Try SpotterConfigure protocol options in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortios:==2.3.6
collections:
- name: fortinet.fortios
version: 2.3.6This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and profile_protocol_options category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- name: Configure protocol options.
fortinet.fortios.fortios_firewall_profile_protocol_options:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_profile_protocol_options:
cifs:
domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
options: "oversize"
oversize_limit: "10"
ports: "<your_own_value>"
scan_bzip2: "enable"
server_credential_type: "none"
server_keytab:
-
keytab: "<your_own_value>"
principal: "<your_own_value>"
status: "enable"
tcp_window_maximum: "8388608"
tcp_window_minimum: "131072"
tcp_window_size: "262144"
tcp_window_type: "auto-tuning"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
comment: "Optional comments."
dns:
ports: "<your_own_value>"
status: "enable"
ftp:
comfort_amount: "1"
comfort_interval: "10"
explicit_ftp_tls: "enable"
inspect_all: "enable"
options: "clientcomfort"
oversize_limit: "10"
ports: "<your_own_value>"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
stream_based_uncompressed_limit: "0"
tcp_window_maximum: "8388608"
tcp_window_minimum: "131072"
tcp_window_size: "262144"
tcp_window_type: "auto-tuning"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
http:
address_ip_rating: "enable"
block_page_status_code: "403"
comfort_amount: "1"
comfort_interval: "10"
fortinet_bar: "enable"
fortinet_bar_port: "32767"
h2c: "enable"
http_policy: "disable"
inspect_all: "enable"
options: "clientcomfort"
oversize_limit: "10"
ports: "<your_own_value>"
post_lang: "jisx0201"
proxy_after_tcp_handshake: "enable"
range_block: "disable"
retry_count: "0"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
stream_based_uncompressed_limit: "0"
streaming_content_bypass: "enable"
strip_x_forwarded_for: "disable"
switching_protocols: "bypass"
tcp_window_maximum: "8388608"
tcp_window_minimum: "131072"
tcp_window_size: "262144"
tcp_window_type: "auto-tuning"
tunnel_non_http: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
unknown_content_encoding: "block"
unknown_http_version: "reject"
verify_dns_for_policy_matching: "enable"
imap:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "10"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
mail_signature:
signature: "<your_own_value>"
status: "disable"
mapi:
options: "fragmail"
oversize_limit: "10"
ports: "<your_own_value>"
scan_bzip2: "enable"
status: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
name: "default_name_98"
nntp:
inspect_all: "enable"
options: "oversize"
oversize_limit: "10"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
status: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
oversize_log: "disable"
pop3:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "10"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
rpc_over_http: "enable"
smtp:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "10"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
server_busy: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
ssh:
comfort_amount: "1"
comfort_interval: "10"
options: "oversize"
oversize_limit: "10"
scan_bzip2: "enable"
ssl_offloaded: "no"
stream_based_uncompressed_limit: "0"
tcp_window_maximum: "8388608"
tcp_window_minimum: "131072"
tcp_window_size: "262144"
tcp_window_type: "auto-tuning"
uncompressed_nest_limit: "12"
uncompressed_oversize_limit: "10"
switching_protocols_log: "disable"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object.
required: true
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
firewall_profile_protocol_options:
default: null
description:
- Configure protocol options.
suboptions:
cifs:
description:
- Configure CIFS protocol options.
suboptions:
domain_controller:
description:
- Domain for which to decrypt CIFS traffic. Source user.domain-controller.name
credential-store.domain-controller.server-name.
type: str
options:
choices:
- oversize
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
server_credential_type:
choices:
- none
- credential-replication
- credential-keytab
description:
- CIFS server credential type.
type: str
server_keytab:
description:
- Server keytab.
elements: dict
suboptions:
keytab:
description:
- Base64 encoded keytab file containing credential of the server.
type: str
principal:
description:
- Service principal. For example, host/cifsserver.example.com@example.com.
required: true
type: str
type: list
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
tcp_window_maximum:
description:
- Maximum dynamic TCP window size.
type: int
tcp_window_minimum:
description:
- Minimum dynamic TCP window size.
type: int
tcp_window_size:
description:
- Set TCP static window size.
type: int
tcp_window_type:
choices:
- auto-tuning
- system
- static
- dynamic
description:
- TCP window type to use for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
comment:
description:
- Optional comments.
type: str
dns:
description:
- Configure DNS protocol options.
suboptions:
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
type: dict
ftp:
description:
- Configure FTP protocol options.
suboptions:
comfort_amount:
description:
- Number of bytes to send in each transmission for client comforting (bytes).
type: int
comfort_interval:
description:
- Interval between successive transmissions of data for client comforting
(seconds).
type: int
explicit_ftp_tls:
choices:
- enable
- disable
description:
- Enable/disable FTP redirection for explicit FTPS.
type: str
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- clientcomfort
- oversize
- splice
- bypass-rest-command
- bypass-mode-command
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
stream_based_uncompressed_limit:
description:
- Maximum stream-based uncompressed data size that will be scanned in megabytes.
Stream-based uncompression used only under certain conditions (unlimited
= 0).
type: int
tcp_window_maximum:
description:
- Maximum dynamic TCP window size.
type: int
tcp_window_minimum:
description:
- Minimum dynamic TCP window size.
type: int
tcp_window_size:
description:
- Set TCP static window size.
type: int
tcp_window_type:
choices:
- auto-tuning
- system
- static
- dynamic
description:
- TCP window type to use for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
http:
description:
- Configure HTTP protocol options.
suboptions:
address_ip_rating:
choices:
- enable
- disable
description:
- Enable/disable IP based URL rating.
type: str
block_page_status_code:
description:
- Code number returned for blocked HTTP pages (non-FortiGuard only) (100 -
599).
type: int
comfort_amount:
description:
- Number of bytes to send in each transmission for client comforting (bytes).
type: int
comfort_interval:
description:
- Interval between successive transmissions of data for client comforting
(seconds).
type: int
fortinet_bar:
choices:
- enable
- disable
description:
- Enable/disable Fortinet bar on HTML content.
type: str
fortinet_bar_port:
description:
- Port for use by Fortinet Bar (1 - 65535).
type: int
h2c:
choices:
- enable
- disable
description:
- Enable/disable h2c HTTP connection upgrade.
type: str
http_policy:
choices:
- disable
- enable
description:
- Enable/disable HTTP policy check.
type: str
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- clientcomfort
- servercomfort
- oversize
- chunkedbypass
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
post_lang:
choices:
- jisx0201
- jisx0208
- jisx0212
- gb2312
- ksc5601-ex
- euc-jp
- sjis
- iso2022-jp
- iso2022-jp-1
- iso2022-jp-2
- euc-cn
- ces-gbk
- hz
- ces-big5
- euc-kr
- iso2022-jp-3
- iso8859-1
- tis620
- cp874
- cp1252
- cp1251
description:
- ID codes for character sets to be used to convert to UTF-8 for banned words
and DLP on HTTP posts (maximum of 5 character sets).
elements: str
type: list
proxy_after_tcp_handshake:
choices:
- enable
- disable
description:
- Proxy traffic after the TCP 3-way handshake has been established (not before).
type: str
range_block:
choices:
- disable
- enable
description:
- Enable/disable blocking of partial downloads.
type: str
retry_count:
description:
- Number of attempts to retry HTTP connection (0 - 100).
type: int
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
stream_based_uncompressed_limit:
description:
- Maximum stream-based uncompressed data size that will be scanned in megabytes.
Stream-based uncompression used only under certain conditions (unlimited
= 0).
type: int
streaming_content_bypass:
choices:
- enable
- disable
description:
- Enable/disable bypassing of streaming content from buffering.
type: str
strip_x_forwarded_for:
choices:
- disable
- enable
description:
- Enable/disable stripping of HTTP X-Forwarded-For header.
type: str
switching_protocols:
choices:
- bypass
- block
description:
- Bypass from scanning, or block a connection that attempts to switch protocol.
type: str
tcp_window_maximum:
description:
- Maximum dynamic TCP window size.
type: int
tcp_window_minimum:
description:
- Minimum dynamic TCP window size.
type: int
tcp_window_size:
description:
- Set TCP static window size.
type: int
tcp_window_type:
choices:
- auto-tuning
- system
- static
- dynamic
description:
- TCP window type to use for this protocol.
type: str
tunnel_non_http:
choices:
- enable
- disable
description:
- Configure how to process non-HTTP traffic when a profile configured for
HTTP traffic accepts a non-HTTP session. Can occur if an application sends
non-HTTP traffic using an HTTP destination port.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
unknown_content_encoding:
choices:
- block
- inspect
- bypass
description:
- Configure the action the FortiGate unit will take on unknown content-encoding.
type: str
unknown_http_version:
choices:
- reject
- tunnel
- best-effort
description:
- How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.
type: str
verify_dns_for_policy_matching:
choices:
- enable
- disable
description:
- Enable/disable verification of DNS for policy matching.
type: str
type: dict
imap:
description:
- Configure IMAP protocol options.
suboptions:
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- fragmail
- oversize
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
proxy_after_tcp_handshake:
choices:
- enable
- disable
description:
- Proxy traffic after the TCP 3-way handshake has been established (not before).
type: str
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
mail_signature:
description:
- Configure Mail signature.
suboptions:
signature:
description:
- Email signature to be added to outgoing email (if the signature contains
spaces, enclose with quotation marks).
type: str
status:
choices:
- disable
- enable
description:
- Enable/disable adding an email signature to SMTP email messages as they
pass through the FortiGate.
type: str
type: dict
mapi:
description:
- Configure MAPI protocol options.
suboptions:
options:
choices:
- fragmail
- oversize
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
name:
description:
- Name.
required: true
type: str
nntp:
description:
- Configure NNTP protocol options.
suboptions:
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- oversize
- splice
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
proxy_after_tcp_handshake:
choices:
- enable
- disable
description:
- Proxy traffic after the TCP 3-way handshake has been established (not before).
type: str
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
oversize_log:
choices:
- disable
- enable
description:
- Enable/disable logging for antivirus oversize file blocking.
type: str
pop3:
description:
- Configure POP3 protocol options.
suboptions:
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- fragmail
- oversize
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
proxy_after_tcp_handshake:
choices:
- enable
- disable
description:
- Proxy traffic after the TCP 3-way handshake has been established (not before).
type: str
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
replacemsg_group:
description:
- Name of the replacement message group to be used. Source system.replacemsg-group.name.
type: str
rpc_over_http:
choices:
- enable
- disable
description:
- Enable/disable inspection of RPC over HTTP.
type: str
smtp:
description:
- Configure SMTP protocol options.
suboptions:
inspect_all:
choices:
- enable
- disable
description:
- Enable/disable the inspection of all ports for the protocol.
type: str
options:
choices:
- fragmail
- oversize
- splice
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
ports:
description:
- Ports to scan for content (1 - 65535).
elements: int
type: list
proxy_after_tcp_handshake:
choices:
- enable
- disable
description:
- Proxy traffic after the TCP 3-way handshake has been established (not before).
type: str
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
server_busy:
choices:
- enable
- disable
description:
- Enable/disable SMTP server busy when server not available.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
status:
choices:
- enable
- disable
description:
- Enable/disable the active status of scanning for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
ssh:
description:
- Configure SFTP and SCP protocol options.
suboptions:
comfort_amount:
description:
- Number of bytes to send in each transmission for client comforting (bytes).
type: int
comfort_interval:
description:
- Interval between successive transmissions of data for client comforting
(seconds).
type: int
options:
choices:
- oversize
- clientcomfort
- servercomfort
description:
- One or more options that can be applied to the session.
elements: str
type: list
oversize_limit:
description:
- Maximum in-memory file size that can be scanned (MB).
type: int
scan_bzip2:
choices:
- enable
- disable
description:
- Enable/disable scanning of BZip2 compressed files.
type: str
ssl_offloaded:
choices:
- 'no'
- 'yes'
description:
- SSL decryption and encryption performed by an external device.
type: str
stream_based_uncompressed_limit:
description:
- Maximum stream-based uncompressed data size that will be scanned in megabytes.
Stream-based uncompression used only under certain conditions (unlimited
= 0).
type: int
tcp_window_maximum:
description:
- Maximum dynamic TCP window size.
type: int
tcp_window_minimum:
description:
- Minimum dynamic TCP window size.
type: int
tcp_window_size:
description:
- Set TCP static window size.
type: int
tcp_window_type:
choices:
- auto-tuning
- system
- static
- dynamic
description:
- TCP window type to use for this protocol.
type: str
uncompressed_nest_limit:
description:
- Maximum nested levels of compression that can be uncompressed and scanned
(2 - 100).
type: int
uncompressed_oversize_limit:
description:
- Maximum in-memory uncompressed file size that can be scanned (MB).
type: int
type: dict
switching_protocols_log:
choices:
- disable
- enable
description:
- Enable/disable logging for HTTP/HTTPS switching protocols.
type: str
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str