fortinet.fortios.fortios_firewall_policy6 (2.3.6) — module

Configure IPv6 policies in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==2.3.6


Add to requirements.yml

  collections:
    - name: fortinet.fortios
      version: 2.3.6

Description

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the policy6 category of the firewall feature. The examples include all parameters; values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

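# Example task for fortinet.fortios.fortios_firewall_policy6.
# Every "<your_own_value>" is a placeholder; the "(source x.y.name)" suffixes are
# documentation hints naming the FortiOS table the value must already exist in
# and are not part of the value itself.
- name: Configure IPv6 policies.
  fortinet.fortios.fortios_firewall_policy6:
      vdom: "{{ vdom }}"
      state: "present"
      # access_token is a credential: keep it out of the playbook text (Ansible Vault,
      # an environment lookup or a secrets store) rather than committing it.
      access_token: "<your_own_value>"
      firewall_policy6:
          action: "accept"
          anti_replay: "enable"
          app_category:
              - id: "6"
          app_group:
              - name: "default_name_8 (source application.group.name)"
          application:
              - id: "10"
          application_list: "<your_own_value> (source application.list.name)"
          auto_asic_offload: "enable"
          av_profile: "<your_own_value> (source antivirus.profile.name)"
          cifs_profile: "<your_own_value> (source cifs.profile.name)"
          comments: "<your_own_value>"
          custom_log_fields:
              - field_id: "<your_own_value> (source log.custom-field.id)"
          devices:
              - name: "default_name_19 (source user.device.alias user.device-group.name user.device-category.name)"
          diffserv_forward: "enable"
          diffserv_reverse: "enable"
          diffservcode_forward: "<your_own_value>"
          diffservcode_rev: "<your_own_value>"
          dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
          dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
          dscp_match: "enable"
          dscp_negate: "enable"
          dscp_value: "<your_own_value>"
          dsri: "enable"
          dstaddr:
              # Kept on one line: the rendered wrap split "system.external-resource.name"
              # into "system .external-resource.name", which is not a valid source table.
              - name: "default_name_31 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system.external-resource.name)"
          dstaddr_negate: "enable"
          dstintf:
              - name: "default_name_34 (source system.interface.name system.zone.name)"
          emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
          firewall_session_dirty: "check-all"
          fixedport: "enable"
          fsso_groups:
              - name: "default_name_39 (source user.adgrp.name)"
          global_label: "<your_own_value>"
          groups:
              - name: "default_name_42 (source user.group.name)"
          http_policy_redirect: "enable"
          icap_profile: "<your_own_value> (source icap.profile.name)"
          inbound: "enable"
          inspection_mode: "proxy"
          ippool: "enable"
          ips_sensor: "<your_own_value> (source ips.sensor.name)"
          label: "<your_own_value>"
          # "all" logs every session matched by the policy, not only UTM events.
          logtraffic: "all"
          logtraffic_start: "enable"
          mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
          name: "default_name_53"
          nat: "enable"
          natinbound: "enable"
          natoutbound: "enable"
          np_acceleration: "enable"
          outbound: "enable"
          per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
          # policyid is required (type int, 0 - 4294967294); placeholder typo fixed.
          policyid: "<your_own_value>"
          poolname:
              - name: "default_name_62 (source firewall.ippool6.name)"
          profile_group: "<your_own_value> (source firewall.profile-group.name)"
          profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
          profile_type: "single"
          replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          rsso: "enable"
          schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
          send_deny_packet: "enable"
          service:
              - name: "default_name_71 (source firewall.service.custom.name firewall.service.group.name)"
          service_negate: "enable"
          session_ttl: "<your_own_value>"
          spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
          srcaddr:
              - name: "default_name_76 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          srcaddr_negate: "enable"
          srcintf:
              - name: "default_name_79 (source system.zone.name system.interface.name)"
          ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
          ssh_policy_redirect: "enable"
          # ssl_mirror copies decrypted SSL traffic to ssl_mirror_intf; review who can
          # read that interface before enabling it outside an example.
          ssl_mirror: "enable"
          ssl_mirror_intf:
              - name: "default_name_84 (source system.zone.name system.interface.name)"
          ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
          status: "enable"
          tcp_mss_receiver: "32767"
          tcp_mss_sender: "32767"
          tcp_session_without_syn: "all"
          timeout_send_rst: "enable"
          tos: "<your_own_value>"
          tos_mask: "<your_own_value>"
          tos_negate: "enable"
          traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
          traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
          url_category:
              - id: "97"
          users:
              - name: "default_name_99 (source user.local.name)"
          utm_status: "enable"
          uuid: "<your_own_value>"
          vlan_cos_fwd: "3"
          vlan_cos_rev: "3"
          vlan_filter: "<your_own_value>"
          voip_profile: "<your_own_value> (source voip.profile.name)"
          vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
          waf_profile: "<your_own_value> (source waf.profile.name)"
          webcache: "enable"
          webcache_https: "disable"
          webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
          webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
          webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"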

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there is more than one attribute.
    - Parameters marked with member_path are valid for member operations.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

firewall_policy6:
    default: null
    description:
    - Configure IPv6 policies.
    suboptions:
      action:
        choices:
        - accept
        - deny
        - ipsec
        description:
        - Policy action (accept/deny/ipsec).
        type: str
      anti_replay:
        choices:
        - enable
        - disable
        description:
        - Enable/disable anti-replay check.
        type: str
      app_category:
        description:
        - Application category ID list.
        elements: dict
        suboptions:
          id:
            description:
            - Category IDs. see <a href='#notes'>Notes</a>.
            required: true
            type: int
        type: list
      app_group:
        description:
        - Application group names.
        elements: dict
        suboptions:
          name:
            description:
            - Application group names. Source application.group.name.
            required: true
            type: str
        type: list
      application:
        description:
        - Application ID list.
        elements: dict
        suboptions:
          id:
            description:
            - Application IDs. see <a href='#notes'>Notes</a>.
            required: true
            type: int
        type: list
      application_list:
        description:
        - Name of an existing Application list. Source application.list.name.
        type: str
      auto_asic_offload:
        choices:
        - enable
        - disable
        description:
        - Enable/disable policy traffic ASIC offloading.
        type: str
      av_profile:
        description:
        - Name of an existing Antivirus profile. Source antivirus.profile.name.
        type: str
      cifs_profile:
        description:
        - Name of an existing CIFS profile. Source cifs.profile.name.
        type: str
      comments:
        description:
        - Comment.
        type: str
      custom_log_fields:
        description:
        - Log field index numbers to append custom log fields to log messages for this
          policy.
        elements: dict
        suboptions:
          field_id:
            description:
            - Custom log field. Source log.custom-field.id.
            required: true
            type: str
        type: list
      devices:
        description:
        - Names of devices or device groups that can be matched by the policy.
        elements: dict
        suboptions:
          name:
            description:
            - Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
            required: true
            type: str
        type: list
      diffserv_forward:
        choices:
        - enable
        - disable
        description:
        - Enable to change the packet's DiffServ values to the specified diffservcode-forward
          value.
        type: str
      diffserv_reverse:
        choices:
        - enable
        - disable
        description:
        - Enable to change the packet's reverse (reply) DiffServ values to the specified diffservcode-rev
          value.
        type: str
      diffservcode_forward:
        description:
        - Change the packet's DiffServ to this value.
        type: str
      diffservcode_rev:
        description:
        - Change the packet's reverse (reply) DiffServ to this value.
        type: str
      dlp_sensor:
        description:
        - Name of an existing DLP sensor. Source dlp.sensor.name.
        type: str
      dnsfilter_profile:
        description:
        - Name of an existing DNS filter profile. Source dnsfilter.profile.name.
        type: str
      dscp_match:
        choices:
        - enable
        - disable
        description:
        - Enable DSCP check.
        type: str
      dscp_negate:
        choices:
        - enable
        - disable
        description:
        - Enable negated DSCP match.
        type: str
      dscp_value:
        description:
        - DSCP value.
        type: str
      dsri:
        choices:
        - enable
        - disable
        description:
        - Enable DSRI to ignore HTTP server responses.
        type: str
      dstaddr:
        description:
        - Destination address and address group names.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name
              firewall.vipgrp6.name system.external-resource.name.
            required: true
            type: str
        type: list
      dstaddr_negate:
        choices:
        - enable
        - disable
        description:
        - When enabled dstaddr specifies what the destination address must NOT be.
        type: str
      dstintf:
        description:
        - Outgoing (egress) interface.
        elements: dict
        suboptions:
          name:
            description:
            - Interface name. Source system.interface.name system.zone.name.
            required: true
            type: str
        type: list
      emailfilter_profile:
        description:
        - Name of an existing email filter profile. Source emailfilter.profile.name.
        type: str
      firewall_session_dirty:
        choices:
        - check-all
        - check-new
        description:
        - How to handle sessions if the configuration of this firewall policy changes.
        type: str
      fixedport:
        choices:
        - enable
        - disable
        description:
        - Enable to prevent source NAT from changing a session's source port.
        type: str
      fsso_groups:
        description:
        - Names of FSSO groups.
        elements: dict
        suboptions:
          name:
            description:
            - Names of FSSO groups. Source user.adgrp.name.
            required: true
            type: str
        type: list
      global_label:
        description:
        - Label for the policy that appears when the GUI is in Global View mode.
        type: str
      groups:
        description:
        - Names of user groups that can authenticate with this policy.
        elements: dict
        suboptions:
          name:
            description:
            - Group name. Source user.group.name.
            required: true
            type: str
        type: list
      http_policy_redirect:
        choices:
        - enable
        - disable
        description:
        - Redirect HTTP(S) traffic to matching transparent web proxy policy.
        type: str
      icap_profile:
        description:
        - Name of an existing ICAP profile. Source icap.profile.name.
        type: str
      inbound:
        choices:
        - enable
        - disable
        description:
        - 'Policy-based IPsec VPN: only traffic from the remote network can initiate a
          VPN.'
        type: str
      inspection_mode:
        choices:
        - proxy
        - flow
        description:
        - Policy inspection mode (Flow/proxy). Default is Flow mode.
        type: str
      ippool:
        choices:
        - enable
        - disable
        description:
        - Enable to use IP Pools for source NAT.
        type: str
      ips_sensor:
        description:
        - Name of an existing IPS sensor. Source ips.sensor.name.
        type: str
      label:
        description:
        - Label for the policy that appears when the GUI is in Section View mode.
        type: str
      logtraffic:
        choices:
        - all
        - utm
        - disable
        description:
        - Enable or disable logging. Log all sessions or security profile sessions.
        type: str
      logtraffic_start:
        choices:
        - enable
        - disable
        description:
        - Record logs when a session starts.
        type: str
      mms_profile:
        description:
        - Name of an existing MMS profile. Source firewall.mms-profile.name.
        type: str
      name:
        description:
        - Policy name.
        type: str
      nat:
        choices:
        - enable
        - disable
        description:
        - Enable/disable source NAT.
        type: str
      natinbound:
        choices:
        - enable
        - disable
        description:
        - 'Policy-based IPsec VPN: apply destination NAT to inbound traffic.'
        type: str
      natoutbound:
        choices:
        - enable
        - disable
        description:
        - 'Policy-based IPsec VPN: apply source NAT to outbound traffic.'
        type: str
      np_acceleration:
        choices:
        - enable
        - disable
        description:
        - Enable/disable UTM Network Processor acceleration.
        type: str
      outbound:
        choices:
        - enable
        - disable
        description:
        - 'Policy-based IPsec VPN: only traffic from the internal network can initiate
          a VPN.'
        type: str
      per_ip_shaper:
        description:
        - Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
        type: str
      policyid:
        description:
        - Policy ID (0 - 4294967294). see <a href='#notes'>Notes</a>.
        required: true
        type: int
      poolname:
        description:
        - IP Pool names.
        elements: dict
        suboptions:
          name:
            description:
            - IP pool name. Source firewall.ippool6.name.
            required: true
            type: str
        type: list
      profile_group:
        description:
        - Name of profile group. Source firewall.profile-group.name.
        type: str
      profile_protocol_options:
        description:
        - Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
        type: str
      profile_type:
        choices:
        - single
        - group
        description:
        - Determine whether the firewall policy allows security profile groups or single
          profiles only.
        type: str
      replacemsg_override_group:
        description:
        - Override the default replacement message group for this policy. Source system.replacemsg-group.name.
        type: str
      rsso:
        choices:
        - enable
        - disable
        description:
        - Enable/disable RADIUS single sign-on (RSSO).
        type: str
      schedule:
        description:
        - Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name
          firewall.schedule.group.name.
        type: str
      send_deny_packet:
        choices:
        - enable
        - disable
        description:
        - Enable/disable return of deny-packet.
        type: str
      service:
        description:
        - Service and service group names.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.service.custom.name firewall.service.group.name.
            required: true
            type: str
        type: list
      service_negate:
        choices:
        - enable
        - disable
        description:
        - When enabled service specifies what the service must NOT be.
        type: str
      session_ttl:
        description:
        - Session TTL in seconds for sessions accepted by this policy. 0 means use the
          system default session TTL.
        type: str
      spamfilter_profile:
        description:
        - Name of an existing Spam filter profile. Source spamfilter.profile.name.
        type: str
      srcaddr:
        description:
        - Source address and address group names.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
            required: true
            type: str
        type: list
      srcaddr_negate:
        choices:
        - enable
        - disable
        description:
        - When enabled srcaddr specifies what the source address must NOT be.
        type: str
      srcintf:
        description:
        - Incoming (ingress) interface.
        elements: dict
        suboptions:
          name:
            description:
            - Interface name. Source system.zone.name system.interface.name.
            required: true
            type: str
        type: list
      ssh_filter_profile:
        description:
        - Name of an existing SSH filter profile. Source ssh-filter.profile.name.
        type: str
      ssh_policy_redirect:
        choices:
        - enable
        - disable
        description:
        - Redirect SSH traffic to matching transparent proxy policy.
        type: str
      ssl_mirror:
        choices:
        - enable
        - disable
        description:
        - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
        type: str
      ssl_mirror_intf:
        description:
        - SSL mirror interface name.
        elements: dict
        suboptions:
          name:
            description:
            - Interface name. Source system.zone.name system.interface.name.
            required: true
            type: str
        type: list
      ssl_ssh_profile:
        description:
        - Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
        type: str
      status:
        choices:
        - enable
        - disable
        description:
        - Enable or disable this policy.
        type: str
      tcp_mss_receiver:
        description:
        - Receiver TCP maximum segment size (MSS).
        type: int
      tcp_mss_sender:
        description:
        - Sender TCP maximum segment size (MSS).
        type: int
      tcp_session_without_syn:
        choices:
        - all
        - data-only
        - disable
        description:
        - Enable/disable creation of TCP session without SYN flag.
        type: str
      timeout_send_rst:
        choices:
        - enable
        - disable
        description:
        - Enable/disable sending RST packets when TCP sessions expire.
        type: str
      tos:
        description:
        - ToS (Type of Service) value used for comparison.
        type: str
      tos_mask:
        description:
        - Non-zero bit positions are used for comparison while zero bit positions are
          ignored.
        type: str
      tos_negate:
        choices:
        - enable
        - disable
        description:
        - Enable negated TOS match.
        type: str
      traffic_shaper:
        description:
        - Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
        type: str
      traffic_shaper_reverse:
        description:
        - Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
        type: str
      url_category:
        description:
        - URL category ID list.
        elements: dict
        suboptions:
          id:
            description:
            - URL category ID. see <a href='#notes'>Notes</a>.
            required: true
            type: int
        type: list
      users:
        description:
        - Names of individual users that can authenticate with this policy.
        elements: dict
        suboptions:
          name:
            description:
            - Names of individual users that can authenticate with this policy. Source
              user.local.name.
            required: true
            type: str
        type: list
      utm_status:
        choices:
        - enable
        - disable
        description:
        - Enable AV/web/ips protection profile.
        type: str
      uuid:
        description:
        - Universally Unique Identifier (UUID; automatically assigned but can be manually
          reset).
        type: str
      vlan_cos_fwd:
        description:
        - 'VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest'
        type: int
      vlan_cos_rev:
        description:
        - 'VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest'
        type: int
      vlan_filter:
        description:
        - Set VLAN filters.
        type: str
      voip_profile:
        description:
        - Name of an existing VoIP profile. Source voip.profile.name.
        type: str
      vpntunnel:
        description:
        - 'Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name
          vpn.ipsec.manualkey.name.'
        type: str
      waf_profile:
        description:
        - Name of an existing Web application firewall profile. Source waf.profile.name.
        type: str
      webcache:
        choices:
        - enable
        - disable
        description:
        - Enable/disable web cache.
        type: str
      webcache_https:
        choices:
        - disable
        - enable
        description:
        - Enable/disable web cache for HTTPS.
        type: str
      webfilter_profile:
        description:
        - Name of an existing Web filter profile. Source webfilter.profile.name.
        type: str
      webproxy_forward_server:
        description:
        - Web proxy forward server name. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
        type: str
      webproxy_profile:
        description:
        - Webproxy profile name. Source web-proxy.profile.name.
        type: str
    type: dict

Outputs

build:
  description: Build number of the FortiGate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str