Try SpotterConfigure Web proxy global settings in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortios:==2.3.6
collections:
- name: fortinet.fortios
version: 2.3.6This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify web_proxy feature and global category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- name: Configure Web proxy global settings.
fortinet.fortios.fortios_web_proxy_global:
vdom: "{{ vdom }}"
web_proxy_global:
fast_policy_match: "enable"
forward_proxy_auth: "enable"
forward_server_affinity_timeout: "30"
ldap_user_cache: "enable"
learn_client_ip: "enable"
learn_client_ip_from_header: "true-client-ip"
learn_client_ip_srcaddr:
-
name: "default_name_10 (source firewall.address.name firewall.addrgrp.name)"
learn_client_ip_srcaddr6:
-
name: "default_name_12 (source firewall.address6.name firewall.addrgrp6.name)"
log_app_id: "enable"
log_forward_server: "enable"
log_policy_pending: "enable"
max_message_length: "32"
max_request_length: "8"
max_waf_body_cache_length: "32"
policy_category_deep_inspect: "enable"
proxy_fqdn: "<your_own_value>"
src_affinity_exempt_addr: "<your_own_value>"
src_affinity_exempt_addr6: "<your_own_value>"
ssl_ca_cert: "<your_own_value> (source vpn.certificate.local.name)"
ssl_cert: "<your_own_value> (source vpn.certificate.local.name)"
strict_web_check: "enable"
tunnel_non_http: "enable"
unknown_http_version: "reject"
webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
web_proxy_global:
default: null
description:
- Configure Web proxy global settings.
suboptions:
fast_policy_match:
choices:
- enable
- disable
description:
- Enable/disable fast matching algorithm for explicit and transparent proxy policy.
type: str
forward_proxy_auth:
choices:
- enable
- disable
description:
- Enable/disable forwarding proxy authentication headers.
type: str
forward_server_affinity_timeout:
description:
- Period of time before the source IP"s traffic is no longer assigned to the forwarding
server (6 - 60 min).
type: int
ldap_user_cache:
choices:
- enable
- disable
description:
- Enable/disable LDAP user cache for explicit and transparent proxy user.
type: str
learn_client_ip:
choices:
- enable
- disable
description:
- Enable/disable learning the client"s IP address from headers.
type: str
learn_client_ip_from_header:
choices:
- true-client-ip
- x-real-ip
- x-forwarded-for
description:
- Learn client IP address from the specified headers.
elements: str
type: list
learn_client_ip_srcaddr:
description:
- Source address name (srcaddr or srcaddr6 must be set).
elements: dict
suboptions:
name:
description:
- Address name. Source firewall.address.name firewall.addrgrp.name.
required: true
type: str
type: list
learn_client_ip_srcaddr6:
description:
- IPv6 Source address name (srcaddr or srcaddr6 must be set).
elements: dict
suboptions:
name:
description:
- Address name. Source firewall.address6.name firewall.addrgrp6.name.
required: true
type: str
type: list
log_app_id:
choices:
- enable
- disable
description:
- Enable/disable always log application type in traffic log.
type: str
log_forward_server:
choices:
- enable
- disable
description:
- Enable/disable forward server name logging in forward traffic log.
type: str
log_policy_pending:
choices:
- enable
- disable
description:
- Enable/disable logging sessions that are pending on policy matching.
type: str
max_message_length:
description:
- Maximum length of HTTP message, not including body (16 - 256 Kbytes).
type: int
max_request_length:
description:
- Maximum length of HTTP request line (2 - 64 Kbytes).
type: int
max_waf_body_cache_length:
description:
- Maximum length of HTTP messages processed by Web Application Firewall (WAF)
(10 - 1024 Kbytes).
type: int
policy_category_deep_inspect:
choices:
- enable
- disable
description:
- Enable/disable deep inspection for application level category policy matching.
type: str
proxy_fqdn:
description:
- Fully Qualified Domain Name (FQDN) that clients connect to to connect to the
explicit web proxy.
type: str
src_affinity_exempt_addr:
description:
- IPv4 source addresses to exempt proxy affinity.
elements: str
type: list
src_affinity_exempt_addr6:
description:
- IPv6 source addresses to exempt proxy affinity.
elements: str
type: list
ssl_ca_cert:
description:
- SSL CA certificate for SSL interception. Source vpn.certificate.local.name.
type: str
ssl_cert:
description:
- SSL certificate for SSL interception. Source vpn.certificate.local.name.
type: str
strict_web_check:
choices:
- enable
- disable
description:
- Enable/disable strict web checking to block web sites that send incorrect headers
that don"t conform to HTTP 1.1.
type: str
tunnel_non_http:
choices:
- enable
- disable
description:
- Enable/disable allowing non-HTTP traffic. Allowed non-HTTP traffic is tunneled.
type: str
unknown_http_version:
choices:
- reject
- tunnel
- best-effort
description:
- 'Action to take when an unknown version of HTTP is encountered: reject, allow
(tunnel), or proceed with best-effort.'
type: str
webproxy_profile:
description:
- Name of the web proxy profile to apply when explicit proxy traffic is allowed
by default and traffic is accepted that does not match an explicit proxy policy.
Source web-proxy.profile.name.
type: str
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str