fortinet.fortios.fortios_vpn_ssl_settings (2.3.6) — module

Configure SSL-VPN in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install fortinet.fortios:==2.3.6


Add to requirements.yml

  collections:
    - name: fortinet.fortios
      version: 2.3.6

Description

This module configures the vpn_ssl feature, settings category, on a FortiGate or FortiOS (FOS) device. The usage example lists every parameter; any value of the form "<your_own_value> (source ...)" or "default_name_N (source ...)" is a placeholder and must be replaced with an object that already exists in the named datasource table on the device before use. Tested with FOS v6.0.0.


Requirements

Usage examples

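# Example: full SSL-VPN settings with a hardened transport baseline.
# Every "<your_own_value> (source ...)" / "default_name_N (source ...)"
# placeholder must be replaced with an object that already exists in the
# datasource table named in parentheses. Integer options are given as
# plain ints (the argspec declares them `type: int`); `banned_cipher` and
# `ciphersuite` are given as lists (declared `type: list`).
- name: Configure SSL-VPN.
  fortinet.fortios.fortios_vpn_ssl_settings:
    vdom: "{{ vdom }}"
    vpn_ssl_settings:
      # "high" forces high-strength ciphers only (medium admits medium+high, low admits any).
      algorithm: "high"
      # Reject requests for an authenticated session that arrive from a different source IP.
      auth_session_check_source_ip: "enable"
      auth_timeout: 28800
      authentication_rule:
        - id: 12
          auth: "any"
          cipher: "any"
          # Require a client certificate for connections matching this rule.
          client_cert: "enable"
          groups:
            - name: "default_name_11 (source user.group.name)"
          portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
          realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
          source_address:
            - name: "default_name_16 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
          # Negating the source match turns the list above into a deny-list
          # ("everything except"); keep disabled for an allow-list.
          source_address_negate: "disable"
          source_address6:
            - name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          source_address6_negate: "disable"
          source_interface:
            - name: "default_name_22 (source system.interface.name system.zone.name)"
          user_peer: "<your_own_value> (source user.peer.name)"
          users:
            - name: "default_name_25 (source user.local.name)"
      auto_tunnel_static_route: "enable"
      # Cipher technologies excluded from TLS <= 1.2 negotiation. No effect on
      # TLS 1.3, whose suites are selected via `ciphersuite`.
      banned_cipher:
        - "RSA"
        - "3DES"
        - "SHA1"
      browser_language_detection: "enable"
      # Referer verification for web-mode requests.
      check_referer: "enable"
      # TLS 1.3 suites; at least one must remain enabled while ssl_max_proto_ver is tls1-3.
      ciphersuite:
        - "TLS-AES-256-GCM-SHA384"
        - "TLS-AES-128-GCM-SHA256"
        - "TLS-CHACHA20-POLY1305-SHA256"
      client_sigalgs: "no-rsa-pss"
      default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
      deflate_compression_level: 6
      deflate_min_data_size: 300
      dns_server1: "<your_own_value>"
      dns_server2: "<your_own_value>"
      dns_suffix: "<your_own_value>"
      dtls_heartbeat_fail_count: 3
      dtls_heartbeat_idle_timeout: 3
      dtls_heartbeat_interval: 3
      dtls_hello_timeout: 10
      # DTLS 1.0 is deprecated together with TLS 1.0/1.1; pin DTLS 1.2.
      dtls_max_proto_ver: "dtls1-2"
      dtls_min_proto_ver: "dtls1-2"
      dtls_tunnel: "enable"
      dual_stack_mode: "enable"
      encode_2f_sequence: "enable"
      # Keeps a copy of user passwords on the device for web-mode sessions;
      # enable only when a web-mode feature actually needs it.
      encrypt_and_store_password: "enable"
      # Only PKI users that also have two-factor authentication may connect.
      force_two_factor_auth: "enable"
      # "pass" forwards the client-supplied X-Forwarded-For header unchanged;
      # back-end services must not trust it for access decisions.
      header_x_forwarded_for: "pass"
      hsts_include_subdomains: "enable"
      http_compression: "enable"
      http_only_cookie: "enable"
      http_request_body_timeout: 30
      http_request_header_timeout: 20
      https_redirect: "enable"
      idle_timeout: 300
      ipv6_dns_server1: "<your_own_value>"
      ipv6_dns_server2: "<your_own_value>"
      ipv6_wins_server1: "<your_own_value>"
      ipv6_wins_server2: "<your_own_value>"
      # Lock out a user for login_block_time seconds after login_attempt_limit failures.
      login_attempt_limit: 2
      login_block_time: 60
      login_timeout: 30
      port: 10443
      # Block admin GUI logins on interfaces that accept SSL-VPN connections.
      port_precedence: "enable"
      # Require client certificates for every SSL-VPN user.
      reqclientcert: "enable"
      route_source_interface: "enable"
      saml_redirect_port: 8020
      server_hostname: "myhostname"
      servercert: "<your_own_value> (source vpn.certificate.local.name)"
      source_address:
        - name: "default_name_72 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
      # See the note on the per-rule negate flag above: keep disabled for an allow-list.
      source_address_negate: "disable"
      source_address6:
        - name: "default_name_75 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
      source_address6_negate: "disable"
      source_interface:
        - name: "default_name_78 (source system.interface.name system.zone.name)"
      ssl_client_renegotiation: "disable"
      # Empty-fragment insertion is a mitigation for CBC-mode attacks on TLS 1.0;
      # harmless to leave on, irrelevant once the floor is TLS 1.2.
      ssl_insert_empty_fragment: "enable"
      # TLS 1.0 and 1.1 are deprecated (RFC 8996); require TLS 1.2 as the floor.
      # The per-version tlsv1_* toggles are kept consistent with this range.
      ssl_max_proto_ver: "tls1-3"
      ssl_min_proto_ver: "tls1-2"
      status: "enable"
      tlsv1_0: "disable"
      tlsv1_1: "disable"
      tlsv1_2: "enable"
      tlsv1_3: "enable"
      transform_backward_slashes: "enable"
      tunnel_addr_assigned_method: "first-available"
      # Lets a dropped tunnel reconnect without re-authenticating; convenient,
      # but it widens the window in which a captured session remains usable.
      tunnel_connect_without_reauth: "enable"
      tunnel_ip_pools:
        - name: "default_name_92 (source firewall.address.name firewall.addrgrp.name)"
      tunnel_ipv6_pools:
        - name: "default_name_94 (source firewall.address6.name firewall.addrgrp6.name)"
      tunnel_user_session_timeout: 30
      # Renegotiation with peers lacking RFC 5746 secure renegotiation; keep disabled.
      unsafe_legacy_renegotiation: "disable"
      url_obscuration: "enable"
      user_peer: "<your_own_value> (source user.peer.name)"
      web_mode_snat: "enable"
      wins_server1: "<your_own_value>"
      wins_server2: "<your_own_value>"
      x_content_type_options: "enable"
      # Verify the device certificate for ZTNA sessions.
      ztna_trusted_client: "enable"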

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameter marked with member_path is legitimate for doing member operation.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI (REST API administrator). Treat the token as a credential: keep it in Ansible Vault or an environment variable, never in plain text in a committed playbook or inventory.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

vpn_ssl_settings:
    default: null
    description:
    - Configure SSL-VPN.
    suboptions:
      algorithm:
        choices:
        - high
        - medium
        - default
        - low
        description:
        - Force the SSL-VPN security level. High allows only high. Medium allows medium
          and high. Low allows any.
        type: str
      auth_session_check_source_ip:
        choices:
        - enable
        - disable
        description:
        - Enable/disable checking that requests for an authenticated session come from the source IP the session was established from. Enabling limits reuse of a captured session from another host; disable only for clients whose address legitimately changes mid-session.
        type: str
      auth_timeout:
        description:
        - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
        type: int
      authentication_rule:
        description:
        - Authentication rule for SSL-VPN.
        elements: dict
        suboptions:
          auth:
            choices:
            - any
            - local
            - radius
            - tacacs+
            - ldap
            - peer
            description:
            - SSL-VPN authentication method restriction.
            type: str
          cipher:
            choices:
            - any
            - high
            - medium
            description:
            - SSL-VPN cipher strength.
            type: str
          client_cert:
            choices:
            - enable
            - disable
            description:
            - Enable/disable requiring a client certificate for connections that match this rule.
            type: str
          groups:
            description:
            - User groups.
            elements: dict
            suboptions:
              name:
                description:
                - Group name. Source user.group.name.
                required: true
                type: str
            type: list
          id:
            description:
            - ID (0 - 4294967295). see <a href='#notes'>Notes</a>.
            required: true
            type: int
          portal:
            description:
            - SSL-VPN portal. Source vpn.ssl.web.portal.name.
            type: str
          realm:
            description:
            - SSL-VPN realm. Source vpn.ssl.web.realm.url-path.
            type: str
          source_address:
            description:
            - Source address of incoming traffic.
            elements: dict
            suboptions:
              name:
                description:
                - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
                required: true
                type: str
            type: list
          source_address6:
            description:
            - IPv6 source address of incoming traffic.
            elements: dict
            suboptions:
              name:
                description:
                - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name
                  system.external-resource.name.
                required: true
                type: str
            type: list
          source_address6_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negated source IPv6 address match.
            type: str
          source_address_negate:
            choices:
            - enable
            - disable
            description:
            - Enable/disable negated source address match.
            type: str
          source_interface:
            description:
            - SSL-VPN source interface of incoming traffic.
            elements: dict
            suboptions:
              name:
                description:
                - Interface name. Source system.interface.name system.zone.name.
                required: true
                type: str
            type: list
          user_peer:
            description:
            - Name of user peer. Source user.peer.name.
            type: str
          users:
            description:
            - User name.
            elements: dict
            suboptions:
              name:
                description:
                - User name. Source user.local.name.
                required: true
                type: str
            type: list
        type: list
      auto_tunnel_static_route:
        choices:
        - enable
        - disable
        description:
        - Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses.
        type: str
      banned_cipher:
        choices:
        - RSA
        - DHE
        - ECDHE
        - DSS
        - ECDSA
        - AES
        - AESGCM
        - CAMELLIA
        - 3DES
        - SHA1
        - SHA256
        - SHA384
        - STATIC
        - CHACHA20
        - ARIA
        - AESCCM
        - DH
        - ECDH
        description:
        - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
          Only applies to TLS 1.2 and below; TLS 1.3 suites are selected with ciphersuite instead.
        elements: str
        type: list
      browser_language_detection:
        choices:
        - enable
        - disable
        description:
        - Enable/disable overriding the configured system language based on the preferred
          language of the browser.
        type: str
      check_referer:
        choices:
        - enable
        - disable
        description:
        - Enable/disable verification of referer field in HTTP request header.
        type: str
      ciphersuite:
        choices:
        - TLS-AES-128-GCM-SHA256
        - TLS-AES-256-GCM-SHA384
        - TLS-CHACHA20-POLY1305-SHA256
        - TLS-AES-128-CCM-SHA256
        - TLS-AES-128-CCM-8-SHA256
        description:
        - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in
          TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver
          to tls1-2 or below.
        elements: str
        type: list
      client_sigalgs:
        choices:
        - no-rsa-pss
        - all
        description:
        - Set signature algorithms related to client authentication. Affects TLS version
          <= 1.2 only.
        type: str
      default_portal:
        description:
        - Default SSL-VPN portal. Source vpn.ssl.web.portal.name.
        type: str
      deflate_compression_level:
        description:
        - Compression level (0~9).
        type: int
      deflate_min_data_size:
        description:
        - Minimum amount of data that triggers compression (200 - 65535 bytes).
        type: int
      dns_server1:
        description:
        - DNS server 1.
        type: str
      dns_server2:
        description:
        - DNS server 2.
        type: str
      dns_suffix:
        description:
        - DNS suffix used for SSL-VPN clients.
        type: str
      dtls_heartbeat_fail_count:
        description:
        - Number of missing heartbeats before the connection is considered dropped.
        type: int
      dtls_heartbeat_idle_timeout:
        description:
        - Idle timeout before DTLS heartbeat is sent.
        type: int
      dtls_heartbeat_interval:
        description:
        - Interval between DTLS heartbeat.
        type: int
      dtls_hello_timeout:
        description:
        - SSLVPN maximum DTLS hello timeout (10 - 60 sec).
        type: int
      dtls_max_proto_ver:
        choices:
        - dtls1-0
        - dtls1-2
        description:
        - DTLS maximum protocol version. dtls1-0 is deprecated alongside TLS 1.0/1.1; use dtls1-2 unless a legacy client requires otherwise.
        type: str
      dtls_min_proto_ver:
        choices:
        - dtls1-0
        - dtls1-2
        description:
        - DTLS minimum protocol version. Set to dtls1-2 so that deprecated DTLS 1.0 clients cannot negotiate a tunnel.
        type: str
      dtls_tunnel:
        choices:
        - enable
        - disable
        description:
        - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
        type: str
      dual_stack_mode:
        choices:
        - enable
        - disable
        description:
        - 'Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and
          IPv6 bookmarks in the portal.'
        type: str
      encode_2f_sequence:
        choices:
        - enable
        - disable
        description:
        - Encode 2F sequence to forward slash in URLs.
        type: str
      encrypt_and_store_password:
        choices:
        - enable
        - disable
        description:
        - Encrypt and store user passwords for SSL-VPN web sessions. This retains a copy of user credentials on the device; enable only when a web-mode feature requires it.
        type: str
      force_two_factor_auth:
        choices:
        - enable
        - disable
        description:
        - Enable/disable restricting SSL-VPN access to PKI (certificate) users who also have two-factor authentication configured.
        type: str
      header_x_forwarded_for:
        choices:
        - pass
        - add
        - remove
        description:
        - Handling of the HTTP X-Forwarded-For header. pass forwards the header as received from the client, add adds the header, remove strips it. A client-supplied value is untrusted, so back-end services should not rely on it for access decisions unless the header is set by the FortiGate.
        type: str
      hsts_include_subdomains:
        choices:
        - enable
        - disable
        description:
        - Add HSTS includeSubDomains response header.
        type: str
      http_compression:
        choices:
        - enable
        - disable
        description:
        - Enable/disable to allow HTTP compression over SSL-VPN tunnels.
        type: str
      http_only_cookie:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL-VPN support for HttpOnly cookies.
        type: str
      http_request_body_timeout:
        description:
        - SSL-VPN session is disconnected if an HTTP request body is not received within
          this time (1 - 60 sec).
        type: int
      http_request_header_timeout:
        description:
        - SSL-VPN session is disconnected if an HTTP request header is not received within
          this time (1 - 60 sec).
        type: int
      https_redirect:
        choices:
        - enable
        - disable
        description:
        - Enable/disable redirect of port 80 to SSL-VPN port.
        type: str
      idle_timeout:
        description:
        - SSL-VPN disconnects if idle for specified time in seconds.
        type: int
      ipv6_dns_server1:
        description:
        - IPv6 DNS server 1.
        type: str
      ipv6_dns_server2:
        description:
        - IPv6 DNS server 2.
        type: str
      ipv6_wins_server1:
        description:
        - IPv6 WINS server 1.
        type: str
      ipv6_wins_server2:
        description:
        - IPv6 WINS server 2.
        type: str
      login_attempt_limit:
        description:
        - SSL-VPN maximum login attempt times before block (0 - 10).
        type: int
      login_block_time:
        description:
        - Time for which a user is blocked from logging in after too many failed login
          attempts (0 - 86400 sec).
        type: int
      login_timeout:
        description:
        - SSLVPN maximum login timeout (10 - 180 sec).
        type: int
      port:
        description:
        - SSL-VPN access port (1 - 65535).
        type: int
      port_precedence:
        choices:
        - enable
        - disable
        description:
        - Enable/disable. When enabled, admin GUI connections are blocked on any interface
          that accepts SSL-VPN connections, so the VPN port cannot double as an administrative entry point.
        type: str
      reqclientcert:
        choices:
        - enable
        - disable
        description:
        - Enable/disable to require client certificates for all SSL-VPN users.
        type: str
      route_source_interface:
        choices:
        - enable
        - disable
        description:
        - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming
          interface.
        type: str
      saml_redirect_port:
        description:
        - SAML local redirect port in the machine running FortiClient (0 - 65535). 0 is
          to disable redirection on FGT side.
        type: int
      server_hostname:
        description:
        - Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host
          header for any redirection.
        type: str
      servercert:
        description:
        - Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
        type: str
      source_address:
        description:
        - Source address of incoming traffic.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
            required: true
            type: str
        type: list
      source_address6:
        description:
        - IPv6 source address of incoming traffic.
        elements: dict
        suboptions:
          name:
            description:
            - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name
              system.external-resource.name.
            required: true
            type: str
        type: list
      source_address6_negate:
        choices:
        - enable
        - disable
        description:
        - Enable/disable negated source IPv6 address match.
        type: str
      source_address_negate:
        choices:
        - enable
        - disable
        description:
        - Enable/disable negated source address match.
        type: str
      source_interface:
        description:
        - SSL-VPN source interface of incoming traffic.
        elements: dict
        suboptions:
          name:
            description:
            - Interface name. Source system.interface.name system.zone.name.
            required: true
            type: str
        type: list
      ssl_client_renegotiation:
        choices:
        - disable
        - enable
        description:
        - Enable/disable to allow client renegotiation by the server if the tunnel goes
          down.
        type: str
      ssl_insert_empty_fragment:
        choices:
        - enable
        - disable
        description:
        - Enable/disable insertion of an empty TLS record fragment, a mitigation for CBC-mode attacks on TLS 1.0. It has no effect on TLS 1.2+ AEAD suites; leaving it enabled is harmless.
        type: str
      ssl_max_proto_ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description:
        - SSL maximum protocol version. Use tls1-3 where clients support it; lowering it to tls1-2 or below disables all TLS 1.3 ciphersuites.
        type: str
      ssl_min_proto_ver:
        choices:
        - tls1-0
        - tls1-1
        - tls1-2
        - tls1-3
        description:
        - SSL minimum protocol version. TLS 1.0 and 1.1 are deprecated (RFC 8996); set tls1-2 or higher unless a legacy client genuinely requires otherwise.
        type: str
      status:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL-VPN.
        type: str
      tlsv1_0:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.0 for SSL-VPN. Deprecated; disable unless a legacy client requires it, and keep it consistent with ssl_min_proto_ver.
        type: str
      tlsv1_1:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.1 for SSL-VPN. Deprecated; disable unless a legacy client requires it, and keep it consistent with ssl_min_proto_ver.
        type: str
      tlsv1_2:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.2 for SSL-VPN. Keep it consistent with the ssl_min_proto_ver / ssl_max_proto_ver range.
        type: str
      tlsv1_3:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TLS 1.3 for SSL-VPN. Keep it consistent with the ssl_min_proto_ver / ssl_max_proto_ver range; TLS 1.3 suites are chosen with ciphersuite.
        type: str
      transform_backward_slashes:
        choices:
        - enable
        - disable
        description:
        - Transform backward slashes to forward slashes in URLs.
        type: str
      tunnel_addr_assigned_method:
        choices:
        - first-available
        - round-robin
        description:
        - Method used for assigning address for tunnel.
        type: str
      tunnel_connect_without_reauth:
        choices:
        - enable
        - disable
        description:
        - Enable/disable re-establishing a tunnel without re-authenticating if the previous connection
          dropped. Convenient for unstable links, but it widens the window in which a captured session remains usable.
        type: str
      tunnel_ip_pools:
        description:
        - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved
          for remote clients.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.address.name firewall.addrgrp.name.
            required: true
            type: str
        type: list
      tunnel_ipv6_pools:
        description:
        - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved
          for remote clients.
        elements: dict
        suboptions:
          name:
            description:
            - Address name. Source firewall.address6.name firewall.addrgrp6.name.
            required: true
            type: str
        type: list
      tunnel_user_session_timeout:
        description:
        - Time out value to clean up user session after tunnel connection is dropped (1
          - 255 sec).
        type: int
      unsafe_legacy_renegotiation:
        choices:
        - enable
        - disable
        description:
        - Enable/disable unsafe legacy re-negotiation, i.e. renegotiation with peers that do not support RFC 5746 secure renegotiation. Leave disabled unless a specific legacy client requires it.
        type: str
      url_obscuration:
        choices:
        - enable
        - disable
        description:
        - Enable/disable to obscure the host name of the URL of the web browser display.
        type: str
      user_peer:
        description:
        - Name of user peer. Source user.peer.name.
        type: str
      web_mode_snat:
        choices:
        - enable
        - disable
        description:
        - Enable/disable use of IP pools defined in firewall policy while using web-mode.
        type: str
      wins_server1:
        description:
        - WINS server 1.
        type: str
      wins_server2:
        description:
        - WINS server 2.
        type: str
      x_content_type_options:
        choices:
        - enable
        - disable
        description:
        - Add HTTP X-Content-Type-Options header.
        type: str
      ztna_trusted_client:
        choices:
        - enable
        - disable
        description:
        - Enable/disable verification of device certificate for SSLVPN ZTNA session.
        type: str
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: settings
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: vpn.ssl
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str