lix_fortinet.fortios.fortios_endpoint_control_profile (102.2.120) — module

Configure FortiClient endpoint control profiles in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios.

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120


Add to requirements.yml

  # Pin the collection to the exact release this page documents.
  collections:
    - name: "lix_fortinet.fortios"
      version: "102.2.120"

Description

This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the endpoint_control feature and the profile category. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
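---
# Example play: create or update a FortiClient endpoint control profile on the
# hosts in the "fortigates" group over the FortiOS HTTP API.
# The task sets every option the module accepts, so the values are placeholders
# to be replaced, not a configuration to apply as written.
- hosts: fortigates
  # NOTE(review): this page documents lix_fortinet.fortios, while the example
  # resolves the module from fortinet.fortios; confirm which collection is
  # installed on the control node.
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on. With it disabled the access token and the
    # VPN pre-shared keys below travel over a TLS session whose peer is never
    # authenticated. For a device with a self-signed certificate, trust its CA
    # on the control node instead of turning validation off.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure FortiClient endpoint control profiles.
      fortios_endpoint_control_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # Secret: supply from an encrypted variable (for example Ansible Vault),
        # not as a literal committed with the playbook.
        access_token: "<your_own_value>"
        endpoint_control_profile:
          description: "<your_own_value>"
          # The "(source ...)" suffix in the values below appears to name the
          # FortiOS object the value must reference; replace the whole string
          # with the name of an existing object.
          device_groups:
            - name: "default_name_5 (source user.device-group.name user.device-category.name)"
          forticlient_android_settings:
            disable_wf_when_protected: "enable"
            forticlient_advanced_vpn: "enable"
            forticlient_advanced_vpn_buffer: "<your_own_value>"
            forticlient_vpn_provisioning: "enable"
            forticlient_vpn_settings:
              - auth_method: "psk"
                name: "default_name_13"
                # Secret: same handling as access_token.
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                # Options typed int in the module spec are written as integers.
                sslvpn_access_port: 32767
                sslvpn_require_certificate: "enable"
                type: "ipsec"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient_ios_settings:
            client_vpn_provisioning: "enable"
            client_vpn_settings:
              - auth_method: "psk"
                name: "default_name_25"
                # Secret: same handling as access_token.
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: 32767
                sslvpn_require_certificate: "enable"
                type: "ipsec"
                vpn_configuration_content: "<your_own_value>"
                vpn_configuration_name: "<your_own_value>"
            configuration_content: "<your_own_value>"
            configuration_name: "<your_own_value>"
            disable_wf_when_protected: "enable"
            distribute_configuration_profile: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
          forticlient_winmac_settings:
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_application_firewall: "enable"
            forticlient_application_firewall_list: "<your_own_value> (source application.list.name)"
            forticlient_av: "enable"
            forticlient_ems_compliance: "enable"
            forticlient_ems_compliance_action: "block"
            forticlient_ems_entries:
              - name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient_linux_ver: "<your_own_value>"
            forticlient_log_upload: "enable"
            forticlient_log_upload_level: "traffic"
            forticlient_log_upload_server: "<your_own_value>"
            forticlient_mac_ver: "<your_own_value>"
            forticlient_minimum_software_version: "enable"
            forticlient_operating_system:
              - id: 56
                os_name: "<your_own_value>"
                os_type: "custom"
            forticlient_own_file:
              - file: "<your_own_value>"
                id: 61
            forticlient_registration_compliance_action: "block"
            forticlient_registry_entry:
              - id: 64
                registry_entry: "<your_own_value>"
            forticlient_running_app:
              - app_name: "<your_own_value>"
                app_sha256_signature: "<your_own_value>"
                app_sha256_signature2: "<your_own_value>"
                app_sha256_signature3: "<your_own_value>"
                app_sha256_signature4: "<your_own_value>"
                application_check_rule: "present"
                id: 73
                process_name: "<your_own_value>"
                process_name2: "<your_own_value>"
                process_name3: "<your_own_value>"
                process_name4: "<your_own_value>"
            forticlient_security_posture: "enable"
            forticlient_security_posture_compliance_action: "block"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce: "critical"
            forticlient_vuln_scan_enforce_grace: 15
            forticlient_vuln_scan_exempt: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient_win_ver: "<your_own_value>"
            os_av_software_installed: "enable"
            sandbox_address: "<your_own_value>"
            sandbox_analysis: "enable"
          on_net_addr:
            - name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
          profile_name: "<your_own_value>"
          replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          src_addr:
            - name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
          user_groups:
            - name: "default_name_100 (source user.group.name)"
          users:
            - name: "default_name_102 (source user.local.name)"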

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there is more than one attribute.
    - A parameter marked with member_path supports member operations.
    type: str

access_token:
    description:
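    - Token-based authentication. The token is generated from the FortiGate GUI.
    - The token authenticates API calls to the device, so supply it from an encrypted variable (for example Ansible Vault) rather than writing it into the playbook.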
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

endpoint_control_profile:
    default: null
    description:
    - Configure FortiClient endpoint control profiles.
    suboptions:
      description:
        description:
        - Description.
        type: str
      device_groups:
        description:
        - Device groups.
        elements: dict
        suboptions:
          name:
            description:
            - Device group object from available options. Source user.device-group.name
              user.device-category.name.
            type: str
        type: list
      forticlient_android_settings:
        description:
        - FortiClient settings for Android platform.
        suboptions:
          disable_wf_when_protected:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient web category filtering when protected by FortiGate.
            type: str
          forticlient_advanced_vpn:
            choices:
            - enable
            - disable
            description:
            - Enable/disable advanced FortiClient VPN configuration.
            type: str
          forticlient_advanced_vpn_buffer:
            description:
            - Advanced FortiClient VPN configuration.
            type: str
          forticlient_vpn_provisioning:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient VPN provisioning.
            type: str
          forticlient_vpn_settings:
            description:
            - FortiClient VPN settings.
            elements: dict
            suboptions:
              auth_method:
                choices:
                - psk
                - certificate
                description:
                - Authentication method.
                type: str
              name:
                description:
                - VPN name.
                type: str
              preshared_key:
                description:
                - Pre-shared secret for PSK authentication.
                - This value is a secret; keep it out of plain-text playbooks and version control.
                type: str
              remote_gw:
                description:
                - IP address or FQDN of the remote VPN gateway.
                type: str
              sslvpn_access_port:
                description:
                - SSL VPN access port (1 - 65535).
                type: int
              sslvpn_require_certificate:
                choices:
                - enable
                - disable
                description:
                - Enable/disable requiring SSL VPN client certificate.
                type: str
              type:
                choices:
                - ipsec
                - ssl
                description:
                - VPN type (IPsec or SSL VPN).
                type: str
            type: list
          forticlient_wf:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient web filtering.
            type: str
          forticlient_wf_profile:
            description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
            type: str
        type: dict
      forticlient_ios_settings:
        description:
        - FortiClient settings for iOS platform.
        suboptions:
          client_vpn_provisioning:
            choices:
            - enable
            - disable
            description:
            - FortiClient VPN provisioning.
            type: str
          client_vpn_settings:
            description:
            - FortiClient VPN settings.
            elements: dict
            suboptions:
              auth_method:
                choices:
                - psk
                - certificate
                description:
                - Authentication method.
                type: str
              name:
                description:
                - VPN name.
                type: str
              preshared_key:
                description:
                - Pre-shared secret for PSK authentication.
                - This value is a secret; keep it out of plain-text playbooks and version control.
                type: str
              remote_gw:
                description:
                - IP address or FQDN of the remote VPN gateway.
                type: str
              sslvpn_access_port:
                description:
                - SSL VPN access port (1 - 65535).
                type: int
              sslvpn_require_certificate:
                choices:
                - enable
                - disable
                description:
                - Enable/disable requiring SSL VPN client certificate.
                type: str
              type:
                choices:
                - ipsec
                - ssl
                description:
                - VPN type (IPsec or SSL VPN).
                type: str
              vpn_configuration_content:
                description:
                - Content of VPN configuration.
                type: str
              vpn_configuration_name:
                description:
                - Name of VPN configuration.
                type: str
            type: list
          configuration_content:
            description:
            - Content of configuration profile.
            type: str
          configuration_name:
            description:
            - Name of configuration profile.
            type: str
          disable_wf_when_protected:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient web category filtering when protected by FortiGate.
            type: str
          distribute_configuration_profile:
            choices:
            - enable
            - disable
            description:
            - Enable/disable configuration profile (.mobileconfig file) distribution.
            type: str
          forticlient_wf:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient web filtering.
            type: str
          forticlient_wf_profile:
            description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
            type: str
        type: dict
      forticlient_winmac_settings:
        description:
        - FortiClient settings for Windows/Mac platform.
        suboptions:
          av_realtime_protection:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient AntiVirus real-time protection.
            type: str
          av_signature_up_to_date:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient AV signature updates.
            type: str
          forticlient_application_firewall:
            choices:
            - enable
            - disable
            description:
            - Enable/disable the FortiClient application firewall.
            type: str
          forticlient_application_firewall_list:
            description:
            - FortiClient application firewall rule list. Source application.list.name.
            type: str
          forticlient_av:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient AntiVirus scanning.
            type: str
          forticlient_ems_compliance:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
            type: str
          forticlient_ems_compliance_action:
            choices:
            - block
            - warning
            description:
            - FortiClient EMS compliance action.
            type: str
          forticlient_ems_entries:
            description:
            - FortiClient EMS entries.
            elements: dict
            suboptions:
              name:
                description:
                - FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
                type: str
            type: list
          forticlient_linux_ver:
            description:
            - Minimum FortiClient Linux version.
            type: str
          forticlient_log_upload:
            choices:
            - enable
            - disable
            description:
            - Enable/disable uploading FortiClient logs.
            type: str
          forticlient_log_upload_level:
            choices:
            - traffic
            - vulnerability
            - event
            description:
            - Select the FortiClient logs to upload.
            type: str
          forticlient_log_upload_server:
            description:
            - IP address or FQDN of the server to which to upload FortiClient logs.
            type: str
          forticlient_mac_ver:
            description:
            - Minimum FortiClient Mac OS version.
            type: str
          forticlient_minimum_software_version:
            choices:
            - enable
            - disable
            description:
            - Enable/disable requiring clients to run FortiClient with a minimum software
              version number.
            type: str
          forticlient_operating_system:
            description:
            - FortiClient operating system.
            elements: dict
            suboptions:
              id:
                description:
                - Operating system entry ID.
                type: int
              os_name:
                description:
                - Customized operating system name, or Mac OS in the format x.x.x.
                type: str
              os_type:
                choices:
                - custom
                - mac-os
                - win-7
                - win-80
                - win-81
                - win-10
                - win-2000
                - win-home-svr
                - win-svr-10
                - win-svr-2003
                - win-svr-2003-r2
                - win-svr-2008
                - win-svr-2008-r2
                - win-svr-2012
                - win-svr-2012-r2
                - win-sto-svr-2003
                - win-vista
                - win-xp
                - ubuntu-linux
                - centos-linux
                - redhat-linux
                - fedora-linux
                description:
                - Operating system type.
                type: str
            type: list
          forticlient_own_file:
            description:
            - Checking the path and filename of the FortiClient application.
            elements: dict
            suboptions:
              file:
                description:
                - File path and name.
                type: str
              id:
                description:
                - File ID.
                type: int
            type: list
          forticlient_registration_compliance_action:
            choices:
            - block
            - warning
            description:
            - FortiClient registration compliance action.
            type: str
          forticlient_registry_entry:
            description:
            - FortiClient registry entry.
            elements: dict
            suboptions:
              id:
                description:
                - Registry entry ID.
                type: int
              registry_entry:
                description:
                - Registry entry.
                type: str
            type: list
          forticlient_running_app:
            description:
            - Use FortiClient to verify if the listed applications are running on the
              client.
            elements: dict
            suboptions:
              app_name:
                description:
                - Application name.
                type: str
              app_sha256_signature:
                description:
                - App's SHA256 signature.
                type: str
              app_sha256_signature2:
                description:
                - App's SHA256 signature.
                type: str
              app_sha256_signature3:
                description:
                - App's SHA256 signature.
                type: str
              app_sha256_signature4:
                description:
                - App's SHA256 signature.
                type: str
              application_check_rule:
                choices:
                - present
                - absent
                description:
                - Application check rule.
                type: str
              id:
                description:
                - Application ID.
                type: int
              process_name:
                description:
                - Process name.
                type: str
              process_name2:
                description:
                - Process name.
                type: str
              process_name3:
                description:
                - Process name.
                type: str
              process_name4:
                description:
                - Process name.
                type: str
            type: list
          forticlient_security_posture:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient security posture check options.
            type: str
          forticlient_security_posture_compliance_action:
            choices:
            - block
            - warning
            description:
            - FortiClient security posture compliance action.
            type: str
          forticlient_system_compliance:
            choices:
            - enable
            - disable
            description:
            - Enable/disable enforcement of FortiClient system compliance.
            type: str
          forticlient_system_compliance_action:
            choices:
            - block
            - warning
            description:
            - Block or warn clients not compliant with FortiClient requirements.
            type: str
          forticlient_vuln_scan:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient vulnerability scanning.
            type: str
          forticlient_vuln_scan_compliance_action:
            choices:
            - block
            - warning
            description:
            - FortiClient vulnerability compliance action.
            type: str
          forticlient_vuln_scan_enforce:
            choices:
            - critical
            - high
            - medium
            - low
            - info
            description:
            - Configure the level of the vulnerability found that causes a FortiClient
              vulnerability compliance action.
            type: str
          forticlient_vuln_scan_enforce_grace:
            description:
            - FortiClient vulnerability scan enforcement grace period (0 - 30 days).
            type: int
          forticlient_vuln_scan_exempt:
            choices:
            - enable
            - disable
            description:
            - Enable/disable compliance exemption for vulnerabilities that cannot be patched
              automatically.
            type: str
          forticlient_wf:
            choices:
            - enable
            - disable
            description:
            - Enable/disable FortiClient web filtering.
            type: str
          forticlient_wf_profile:
            description:
            - The FortiClient web filter profile to apply. Source webfilter.profile.name.
            type: str
          forticlient_win_ver:
            description:
            - Minimum FortiClient Windows version.
            type: str
          os_av_software_installed:
            choices:
            - enable
            - disable
            description:
            - Enable/disable checking for OS recognized AntiVirus software.
            type: str
          sandbox_address:
            description:
            - FortiSandbox address.
            type: str
          sandbox_analysis:
            choices:
            - enable
            - disable
            description:
            - Enable/disable sending files to FortiSandbox for analysis.
            type: str
        type: dict
      on_net_addr:
        description:
        - Addresses for on-net detection.
        elements: dict
        suboptions:
          name:
            description:
            - Address object from available options. Source firewall.address.name firewall.addrgrp.name.
            type: str
        type: list
      profile_name:
        description:
        - Profile name.
        type: str
      replacemsg_override_group:
        description:
        - Select an endpoint control replacement message override group from available
          options. Source system.replacemsg-group.name.
        type: str
      src_addr:
        description:
        - Source addresses.
        elements: dict
        suboptions:
          name:
            description:
            - Address object from available options. Source firewall.address.name firewall.addrgrp.name.
            type: str
        type: list
      user_groups:
        description:
        - User groups.
        elements: dict
        suboptions:
          name:
            description:
            - User group name. Source user.group.name.
            type: str
        type: list
      users:
        description:
        - Users.
        elements: dict
        suboptions:
          name:
            description:
            - User name. Source user.local.name.
            type: str
        type: list
    type: dict

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str