lix_fortinet.fortios.fortios_firewall_ssl_ssh_profile (102.2.120) — module

Configure SSL/SSH protocol options in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120


Add to requirements.yml

  collections:
    - name: lix_fortinet.fortios
      version: 102.2.120

Description

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and ssl_ssh_profile category. The examples include all parameters; their values need to be adjusted to match your data sources before use. Tested with FOS v6.0.0


Requirements

Usage examples

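- hosts: fortigates
  collections:
    # This page documents lix_fortinet.fortios (see "Install collection"
    # above); the example previously listed fortinet.fortios, which would
    # resolve the short module name against a different collection.
    - lix_fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    # Canonical booleans; yes/no are YAML 1.1 truthy spellings that 1.2
    # parsers read as plain strings.
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on for the management connection. With it
    # off, the access_token below is sent to whatever endpoint answers on the
    # management port, regardless of the certificate it presents. If the
    # FortiGate uses a self-signed management certificate, trust that CA on
    # the controller rather than disabling validation.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL/SSH protocol options.
      fortios_firewall_ssl_ssh_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # Credential: source it from ansible-vault or a lookup, never a
        # literal committed with the playbook.
        access_token: "<your_own_value>"
        firewall_ssl_ssh_profile:
          # The values below are generated placeholders (the first choice of
          # each option), not a hardened baseline: "allow" for expired, revoked
          # and untrusted server certificates, "enable" for
          # allow_invalid_server_cert and "ssl-3.0" as min_allowed_ssl_version
          # all admit sessions a deep-inspection profile normally exists to
          # stop. Review each value against the Inputs section before use.
          #
          # allowlist/whitelist, block_blocklisted_/block_blacklisted_,
          # ssl_anomaly_log/ssl_anomalies_log and ssl_exemption_log/
          # ssl_exemptions_log look like renamed pairs of the same option
          # (their Inputs descriptions are identical); set the one your FOS
          # version accepts — verify on the device.
          allowlist: "enable"
          block_blacklisted_certificates: "disable"
          block_blocklisted_certificates: "disable"
          caname: "<your_own_value> (source vpn.certificate.local.name)"
          comment: "Optional comments."
          dot:
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_server_cert: "allow"
          ftps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            # Every "ports" key in this profile is a list of integers per the
            # Inputs section (type: list, elements: int), not a string.
            ports: "<your_own_value>"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          https:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          imaps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          mapi_over_https: "enable"
          name: "default_name_81"
          pop3s:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          rpc_over_https: "enable"
          server_cert:
            - name: "default_name_103 (source vpn.certificate.local.name)"
          server_cert_mode: "re-sign"
          smtps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssh:
            inspect_all: "disable"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            ssh_algorithm: "compatible"
            ssh_policy_check: "disable"
            ssh_tun_policy_check: "disable"
            status: "disable"
            unsupported_version: "bypass"
          ssl:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            inspect_all: "disable"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssl_anomalies_log: "disable"
          ssl_anomaly_log: "disable"
          ssl_exempt:
            - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
              fortiguard_category: "0"
              id: "158"
              regex: "<your_own_value>"
              type: "fortiguard-category"
              wildcard_fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
          ssl_exemption_ip_rating: "enable"
          ssl_exemption_log: "disable"
          ssl_exemptions_log: "disable"
          ssl_handshake_log: "disable"
          ssl_negotiation_log: "disable"
          ssl_server:
            - ftps_client_cert_request: "bypass"
              ftps_client_certificate: "bypass"
              https_client_cert_request: "bypass"
              https_client_certificate: "bypass"
              id: "172"
              imaps_client_cert_request: "bypass"
              imaps_client_certificate: "bypass"
              ip: "<your_own_value>"
              pop3s_client_cert_request: "bypass"
              pop3s_client_certificate: "bypass"
              smtps_client_cert_request: "bypass"
              smtps_client_certificate: "bypass"
              ssl_other_client_cert_request: "bypass"
              ssl_other_client_certificate: "bypass"
          ssl_server_cert_log: "disable"
          supported_alpn: "http1-1"
          untrusted_caname: "<your_own_value> (source vpn.certificate.local.name)"
          use_ssl_server: "disable"
          whitelist: "enable"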

Inputs

    
# Module-level options (connection, state and member operations).
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

# Ignored when member_state is given (see member_state below).
state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

# Slash-separated path to the member attribute that member_state acts on.
member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character if there are more than one attribute.
    - Parameter marked with member_path is legitimate for doing member operation.
    type: str

# Credential: keep it out of plain-text playbooks (ansible-vault or a lookup),
# and only send it over a validated TLS connection (ansible_httpapi_validate_certs).
access_token:
    description:
    - Token-based authentication. Generated from GUI of Fortigate.
    required: false
    type: str

# Takes precedence over state when set.
member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str
firewall_ssl_ssh_profile:
    default: null
    description:
    - Configure SSL/SSH protocol options.
    suboptions:
      allowlist:
        choices:
        - enable
        - disable
        description:
        - Enable/disable exempting servers by FortiGuard allowlist.
        type: str
      block_blacklisted_certificates:
        choices:
        - disable
        - enable
        description:
        - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate
          blacklist.
        type: str
      block_blocklisted_certificates:
        choices:
        - disable
        - enable
        description:
        - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate
          blocklist.
        type: str
      caname:
        description:
        - CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
        type: str
      comment:
        description:
        - Optional comments.
        type: str
      dot:
        description:
        - Configure DNS over TLS options.
        suboptions:
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is expired.
            type: str
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action based on the SSL version used being unsupported.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is not issued by a trusted CA.
            type: str
        type: dict
      ftps:
        description:
        - Configure FTPS options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is expired.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          min_allowed_ssl_version:
            choices:
            - ssl-3.0
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Minimum SSL version to be allowed.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action based on the SSL version used being unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is not issued by a trusted CA.
            type: str
        type: dict
      https:
        description:
        - Configure HTTPS options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
            type: str
          cert_probe_failure:
            choices:
            - allow
            - block
            description:
            - Action based on certificate probe failure.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is expired.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          min_allowed_ssl_version:
            choices:
            - ssl-3.0
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Minimum SSL version to be allowed.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - certificate-inspection
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action based on the SSL version used being unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is not issued by a trusted CA.
            type: str
        type: dict
      imaps:
        description:
        - Configure IMAPS options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is expired.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action based on the SSL version used being unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is not issued by a trusted CA.
            type: str
        type: dict
      mapi_over_https:
        choices:
        - enable
        - disable
        description:
        - Enable/disable inspection of MAPI over HTTPS.
        type: str
      name:
        description:
        - Name.
        required: true
        type: str
      pop3s:
        description:
        - Configure POP3S options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is expired.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action based on the SSL version used being unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate is not issued by a trusted CA.
            type: str
        type: dict
      rpc_over_https:
        choices:
        - enable
        - disable
        description:
        - Enable/disable inspection of RPC over HTTPS.
        type: str
      server_cert:
        description:
        - Certificate used by SSL Inspection to replace server certificate. Source vpn.certificate.local.name.
        elements: dict
        suboptions:
          name:
            description:
            - Certificate list. Source vpn.certificate.local.name.
            type: str
        type: list
      server_cert_mode:
        choices:
        - re-sign
        - replace
        description:
        - Re-sign or replace the server's certificate.
        type: str
      smtps:
        description:
        - Configure SMTPS options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
              This removes the man-in-the-middle protection that certificate validation
              provides; keep it disabled unless a documented exception requires it.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate has expired.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate has been revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action taken when the SSL/TLS version in use is unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate was not issued by a trusted CA.
            type: str
        type: dict
      ssh:
        description:
        - Configure SSH options.
        suboptions:
          inspect_all:
            choices:
            - disable
            - deep-inspection
            description:
            - Level of SSH inspection.
            type: str
          ports:
            description:
            - Ports to use for scanning (1 - 65535).
            elements: int
            type: list
          proxy_after_tcp_handshake:
            choices:
            - enable
            - disable
            description:
            - Proxy traffic after the TCP 3-way handshake has been established (not before).
            type: str
          ssh_algorithm:
            choices:
            - compatible
            - high-encryption
            description:
            - Relative strength of encryption algorithms accepted during negotiation;
              compatible is the less strict setting and admits algorithms that
              high-encryption rejects.
            type: str
          ssh_policy_check:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SSH policy check.
            type: str
          ssh_tun_policy_check:
            choices:
            - disable
            - enable
            description:
            - Enable/disable SSH tunnel policy check.
            type: str
          status:
            choices:
            - disable
            - deep-inspection
            description:
            - Configure protocol inspection status.
            type: str
          unsupported_version:
            choices:
            - bypass
            - block
            description:
            - Action taken when the SSH version in use is unsupported.
            type: str
        type: dict
      ssl:
        description:
        - Configure SSL options.
        suboptions:
          allow_invalid_server_cert:
            choices:
            - enable
            - disable
            description:
            - When enabled, allows SSL sessions whose server certificate validation failed.
              This removes the man-in-the-middle protection that certificate validation
              provides; keep it disabled unless a documented exception requires it.
            type: str
          cert_probe_failure:
            choices:
            - allow
            - block
            description:
            - Action based on certificate probe failure.
            type: str
          cert_validation_failure:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation failure.
            type: str
          cert_validation_timeout:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action based on certificate validation timeout.
            type: str
          client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request.
            type: str
          client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate.
            type: str
          expired_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate has expired.
            type: str
          inspect_all:
            choices:
            - disable
            - certificate-inspection
            - deep-inspection
            description:
            - Level of SSL inspection.
            type: str
          invalid_server_cert:
            choices:
            - allow
            - block
            description:
            - Allow or block the invalid SSL session server certificate.
            type: str
          min_allowed_ssl_version:
            choices:
            - ssl-3.0
            - tls-1.0
            - tls-1.1
            - tls-1.2
            - tls-1.3
            description:
            - Minimum SSL/TLS version to be allowed. SSL 3.0, TLS 1.0 and TLS 1.1 are
              deprecated (RFC 7568, RFC 8996); tls-1.2 is the lowest value that should be
              used in new deployments.
            type: str
          revoked_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate has been revoked.
            type: str
          sni_server_cert_check:
            choices:
            - enable
            - strict
            - disable
            description:
            - Check the SNI in the client hello message with the CN or SAN fields in the
              returned server certificate.
            type: str
          unsupported_ssl:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on the SSL encryption used being unsupported.
            type: str
          unsupported_ssl_cipher:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL cipher used being unsupported.
            type: str
          unsupported_ssl_negotiation:
            choices:
            - allow
            - block
            description:
            - Action based on the SSL negotiation used being unsupported.
            type: str
          unsupported_ssl_version:
            choices:
            - allow
            - block
            - inspect
            description:
            - Action taken when the SSL/TLS version in use is unsupported.
            type: str
          untrusted_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Allow, ignore, or block the untrusted SSL session server certificate.
            type: str
          untrusted_server_cert:
            choices:
            - allow
            - block
            - ignore
            description:
            - Action taken when the server certificate was not issued by a trusted CA.
            type: str
        type: dict
      ssl_anomalies_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging SSL anomalies.
        type: str
      ssl_anomaly_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging of SSL anomalies.
        type: str
      ssl_exempt:
        description:
        - Servers to exempt from SSL inspection. Exempted traffic is passed without
          decryption, so none of the inspection actions in this profile apply to it;
          keep the list minimal and enable ssl_exemption_log so exemptions are auditable.
        elements: dict
        suboptions:
          address:
            description:
            - IPv4 address object. Source firewall.address.name firewall.addrgrp.name.
            type: str
          address6:
            description:
            - IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name.
            type: str
          fortiguard_category:
            description:
            - FortiGuard category ID.
            type: int
          id:
            description:
            - ID number.
            type: int
          regex:
            description:
            - Exempt servers by regular expression.
            type: str
          type:
            choices:
            - fortiguard-category
            - address
            - address6
            - wildcard-fqdn
            - regex
            description:
            - Exemption type: address object (IPv4 or IPv6), FortiGuard category,
              wildcard FQDN, or regular expression.
            type: str
          wildcard_fqdn:
            description:
            - Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name
              firewall.wildcard-fqdn.group.name.
            type: str
        type: list
      ssl_exemption_ip_rating:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IP-based URL rating.
        type: str
      ssl_exemption_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging SSL exemptions.
        type: str
      ssl_exemptions_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging SSL exemptions.
        type: str
      ssl_handshake_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging of TLS handshakes.
        type: str
      ssl_negotiation_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging SSL negotiation.
        type: str
      ssl_server:
        description:
        - SSL server settings used for client certificate request.
        elements: dict
        suboptions:
          ftps_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during the FTPS handshake.
            type: str
          ftps_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during the FTPS handshake.
            type: str
          https_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during the HTTPS handshake.
            type: str
          https_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during the HTTPS handshake.
            type: str
          id:
            description:
            - SSL server ID.
            type: int
          imaps_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during the IMAPS handshake.
            type: str
          imaps_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during the IMAPS handshake.
            type: str
          ip:
            description:
            - IPv4 address of the SSL server.
            type: str
          pop3s_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during the POP3S handshake.
            type: str
          pop3s_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during the POP3S handshake.
            type: str
          smtps_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during the SMTPS handshake.
            type: str
          smtps_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during the SMTPS handshake.
            type: str
          ssl_other_client_cert_request:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on client certificate request during an SSL protocol handshake.
            type: str
          ssl_other_client_certificate:
            choices:
            - bypass
            - inspect
            - block
            description:
            - Action based on received client certificate during an SSL protocol handshake.
            type: str
        type: list
      ssl_server_cert_log:
        choices:
        - disable
        - enable
        description:
        - Enable/disable logging of server certificate information.
        type: str
      supported_alpn:
        choices:
        - http1-1
        - http2
        - all
        - none
        description:
        - Configure ALPN option.
        type: str
      untrusted_caname:
        description:
        - Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
        type: str
      use_ssl_server:
        choices:
        - disable
        - enable
        description:
        - Enable/disable the use of the SSL server table for SSL offloading.
        type: str
      whitelist:
        choices:
        - enable
        - disable
        description:
        - Enable/disable exempting servers by FortiGuard whitelist.
        type: str
    type: dict

Outputs

build:
  description: Build number of the FortiGate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str