lix_fortinet.fortios.fortios_firewall_profile_protocol_options (102.2.120) — module

Configure protocol options in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios.

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community
Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120
collections:
  - name: lix_fortinet.fortios
    version: 102.2.120
This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the profile_protocol_options category of the firewall feature. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" turns off TLS certificate validation for the API connection;
    # set it to yes when the FortiGate presents a certificate the controller trusts.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure protocol options.
      fortios_firewall_profile_protocol_options:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        firewall_profile_protocol_options:
          cifs:
            domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
            options: "oversize"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            server_credential_type: "none"
            server_keytab:
              - keytab: "<your_own_value>"
                principal: "<your_own_value>"
            status: "enable"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          comment: "Optional comments."
          dns:
            ports: "<your_own_value>"
            status: "enable"
          ftp:
            comfort_amount: "1"
            comfort_interval: "10"
            explicit_ftp_tls: "enable"
            inspect_all: "enable"
            options: "clientcomfort"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            stream_based_uncompressed_limit: "0"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          http:
            address_ip_rating: "enable"
            block_page_status_code: "403"
            comfort_amount: "1"
            comfort_interval: "10"
            fortinet_bar: "enable"
            fortinet_bar_port: "32767"
            h2c: "enable"
            http_policy: "disable"
            inspect_all: "enable"
            options: "clientcomfort"
            oversize_limit: "10"
            ports: "<your_own_value>"
            post_lang: "jisx0201"
            proxy_after_tcp_handshake: "enable"
            range_block: "disable"
            retry_count: "0"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            stream_based_uncompressed_limit: "0"
            streaming_content_bypass: "enable"
            strip_x_forwarded_for: "disable"
            switching_protocols: "bypass"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            tunnel_non_http: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
            unknown_http_version: "reject"
            verify_dns_for_policy_matching: "enable"
          imap:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          mail_signature:
            signature: "<your_own_value>"
            status: "disable"
          mapi:
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          name: "default_name_97"
          nntp:
            inspect_all: "enable"
            options: "oversize"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          oversize_log: "disable"
          pop3:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
          rpc_over_http: "enable"
          smtp:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            server_busy: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          ssh:
            comfort_amount: "1"
            comfort_interval: "10"
            options: "oversize"
            oversize_limit: "10"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            stream_based_uncompressed_limit: "0"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          switching_protocols_log: "disable"
vdom:
  default: root
  description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
  type: str
state:
  choices:
    - present
    - absent
  description:
    - Indicates whether to create or remove the object.
  required: true
  type: str
enable_log:
  default: false
  description:
    - Enable/Disable logging for task.
  required: false
  type: bool
member_path:
  description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameter marked with member_path is legitimate for doing member operation.
  type: str
access_token:
  description:
    - Token-based authentication. Generated from GUI of Fortigate.
  required: false
  type: str
member_state:
  choices:
    - present
    - absent
  description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
  type: str
firewall_profile_protocol_options:
  default: null
  description:
    - Configure protocol options.
  suboptions:
    cifs:
      description:
        - Configure CIFS protocol options.
      suboptions:
        domain_controller:
          description:
            - Domain for which to decrypt CIFS traffic. Source user.domain-controller.name credential-store.domain-controller.server-name.
          type: str
        options:
          choices:
            - oversize
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        server_credential_type:
          choices:
            - none
            - credential-replication
            - credential-keytab
          description:
            - CIFS server credential type.
          type: str
        server_keytab:
          description:
            - Server keytab.
          elements: dict
          suboptions:
            keytab:
              description:
                - Base64 encoded keytab file containing credential of the server.
              type: str
            principal:
              description:
                - Service principal. For example, host/cifsserver.example.com@example.com.
              type: str
          type: list
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        tcp_window_maximum:
          description:
            - Maximum dynamic TCP window size.
          type: int
        tcp_window_minimum:
          description:
            - Minimum dynamic TCP window size.
          type: int
        tcp_window_size:
          description:
            - Set TCP static window size.
          type: int
        tcp_window_type:
          choices:
            - auto-tuning
            - system
            - static
            - dynamic
          description:
            - TCP window type to use for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    comment:
      description:
        - Optional comments.
      type: str
    dns:
      description:
        - Configure DNS protocol options.
      suboptions:
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
      type: dict
    ftp:
      description:
        - Configure FTP protocol options.
      suboptions:
        comfort_amount:
          description:
            - Amount of data to send in a transmission for client comforting (1 - 65535 bytes).
          type: int
        comfort_interval:
          description:
            - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).
          type: int
        explicit_ftp_tls:
          choices:
            - enable
            - disable
          description:
            - Enable/disable FTP redirection for explicit FTPS.
          type: str
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - clientcomfort
            - oversize
            - splice
            - bypass-rest-command
            - bypass-mode-command
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        stream_based_uncompressed_limit:
          description:
            - Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0).
          type: int
        tcp_window_maximum:
          description:
            - Maximum dynamic TCP window size.
          type: int
        tcp_window_minimum:
          description:
            - Minimum dynamic TCP window size.
          type: int
        tcp_window_size:
          description:
            - Set TCP static window size.
          type: int
        tcp_window_type:
          choices:
            - auto-tuning
            - system
            - static
            - dynamic
          description:
            - TCP window type to use for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    http:
      description:
        - Configure HTTP protocol options.
      suboptions:
        address_ip_rating:
          choices:
            - enable
            - disable
          description:
            - Enable/disable IP based URL rating.
          type: str
        block_page_status_code:
          description:
            - Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599).
          type: int
        comfort_amount:
          description:
            - Amount of data to send in a transmission for client comforting (1 - 65535 bytes).
          type: int
        comfort_interval:
          description:
            - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).
          type: int
        fortinet_bar:
          choices:
            - enable
            - disable
          description:
            - Enable/disable Fortinet bar on HTML content.
          type: str
        fortinet_bar_port:
          description:
            - Port for use by Fortinet Bar (1 - 65535).
          type: int
        h2c:
          choices:
            - enable
            - disable
          description:
            - Enable/disable h2c HTTP connection upgrade.
          type: str
        http_policy:
          choices:
            - disable
            - enable
          description:
            - Enable/disable HTTP policy check.
          type: str
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - clientcomfort
            - servercomfort
            - oversize
            - chunkedbypass
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        post_lang:
          choices:
            - jisx0201
            - jisx0208
            - jisx0212
            - gb2312
            - ksc5601-ex
            - euc-jp
            - sjis
            - iso2022-jp
            - iso2022-jp-1
            - iso2022-jp-2
            - euc-cn
            - ces-gbk
            - hz
            - ces-big5
            - euc-kr
            - iso2022-jp-3
            - iso8859-1
            - tis620
            - cp874
            - cp1252
            - cp1251
          description:
            - ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).
          elements: str
          type: list
        proxy_after_tcp_handshake:
          choices:
            - enable
            - disable
          description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
          type: str
        range_block:
          choices:
            - disable
            - enable
          description:
            - Enable/disable blocking of partial downloads.
          type: str
        retry_count:
          description:
            - Number of attempts to retry HTTP connection (0 - 100).
          type: int
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        stream_based_uncompressed_limit:
          description:
            - Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0).
          type: int
        streaming_content_bypass:
          choices:
            - enable
            - disable
          description:
            - Enable/disable bypassing of streaming content from buffering.
          type: str
        strip_x_forwarded_for:
          choices:
            - disable
            - enable
          description:
            - Enable/disable stripping of HTTP X-Forwarded-For header.
          type: str
        switching_protocols:
          choices:
            - bypass
            - block
          description:
            - Bypass from scanning, or block a connection that attempts to switch protocol.
          type: str
        tcp_window_maximum:
          description:
            - Maximum dynamic TCP window size.
          type: int
        tcp_window_minimum:
          description:
            - Minimum dynamic TCP window size.
          type: int
        tcp_window_size:
          description:
            - Set TCP static window size.
          type: int
        tcp_window_type:
          choices:
            - auto-tuning
            - system
            - static
            - dynamic
          description:
            - TCP window type to use for this protocol.
          type: str
        tunnel_non_http:
          choices:
            - enable
            - disable
          description:
            - Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
        unknown_http_version:
          choices:
            - reject
            - tunnel
            - best-effort
          description:
            - How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.
          type: str
        verify_dns_for_policy_matching:
          choices:
            - enable
            - disable
          description:
            - Enable/disable verification of DNS for policy matching.
          type: str
      type: dict
    imap:
      description:
        - Configure IMAP protocol options.
      suboptions:
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - fragmail
            - oversize
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        proxy_after_tcp_handshake:
          choices:
            - enable
            - disable
          description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
          type: str
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    mail_signature:
      description:
        - Configure Mail signature.
      suboptions:
        signature:
          description:
            - Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).
          type: str
        status:
          choices:
            - disable
            - enable
          description:
            - Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.
          type: str
      type: dict
    mapi:
      description:
        - Configure MAPI protocol options.
      suboptions:
        options:
          choices:
            - fragmail
            - oversize
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    name:
      description:
        - Name.
      required: true
      type: str
    nntp:
      description:
        - Configure NNTP protocol options.
      suboptions:
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - oversize
            - splice
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        proxy_after_tcp_handshake:
          choices:
            - enable
            - disable
          description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
          type: str
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    oversize_log:
      choices:
        - disable
        - enable
      description:
        - Enable/disable logging for antivirus oversize file blocking.
      type: str
    pop3:
      description:
        - Configure POP3 protocol options.
      suboptions:
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - fragmail
            - oversize
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        proxy_after_tcp_handshake:
          choices:
            - enable
            - disable
          description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
          type: str
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    replacemsg_group:
      description:
        - Name of the replacement message group to be used. Source system.replacemsg-group.name.
      type: str
    rpc_over_http:
      choices:
        - enable
        - disable
      description:
        - Enable/disable inspection of RPC over HTTP.
      type: str
    smtp:
      description:
        - Configure SMTP protocol options.
      suboptions:
        inspect_all:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the inspection of all ports for the protocol.
          type: str
        options:
          choices:
            - fragmail
            - oversize
            - splice
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        ports:
          description:
            - Ports to scan for content (1 - 65535).
          elements: int
          type: list
        proxy_after_tcp_handshake:
          choices:
            - enable
            - disable
          description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
          type: str
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        server_busy:
          choices:
            - enable
            - disable
          description:
            - Enable/disable SMTP server busy when server not available.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        status:
          choices:
            - enable
            - disable
          description:
            - Enable/disable the active status of scanning for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    ssh:
      description:
        - Configure SFTP and SCP protocol options.
      suboptions:
        comfort_amount:
          description:
            - Amount of data to send in a transmission for client comforting (1 - 65535 bytes).
          type: int
        comfort_interval:
          description:
            - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).
          type: int
        options:
          choices:
            - oversize
            - clientcomfort
            - servercomfort
          description:
            - One or more options that can be applied to the session.
          elements: str
          type: list
        oversize_limit:
          description:
            - Maximum in-memory file size that can be scanned (1 - 383 MB).
          type: int
        scan_bzip2:
          choices:
            - enable
            - disable
          description:
            - Enable/disable scanning of BZip2 compressed files.
          type: str
        ssl_offloaded:
          choices:
            - 'no'
            - 'yes'
          description:
            - SSL decryption and encryption performed by an external device.
          type: str
        stream_based_uncompressed_limit:
          description:
            - Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0).
          type: int
        tcp_window_maximum:
          description:
            - Maximum dynamic TCP window size.
          type: int
        tcp_window_minimum:
          description:
            - Minimum dynamic TCP window size.
          type: int
        tcp_window_size:
          description:
            - Set TCP static window size.
          type: int
        tcp_window_type:
          choices:
            - auto-tuning
            - system
            - static
            - dynamic
          description:
            - TCP window type to use for this protocol.
          type: str
        uncompressed_nest_limit:
          description:
            - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).
          type: int
        uncompressed_oversize_limit:
          description:
            - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB).
          type: int
      type: dict
    switching_protocols_log:
      choices:
        - disable
        - enable
      description:
        - Enable/disable logging for HTTP/HTTPS switching protocols.
      type: str
  type: dict
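A pre-flight check for the firewall_profile_protocol_options dictionary, run before the playbook is applied, using the integer ranges and choices documented in the parameter list above. This is an added example, not code from the collection; the names audit_profile, RANGES and GAPS, the sample profile, and the decision to report bypass and no-logging values as findings are assumptions of the example.

```python
# Added example: audit a firewall_profile_protocol_options dict before applying it.
# Integer ranges are the ones stated in the parameter descriptions on this page.
RANGES = {
    "oversize_limit": (1, 383),
    "uncompressed_oversize_limit": (1, 383),
    "uncompressed_nest_limit": (2, 100),
    "comfort_amount": (1, 65535),
    "comfort_interval": (1, 900),
    "block_page_status_code": (100, 599),
    "fortinet_bar_port": (1, 65535),
    "retry_count": (0, 100),
}
# Documented values that skip scanning, rejection or logging. Reporting them
# as findings is this example's policy (an assumption), not module behaviour.
GAPS = {
    "status": {"disable": "scanning is disabled for this protocol"},
    "scan_bzip2": {"disable": "BZip2 compressed files are not scanned"},
    "switching_protocols": {"bypass": "protocol switches bypass scanning"},
    "unknown_http_version": {
        "tunnel": "non-compliant HTTP sessions are not rejected",
        "best-effort": "non-compliant HTTP sessions are not rejected",
    },
    "oversize_log": {"disable": "oversize file blocking is not logged"},
    "switching_protocols_log": {"disable": "protocol switches are not logged"},
}
PROTOCOLS = ("cifs", "dns", "ftp", "http", "imap", "mapi", "nntp", "pop3", "smtp", "ssh")


def _as_int(value):
    """Accept 10 or "10" (the playbook quotes its integers); None otherwise."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def _check(path, key, value, findings):
    if key in RANGES or key == "ports":
        lo, hi = RANGES.get(key, (1, 65535))  # ports: 1 - 65535 per the page
        for item in value if isinstance(value, list) else [value]:
            number = _as_int(item)
            if number is None or not lo <= number <= hi:
                findings.append((path, f"{item!r} is not an integer in {lo}-{hi}"))
    elif isinstance(value, str) and value in GAPS.get(key, {}):
        findings.append((path, GAPS[key][value]))


def audit_profile(profile):
    """Return (path, message) findings for one profile dictionary."""
    findings = []
    for key, value in profile.items():
        if key in PROTOCOLS and isinstance(value, dict):
            for sub_key, sub_value in value.items():
                _check(f"{key}.{sub_key}", sub_key, sub_value, findings)
        else:
            _check(key, key, value, findings)
    return findings


SAMPLE_PROFILE = {  # constructed input, not taken from a real device
    "name": "example-profile",
    "oversize_log": "disable",
    "http": {"status": "enable", "ports": [80, 8080, 70000],
             "oversize_limit": "512", "uncompressed_nest_limit": 12,
             "switching_protocols": "bypass",
             "unknown_http_version": "best-effort"},
    "smtp": {"status": "disable", "ports": "<your_own_value>",
             "scan_bzip2": "enable"},
}

if __name__ == "__main__":
    for path, message in audit_profile(SAMPLE_PROFILE):
        print(f"{path}: {message}")
```

The unreplaced `<your_own_value>` placeholder from the generated example is reported as a non-integer port, which catches a playbook that was copied without being filled in.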
build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str