# fortinet.fortios.fortios_firewall_policy6 module (2.3.6)

Configure IPv6 policies in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios. Supported by community (preview).

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

Install with `ansible-galaxy collection install fortinet.fortios:==2.3.6`, or pin it in a requirements file:

```yaml
collections:
  - name: fortinet.fortios
    version: 2.3.6
```

## Synopsis

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the `policy6` category of the firewall feature. The example below includes every parameter; the placeholder values must be replaced with names that exist in the referenced datasources on the device before use. Tested with FOS v6.0.0.

## Examples
```yaml
- name: Configure IPv6 policies.
  fortinet.fortios.fortios_firewall_policy6:
    vdom: "{{ vdom }}"
    state: "present"
    access_token: "<your_own_value>"
    firewall_policy6:
      action: "accept"
      anti_replay: "enable"
      app_category:
        - id: "6"
      app_group:
        - name: "default_name_8 (source application.group.name)"
      application:
        - id: "10"
      application_list: "<your_own_value> (source application.list.name)"
      auto_asic_offload: "enable"
      av_profile: "<your_own_value> (source antivirus.profile.name)"
      cifs_profile: "<your_own_value> (source cifs.profile.name)"
      comments: "<your_own_value>"
      custom_log_fields:
        - field_id: "<your_own_value> (source log.custom-field.id)"
      devices:
        - name: "default_name_19 (source user.device.alias user.device-group.name user.device-category.name)"
      diffserv_forward: "enable"
      diffserv_reverse: "enable"
      diffservcode_forward: "<your_own_value>"
      diffservcode_rev: "<your_own_value>"
      dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
      dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
      dscp_match: "enable"
      dscp_negate: "enable"
      dscp_value: "<your_own_value>"
      dsri: "enable"
      dstaddr:
        - name: "default_name_31 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system.external-resource.name)"
      dstaddr_negate: "enable"
      dstintf:
        - name: "default_name_34 (source system.interface.name system.zone.name)"
      emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
      firewall_session_dirty: "check-all"
      fixedport: "enable"
      fsso_groups:
        - name: "default_name_39 (source user.adgrp.name)"
      global_label: "<your_own_value>"
      groups:
        - name: "default_name_42 (source user.group.name)"
      http_policy_redirect: "enable"
      icap_profile: "<your_own_value> (source icap.profile.name)"
      inbound: "enable"
      inspection_mode: "proxy"
      ippool: "enable"
      ips_sensor: "<your_own_value> (source ips.sensor.name)"
      label: "<your_own_value>"
      logtraffic: "all"
      logtraffic_start: "enable"
      mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
      name: "default_name_53"
      nat: "enable"
      natinbound: "enable"
      natoutbound: "enable"
      np_acceleration: "enable"
      outbound: "enable"
      per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
      policyid: "<your_own_value>"
      poolname:
        - name: "default_name_62 (source firewall.ippool6.name)"
      profile_group: "<your_own_value> (source firewall.profile-group.name)"
      profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
      profile_type: "single"
      replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
      rsso: "enable"
      schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
      send_deny_packet: "enable"
      service:
        - name: "default_name_71 (source firewall.service.custom.name firewall.service.group.name)"
      service_negate: "enable"
      session_ttl: "<your_own_value>"
      spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
      srcaddr:
        - name: "default_name_76 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
      srcaddr_negate: "enable"
      srcintf:
        - name: "default_name_79 (source system.zone.name system.interface.name)"
      ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
      ssh_policy_redirect: "enable"
      ssl_mirror: "enable"
      ssl_mirror_intf:
        - name: "default_name_84 (source system.zone.name system.interface.name)"
      ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
      status: "enable"
      tcp_mss_receiver: "32767"
      tcp_mss_sender: "32767"
      tcp_session_without_syn: "all"
      timeout_send_rst: "enable"
      tos: "<your_own_value>"
      tos_mask: "<your_own_value>"
      tos_negate: "enable"
      traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
      traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
      url_category:
        - id: "97"
      users:
        - name: "default_name_99 (source user.local.name)"
      utm_status: "enable"
      uuid: "<your_own_value>"
      vlan_cos_fwd: "3"
      vlan_cos_rev: "3"
      vlan_filter: "<your_own_value>"
      voip_profile: "<your_own_value> (source voip.profile.name)"
      vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
      waf_profile: "<your_own_value> (source waf.profile.name)"
      webcache: "enable"
      webcache_https: "disable"
      webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
      webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
      webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
```
## Parameters

- `vdom` (str, default: `root`): Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
- `state` (str, required; choices: `present`, `absent`): Indicates whether to create or remove the object.
- `enable_log` (bool, default: `false`): Enable/disable logging for the task.
- `member_path` (str): Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. Only parameters marked with `member_path` are valid for member operations.
- `access_token` (str): Token-based authentication. Generated from the GUI of the FortiGate.
- `member_state` (str; choices: `present`, `absent`): Add or delete a member under the specified attribute path. When `member_state` is specified, the `state` option is ignored.
- `firewall_policy6` (dict, default: `null`): Configure IPv6 policies. Suboptions:
  - `action` (str; choices: `accept`, `deny`, `ipsec`): Policy action (allow/deny/ipsec).
  - `anti_replay` (str; choices: `enable`, `disable`): Enable/disable anti-replay check.
  - `app_category` (list of dict): Application category ID list. Suboption `id` (int, required): Category IDs. See Notes.
  - `app_group` (list of dict): Application group names. Suboption `name` (str, required): Application group name. Source application.group.name.
  - `application` (list of dict): Application ID list. Suboption `id` (int, required): Application IDs. See Notes.
  - `application_list` (str): Name of an existing Application list. Source application.list.name.
  - `auto_asic_offload` (str; choices: `enable`, `disable`): Enable/disable policy traffic ASIC offloading.
  - `av_profile` (str): Name of an existing Antivirus profile. Source antivirus.profile.name.
  - `cifs_profile` (str): Name of an existing CIFS profile. Source cifs.profile.name.
  - `comments` (str): Comment.
  - `custom_log_fields` (list of dict): Log field index numbers to append custom log fields to log messages for this policy. Suboption `field_id` (str, required): Custom log field. Source log.custom-field.id.
  - `devices` (list of dict): Names of devices or device groups that can be matched by the policy. Suboption `name` (str, required): Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
  - `diffserv_forward` (str; choices: `enable`, `disable`): Enable to change a packet's DiffServ value to the specified `diffservcode_forward` value.
  - `diffserv_reverse` (str; choices: `enable`, `disable`): Enable to change a packet's reverse (reply) DiffServ value to the specified `diffservcode_rev` value.
  - `diffservcode_forward` (str): Change the packet's DiffServ to this value.
  - `diffservcode_rev` (str): Change the packet's reverse (reply) DiffServ to this value.
  - `dlp_sensor` (str): Name of an existing DLP sensor. Source dlp.sensor.name.
  - `dnsfilter_profile` (str): Name of an existing DNS filter profile. Source dnsfilter.profile.name.
  - `dscp_match` (str; choices: `enable`, `disable`): Enable DSCP check.
  - `dscp_negate` (str; choices: `enable`, `disable`): Enable negated DSCP match.
  - `dscp_value` (str): DSCP value.
  - `dsri` (str; choices: `enable`, `disable`): Enable DSRI to ignore HTTP server responses.
  - `dstaddr` (list of dict): Destination address and address group names. Suboption `name` (str, required): Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system.external-resource.name.
  - `dstaddr_negate` (str; choices: `enable`, `disable`): When enabled, `dstaddr` specifies what the destination address must NOT be.
  - `dstintf` (list of dict): Outgoing (egress) interface. Suboption `name` (str, required): Interface name. Source system.interface.name system.zone.name.
  - `emailfilter_profile` (str): Name of an existing email filter profile. Source emailfilter.profile.name.
  - `firewall_session_dirty` (str; choices: `check-all`, `check-new`): How to handle existing sessions if the configuration of this firewall policy changes.
  - `fixedport` (str; choices: `enable`, `disable`): Enable to prevent source NAT from changing a session's source port.
  - `fsso_groups` (list of dict): Names of FSSO groups. Suboption `name` (str, required): FSSO group name. Source user.adgrp.name.
  - `global_label` (str): Label for the policy that appears when the GUI is in Global View mode.
  - `groups` (list of dict): Names of user groups that can authenticate with this policy. Suboption `name` (str, required): Group name. Source user.group.name.
  - `http_policy_redirect` (str; choices: `enable`, `disable`): Redirect HTTP(S) traffic to the matching transparent web proxy policy.
  - `icap_profile` (str): Name of an existing ICAP profile. Source icap.profile.name.
  - `inbound` (str; choices: `enable`, `disable`): Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
  - `inspection_mode` (str; choices: `proxy`, `flow`): Policy inspection mode (flow/proxy). Default is flow mode.
  - `ippool` (str; choices: `enable`, `disable`): Enable to use IP pools for source NAT.
  - `ips_sensor` (str): Name of an existing IPS sensor. Source ips.sensor.name.
  - `label` (str): Label for the policy that appears when the GUI is in Section View mode.
  - `logtraffic` (str; choices: `all`, `utm`, `disable`): Enable or disable logging. Log all sessions (`all`) or only security profile sessions (`utm`).
  - `logtraffic_start` (str; choices: `enable`, `disable`): Record logs when a session starts.
  - `mms_profile` (str): Name of an existing MMS profile. Source firewall.mms-profile.name.
  - `name` (str): Policy name.
  - `nat` (str; choices: `enable`, `disable`): Enable/disable source NAT.
  - `natinbound` (str; choices: `enable`, `disable`): Policy-based IPsec VPN: apply destination NAT to inbound traffic.
  - `natoutbound` (str; choices: `enable`, `disable`): Policy-based IPsec VPN: apply source NAT to outbound traffic.
  - `np_acceleration` (str; choices: `enable`, `disable`): Enable/disable UTM Network Processor acceleration.
  - `outbound` (str; choices: `enable`, `disable`): Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
  - `per_ip_shaper` (str): Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
  - `policyid` (int, required): Policy ID (0 - 4294967294). See Notes.
  - `poolname` (list of dict): IP pool names. Suboption `name` (str, required): IP pool name. Source firewall.ippool6.name.
  - `profile_group` (str): Name of profile group. Source firewall.profile-group.name.
  - `profile_protocol_options` (str): Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
  - `profile_type` (str; choices: `single`, `group`): Determine whether the firewall policy allows security profile groups or single profiles only.
  - `replacemsg_override_group` (str): Override the default replacement message group for this policy. Source system.replacemsg-group.name.
  - `rsso` (str; choices: `enable`, `disable`): Enable/disable RADIUS single sign-on (RSSO).
  - `schedule` (str): Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
  - `send_deny_packet` (str; choices: `enable`, `disable`): Enable/disable return of a deny packet.
  - `service` (list of dict): Service and service group names. Suboption `name` (str, required): Service name. Source firewall.service.custom.name firewall.service.group.name.
  - `service_negate` (str; choices: `enable`, `disable`): When enabled, `service` specifies what the service must NOT be.
  - `session_ttl` (str): Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.
  - `spamfilter_profile` (str): Name of an existing Spam filter profile. Source spamfilter.profile.name.
  - `srcaddr` (list of dict): Source address and address group names. Suboption `name` (str, required): Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
  - `srcaddr_negate` (str; choices: `enable`, `disable`): When enabled, `srcaddr` specifies what the source address must NOT be.
  - `srcintf` (list of dict): Incoming (ingress) interface. Suboption `name` (str, required): Interface name. Source system.zone.name system.interface.name.
  - `ssh_filter_profile` (str): Name of an existing SSH filter profile. Source ssh-filter.profile.name.
  - `ssh_policy_redirect` (str; choices: `enable`, `disable`): Redirect SSH traffic to the matching transparent proxy policy.
  - `ssl_mirror` (str; choices: `enable`, `disable`): Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
  - `ssl_mirror_intf` (list of dict): SSL mirror interface name. Suboption `name` (str, required): Interface name. Source system.zone.name system.interface.name.
  - `ssl_ssh_profile` (str): Name of an existing SSL/SSH profile. Source firewall.ssl-ssh-profile.name.
  - `status` (str; choices: `enable`, `disable`): Enable or disable this policy.
  - `tcp_mss_receiver` (int): Receiver TCP maximum segment size (MSS).
  - `tcp_mss_sender` (int): Sender TCP maximum segment size (MSS).
  - `tcp_session_without_syn` (str; choices: `all`, `data-only`, `disable`): Enable/disable creation of TCP sessions without a SYN flag.
  - `timeout_send_rst` (str; choices: `enable`, `disable`): Enable/disable sending RST packets when TCP sessions expire.
  - `tos` (str): ToS (Type of Service) value used for comparison.
  - `tos_mask` (str): Non-zero bit positions are used for comparison while zero bit positions are ignored.
  - `tos_negate` (str; choices: `enable`, `disable`): Enable negated ToS match.
  - `traffic_shaper` (str): Traffic shaper. Source firewall.shaper.traffic-shaper.name.
  - `traffic_shaper_reverse` (str): Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
  - `url_category` (list of dict): URL category ID list. Suboption `id` (int, required): URL category ID. See Notes.
  - `users` (list of dict): Names of individual users that can authenticate with this policy. Suboption `name` (str, required): User name. Source user.local.name.
  - `utm_status` (str; choices: `enable`, `disable`): Enable AV/web/IPS protection profiles.
  - `uuid` (str): Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
  - `vlan_cos_fwd` (int): VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
  - `vlan_cos_rev` (int): VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
  - `vlan_filter` (str): Set VLAN filters.
  - `voip_profile` (str): Name of an existing VoIP profile. Source voip.profile.name.
  - `vpntunnel` (str): Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
  - `waf_profile` (str): Name of an existing Web application firewall profile. Source waf.profile.name.
  - `webcache` (str; choices: `enable`, `disable`): Enable/disable web cache.
  - `webcache_https` (str; choices: `disable`, `enable`): Enable/disable web cache for HTTPS.
  - `webfilter_profile` (str): Name of an existing Web filter profile. Source webfilter.profile.name.
  - `webproxy_forward_server` (str): Web proxy forward server name. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
  - `webproxy_profile` (str): Web proxy profile name. Source web-proxy.profile.name.
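Because every option above is applied verbatim to the device, a pre-apply lint over the task parameters catches the settings a reviewer would otherwise have to spot by eye. The following is an added example, not part of the fortinet.fortios collection: it reads one `fortios_firewall_policy6` task as a dict and flags catch-all addresses and services, unscoped interfaces, sessions that are not logged, accept policies without security profiles, and SSL mirroring. The object names `all` and `any` are assumed to be the FortiOS built-in catch-all address/service and interface objects, and the interface and address names in the samples are constructed.

```python
# Added example, not part of the fortinet.fortios collection: a pre-apply lint
# over the parameters of one fortios_firewall_policy6 task. The names "all" and
# "any" are assumed to be the FortiOS built-in catch-all address, service and
# interface objects; names are compared case-insensitively.
from typing import Any

CATCH_ALL = {"all"}   # assumed built-in address6 / service object
ANY_INTF = {"any"}    # assumed built-in interface matching every interface


def _names(items) -> set[str]:
    """Lower-cased 'name' values of a list-of-dict option such as srcaddr."""
    return {str(i.get("name", "")).lower() for i in (items or [])}


def lint_policy6_task(task: dict[str, Any]) -> list[str]:
    """Return findings for one task; an empty list means every check passed."""
    findings: list[str] = []
    if task.get("state") not in ("present", "absent"):
        findings.append("state must be one of: present, absent")
    if task.get("member_state") and not task.get("member_path"):
        findings.append("member_state given without member_path")
    policy = task.get("firewall_policy6") or {}
    if "policyid" not in policy:
        findings.append("firewall_policy6.policyid is required")
    if "absent" in (task.get("state"), task.get("member_state")):
        return findings  # a removal needs no permissiveness review
    if policy.get("action") == "accept":
        if all(_names(policy.get(o)) & CATCH_ALL for o in ("srcaddr", "dstaddr", "service")):
            findings.append("accept policy permits any source, destination and service")
        for opt in ("srcintf", "dstintf"):
            if not policy.get(opt) or _names(policy.get(opt)) & ANY_INTF:
                findings.append(f"accept policy is not scoped to a specific {opt}")
        if policy.get("logtraffic") not in ("all", "utm"):
            findings.append("accept policy does not log sessions (set logtraffic to all or utm)")
        if policy.get("utm_status") != "enable":
            findings.append("accept policy applies no security profiles (utm_status)")
    if policy.get("ssl_mirror") == "enable":
        intfs = ", ".join(sorted(_names(policy.get("ssl_mirror_intf")))) or "none listed"
        findings.append(f"decrypted SSL traffic is mirrored to: {intfs}")
    return findings


# Constructed sample tasks (not from a real deployment): permissive and scoped.
PERMISSIVE_TASK = {"vdom": "root", "state": "present", "firewall_policy6": {
    "policyid": 10, "action": "accept",
    "srcintf": [{"name": "any"}], "dstintf": [{"name": "any"}],
    "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
    "service": [{"name": "ALL"}], "logtraffic": "disable",
    "ssl_mirror": "enable", "ssl_mirror_intf": [{"name": "port9"}]}}
SCOPED_TASK = {"vdom": "root", "state": "present", "firewall_policy6": {
    "policyid": 11, "action": "accept",
    "srcintf": [{"name": "port2"}], "dstintf": [{"name": "port1"}],
    "srcaddr": [{"name": "lan6-clients"}], "dstaddr": [{"name": "all"}],
    "service": [{"name": "HTTPS"}], "logtraffic": "all", "utm_status": "enable"}}
```

Run `lint_policy6_task` over each task parsed from a playbook in CI and fail the pipeline on a non-empty result; `SCOPED_TASK` passes, `PERMISSIVE_TASK` yields six findings.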
## Return Values

- `build` (str, returned: always; sample: `'1547'`): Build number of the FortiGate image.
- `http_method` (str, returned: always; sample: `PUT`): Last method used to provision the content into FortiGate.
- `http_status` (str, returned: always; sample: `'200'`): Last result given by FortiGate on the last operation applied.
- `mkey` (str, returned: success; sample: `id`): Master key (id) used in the last call to FortiGate.
- `name` (str, returned: always; sample: `urlfilter`): Name of the table used to fulfill the request.
- `path` (str, returned: always; sample: `webfilter`): Path of the table used to fulfill the request.
- `revision` (str, returned: always; sample: `17.0.2.10658`): Internal revision number.
- `serial` (str, returned: always; sample: `FGVMEVYYQT3AB5352`): Serial number of the unit.
- `status` (str, returned: always; sample: `success`): Indication of the operation's result.
- `vdom` (str, returned: always; sample: `root`): Virtual domain used.
- `version` (str, returned: always; sample: `v5.6.3`): Version of the FortiGate.