lix_fortinet.fortios.fortios_firewall_access_proxy (102.2.120) — module

Configure IPv4 access proxy in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120


Add to requirements.yml

  collections:
    - name: lix_fortinet.fortios
      version: 102.2.120

Description

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the access_proxy category of the firewall feature. The examples include all parameters; the values need to be adjusted to your own datasources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no   # skips TLS verification of the FortiGate API; use yes with a trusted CA outside the lab
    ansible_httpapi_port: 443
  tasks:
  - name: Configure IPv4 access proxy.
    fortios_firewall_access_proxy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_access_proxy:
        add_vhost_domain_to_dnsdb: "enable"
        api_gateway:
         -
            application:
             -
                name: "default_name_6"
            http_cookie_age: "60"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "0"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "14"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                addr_type: "ip"
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                domain: "<your_own_value>"
                health_check: "disable"
                health_check_proto: "ping"
                holddown_interval: "enable"
                http_host: "myhostname"
                id:  "25"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "443"
                ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                ssh_host_key:
                 -
                    name: "default_name_31 (source firewall.ssh.host-key.name)"
                ssh_host_key_validation: "disable"
                status: "active"
                type: "tcp-forwarding"
                weight: "1"
            saml_redirect: "disable"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "0"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        api_gateway6:
         -
            application:
             -
                name: "default_name_53"
            http_cookie_age: "60"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "0"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "61"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                addr_type: "ip"
                address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
                domain: "<your_own_value>"
                health_check: "disable"
                health_check_proto: "ping"
                holddown_interval: "enable"
                http_host: "myhostname"
                id:  "72"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "443"
                ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                ssh_host_key:
                 -
                    name: "default_name_78 (source firewall.ssh.host-key.name)"
                ssh_host_key_validation: "disable"
                status: "active"
                type: "tcp-forwarding"
                weight: "1"
            saml_redirect: "disable"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "0"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        auth_portal: "disable"
        auth_virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        client_cert: "disable"
        decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
        empty_cert_action: "accept"
        ldb_method: "static"
        log_blocked_traffic: "enable"
        name: "default_name_105"
        realservers:
         -
            id:  "107"
            ip: "<your_own_value>"
            port: "0"
            status: "active"
            weight: "1"
        server_pubkey_auth: "disable"
        server_pubkey_auth_settings:
            auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
            cert_extension:
             -
                critical: "no"
                data: "<your_own_value>"
                name: "default_name_118"
                type: "fixed"
            permit_agent_forwarding: "enable"
            permit_port_forwarding: "enable"
            permit_pty: "enable"
            permit_user_rc: "enable"
            permit_x11_forwarding: "enable"
            source_address: "enable"
        user_agent_detect: "disable"
        vip: "<your_own_value> (source firewall.vip.name)"
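As an added pre-flight check (example code, not part of the collection or of FortiOS), the following Python walks a firewall_access_proxy parameter dict like the one in the example above and flags the values that weaken the TLS and SSH settings documented under Inputs: tls-1.0 as ssl_min_version, 768-bit ssl_dh_bits, RC4/DES/3DES/MD5 cipher suites, a TLS 1.3 suite restricted to older versions, http-cookie persistence without https_cookie_secure, and SSH real servers without ssh_host_key_validation. The policy floors (TLS 1.2, 2048-bit DH) and the two sample dicts are this example's own assumptions.

```python
"""Pre-deployment policy check for fortios_firewall_access_proxy parameters.

Added example, not code from the collection: it walks the firewall_access_proxy
dict a playbook hands to the module (the structure of the usage example above)
and reports settings that weaken TLS or skip server validation. The policy
floors (TLS 1.2, 2048-bit DH) are this example's assumptions."""

TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]  # documented choices, oldest first
MIN_TLS = "tls-1.2"  # assumed policy floor
MIN_DH_BITS = 2048   # assumed policy floor
# Substrings of documented cipher names that mark broken or legacy suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "3DES", "MD5")
# TLS 1.3-only suites from the documented list; older versions cannot negotiate them.
TLS13_PREFIXES = ("TLS-AES-", "TLS-CHACHA20-")


def _as_list(value):
    """The module documents 'versions' as a list; the usage example passes a string."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_api_gateway(gw, path):
    """Return findings for one api_gateway / api_gateway6 entry (dict)."""
    findings = []
    min_v, max_v = gw.get("ssl_min_version"), gw.get("ssl_max_version")
    # Choice validation is left to the module's argument spec; unknown values raise here.
    if min_v is not None and TLS_ORDER.index(min_v) < TLS_ORDER.index(MIN_TLS):
        findings.append(f"{path}: ssl_min_version {min_v} is below {MIN_TLS}")
    if min_v is not None and max_v is not None and TLS_ORDER.index(max_v) < TLS_ORDER.index(min_v):
        findings.append(f"{path}: ssl_max_version {max_v} is lower than ssl_min_version {min_v}")
    dh = gw.get("ssl_dh_bits")  # documented as a string choice such as '768'
    if dh is not None and int(dh) < MIN_DH_BITS:
        findings.append(f"{path}: ssl_dh_bits {dh} is below {MIN_DH_BITS}")
    for i, suite in enumerate(gw.get("ssl_cipher_suites") or []):
        name, versions = suite.get("cipher", ""), _as_list(suite.get("versions"))
        where = f"{path}.ssl_cipher_suites[{i}]"
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{where}: weak cipher suite {name}")
        elif name.startswith(TLS13_PREFIXES) and versions and "tls-1.3" not in versions:
            findings.append(f"{where}: TLS 1.3 suite {name} offered only for {versions}")
    # Cookie persistence without the Secure attribute lets the session cookie travel
    # over plaintext; only relevant when http-cookie persistence is actually in use.
    if gw.get("persistence") == "http-cookie" and gw.get("https_cookie_secure") != "enable":
        findings.append(f"{path}: http-cookie persistence without https_cookie_secure")
    for j, rs in enumerate(gw.get("realservers") or []):
        if rs.get("type") == "ssh" and rs.get("ssh_host_key_validation") != "enable":
            findings.append(f"{path}.realservers[{j}]: SSH real server without host key validation")
    return findings


def check_access_proxy(proxy):
    """Return all findings for a firewall_access_proxy parameter dict."""
    findings = []
    if proxy.get("client_cert") == "enable" and proxy.get("empty_cert_action") == "accept":
        findings.append("client_cert is enabled but clients without a certificate are accepted")
    for key in ("api_gateway", "api_gateway6"):
        for i, gw in enumerate(proxy.get(key) or []):
            findings.extend(check_api_gateway(gw, f"{key}[{i}]"))
    return findings


# Constructed sample mirroring the weak values in the usage example above.
WEAK_EXAMPLE = {
    "client_cert": "enable",
    "empty_cert_action": "accept",
    "api_gateway": [{
        "id": 14, "service": "https", "persistence": "http-cookie",
        "https_cookie_secure": "disable",
        "ssl_min_version": "tls-1.0", "ssl_max_version": "tls-1.0", "ssl_dh_bits": "768",
        "ssl_cipher_suites": [
            {"cipher": "TLS-AES-128-GCM-SHA256", "priority": 0, "versions": "tls-1.0"},
            {"cipher": "TLS-RSA-WITH-RC4-128-MD5", "priority": 1, "versions": ["tls-1.2"]},
        ],
        "realservers": [{"id": 25, "type": "ssh", "ssh_host_key_validation": "disable"}],
    }],
}

# Constructed hardened counterpart: same structure, corrected values.
HARDENED_EXAMPLE = {
    "client_cert": "enable",
    "empty_cert_action": "block",
    "api_gateway": [{
        "id": 14, "service": "https", "persistence": "http-cookie",
        "https_cookie_secure": "enable",
        "ssl_min_version": "tls-1.2", "ssl_max_version": "tls-1.3", "ssl_dh_bits": "2048",
        "ssl_cipher_suites": [
            {"cipher": "TLS-AES-256-GCM-SHA384", "priority": 0, "versions": ["tls-1.3"]},
            {"cipher": "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "priority": 1, "versions": ["tls-1.2"]},
        ],
        "realservers": [{"id": 25, "type": "ssh", "ssh_host_key_validation": "enable"}],
    }],
}
```

Run `check_access_proxy` on the `firewall_access_proxy` dict from a playbook (for example in a pre-task or CI step) before the module is invoked; the weak sample yields seven findings and the hardened one none.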

Inputs

vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there is more than one attribute.
    - Only parameters marked with member_path are valid for a member operation.
    type: str

access_token:
    description:
    - Token-based authentication. Generated from the FortiGate GUI.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

firewall_access_proxy:
    default: null
    description:
    - Configure IPv4 access proxy.
    suboptions:
      add_vhost_domain_to_dnsdb:
        choices:
        - enable
        - disable
        description:
        - Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.
        type: str
      api_gateway:
        description:
        - Set IPv4 API Gateway.
        elements: dict
        suboptions:
          application:
            description:
            - SaaS application controlled by this Access Proxy.
            elements: dict
            suboptions:
              name:
                description:
                - SaaS application name.
                type: str
            type: list
          http_cookie_age:
            description:
            - Time in minutes that client web browsers should keep a cookie. Default is
              60 minutes. 0 = no time limit.
            type: int
          http_cookie_domain:
            description:
            - Domain that HTTP cookie persistence should apply to.
            type: str
          http_cookie_domain_from_host:
            choices:
            - disable
            - enable
            description:
            - Enable/disable use of HTTP cookie domain from host field in HTTP.
            type: str
          http_cookie_generation:
            description:
            - Generation of HTTP cookie to be accepted. Changing invalidates all existing
              cookies.
            type: int
          http_cookie_path:
            description:
            - Limit HTTP cookie persistence to the specified path.
            type: str
          http_cookie_share:
            choices:
            - disable
            - same-ip
            description:
            - Control sharing of cookies across API Gateway. Use of same-ip means a cookie
              from one virtual server can be used by another. Disable stops cookie sharing.
            type: str
          https_cookie_secure:
            choices:
            - disable
            - enable
            description:
            - Enable/disable verification that inserted HTTPS cookies are secure.
            type: str
          id:
            description:
            - API Gateway ID.
            type: int
          ldb_method:
            choices:
            - static
            - round-robin
            - weighted
            - first-alive
            - http-host
            - least-session
            - least-rtt
            description:
            - Method used to distribute sessions to real servers.
            type: str
          persistence:
            choices:
            - none
            - http-cookie
            description:
            - Configure how to make sure that clients connect to the same server every
              time they make a request that is part of the same session.
            type: str
          realservers:
            description:
            - Select the real servers that this Access Proxy will distribute traffic to.
            elements: dict
            suboptions:
              addr_type:
                choices:
                - ip
                - fqdn
                description:
                - Type of address.
                type: str
              address:
                description:
                - Address or address group of the real server. Source firewall.address.name
                  firewall.addrgrp.name.
                type: str
              domain:
                description:
                - Wildcard domain name of the real server.
                type: str
              health_check:
                choices:
                - disable
                - enable
                description:
                - Enable to check the responsiveness of the real server before forwarding
                  traffic.
                type: str
              health_check_proto:
                choices:
                - ping
                - http
                - tcp-connect
                description:
                - Protocol of the health check monitor to use when polling to determine
                  the server's connectivity status.
                type: str
              holddown_interval:
                choices:
                - enable
                - disable
                description:
                - Enable/disable holddown timer. Server will be considered active and
                  reachable once the holddown period has expired (30 seconds).
                type: str
              http_host:
                description:
                - HTTP server domain name in HTTP header.
                type: str
              id:
                description:
                - Real server ID.
                type: int
              ip:
                description:
                - IP address of the real server.
                type: str
              mappedport:
                description:
                - Port for communicating with the real server.
                type: str
              port:
                description:
                - Port for communicating with the real server.
                type: int
              ssh_client_cert:
                description:
                - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.
                type: str
              ssh_host_key:
                description:
                - One or more server host keys.
                elements: dict
                suboptions:
                  name:
                    description:
                    - Server host key name. Source firewall.ssh.host-key.name.
                    type: str
                type: list
              ssh_host_key_validation:
                choices:
                - disable
                - enable
                description:
                - Enable/disable SSH real server host key validation.
                type: str
              status:
                choices:
                - active
                - standby
                - disable
                description:
                - Set the status of the real server to active so that it can accept traffic,
                  or on standby or disabled so no traffic is sent.
                type: str
              type:
                choices:
                - tcp-forwarding
                - ssh
                description:
                - TCP forwarding server type.
                type: str
              weight:
                description:
                - Weight of the real server. If weighted load balancing is enabled, the
                  server with the highest weight gets more connections.
                type: int
            type: list
          saml_redirect:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SAML redirection after successful authentication.
            type: str
          saml_server:
            description:
            - SAML service provider configuration for VIP authentication. Source user.saml.name.
            type: str
          service:
            choices:
            - http
            - https
            - tcp-forwarding
            - samlsp
            - web-portal
            - saas
            description:
            - Service.
            type: str
          ssl_algorithm:
            choices:
            - high
            - medium
            - low
            - custom
            description:
            - Permitted encryption algorithms for the server side of SSL full mode sessions
              according to encryption strength.
            type: str
          ssl_cipher_suites:
            description:
            - SSL/TLS cipher suites to offer to a server, ordered by priority.
            elements: dict
            suboptions:
              cipher:
                choices:
                - TLS-AES-128-GCM-SHA256
                - TLS-AES-256-GCM-SHA384
                - TLS-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-AES-128-CBC-SHA
                - TLS-RSA-WITH-AES-256-CBC-SHA
                - TLS-RSA-WITH-AES-128-CBC-SHA256
                - TLS-RSA-WITH-AES-128-GCM-SHA256
                - TLS-RSA-WITH-AES-256-CBC-SHA256
                - TLS-RSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-SEED-CBC-SHA
                - TLS-DHE-DSS-WITH-SEED-CBC-SHA
                - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                - TLS-RSA-WITH-SEED-CBC-SHA
                - TLS-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-RC4-128-SHA
                - TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-RC4-128-MD5
                - TLS-RSA-WITH-RC4-128-SHA
                - TLS-DHE-RSA-WITH-DES-CBC-SHA
                - TLS-DHE-DSS-WITH-DES-CBC-SHA
                - TLS-RSA-WITH-DES-CBC-SHA
                description:
                - Cipher suite name.
                type: str
              priority:
                description:
                - SSL/TLS cipher suites priority.
                type: int
              versions:
                choices:
                - tls-1.0
                - tls-1.1
                - tls-1.2
                - tls-1.3
                description:
                - SSL/TLS versions that the cipher suite can be used with.
                elements: str
                type: list
            type: list
          ssl_dh_bits:
            choices:
            - '768'
            - '1024'
            - '1536'
            - '2048'
            - '3072'
            - '4096'
            description:
            - Number of bits to use in the Diffie-Hellman exchange for RSA encryption
              of SSL sessions.
            type: str
          ssl_max_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Highest SSL/TLS version acceptable from a server.
            type: str
          ssl_min_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Lowest SSL/TLS version acceptable from a server.
            type: str
          ssl_vpn_web_portal:
            description:
            - SSL-VPN web portal. Source vpn.ssl.web.portal.name.
            type: str
          url_map:
            description:
            - URL pattern to match.
            type: str
          url_map_type:
            choices:
            - sub-string
            - wildcard
            - regex
            description:
            - Type of url-map.
            type: str
          virtual_host:
            description:
            - Virtual host. Source firewall.access-proxy-virtual-host.name.
            type: str
        type: list
      api_gateway6:
        description:
        - Set IPv6 API Gateway.
        elements: dict
        suboptions:
          application:
            description:
            - SaaS application controlled by this Access Proxy.
            elements: dict
            suboptions:
              name:
                description:
                - SaaS application name.
                type: str
            type: list
          http_cookie_age:
            description:
            - Time in minutes that client web browsers should keep a cookie. Default is
              60 minutes. 0 = no time limit.
            type: int
          http_cookie_domain:
            description:
            - Domain that HTTP cookie persistence should apply to.
            type: str
          http_cookie_domain_from_host:
            choices:
            - disable
            - enable
            description:
            - Enable/disable use of HTTP cookie domain from host field in HTTP.
            type: str
          http_cookie_generation:
            description:
            - Generation of HTTP cookie to be accepted. Changing invalidates all existing
              cookies.
            type: int
          http_cookie_path:
            description:
            - Limit HTTP cookie persistence to the specified path.
            type: str
          http_cookie_share:
            choices:
            - disable
            - same-ip
            description:
            - Control sharing of cookies across API Gateway. Use of same-ip means a cookie
              from one virtual server can be used by another. Disable stops cookie sharing.
            type: str
          https_cookie_secure:
            choices:
            - disable
            - enable
            description:
            - Enable/disable verification that inserted HTTPS cookies are secure.
            type: str
          id:
            description:
            - API Gateway ID.
            type: int
          ldb_method:
            choices:
            - static
            - round-robin
            - weighted
            - first-alive
            - http-host
            description:
            - Method used to distribute sessions to real servers.
            type: str
          persistence:
            choices:
            - none
            - http-cookie
            description:
            - Configure how to make sure that clients connect to the same server every
              time they make a request that is part of the same session.
            type: str
          realservers:
            description:
            - Select the real servers that this Access Proxy will distribute traffic to.
            elements: dict
            suboptions:
              addr_type:
                choices:
                - ip
                - fqdn
                description:
                - Type of address.
                type: str
              address:
                description:
                - Address or address group of the real server. Source firewall.address6.name
                  firewall.addrgrp6.name.
                type: str
              domain:
                description:
                - Wildcard domain name of the real server.
                type: str
              health_check:
                choices:
                - disable
                - enable
                description:
                - Enable to check the responsiveness of the real server before forwarding
                  traffic.
                type: str
              health_check_proto:
                choices:
                - ping
                - http
                - tcp-connect
                description:
                - Protocol of the health check monitor to use when polling to determine
                  the server's connectivity status.
                type: str
              holddown_interval:
                choices:
                - enable
                - disable
                description:
                - Enable/disable holddown timer. Server will be considered active and
                  reachable once the holddown period has expired (30 seconds).
                type: str
              http_host:
                description:
                - HTTP server domain name in HTTP header.
                type: str
              id:
                description:
                - Real server ID.
                type: int
              ip:
                description:
                - IPv6 address of the real server.
                type: str
              mappedport:
                description:
                - Port for communicating with the real server.
                type: str
              port:
                description:
                - Port for communicating with the real server.
                type: int
              ssh_client_cert:
                description:
                - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.
                type: str
              ssh_host_key:
                description:
                - One or more server host keys.
                elements: dict
                suboptions:
                  name:
                    description:
                    - Server host key name. Source firewall.ssh.host-key.name.
                    type: str
                type: list
              ssh_host_key_validation:
                choices:
                - disable
                - enable
                description:
                - Enable/disable SSH real server host key validation.
                type: str
              status:
                choices:
                - active
                - standby
                - disable
                description:
                - Set the status of the real server to active so that it can accept traffic,
                  or on standby or disabled so no traffic is sent.
                type: str
              type:
                choices:
                - tcp-forwarding
                - ssh
                description:
                - TCP forwarding server type.
                type: str
              weight:
                description:
                - Weight of the real server. If weighted load balancing is enabled, the
                  server with the highest weight gets more connections.
                type: int
            type: list
          saml_redirect:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SAML redirection after successful authentication.
            type: str
          saml_server:
            description:
            - SAML service provider configuration for VIP authentication. Source user.saml.name.
            type: str
          service:
            choices:
            - http
            - https
            - tcp-forwarding
            - samlsp
            - web-portal
            - saas
            description:
            - Service.
            type: str
          ssl_algorithm:
            choices:
            - high
            - medium
            - low
            description:
            - Permitted encryption algorithms for the server side of SSL full mode sessions
              according to encryption strength.
            type: str
          ssl_cipher_suites:
            description:
            - SSL/TLS cipher suites to offer to a server, ordered by priority.
            elements: dict
            suboptions:
              cipher:
                choices:
                - TLS-AES-128-GCM-SHA256
                - TLS-AES-256-GCM-SHA384
                - TLS-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA
                - TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
                - TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
                - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-AES-128-CBC-SHA
                - TLS-RSA-WITH-AES-256-CBC-SHA
                - TLS-RSA-WITH-AES-128-CBC-SHA256
                - TLS-RSA-WITH-AES-128-GCM-SHA256
                - TLS-RSA-WITH-AES-256-CBC-SHA256
                - TLS-RSA-WITH-AES-256-GCM-SHA384
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
                - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
                - TLS-DHE-RSA-WITH-SEED-CBC-SHA
                - TLS-DHE-DSS-WITH-SEED-CBC-SHA
                - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
                - TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
                - TLS-RSA-WITH-SEED-CBC-SHA
                - TLS-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
                - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
                - TLS-ECDHE-RSA-WITH-RC4-128-SHA
                - TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-3DES-EDE-CBC-SHA
                - TLS-RSA-WITH-RC4-128-MD5
                - TLS-RSA-WITH-RC4-128-SHA
                - TLS-DHE-RSA-WITH-DES-CBC-SHA
                - TLS-DHE-DSS-WITH-DES-CBC-SHA
                - TLS-RSA-WITH-DES-CBC-SHA
                description:
                - Cipher suite name.
                type: str
              priority:
                description:
                - SSL/TLS cipher suites priority.
                type: int
              versions:
                choices:
                - tls-1.0
                - tls-1.1
                - tls-1.2
                - tls-1.3
                description:
                - SSL/TLS versions that the cipher suite can be used with.
                elements: str
                type: list
            type: list
          ssl_dh_bits:
            choices:
            - '768'
            - '1024'
            - '1536'
            - '2048'
            - '3072'
            - '4096'
            description:
            - Number of bits to use in the Diffie-Hellman exchange for RSA encryption
              of SSL sessions.
            type: str
          ssl_max_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Highest SSL/TLS version acceptable from a server.
            type: str
          ssl_min_version:
            choices:
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Lowest SSL/TLS version acceptable from a server.
            type: str
          ssl_vpn_web_portal:
            description:
            - SSL-VPN web portal. Source vpn.ssl.web.portal.name.
            type: str
          url_map:
            description:
            - URL pattern to match.
            type: str
          url_map_type:
            choices:
            - sub-string
            - wildcard
            - regex
            description:
            - Type of url-map.
            type: str
          virtual_host:
            description:
            - Virtual host. Source firewall.access-proxy-virtual-host.name.
            type: str
        type: list
      auth_portal:
        choices:
        - disable
        - enable
        description:
        - Enable/disable authentication portal.
        type: str
      auth_virtual_host:
        description:
        - Virtual host for authentication portal. Source firewall.access-proxy-virtual-host.name.
        type: str
      client_cert:
        choices:
        - disable
        - enable
        description:
        - Enable/disable requesting a client certificate.
        type: str
      decrypted_traffic_mirror:
        description:
        - Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name.
        type: str
      empty_cert_action:
        choices:
        - accept
        - block
        - accept-unmanageable
        description:
        - Action to take on an empty client certificate.
        type: str
      ldb_method:
        choices:
        - static
        - round-robin
        - weighted
        - least-session
        - least-rtt
        - first-alive
        description:
        - Method used to distribute sessions to SSL real servers.
        type: str
      log_blocked_traffic:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging of blocked traffic.
        type: str
      name:
        description:
        - Access Proxy name.
        required: true
        type: str
      realservers:
        description:
        - Select the SSL real servers that this Access Proxy will distribute traffic to.
        elements: dict
        suboptions:
          id:
            description:
            - Real server ID.
            type: int
          ip:
            description:
            - IP address of the real server.
            type: str
          port:
            description:
            - Port for communicating with the real server.
            type: int
          status:
            choices:
            - active
            - standby
            - disable
            description:
            - Set the status of the real server to active so that it can accept traffic,
              or on standby or disabled so no traffic is sent.
            type: str
          weight:
            description:
            - Weight of the real server. If weighted load balancing is enabled, the server
              with the highest weight gets more connections.
            type: int
        type: list
      server_pubkey_auth:
        choices:
        - disable
        - enable
        description:
        - Enable/disable SSH real server public key authentication.
        type: str
      server_pubkey_auth_settings:
        description:
        - Server SSH public key authentication settings.
        suboptions:
          auth_ca:
            description:
            - Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name.
            type: str
          cert_extension:
            description:
            - Configure certificate extension for user certificate.
            elements: dict
            suboptions:
              critical:
                choices:
                - 'no'
                - 'yes'
                description:
                - Critical option.
                type: str
              data:
                description:
                - Name of certificate extension.
                type: str
              name:
                description:
                - Name of certificate extension.
                type: str
              type:
                choices:
                - fixed
                - user
                description:
                - Type of certificate extension.
                type: str
            type: list
          permit_agent_forwarding:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending permit-agent-forwarding certificate extension.
            type: str
          permit_port_forwarding:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending permit-port-forwarding certificate extension.
            type: str
          permit_pty:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending permit-pty certificate extension.
            type: str
          permit_user_rc:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending permit-user-rc certificate extension.
            type: str
          permit_x11_forwarding:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending permit-x11-forwarding certificate extension.
            type: str
          source_address:
            choices:
            - enable
            - disable
            description:
            - Enable/disable appending the source-address certificate critical option. This
              option ensures the certificate is only accepted from the FortiGate source address.
            type: str
        type: dict
      user_agent_detect:
        choices:
        - disable
        - enable
        description:
        - Enable/disable detecting the device type from the HTTP user-agent if no client
          certificate is provided.
        type: str
      vip:
        description:
        - Virtual IP name. Source firewall.vip.name.
        type: str
    type: dict
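
The option names above describe what the module will accept, not what is safe to deploy. The following is an added example, not code from the lix_fortinet.fortios collection: a pre-deployment audit over a `firewall_access_proxy` argument dict that flags the weak TLS and client-certificate combinations the choices permit (legacy cipher suites, TLS 1.0/1.1 as minimum, DH below 2048 bits, a maximum version below the minimum, client certificates requested but empty ones not blocked, blocked-traffic logging off). It assumes `api_gateway` is the per-gateway list and `ssl_cipher_suites` is the parent key of the `cipher`/`priority`/`versions` suboptions shown above; the sample input is constructed.

```python
"""Added example, not part of the lix_fortinet.fortios collection: audit a
firewall_access_proxy argument dict (same option names as this module) for
settings the module accepts but that weaken TLS or client-certificate handling."""

# Substrings of cipher-suite names from the module's choices that mark legacy
# algorithms; "DES" also matches the 3DES suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5")
TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]  # the module's version choices

def audit_access_proxy(proxy):
    """Return one finding per weak or inconsistent setting (empty list means clean)."""
    findings = []
    # Requesting a client certificate but accepting an empty one defeats the check.
    if proxy.get("client_cert") == "enable" and proxy.get("empty_cert_action") != "block":
        findings.append("empty_cert_action: client_cert enabled but empty certificates not blocked")
    if proxy.get("log_blocked_traffic") == "disable":
        findings.append("log_blocked_traffic: blocked sessions will not be logged")
    for gw in proxy.get("api_gateway", []):  # per-gateway TLS settings
        tag = "api_gateway %s" % gw.get("id")
        lo, hi = gw.get("ssl_min_version"), gw.get("ssl_max_version")
        if lo in ("tls-1.0", "tls-1.1"):
            findings.append("%s: ssl_min_version %s permits deprecated TLS" % (tag, lo))
        if lo and hi and TLS_ORDER.index(hi) < TLS_ORDER.index(lo):
            findings.append("%s: ssl_max_version %s is below ssl_min_version %s" % (tag, hi, lo))
        bits = gw.get("ssl_dh_bits")
        if bits is not None and int(bits) < 2048:  # choices are strings such as '1024'
            findings.append("%s: ssl_dh_bits %s is below 2048" % (tag, bits))
        # "ssl_cipher_suites" is assumed to be the parent key of cipher/priority/versions.
        for suite in gw.get("ssl_cipher_suites", []):
            name = suite.get("cipher", "")
            if any(marker in name for marker in WEAK_CIPHER_MARKERS):
                findings.append("%s: legacy cipher suite %s (priority %s)" % (tag, name, suite.get("priority")))
    return findings

# Constructed sample: gateway 1 is hardened, gateway 2 carries several weak settings.
SAMPLE_PROXY = {
    "name": "example-proxy",
    "client_cert": "enable",
    "empty_cert_action": "accept",
    "log_blocked_traffic": "disable",
    "api_gateway": [
        {"id": 1, "ssl_min_version": "tls-1.2", "ssl_max_version": "tls-1.3", "ssl_dh_bits": "2048",
         "ssl_cipher_suites": [{"cipher": "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384", "priority": 1}]},
        {"id": 2, "ssl_min_version": "tls-1.1", "ssl_max_version": "tls-1.0", "ssl_dh_bits": "1024",
         "ssl_cipher_suites": [{"cipher": "TLS-RSA-WITH-RC4-128-SHA", "priority": 1}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_access_proxy(SAMPLE_PROXY)))
```

Run against the sample, the audit reports the two top-level findings and four for gateway 2 while gateway 1 passes clean; point it at the `firewall_access_proxy` dict of a real task before the play runs.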

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str