite name.
                type: str
              priority:
                description:
                - SSL/TLS cipher suite priority. See Notes.
                required: true
                type: int
              versions:
                choices:
                - tls-1.0
                - tls-1.1
                - tls-1.2
                - tls-1.3
                description:
                - SSL/TLS versions that the cipher suite can be used with.
                elements: str
                type: list
            type: list
          ssl_dh_bits:
            choices:
            - '768'
            - '1024'
            - '1536'
            - '2048'
            - '3072'
            - '4096'
            description:
            - Number of bits to use in the Diffie-Hellman exchange for RSA encryption
              of SSL sessions.
            type: str
          ssl_max_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Highest SSL/TLS version acceptable from a server.
            type: str
          ssl_min_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Lowest SSL/TLS version acceptable from a server.
            type: str
          ssl_renegotiation:
            choices:
            - enable
            - disable
            description:
            - Enable/disable secure renegotiation to comply with RFC 5746.
            type: str
          ssl_vpn_web_portal:
            description:
            - SSL-VPN web portal. Source vpn.ssl.web.portal.name.
            type: str
          url_map:
            description:
            - URL pattern to match.
            type: str
          url_map_type:
            choices:
            - sub-string
            - wildcard
            - regex
            description:
            - Type of url-map.
            type: str
          virtual_host:
            description:
            - Virtual host. Source firewall.access-proxy-virtual-host.name.
            type: str
        type: list
      auth_portal:
        choices:
        - disable
        - enable
        description:
        - Enable/disable authentication portal.
        type: str
      auth_virtual_host:
        description:
        - Virtual host for authentication portal. Source firewall.access-proxy-virtual-host.name.
        type: str
      client_cert:
        choices:
        - disable
        - enable
        description:
        - Enable/disable requesting a client certificate.
        type: str
      decrypted_traffic_mirror:
        description:
        - Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name.
        type: str
      empty_cert_action:
        choices:
        - accept
        - block
        - accept-unmanageable
        description:
        - Action of an empty client certificate.
        type: str
      http_supported_max_version:
        choices:
        - http1
        - http2
        description:
        - Maximum supported HTTP version (default = http2).
        type: str
      log_blocked_traffic:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging of blocked traffic.
        type: str
      name:
        description:
        - Access Proxy name.
        required: true
        type: str
      svr_pool_multiplex:
        choices:
        - enable
        - disable
        description:
        - Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS,
          and web-portal api-gateway.
        type: str
      svr_pool_server_max_concurrent_request:
        description:
        - Maximum number of concurrent requests that servers in the server pool can handle.
        type: int
      svr_pool_server_max_request:
        description:
        - Maximum number of requests that servers in the server pool handle before disconnecting.
        type: int
      svr_pool_ttl:
        description:
        - Time-to-live in the server pool for idle connections to servers.
        type: int
      user_agent_detect:
        choices:
        - disable
        - enable
        description:
        - Enable/disable detecting the device type from the HTTP User-Agent header when
          no client certificate is provided.
        type: str
      vip:
        description:
        - Virtual IP name. Source firewall.vip6.name.
        type: str
    type: dict
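The options above expose several settings that decide how much protection the proxy actually gives: `ssl_min_version`, `ssl_dh_bits`, `ssl_renegotiation`, the `ssl_cipher_suites` list (which still admits RC4, DES, 3DES and MD5 suites), real-server `health_check` and `ssh_host_key_validation`, `empty_cert_action` and `log_blocked_traffic`. The following Python lint is an added example, not code from the fortinet.fortios collection or this module: it walks a `firewall_access_proxy6` parameter dict shaped exactly as a playbook would pass it and reports settings a reviewer would question before the task runs. The sample configuration, the TLS 1.2 and 2048-bit DH thresholds, and the weak-cipher markers are constructed assumptions for the demonstration; the option names and choice values are the ones documented above.

```python
"""Lint a fortios_firewall_access_proxy6 parameter dict before it is applied.

Added example; not part of the fortinet.fortios collection.  Policy
thresholds and the sample configuration are constructed for illustration.
"""

# Substrings of ssl_cipher_suites choice names whose primitives are
# deprecated (RC4, single DES, 3DES, MD5).  Constructed policy list.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "3DES", "MD5")

# Ordering of the module's tls-* choice values, lowest first.
TLS_ORDER = {"tls-1.0": 0, "tls-1.1": 1, "tls-1.2": 2, "tls-1.3": 3}

MIN_TLS = "tls-1.2"   # constructed threshold
MIN_DH_BITS = 2048    # constructed threshold


def _tls_rank(version):
    # Unknown values rank high so they never produce a false finding.
    return TLS_ORDER.get(version, 99)


def lint_api_gateway(gw):
    """Return findings (strings) for one api_gateway entry."""
    findings = []
    gid = gw.get("id", "?")

    min_ver = gw.get("ssl_min_version")
    if min_ver is not None and _tls_rank(min_ver) < _tls_rank(MIN_TLS):
        findings.append(f"api_gateway {gid}: ssl_min_version {min_ver} is below {MIN_TLS}")

    dh_bits = gw.get("ssl_dh_bits")
    if dh_bits is not None and int(dh_bits) < MIN_DH_BITS:
        findings.append(f"api_gateway {gid}: ssl_dh_bits {dh_bits} is below {MIN_DH_BITS}")

    if gw.get("ssl_renegotiation") == "disable":
        findings.append(f"api_gateway {gid}: ssl_renegotiation is disabled (RFC 5746)")

    for suite in gw.get("ssl_cipher_suites") or []:
        cipher = suite.get("cipher", "")
        prio = suite.get("priority")
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"api_gateway {gid}: weak cipher suite {cipher} (priority {prio})")
        old = [v for v in suite.get("versions") or [] if _tls_rank(v) < _tls_rank(MIN_TLS)]
        if old:
            findings.append(f"api_gateway {gid}: {cipher} offered for {', '.join(old)}")

    for rs in gw.get("realservers") or []:
        rid = rs.get("id", "?")
        if rs.get("health_check") != "enable":
            findings.append(f"api_gateway {gid} realserver {rid}: health_check not enabled")
        if rs.get("type") == "ssh" and rs.get("ssh_host_key_validation") != "enable":
            findings.append(f"api_gateway {gid} realserver {rid}: ssh_host_key_validation not enabled")

    return findings


def lint_access_proxy6(params):
    """Return all findings for a firewall_access_proxy6 parameter dict."""
    findings = []
    for gw in params.get("api_gateway") or []:
        findings.extend(lint_api_gateway(gw))
    if params.get("client_cert") == "enable" and params.get("empty_cert_action") == "accept":
        findings.append("client_cert is requested but empty_cert_action accepts an empty certificate")
    if params.get("log_blocked_traffic") != "enable":
        findings.append("log_blocked_traffic is not enabled")
    return findings


# Constructed sample: the dict a playbook would pass as firewall_access_proxy6.
SAMPLE_PARAMS = {
    "name": "example-access-proxy6",
    "client_cert": "enable",
    "empty_cert_action": "accept",
    "log_blocked_traffic": "disable",
    "api_gateway": [
        {
            "id": 1,
            "service": "https",
            "ssl_min_version": "tls-1.0",
            "ssl_max_version": "tls-1.3",
            "ssl_dh_bits": "1024",
            "ssl_renegotiation": "enable",
            "ssl_cipher_suites": [
                {"priority": 1, "cipher": "TLS-AES-256-GCM-SHA384", "versions": ["tls-1.3"]},
                {"priority": 2, "cipher": "TLS-RSA-WITH-RC4-128-SHA", "versions": ["tls-1.0", "tls-1.1"]},
            ],
            "realservers": [
                {"id": 1, "ip": "2001:db8::10", "port": 443, "health_check": "enable", "status": "active"},
                {"id": 2, "ip": "2001:db8::11", "port": 22, "type": "ssh", "health_check": "disable",
                 "ssh_host_key_validation": "disable", "status": "active"},
            ],
        }
    ],
}

if __name__ == "__main__":
    for line in lint_access_proxy6(SAMPLE_PARAMS):
        print(line)
```

Run the lint against the variables of a play (for instance in a pre-task with a `fail` when the list is non-empty) so a gateway that is being created with TLS 1.0, a 1024-bit DH group, an RC4 suite or an SSH real server without host-key validation is caught in CI rather than on the FortiGate.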

Outputs

build:
  description: Build number of the FortiGate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str