fortios_firewall_policy - Configure IPv4/IPv6 policies in Fortinet's FortiOS and FortiGate.

Collection: lix_fortinet.fortios, version 102.2.120 (module). Added in version 2.0.0 of lix_fortinet.fortios.
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
Status: preview | supported by community
Install with: ansible-galaxy collection install lix_fortinet.fortios:==102.2.120

Or pin it in a requirements.yml:

```yaml
collections:
  - name: lix_fortinet.fortios
    version: 102.2.120
```
Synopsis

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the policy category of the firewall feature. The example below includes every parameter; the values must be adjusted to your own data sources before use. Tested with FOS v6.0.0.
Examples

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure IPv4/IPv6 policies.
      fortios_firewall_policy:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        firewall_policy:
          action: "accept"
          anti_replay: "enable"
          app_category:
            - id: "6"
          app_group:
            - name: "default_name_8 (source application.group.name)"
          application:
            - id: "10"
          application_list: "<your_own_value> (source application.list.name)"
          auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
          auth_path: "enable"
          auth_redirect_addr: "<your_own_value>"
          auto_asic_offload: "enable"
          av_profile: "<your_own_value> (source antivirus.profile.name)"
          block_notification: "enable"
          captive_portal_exempt: "enable"
          capture_packet: "enable"
          cifs_profile: "<your_own_value> (source cifs.profile.name)"
          comments: "<your_own_value>"
          custom_log_fields:
            - field_id: "<your_own_value> (source log.custom-field.id)"
          decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
          delay_tcp_npu_session: "enable"
          devices:
            - name: "default_name_27 (source user.device.alias user.device-group.name user.device-category.name)"
          diffserv_copy: "enable"
          diffserv_forward: "enable"
          diffserv_reverse: "enable"
          diffservcode_forward: "<your_own_value>"
          diffservcode_rev: "<your_own_value>"
          disclaimer: "enable"
          dlp_profile: "<your_own_value> (source dlp.profile.name)"
          dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
          dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
          dscp_match: "enable"
          dscp_negate: "enable"
          dscp_value: "<your_own_value>"
          dsri: "enable"
          dstaddr:
            - name: "default_name_42 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name system.external-resource.name)"
          dstaddr_negate: "enable"
          dstaddr6:
            - name: "default_name_45 (source firewall.address6.name firewall.addrgrp6.name firewall.vipgrp6.name firewall.vip6.name system.external-resource.name)"
          dstaddr6_negate: "enable"
          dstintf:
            - name: "default_name_48 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          dynamic_shaping: "enable"
          email_collect: "enable"
          emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
          fec: "enable"
          file_filter_profile: "<your_own_value> (source file-filter.profile.name)"
          firewall_session_dirty: "check-all"
          fixedport: "enable"
          fsso: "enable"
          fsso_agent_for_ntlm: "<your_own_value> (source user.fsso.name)"
          fsso_groups:
            - name: "default_name_59 (source user.adgrp.name)"
          geoip_anycast: "enable"
          geoip_match: "physical-location"
          global_label: "<your_own_value>"
          groups:
            - name: "default_name_64 (source user.group.name)"
          gtp_profile: "<your_own_value> (source firewall.gtp.name)"
          http_policy_redirect: "enable"
          icap_profile: "<your_own_value> (source icap.profile.name)"
          identity_based_route: "<your_own_value> (source firewall.identity-based-route.name)"
          inbound: "enable"
          inspection_mode: "proxy"
          internet_service: "enable"
          internet_service_custom:
            - name: "default_name_73 (source firewall.internet-service-custom.name)"
          internet_service_custom_group:
            - name: "default_name_75 (source firewall.internet-service-custom-group.name)"
          internet_service_group:
            - name: "default_name_77 (source firewall.internet-service-group.name)"
          internet_service_id:
            - id: "79 (source firewall.internet-service.id)"
          internet_service_name:
            - name: "default_name_81 (source firewall.internet-service-name.name)"
          internet_service_negate: "enable"
          internet_service_src: "enable"
          internet_service_src_custom:
            - name: "default_name_85 (source firewall.internet-service-custom.name)"
          internet_service_src_custom_group:
            - name: "default_name_87 (source firewall.internet-service-custom-group.name)"
          internet_service_src_group:
            - name: "default_name_89 (source firewall.internet-service-group.name)"
          internet_service_src_id:
            - id: "91 (source firewall.internet-service.id)"
          internet_service_src_name:
            - name: "default_name_93 (source firewall.internet-service-name.name)"
          internet_service_src_negate: "enable"
          internet_service6: "enable"
          internet_service6_custom:
            - name: "default_name_97 (source )"
          internet_service6_custom_group:
            - name: "default_name_99 (source )"
          internet_service6_group:
            - name: "default_name_101 (source )"
          internet_service6_name:
            - name: "default_name_103 (source )"
          internet_service6_negate: "enable"
          internet_service6_src: "enable"
          internet_service6_src_custom:
            - name: "default_name_107 (source )"
          internet_service6_src_custom_group:
            - name: "default_name_109 (source )"
          internet_service6_src_group:
            - name: "default_name_111 (source )"
          internet_service6_src_name:
            - name: "default_name_113 (source )"
          internet_service6_src_negate: "enable"
          ippool: "enable"
          ips_sensor: "<your_own_value> (source ips.sensor.name)"
          label: "<your_own_value>"
          learning_mode: "enable"
          logtraffic: "all"
          logtraffic_start: "enable"
          match_vip: "enable"
          match_vip_only: "enable"
          mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
          name: "default_name_124"
          nat: "enable"
          nat46: "enable"
          nat64: "enable"
          natinbound: "enable"
          natip: "<your_own_value>"
          natoutbound: "enable"
          network_service_dynamic:
            - name: "default_name_132 (source )"
          network_service_src_dynamic:
            - name: "default_name_134 (source )"
          np_acceleration: "enable"
          ntlm: "enable"
          ntlm_enabled_browsers:
            - user_agent_string: "<your_own_value>"
          ntlm_guest: "enable"
          outbound: "enable"
          passive_wan_health_measurement: "enable"
          per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
          permit_any_host: "enable"
          permit_stun_host: "enable"
          pfcp_profile: "<your_own_value> (source firewall.pfcp.name)"
          policy_expiry: "enable"
          policy_expiry_date: "<your_own_value>"
          policyid: "0"
          poolname:
            - name: "default_name_150 (source firewall.ippool.name)"
          poolname6:
            - name: "default_name_152 (source firewall.ippool6.name)"
          profile_group: "<your_own_value> (source firewall.profile-group.name)"
          profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
          profile_type: "single"
          radius_mac_auth_bypass: "enable"
          redirect_url: "<your_own_value>"
          replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          reputation_direction: "source"
          reputation_direction6: "source"
          reputation_minimum: "0"
          reputation_minimum6: "0"
          rsso: "enable"
          rtp_addr:
            - name: "default_name_165 (source firewall.internet-service-custom-group.name firewall.addrgrp.name)"
          rtp_nat: "disable"
          scan_botnet_connections: "disable"
          schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
          schedule_timeout: "enable"
          sctp_filter_profile: "<your_own_value> (source sctp-filter.profile.name)"
          send_deny_packet: "disable"
          service:
            - name: "default_name_173 (source firewall.service.custom.name firewall.service.group.name)"
          service_negate: "enable"
          session_ttl: "<your_own_value>"
          sgt:
            - id: "177"
          sgt_check: "enable"
          spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
          src_vendor_mac:
            - id: "181 (source firewall.vendor-mac.id)"
          srcaddr:
            - name: "default_name_183 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
          srcaddr_negate: "enable"
          srcaddr6:
            - name: "default_name_186 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          srcaddr6_negate: "enable"
          srcintf:
            - name: "default_name_189 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
          ssh_policy_redirect: "enable"
          ssl_mirror: "enable"
          ssl_mirror_intf:
            - name: "default_name_194 (source system.interface.name system.zone.name)"
          ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
          status: "enable"
          tcp_mss_receiver: "0"
          tcp_mss_sender: "0"
          tcp_session_without_syn: "all"
          timeout_send_rst: "enable"
          tos: "<your_own_value>"
          tos_mask: "<your_own_value>"
          tos_negate: "enable"
          traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
          traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
          url_category:
            - id: "207"
          users:
            - name: "default_name_209 (source user.local.name)"
          utm_status: "enable"
          uuid: "<your_own_value>"
          videofilter_profile: "<your_own_value> (source videofilter.profile.name)"
          vlan_cos_fwd: "255"
          vlan_cos_rev: "255"
          vlan_filter: "<your_own_value>"
          voip_profile: "<your_own_value> (source voip.profile.name)"
          vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
          waf_profile: "<your_own_value> (source waf.profile.name)"
          wanopt: "enable"
          wanopt_detection: "active"
          wanopt_passive_opt: "default"
          wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
          wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
          wccp: "enable"
          webcache: "enable"
          webcache_https: "disable"
          webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
          webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
          webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
          wsso: "enable"
          ztna_ems_tag:
            - name: "default_name_232 (source firewall.address.name firewall.addrgrp.name)"
          ztna_geo_tag:
            - name: "default_name_234 (source firewall.address.name firewall.addrgrp.name)"
          ztna_status: "enable"

    - name: move firewall.policy
      fortios_firewall_policy:
        vdom: "root"
        action: "move"
        self: "<mkey of self identifier>"
        after: "<mkey of target identifier>"
```
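As an added example (not code from the fortinet.fortios collection), the following Python check applies the parameter semantics this module documents to a task's argument dict before the play runs: placeholders left in, `member_state` overriding `state`, Internet Service flags that make `dstaddr`/`service` or `srcaddr` unused, an accept policy with logging disabled or with profiles set while `utm_status` is off, `policy_expiry` without a date, and `passive_wan_health_measurement` disabling ASIC offload. It assumes the FortiOS built-in catch-all objects `all` and `ALL`, and the sample task and play vars are constructed for illustration.

```python
"""Pre-deployment hygiene check for fortios_firewall_policy task arguments.

Added example; not part of the fortinet.fortios collection. It encodes the
parameter interactions stated in the module documentation so that a task
can be checked before it is pushed to a FortiGate.
"""
from typing import Any, Dict, List, Optional

PLACEHOLDER = "<your_own_value>"          # left behind from the doc example
ANY_ADDR = {"all"}                         # assumed FortiOS built-in catch-all address
ANY_SVC = {"ALL"}                          # assumed FortiOS built-in catch-all service
PROFILE_KEYS = ("av_profile", "ips_sensor", "webfilter_profile", "dnsfilter_profile")


def _names(policy: Dict[str, Any], key: str) -> List[str]:
    """Return the name/id values of a list-of-dict option, or [] if unset."""
    return [str(i.get("name", i.get("id", ""))) for i in (policy.get(key) or [])]


def _placeholders(obj: Any, path: str = "") -> List[str]:
    """Walk nested dicts/lists and return the paths whose value still holds PLACEHOLDER."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            found += _placeholders(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for n, v in enumerate(obj):
            found += _placeholders(v, f"{path}[{n}]")
    elif isinstance(obj, str) and PLACEHOLDER in obj:
        found.append(path)
    return found


def check_task(args: Dict[str, Any], play_vars: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return findings for one fortios_firewall_policy task; [] means nothing to report."""
    findings: List[str] = []
    play_vars = play_vars or {}
    if str(play_vars.get("ansible_httpapi_validate_certs", "yes")).lower() in ("no", "false"):
        findings.append("ansible_httpapi_validate_certs is off: the FortiGate certificate is not verified")
    if "member_state" in args and "state" in args:
        findings.append("member_state is set, so state is ignored")
    findings += [f"placeholder left in {p}" for p in _placeholders(args)]
    policy = args.get("firewall_policy") or {}
    if not policy:
        return findings
    if "policyid" not in policy:
        findings.append("policyid is required")
    # Internet Service selectors replace the address/service selectors they cover.
    for flag, unused in (("internet_service", ("dstaddr", "service")),
                         ("internet_service6", ("dstaddr6", "service")),
                         ("internet_service_src", ("srcaddr",)),
                         ("internet_service6_src", ("srcaddr6",))):
        if policy.get(flag) == "enable":
            findings += [f"{flag} is enabled, so {k} is not used" for k in unused if policy.get(k)]
    if policy.get("action") == "accept":
        if policy.get("logtraffic") == "disable":
            findings.append("accept policy with logtraffic disabled: no session visibility")
        src_any = bool(set(_names(policy, "srcaddr")) & ANY_ADDR) and policy.get("srcaddr_negate") != "enable"
        dst_any = bool(set(_names(policy, "dstaddr")) & ANY_ADDR) and policy.get("dstaddr_negate") != "enable"
        svc_any = bool(set(_names(policy, "service")) & ANY_SVC) and policy.get("service_negate") != "enable"
        if src_any and dst_any and svc_any:
            findings.append("accept policy matches any source, any destination and any service")
        profiles = [k for k in PROFILE_KEYS if policy.get(k)]
        if profiles and policy.get("utm_status") != "enable":
            findings.append(f"security profiles set ({', '.join(profiles)}) but utm_status is not enabled")
    if policy.get("policy_expiry") == "enable" and not policy.get("policy_expiry_date"):
        findings.append("policy_expiry is enabled without a policy_expiry_date")
    if policy.get("passive_wan_health_measurement") == "enable" and policy.get("auto_asic_offload") == "enable":
        findings.append("passive_wan_health_measurement disables auto_asic_offload")
    return findings


# Constructed sample (shape of the doc example, trimmed); not a real deployment.
SAMPLE_VARS = {"vdom": "root", "ansible_httpapi_use_ssl": True,
               "ansible_httpapi_validate_certs": False, "ansible_httpapi_port": 443}
SAMPLE_TASK = {
    "vdom": "root", "state": "present", "access_token": "<your_own_value>",
    "firewall_policy": {
        "policyid": 10, "name": "lan-to-wan", "action": "accept",
        "srcintf": [{"name": "port2"}], "dstintf": [{"name": "port1"}],
        "srcaddr": [{"name": "all"}], "dstaddr": [{"name": "all"}],
        "service": [{"name": "ALL"}], "schedule": "always",
        "logtraffic": "disable", "av_profile": "default", "utm_status": "disable",
        "policy_expiry": "enable",
    },
}

if __name__ == "__main__":
    for line in check_task(SAMPLE_TASK, SAMPLE_VARS):
        print("-", line)
```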
Parameters

Options shown as "list" are lists of dicts; the element key is given after the type. "Source" names the FortiOS object the value refers to.

- self (str): mkey of self identifier.
- vdom (str, default: root): Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
- after (str): mkey of target identifier.
- state (str, optional; choices: present, absent): Indicates whether to create or remove the object.
- action (str; choices: move): The action indicator to move an object in the list.
- before (str): mkey of target identifier.
- enable_log (bool, optional, default: false): Enable/Disable logging for task.
- member_path (str): Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. A parameter marked with member_path is legitimate for doing a member operation.
- access_token (str, optional): Token-based authentication. Generated from the GUI of the FortiGate.
- member_state (str; choices: present, absent): Add or delete a member under the specified attribute path. When member_state is specified, the state option is ignored.
- firewall_policy (dict, default: null): Configure IPv4/IPv6 policies. Suboptions:
  - action (str; choices: accept, deny, ipsec): Policy action (accept/deny/ipsec).
  - anti_replay (str; choices: enable, disable): Enable/disable anti-replay check.
  - app_category (list, id: int): Application category ID list. id: Category IDs.
  - app_group (list, name: str): Application group names. Source application.group.name.
  - application (list, id: int): Application ID list. id: Application IDs.
  - application_list (str): Name of an existing Application list. Source application.list.name.
  - auth_cert (str): HTTPS server certificate for policy authentication. Source vpn.certificate.local.name.
  - auth_path (str; choices: enable, disable): Enable/disable authentication-based routing.
  - auth_redirect_addr (str): HTTP-to-HTTPS redirect address for firewall authentication.
  - auto_asic_offload (str; choices: enable, disable): Enable/disable policy traffic ASIC offloading.
  - av_profile (str): Name of an existing Antivirus profile. Source antivirus.profile.name.
  - block_notification (str; choices: enable, disable): Enable/disable block notification.
  - captive_portal_exempt (str; choices: enable, disable): Enable to exempt some users from the captive portal.
  - capture_packet (str; choices: enable, disable): Enable/disable capture packets.
  - cifs_profile (str): Name of an existing CIFS profile. Source cifs.profile.name.
  - comments (str): Comment.
  - custom_log_fields (list, field_id: str): Custom fields to append to log messages for this policy. field_id: Custom log field. Source log.custom-field.id.
  - decrypted_traffic_mirror (str): Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name.
  - delay_tcp_npu_session (str; choices: enable, disable): Enable TCP NPU session delay to guarantee packet order of the 3-way handshake.
  - devices (list, name: str): Names of devices or device groups that can be matched by the policy. name: Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
  - diffserv_copy (str; choices: enable, disable): Enable to copy a packet's DiffServ values from the session's original direction to its reply direction.
  - diffserv_forward (str; choices: enable, disable): Enable to change a packet's DiffServ values to the specified diffservcode-forward value.
  - diffserv_reverse (str; choices: enable, disable): Enable to change a packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
  - diffservcode_forward (str): Change a packet's DiffServ to this value.
  - diffservcode_rev (str): Change a packet's reverse (reply) DiffServ to this value.
  - disclaimer (str; choices: enable, disable): Enable/disable user authentication disclaimer.
  - dlp_profile (str): Name of an existing DLP profile. Source dlp.profile.name.
  - dlp_sensor (str): Name of an existing DLP sensor. Source dlp.sensor.name.
  - dnsfilter_profile (str): Name of an existing DNS filter profile. Source dnsfilter.profile.name.
  - dscp_match (str; choices: enable, disable): Enable DSCP check.
  - dscp_negate (str; choices: enable, disable): Enable negated DSCP match.
  - dscp_value (str): DSCP value.
  - dsri (str; choices: enable, disable): Enable DSRI to ignore HTTP server responses.
  - dstaddr (list, name: str): Destination IPv4 address and address group names. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name system.external-resource.name.
  - dstaddr6 (list, name: str): Destination IPv6 address name and address group names. Source firewall.address6.name firewall.addrgrp6.name firewall.vipgrp6.name firewall.vip6.name system.external-resource.name.
  - dstaddr6_negate (str; choices: enable, disable): When enabled, dstaddr6 specifies what the destination address must NOT be.
  - dstaddr_negate (str; choices: enable, disable): When enabled, dstaddr specifies what the destination address must NOT be.
  - dstintf (list, name: str): Outgoing (egress) interface. Source system.interface.name system.zone.name system.sdwan.zone.name.
  - dynamic_shaping (str; choices: enable, disable): Enable/disable dynamic RADIUS-defined traffic shaping.
  - email_collect (str; choices: enable, disable): Enable/disable email collection.
  - emailfilter_profile (str): Name of an existing email filter profile. Source emailfilter.profile.name.
  - fec (str; choices: enable, disable): Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
  - file_filter_profile (str): Name of an existing file-filter profile. Source file-filter.profile.name.
  - firewall_session_dirty (str; choices: check-all, check-new): How to handle sessions if the configuration of this firewall policy changes.
  - fixedport (str; choices: enable, disable): Enable to prevent source NAT from changing a session's source port.
  - fsso (str; choices: enable, disable): Enable/disable Fortinet Single Sign-On.
  - fsso_agent_for_ntlm (str): FSSO agent to use for NTLM authentication. Source user.fsso.name.
  - fsso_groups (list, name: str): Names of FSSO groups. Source user.adgrp.name.
  - geoip_anycast (str; choices: enable, disable): Enable/disable recognition of anycast IP addresses using the geography IP database.
  - geoip_match (str; choices: physical-location, registered-location): Match geography address based either on its physical location or registered location.
  - global_label (str): Label for the policy that appears when the GUI is in Global View mode.
  - groups (list, name: str): Names of user groups that can authenticate with this policy. Source user.group.name.
  - gtp_profile (str): GTP profile. Source firewall.gtp.name.
  - http_policy_redirect (str; choices: enable, disable): Redirect HTTP(S) traffic to matching transparent web proxy policy.
  - icap_profile (str): Name of an existing ICAP profile. Source icap.profile.name.
  - identity_based_route (str): Name of identity-based routing rule. Source firewall.identity-based-route.name.
  - inbound (str; choices: enable, disable): Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
  - inspection_mode (str; choices: proxy, flow): Policy inspection mode (Flow/proxy). Default is Flow mode.
  - internet_service (str; choices: enable, disable): Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
  - internet_service6 (str; choices: enable, disable): Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
  - internet_service6_custom (list, name: str): Custom IPv6 Internet Service name.
  - internet_service6_custom_group (list, name: str): Custom Internet Service6 group name.
  - internet_service6_group (list, name: str): Internet Service group name.
  - internet_service6_name (list, name: str): IPv6 Internet Service name.
  - internet_service6_negate (str; choices: enable, disable): When enabled, internet-service6 specifies what the service must NOT be.
  - internet_service6_src (str; choices: enable, disable): Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
  - internet_service6_src_custom (list, name: str): Custom IPv6 Internet Service source name.
  - internet_service6_src_custom_group (list, name: str): Custom Internet Service6 source group name.
  - internet_service6_src_group (list, name: str): Internet Service6 source group name.
  - internet_service6_src_name (list, name: str): IPv6 Internet Service source name.
  - internet_service6_src_negate (str; choices: enable, disable): When enabled, internet-service6-src specifies what the service must NOT be.
  - internet_service_custom (list, name: str): Custom Internet Service name. Source firewall.internet-service-custom.name.
  - internet_service_custom_group (list, name: str): Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
  - internet_service_group (list, name: str): Internet Service group name. Source firewall.internet-service-group.name.
  - internet_service_id (list, id: int): Internet Service ID. Source firewall.internet-service.id.
  - internet_service_name (list, name: str): Internet Service name. Source firewall.internet-service-name.name.
  - internet_service_negate (str; choices: enable, disable): When enabled, internet-service specifies what the service must NOT be.
  - internet_service_src (str; choices: enable, disable): Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
  - internet_service_src_custom (list, name: str): Custom Internet Service source name. Source firewall.internet-service-custom.name.
  - internet_service_src_custom_group (list, name: str): Custom Internet Service source group name. Source firewall.internet-service-custom-group.name.
  - internet_service_src_group (list, name: str): Internet Service source group name. Source firewall.internet-service-group.name.
  - internet_service_src_id (list, id: int): Internet Service source ID. Source firewall.internet-service.id.
  - internet_service_src_name (list, name: str): Internet Service source name. Source firewall.internet-service-name.name.
  - internet_service_src_negate (str; choices: enable, disable): When enabled, internet-service-src specifies what the service must NOT be.
  - ippool (str; choices: enable, disable): Enable to use IP Pools for source NAT.
  - ips_sensor (str): Name of an existing IPS sensor. Source ips.sensor.name.
  - label (str): Label for the policy that appears when the GUI is in Section View mode.
  - learning_mode (str; choices: enable, disable): Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
  - logtraffic (str; choices: all, utm, disable): Enable or disable logging. Log all sessions or security profile sessions.
  - logtraffic_start (str; choices: enable, disable): Record logs when a session starts.
  - match_vip (str; choices: enable, disable): Enable to match packets that have had their destination addresses changed by a VIP.
  - match_vip_only (str; choices: enable, disable): Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
  - mms_profile (str): Name of an existing MMS profile. Source firewall.mms-profile.name.
  - name (str): Policy name.
  - nat (str; choices: enable, disable): Enable/disable source NAT.
  - nat46 (str; choices: enable, disable): Enable/disable NAT46.
  - nat64 (str; choices: enable, disable): Enable/disable NAT64.
  - natinbound (str; choices: enable, disable): Policy-based IPsec VPN: apply destination NAT to inbound traffic.
  - natip (str): Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
  - natoutbound (str; choices: enable, disable): Policy-based IPsec VPN: apply source NAT to outbound traffic.
  - network_service_dynamic (list, name: str): Dynamic Network Service name.
  - network_service_src_dynamic (list, name: str): Dynamic Network Service source name.
  - np_acceleration (str; choices: enable, disable): Enable/disable UTM Network Processor acceleration.
  - ntlm (str; choices: enable, disable): Enable/disable NTLM authentication.
  - ntlm_enabled_browsers (list, user_agent_string: str): HTTP-User-Agent value of supported browsers.
  - ntlm_guest (str; choices: enable, disable): Enable/disable NTLM guest user access.
  - outbound (str; choices: enable, disable): Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
  - passive_wan_health_measurement (str; choices: enable, disable): Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
  - per_ip_shaper (str): Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
  - permit_any_host (str; choices: enable, disable): Accept UDP packets from any host.
  - permit_stun_host (str; choices: enable, disable): Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
  - pfcp_profile (str): PFCP profile. Source firewall.pfcp.name.
  - policy_expiry (str; choices: enable, disable): Enable/disable policy expiry.
  - policy_expiry_date (str): Policy expiry date (YYYY-MM-DD HH:MM:SS).
  - policyid (int, required): Policy ID (0 - 4294967294).
  - poolname (list, name: str): IP Pool names. Source firewall.ippool.name.
  - poolname6 (list, name: str): IPv6 pool names. Source firewall.ippool6.name.
  - profile_group (str): Name of profile group. Source firewall.profile-group.name.
  - profile_protocol_options (str): Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
  - profile_type (str; choices: single, group): Determine whether the firewall policy allows security profile groups or single profiles only.
  - radius_mac_auth_bypass (str; choices: enable, disable): Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server.
  - redirect_url (str): URL users are directed to after seeing and accepting the disclaimer or authenticating.
  - replacemsg_override_group (str): Override the default replacement message group for this policy. Source system.replacemsg-group.name.
  - reputation_direction (str; choices: source, destination): Direction of the initial traffic for reputation to take effect.
  - reputation_direction6 (str; choices: source, destination): Direction of the initial traffic for IPv6 reputation to take effect.
  - reputation_minimum (int): Minimum Reputation to take action. Source firewall.internet-service-reputation.id.
  - reputation_minimum6 (int): IPv6 Minimum Reputation to take action.
  - rsso (str; choices: enable, disable): Enable/disable RADIUS single sign-on (RSSO).
  - rtp_addr (list, name: str): Address names if this is an RTP NAT policy. Source firewall.internet-service-custom-group.name firewall.addrgrp.name.
  - rtp_nat (str; choices: disable, enable): Enable Real Time Protocol (RTP) NAT.
  - scan_botnet_connections (str; choices: disable, block, monitor): Block or monitor connections to Botnet servers or disable Botnet scanning.
  - schedule (str): Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
  - schedule_timeout (str; choices: enable, disable): Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
  - sctp_filter_profile (str): Name of an existing SCTP filter profile. Source sctp-filter.profile.name.
  - send_deny_packet (str; choices: disable, enable): Enable to send a reply when a session is denied or blocked by a firewall policy.
  - service (list, name: str): Service and service group names. Source firewall.service.custom.name firewall.service.group.name.
  - service_negate (str; choices: enable, disable): When enabled, service specifies what the service must NOT be.
  - session_ttl (str): TTL in seconds for sessions accepted by this policy (0 means use the system ).
  - sgt (list, id: int): Security group tags. id: Security group tag (1 - 65535).
  - sgt_check (str; choices: enable, disable): Enable/disable security group tags (SGT) check.
  - spamfilter_profile (str): Name of an existing Spam filter profile. Source spamfilter.profile.name.
  - src_vendor_mac (list, id: int): Vendor MAC source ID. Source firewall.vendor-mac.id.
  - srcaddr (list, name: str): Source IPv4 address and address group names. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
  - srcaddr6 (list, name: str): Source IPv6 address name and address group names. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
  - srcaddr6_negate (str; choices: enable, disable): When enabled, srcaddr6 specifies what the source address must NOT be.
  - srcaddr_negate (str; choices: enable, disable): When enabled, srcaddr specifies what the source address must NOT be.
  - srcintf (list, name: str): Incoming (ingress) interface. Source system.interface.name system.zone.name system.sdwan.zone.name.
  - ssh_filter_profile (str): Name of an existing SSH filter profile. Source ssh-filter.profile.name.
  - ssh_policy_redirect (str; choices: enable, disable): Redirect SSH traffic to matching transparent proxy policy.
  - ssl_mirror (str; choices: enable, disable): Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
  - ssl_mirror_intf (list, name: str): SSL mirror interface name. Source system.interface.name system.zone.name.
  - ssl_ssh_profile (str): Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
  - status (str; choices: enable, disable): Enable or disable this policy.
  - tcp_mss_receiver (int): Receiver TCP maximum segment size (MSS).
  - tcp_mss_sender (int): Sender TCP maximum segment size (MSS).
  - tcp_session_without_syn (str; choices: all, data-only, disable): Enable/disable creation of TCP sessions without the SYN flag.
  - timeout_send_rst (str; choices: enable, disable): Enable/disable sending RST packets when TCP sessions expire.
  - tos (str): ToS (Type of Service) value used for comparison.
  - tos_mask (str): Non-zero bit positions are used for comparison while zero bit positions are ignored.
  - tos_negate (str; choices: enable, disable): Enable negated TOS match.
  - traffic_shaper (str): Traffic shaper. Source firewall.shaper.traffic-shaper.name.
  - traffic_shaper_reverse (str): Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
  - url_category (list, id: int): URL category ID list.
  - users (list, name: str): Names of individual users that can authenticate with this policy. Source user.local.name.
  - utm_status (str; choices: enable, disable): Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
  - uuid (str): Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
  - videofilter_profile (str): Name of an existing VideoFilter profile. Source videofilter.profile.name.
  - vlan_cos_fwd (int): VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
  - vlan_cos_rev (int): VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
  - vlan_filter (str): Set VLAN filters.
  - voip_profile (str): Name of an existing VoIP profile. Source voip.profile.name.
  - vpntunnel (str): Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
  - waf_profile (str): Name of an existing Web application firewall profile. Source waf.profile.name.
  - wanopt (str; choices: enable, disable): Enable/disable WAN optimization.
  - wanopt_detection (str; choices: active, passive, off): WAN optimization auto-detection mode.
  - wanopt_passive_opt (str; choices: default, transparent, non-transparent): WAN optimization passive mode options. This option decides what IP address will be used to connect to the server.
  - wanopt_peer (str): WAN optimization peer. Source wanopt.peer.peer-host-id.
  - wanopt_profile (str): WAN optimization profile. Source wanopt.profile.name.
  - wccp (str; choices: enable, disable): Enable/disable forwarding traffic matching this policy to a configured WCCP server.
  - webcache (str; choices: enable, disable): Enable/disable web cache.
  - webcache_https (str; choices: disable, enable): Enable/disable web cache for HTTPS.
  - webfilter_profile (str): Name of an existing Web filter profile. Source webfilter.profile.name.
  - webproxy_forward_server (str): Webproxy forward server name. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
  - webproxy_profile (str): Webproxy profile name. Source web-proxy.profile.name.
  - wsso (str; choices: enable, disable): Enable/disable WiFi Single Sign On (WSSO).
  - ztna_ems_tag (list, name: str): Source ztna-ems-tag names. name: Address name.
Source firewall.address.name firewall.addrgrp.name. type: str type: list ztna_geo_tag: description: - Source ztna-geo-tag names. elements: dict suboptions: name: description: - Address name. Source firewall.address.name firewall.addrgrp.name. type: str type: list ztna_status: choices: - enable - disable description: - Enable/disable zero trust access. type: str type: dict
build:
    description: Build number of the FortiGate image
    returned: always
    sample: '1547'
    type: str
http_method:
    description: Last method used to provision the content into FortiGate
    returned: always
    sample: PUT
    type: str
http_status:
    description: Last result given by FortiGate on the last operation applied
    returned: always
    sample: '200'
    type: str
mkey:
    description: Master key (id) used in the last call to FortiGate
    returned: success
    sample: id
    type: str
name:
    description: Name of the table used to fulfill the request
    returned: always
    sample: urlfilter
    type: str
path:
    description: Path of the table used to fulfill the request
    returned: always
    sample: webfilter
    type: str
revision:
    description: Internal revision number
    returned: always
    sample: 17.0.2.10658
    type: str
serial:
    description: Serial number of the unit
    returned: always
    sample: FGVMEVYYQT3AB5352
    type: str
status:
    description: Indication of the operation's result
    returned: always
    sample: success
    type: str
vdom:
    description: Virtual domain used
    returned: always
    sample: root
    type: str
version:
    description: Version of the FortiGate
    returned: always
    sample: v5.6.3
    type: str