Try SpotterConfigure global attributes in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of lix_fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120
collections:
- name: lix_fortinet.fortios
version: 102.2.120This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and global category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure global attributes.
fortios_system_global:
vdom: "{{ vdom }}"
system_global:
admin_concurrent: "enable"
admin_console_timeout: "0"
admin_forticloud_sso_login: "enable"
admin_host: "myhostname"
admin_hsts_max_age: "15552000"
admin_https_pki_required: "enable"
admin_https_redirect: "enable"
admin_https_ssl_banned_ciphers: "RSA"
admin_https_ssl_ciphersuites: "TLS-AES-128-GCM-SHA256"
admin_https_ssl_versions: "tlsv1-1"
admin_lockout_duration: "60"
admin_lockout_threshold: "3"
admin_login_max: "100"
admin_maintainer: "enable"
admin_port: "80"
admin_restrict_local: "enable"
admin_scp: "enable"
admin_server_cert: "<your_own_value> (source certificate.local.name)"
admin_sport: "443"
admin_ssh_grace_time: "120"
admin_ssh_password: "enable"
admin_ssh_port: "22"
admin_ssh_v1: "enable"
admin_telnet: "enable"
admin_telnet_port: "23"
admintimeout: "5"
alias: "<your_own_value>"
allow_traffic_redirect: "enable"
anti_replay: "disable"
arp_max_entry: "131072"
asymroute: "enable"
auth_cert: "<your_own_value> (source certificate.local.name)"
auth_http_port: "1000"
auth_https_port: "1003"
auth_ike_saml_port: "1001"
auth_keepalive: "enable"
auth_session_limit: "block-new"
auto_auth_extension_device: "enable"
autorun_log_fsck: "enable"
av_affinity: "<your_own_value>"
av_failopen: "pass"
av_failopen_session: "enable"
batch_cmdb: "enable"
block_session_timer: "30"
br_fdb_max_entry: "8192"
cert_chain_max: "8"
cfg_revert_timeout: "600"
cfg_save: "automatic"
check_protocol_header: "loose"
check_reset_range: "strict"
cli_audit_log: "enable"
cloud_communication: "enable"
clt_cert_req: "enable"
cmdbsvr_affinity: "<your_own_value>"
compliance_check: "enable"
compliance_check_time: "<your_own_value>"
cpu_use_threshold: "90"
csr_ca_attribute: "enable"
daily_restart: "enable"
default_service_source_port: "<your_own_value>"
device_identification_active_scan_delay: "1800"
device_idle_timeout: "300"
dh_params: "1024"
dnsproxy_worker_count: "1"
dst: "enable"
early_tcp_npu_session: "enable"
edit_vdom_prompt: "enable"
endpoint_control_fds_access: "enable"
endpoint_control_portal_port: "32767"
extender_controller_reserved_network: "<your_own_value>"
failtime: "5"
faz_disk_buffer_size: "0"
fds_statistics: "enable"
fds_statistics_period: "60"
fec_port: "50000"
fgd_alert_subscription: "advisory"
forticarrier_bypass: "enable"
fortiextender: "disable"
fortiextender_data_port: "25246"
fortiextender_discovery_lockdown: "disable"
fortiextender_provision_on_authorization: "enable"
fortiextender_vlan_mode: "enable"
fortiipam_integration: "enable"
fortiservice_port: "8013"
fortitoken_cloud: "enable"
gui_allow_default_hostname: "enable"
gui_app_detection_sdwan: "enable"
gui_cdn_usage: "enable"
gui_certificates: "enable"
gui_custom_language: "enable"
gui_date_format: "yyyy/MM/dd"
gui_date_time_source: "system"
gui_device_latitude: "<your_own_value>"
gui_device_longitude: "<your_own_value>"
gui_display_hostname: "enable"
gui_firmware_upgrade_warning: "enable"
gui_forticare_registration_setup_warning: "enable"
gui_fortigate_cloud_sandbox: "enable"
gui_fortiguard_resource_fetch: "enable"
gui_fortisandbox_cloud: "enable"
gui_ipv6: "enable"
gui_lines_per_page: "500"
gui_local_out: "enable"
gui_replacement_message_groups: "enable"
gui_rest_api_cache: "enable"
gui_theme: "jade"
gui_wireless_opensecurity: "enable"
gui_workflow_management: "enable"
ha_affinity: "<your_own_value>"
honor_df: "enable"
hostname: "myhostname"
igmp_state_limit: "3200"
internet_service_database: "mini"
interval: "5"
ip_fragment_mem_thresholds: "32"
ip_src_port_range: "<your_own_value>"
ips_affinity: "<your_own_value>"
ipsec_asic_offload: "enable"
ipsec_ha_seqjump_rate: "10"
ipsec_hmac_offload: "enable"
ipsec_round_robin: "enable"
ipsec_soft_dec_async: "enable"
ipv6_accept_dad: "1"
ipv6_allow_anycast_probe: "enable"
ipv6_allow_local_in_slient_drop: "enable"
ipv6_allow_multicast_probe: "enable"
ipv6_allow_traffic_redirect: "enable"
irq_time_accounting: "auto"
language: "english"
ldapconntimeout: "500"
lldp_reception: "enable"
lldp_transmission: "enable"
log_ssl_connection: "enable"
log_uuid: "disable"
log_uuid_address: "enable"
log_uuid_policy: "enable"
login_timestamp: "enable"
long_vdom_name: "enable"
management_ip: "<your_own_value>"
management_port: "443"
management_port_use_admin_sport: "enable"
management_vdom: "<your_own_value> (source system.vdom.name)"
max_dlpstat_memory: "145"
max_route_cache_size: "0"
mc_ttl_notchange: "enable"
memory_use_threshold_extreme: "95"
memory_use_threshold_green: "82"
memory_use_threshold_red: "88"
miglog_affinity: "<your_own_value>"
miglogd_children: "0"
multi_factor_authentication: "optional"
multicast_forward: "enable"
ndp_max_entry: "0"
per_user_bal: "enable"
per_user_bwl: "enable"
pmtu_discovery: "enable"
policy_auth_concurrent: "0"
post_login_banner: "disable"
pre_login_banner: "enable"
private_data_encryption: "disable"
proxy_auth_lifetime: "enable"
proxy_auth_lifetime_timeout: "480"
proxy_auth_timeout: "10"
proxy_cert_use_mgmt_vdom: "enable"
proxy_cipher_hardware_acceleration: "disable"
proxy_hardware_acceleration: "disable"
proxy_kxp_hardware_acceleration: "disable"
proxy_re_authentication_mode: "session"
proxy_resource_mode: "enable"
proxy_worker_count: "0"
radius_port: "1812"
reboot_upon_config_restore: "enable"
refresh: "0"
remoteauthtimeout: "5"
reset_sessionless_tcp: "enable"
restart_time: "<your_own_value>"
revision_backup_on_logout: "enable"
revision_image_auto_backup: "enable"
scanunit_count: "0"
security_rating_result_submission: "enable"
security_rating_run_on_schedule: "enable"
send_pmtu_icmp: "enable"
snat_route_change: "enable"
special_file_23_support: "disable"
speedtest_server: "enable"
split_port: "<your_own_value>"
ssd_trim_date: "1"
ssd_trim_freq: "never"
ssd_trim_hour: "1"
ssd_trim_min: "60"
ssd_trim_weekday: "sunday"
ssh_cbc_cipher: "enable"
ssh_enc_algo: "chacha20-poly1305@openssh.com"
ssh_hmac_md5: "enable"
ssh_kex_algo: "diffie-hellman-group1-sha1"
ssh_kex_sha1: "enable"
ssh_mac_algo: "hmac-md5"
ssh_mac_weak: "enable"
ssl_min_proto_version: "SSLv3"
ssl_static_key_ciphers: "enable"
sslvpn_cipher_hardware_acceleration: "enable"
sslvpn_ems_sn_check: "enable"
sslvpn_kxp_hardware_acceleration: "enable"
sslvpn_max_worker_count: "0"
sslvpn_plugin_version_check: "enable"
strict_dirty_session_check: "enable"
strong_crypto: "enable"
switch_controller: "disable"
switch_controller_reserved_network: "<your_own_value>"
sys_perf_log_interval: "5"
tcp_halfclose_timer: "120"
tcp_halfopen_timer: "10"
tcp_option: "enable"
tcp_rst_timer: "5"
tcp_timewait_timer: "1"
tftp: "enable"
timezone: "01"
tp_mc_skip_policy: "enable"
traffic_priority: "tos"
traffic_priority_level: "low"
two_factor_email_expiry: "60"
two_factor_fac_expiry: "60"
two_factor_ftk_expiry: "60"
two_factor_ftm_expiry: "72"
two_factor_sms_expiry: "60"
udp_idle_timer: "180"
url_filter_affinity: "<your_own_value>"
url_filter_count: "1"
user_device_store_max_devices: "21052"
user_device_store_max_unified_mem: "105262899"
user_device_store_max_users: "21052"
user_server_cert: "<your_own_value> (source certificate.local.name)"
vdom_admin: "enable"
vdom_mode: "no-vdom"
vip_arp_range: "unlimited"
virtual_server_count: "20"
virtual_server_hardware_acceleration: "disable"
wad_affinity: "<your_own_value>"
wad_csvc_cs_count: "1"
wad_csvc_db_count: "0"
wad_memory_change_granularity: "10"
wad_source_affinity: "disable"
wad_worker_count: "0"
wifi_ca_certificate: "<your_own_value> (source certificate.ca.name)"
wifi_certificate: "<your_own_value> (source certificate.local.name)"
wimax_4g_usb: "enable"
wireless_controller: "enable"
wireless_controller_port: "5246"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
system_global:
default: null
description:
- Configure global attributes.
suboptions:
admin_concurrent:
choices:
- enable
- disable
description:
- Enable/disable concurrent administrator logins. Use policy-auth-concurrent for
firewall authenticated users.
type: str
admin_console_timeout:
description:
- Console login timeout that overrides the admin timeout value (15 - 300 seconds).
type: int
admin_forticloud_sso_login:
choices:
- enable
- disable
description:
- Enable/disable FortiCloud admin login via SSO.
type: str
admin_host:
description:
- Administrative host for HTTP and HTTPS. When set, will be used in lieu of the
client"s Host header for any redirection.
type: str
admin_hsts_max_age:
description:
- HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will
reset any HSTS records in the browser.When admin-https-redirect is disabled
the header max-age will be 0.
type: int
admin_https_pki_required:
choices:
- enable
- disable
description:
- Enable/disable admin login method. Enable to force administrators to provide
a valid certificate to log in if PKI is enabled. Disable to allow administrators
to log in with a certificate or password.
type: str
admin_https_redirect:
choices:
- enable
- disable
description:
- Enable/disable redirection of HTTP administration access to HTTPS.
type: str
admin_https_ssl_banned_ciphers:
choices:
- RSA
- DHE
- ECDHE
- DSS
- ECDSA
- AES
- AESGCM
- CAMELLIA
- 3DES
- SHA1
- SHA256
- SHA384
- STATIC
- CHACHA20
- ARIA
- AESCCM
description:
- Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations.
Only applies to TLS 1.2 and below.
elements: str
type: list
admin_https_ssl_ciphersuites:
choices:
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
- TLS-AES-128-CCM-SHA256
- TLS-AES-128-CCM-8-SHA256
description:
- Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in
TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3
from admin-https-ssl-versions.
elements: str
type: list
admin_https_ssl_versions:
choices:
- tlsv1-1
- tlsv1-2
- tlsv1-3
- tlsv1-0
description:
- Allowed TLS versions for web administration.
elements: str
type: list
admin_lockout_duration:
description:
- Amount of time in seconds that an administrator account is locked out after
reaching the admin-lockout-threshold for repeated failed login attempts.
type: int
admin_lockout_threshold:
description:
- Number of failed login attempts before an administrator account is locked out
for the admin-lockout-duration.
type: int
admin_login_max:
description:
- Maximum number of administrators who can be logged in at the same time (1 -
100).
type: int
admin_maintainer:
choices:
- enable
- disable
description:
- Enable/disable maintainer administrator login. When enabled, the maintainer
account can be used to log in from the console after a hard reboot. The password
is "bcpb" followed by the FortiGate unit serial number. You have limited time
to complete this login.
type: str
admin_port:
description:
- Administrative access port for HTTP. (1 - 65535).
type: int
admin_restrict_local:
choices:
- enable
- disable
description:
- Enable/disable local admin authentication restriction when remote authenticator
is up and running .
type: str
admin_scp:
choices:
- enable
- disable
description:
- Enable/disable using SCP to download the system configuration. You can use SCP
as an alternative method for backing up the configuration.
type: str
admin_server_cert:
description:
- Server certificate that the FortiGate uses for HTTPS administrative connections.
Source certificate.local.name.
type: str
admin_sport:
description:
- Administrative access port for HTTPS. (1 - 65535).
type: int
admin_ssh_grace_time:
description:
- Maximum time in seconds permitted between making an SSH connection to the FortiGate
unit and authenticating (10 - 3600 sec (1 hour)).
type: int
admin_ssh_password:
choices:
- enable
- disable
description:
- Enable/disable password authentication for SSH admin access.
type: str
admin_ssh_port:
description:
- Administrative access port for SSH. (1 - 65535).
type: int
admin_ssh_v1:
choices:
- enable
- disable
description:
- Enable/disable SSH v1 compatibility.
type: str
admin_telnet:
choices:
- enable
- disable
description:
- Enable/disable TELNET service.
type: str
admin_telnet_port:
description:
- Administrative access port for TELNET. (1 - 65535).
type: int
admintimeout:
description:
- Number of minutes before an idle administrator session times out (1 - 480 minutes
(8 hours)). A shorter idle timeout is more secure.
type: int
alias:
description:
- Alias for your FortiGate unit.
type: str
allow_traffic_redirect:
choices:
- enable
- disable
description:
- Disable to prevent traffic with same local ingress and egress interface from
being forwarded without policy check.
type: str
anti_replay:
choices:
- disable
- loose
- strict
description:
- Level of checking for packet replay and TCP sequence checking.
type: str
arp_max_entry:
description:
- Maximum number of dynamically learned MAC addresses that can be added to the
ARP table (131072 - 2147483647).
type: int
asymroute:
choices:
- enable
- disable
description:
- Enable/disable asymmetric route.
type: str
auth_cert:
description:
- Server certificate that the FortiGate uses for HTTPS firewall authentication
connections. Source certificate.local.name.
type: str
auth_http_port:
description:
- User authentication HTTP port. (1 - 65535).
type: int
auth_https_port:
description:
- User authentication HTTPS port. (1 - 65535).
type: int
auth_ike_saml_port:
description:
- User IKE SAML authentication port (0 - 65535).
type: int
auth_keepalive:
choices:
- enable
- disable
description:
- Enable to prevent user authentication sessions from timing out when idle.
type: str
auth_session_limit:
choices:
- block-new
- logout-inactive
description:
- Action to take when the number of allowed user authenticated sessions is reached.
type: str
auto_auth_extension_device:
choices:
- enable
- disable
description:
- Enable/disable automatic authorization of dedicated Fortinet extension devices.
type: str
autorun_log_fsck:
choices:
- enable
- disable
description:
- Enable/disable automatic log partition check after ungraceful shutdown.
type: str
av_affinity:
description:
- Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format
of xxxxxxxxxxxxxxxx).
type: str
av_failopen:
choices:
- pass
- 'off'
- one-shot
description:
- Set the action to take if the FortiGate is running low on memory or the proxy
connection limit has been reached.
type: str
av_failopen_session:
choices:
- enable
- disable
description:
- When enabled and a proxy for a protocol runs out of room in its session table,
that protocol goes into failopen mode and enacts the action specified by av-failopen.
type: str
batch_cmdb:
choices:
- enable
- disable
description:
- Enable/disable batch mode, allowing you to enter a series of CLI commands that
will execute as a group once they are loaded.
type: str
block_session_timer:
description:
- Duration in seconds for blocked sessions (1 - 300 sec (5 minutes)).
type: int
br_fdb_max_entry:
description:
- Maximum number of bridge forwarding database (FDB) entries.
type: int
cert_chain_max:
description:
- Maximum number of certificates that can be traversed in a certificate chain.
type: int
cfg_revert_timeout:
description:
- Time-out for reverting to the last saved configuration. (10 - 4294967295 seconds).
type: int
cfg_save:
choices:
- automatic
- manual
- revert
description:
- Configuration file save mode for CLI changes.
type: str
check_protocol_header:
choices:
- loose
- strict
description:
- Level of checking performed on protocol headers. Strict checking is more thorough
but may affect performance. Loose checking is OK in most cases.
type: str
check_reset_range:
choices:
- strict
- disable
description:
- Configure ICMP error message verification. You can either apply strict RST range
checking or disable it.
type: str
cli_audit_log:
choices:
- enable
- disable
description:
- Enable/disable CLI audit log.
type: str
cloud_communication:
choices:
- enable
- disable
description:
- Enable/disable all cloud communication.
type: str
clt_cert_req:
choices:
- enable
- disable
description:
- Enable/disable requiring administrators to have a client certificate to log
into the GUI using HTTPS.
type: str
cmdbsvr_affinity:
description:
- Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format
of xxxxxxxxxxxxxxxx).
type: str
compliance_check:
choices:
- enable
- disable
description:
- Enable/disable global PCI DSS compliance check.
type: str
compliance_check_time:
description:
- Time of day to run scheduled PCI DSS compliance checks.
type: str
cpu_use_threshold:
description:
- Threshold at which CPU usage is reported (% of total CPU).
type: int
csr_ca_attribute:
choices:
- enable
- disable
description:
- Enable/disable the CA attribute in certificates. Some CA servers reject CSRs
that have the CA attribute.
type: str
daily_restart:
choices:
- enable
- disable
description:
- Enable/disable daily restart of FortiGate unit. Use the restart-time option
to set the time of day for the restart.
type: str
default_service_source_port:
description:
- Default service source port range .
type: str
device_identification_active_scan_delay:
description:
- Number of seconds to passively scan a device before performing an active scan.
(20 - 3600 sec, (20 sec to 1 hour)).
type: int
device_idle_timeout:
description:
- Time in seconds that a device must be idle to automatically log the device user
out. (30 - 31536000 sec (30 sec to 1 year)).
type: int
dh_params:
choices:
- '1024'
- '1536'
- '2048'
- '3072'
- '4096'
- '6144'
- '8192'
description:
- Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
type: str
dnsproxy_worker_count:
description:
- DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can
set the DNS process number from 1 to the number of logical CPUs.
type: int
dst:
choices:
- enable
- disable
description:
- Enable/disable daylight saving time.
type: str
early_tcp_npu_session:
choices:
- enable
- disable
description:
- Enable/disable early TCP NPU session.
type: str
edit_vdom_prompt:
choices:
- enable
- disable
description:
- Enable/disable edit new VDOM prompt.
type: str
endpoint_control_fds_access:
choices:
- enable
- disable
description:
- Enable/disable access to the FortiGuard network for non-compliant endpoints.
type: str
endpoint_control_portal_port:
description:
- Endpoint control portal port (1 - 65535).
type: int
extender_controller_reserved_network:
description:
- Configure reserved network subnet for managed LAN extension FortiExtender units.
This is available when the FortiExtender daemon is running.
type: str
failtime:
description:
- Fail-time for server lost.
type: int
faz_disk_buffer_size:
description:
- Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer.
To be used in the event that FortiAnalyzer is unavailable.
type: int
fds_statistics:
choices:
- enable
- disable
description:
- Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard.
This data is used to improve FortiGuard services and is not shared with external
parties and is protected by Fortinet"s privacy policy.
type: str
fds_statistics_period:
description:
- FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to
24 hours)).
type: int
fec_port:
description:
- Local UDP port for Forward Error Correction (49152 - 65535).
type: int
fgd_alert_subscription:
choices:
- advisory
- latest-threat
- latest-virus
- latest-attack
- new-antivirus-db
- new-attack-db
description:
- Type of alert to retrieve from FortiGuard.
elements: str
type: list
forticarrier_bypass:
choices:
- enable
- disable
description:
- Enable/disable forticarrier-bypass.
type: str
fortiextender:
choices:
- disable
- enable
description:
- Enable/disable FortiExtender.
type: str
fortiextender_data_port:
description:
- FortiExtender data port (1024 - 49150).
type: int
fortiextender_discovery_lockdown:
choices:
- disable
- enable
description:
- Enable/disable FortiExtender CAPWAP lockdown.
type: str
fortiextender_provision_on_authorization:
choices:
- enable
- disable
description:
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
type: str
fortiextender_vlan_mode:
choices:
- enable
- disable
description:
- Enable/disable FortiExtender VLAN mode.
type: str
fortiipam_integration:
choices:
- enable
- disable
description:
- Enable/disable integration with the FortiIPAM cloud service.
type: str
fortiservice_port:
description:
- FortiService port (1 - 65535). Used by FortiClient endpoint compliance. Older
versions of FortiClient used a different port.
type: int
fortitoken_cloud:
choices:
- enable
- disable
description:
- Enable/disable FortiToken Cloud service.
type: str
gui_allow_default_hostname:
choices:
- enable
- disable
description:
- Enable/disable the factory default hostname warning on the GUI setup wizard.
type: str
gui_app_detection_sdwan:
choices:
- enable
- disable
description:
- Enable/disable Allow app-detection based SD-WAN.
type: str
gui_cdn_usage:
choices:
- enable
- disable
description:
- Enable/disable Load GUI static files from a CDN.
type: str
gui_certificates:
choices:
- enable
- disable
description:
- Enable/disable the System > Certificate GUI page, allowing you to add and configure
certificates from the GUI.
type: str
gui_custom_language:
choices:
- enable
- disable
description:
- Enable/disable custom languages in GUI.
type: str
gui_date_format:
choices:
- yyyy/MM/dd
- dd/MM/yyyy
- MM/dd/yyyy
- yyyy-MM-dd
- dd-MM-yyyy
- MM-dd-yyyy
description:
- Default date format used throughout GUI.
type: str
gui_date_time_source:
choices:
- system
- browser
description:
- Source from which the FortiGate GUI uses to display date and time entries.
type: str
gui_device_latitude:
description:
- Add the latitude of the location of this FortiGate to position it on the Threat
Map.
type: str
gui_device_longitude:
description:
- Add the longitude of the location of this FortiGate to position it on the Threat
Map.
type: str
gui_display_hostname:
choices:
- enable
- disable
description:
- Enable/disable displaying the FortiGate"s hostname on the GUI login page.
type: str
gui_firmware_upgrade_warning:
choices:
- enable
- disable
description:
- Enable/disable the firmware upgrade warning on the GUI.
type: str
gui_forticare_registration_setup_warning:
choices:
- enable
- disable
description:
- Enable/disable the FortiCare registration setup warning on the GUI.
type: str
gui_fortigate_cloud_sandbox:
choices:
- enable
- disable
description:
- Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
type: str
gui_fortiguard_resource_fetch:
choices:
- enable
- disable
description:
- Enable/disable retrieving static GUI resources from FortiGuard. Disabling it
will improve GUI load time for air-gapped environments.
type: str
gui_fortisandbox_cloud:
choices:
- enable
- disable
description:
- Enable/disable displaying FortiSandbox Cloud on the GUI.
type: str
gui_ipv6:
choices:
- enable
- disable
description:
- Enable/disable IPv6 settings on the GUI.
type: str
gui_lines_per_page:
description:
- Number of lines to display per page for web administration.
type: int
gui_local_out:
choices:
- enable
- disable
description:
- Enable/disable Local-out traffic on the GUI.
type: str
gui_replacement_message_groups:
choices:
- enable
- disable
description:
- Enable/disable replacement message groups on the GUI.
type: str
gui_rest_api_cache:
choices:
- enable
- disable
description:
- Enable/disable REST API result caching on FortiGate.
type: str
gui_theme:
choices:
- jade
- neutrino
- mariner
- graphite
- melongene
- retro
- dark-matter
- onyx
- eclipse
- green
- blue
- red
description:
- Color scheme for the administration GUI.
type: str
gui_wireless_opensecurity:
choices:
- enable
- disable
description:
- Enable/disable wireless open security option on the GUI.
type: str
gui_workflow_management:
choices:
- enable
- disable
description:
- Enable/disable Workflow management features on the GUI.
type: str
ha_affinity:
description:
- Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format
of xxxxxxxxxxxxxxxx).
type: str
honor_df:
choices:
- enable
- disable
description:
- Enable/disable honoring of Don"t-Fragment (DF) flag.
type: str
hostname:
description:
- FortiGate unit"s hostname. Most models will truncate names longer than 24 characters.
Some models support hostnames up to 35 characters.
type: str
igmp_state_limit:
description:
- Maximum number of IGMP memberships (96 - 64000).
type: int
internet_service_database:
choices:
- mini
- standard
- full
description:
- Configure which Internet Service database size to download from FortiGuard and
use.
type: str
interval:
description:
- Dead gateway detection interval.
type: int
ip_fragment_mem_thresholds:
description:
- Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
type: int
ip_src_port_range:
description:
- IP source port range used for traffic originating from the FortiGate unit.
type: str
ips_affinity:
description:
- Affinity setting for IPS (hexadecimal value up to 256 bits in the format of
xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine
daemons).
type: str
ipsec_asic_offload:
choices:
- enable
- disable
description:
- Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic.
Hardware acceleration can offload IPsec VPN sessions and accelerate encryption
and decryption.
type: str
ipsec_ha_seqjump_rate:
description:
- ESP jump ahead rate (1G - 10G pps equivalent).
type: int
ipsec_hmac_offload:
choices:
- enable
- disable
description:
- Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec
VPN.
type: str
ipsec_round_robin:
choices:
- enable
- disable
description:
- Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
type: str
ipsec_soft_dec_async:
choices:
- enable
- disable
description:
- Enable/disable software decryption asynchronization (using multiple CPUs to
do decryption) for IPsec VPN traffic.
type: str
ipv6_accept_dad:
description:
- Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
type: int
ipv6_allow_anycast_probe:
choices:
- enable
- disable
description:
- Enable/disable IPv6 address probe through Anycast.
type: str
ipv6_allow_local_in_slient_drop:
choices:
- enable
- disable
description:
- Enable/disable silent drop of IPv6 local-in traffic.
type: str
ipv6_allow_multicast_probe:
choices:
- enable
- disable
description:
- Enable/disable IPv6 address probe through Multicast.
type: str
ipv6_allow_traffic_redirect:
choices:
- enable
- disable
description:
- Disable to prevent IPv6 traffic with same local ingress and egress interface
from being forwarded without policy check.
type: str
irq_time_accounting:
choices:
- auto
- force
description:
- Configure CPU IRQ time accounting mode.
type: str
language:
choices:
- english
- french
- spanish
- portuguese
- japanese
- trach
- simch
- korean
description:
- GUI display language.
type: str
ldapconntimeout:
description:
- Global timeout for connections with remote LDAP servers in milliseconds (1 -
300000).
type: int
lldp_reception:
choices:
- enable
- disable
description:
- Enable/disable Link Layer Discovery Protocol (LLDP) reception.
type: str
lldp_transmission:
choices:
- enable
- disable
description:
- Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
type: str
log_ssl_connection:
choices:
- enable
- disable
description:
- Enable/disable logging of SSL connection events.
type: str
log_uuid:
choices:
- disable
- policy-only
- extended
description:
- Whether UUIDs are added to traffic logs. You can disable UUIDs, add firewall
policy UUIDs to traffic logs, or add all UUIDs to traffic logs.
type: str
log_uuid_address:
choices:
- enable
- disable
description:
- Enable/disable insertion of address UUIDs to traffic logs.
type: str
log_uuid_policy:
choices:
- enable
- disable
description:
- Enable/disable insertion of policy UUIDs to traffic logs.
type: str
login_timestamp:
choices:
- enable
- disable
description:
- Enable/disable login time recording.
type: str
long_vdom_name:
choices:
- enable
- disable
description:
- Enable/disable long VDOM name support.
type: str
management_ip:
description:
- Management IP address of this FortiGate. Used to log into this FortiGate from
another FortiGate in the Security Fabric.
type: str
management_port:
description:
- Overriding port for management connection (Overrides admin port).
type: int
management_port_use_admin_sport:
choices:
- enable
- disable
description:
- Enable/disable use of the admin-sport setting for the management port. If disabled,
FortiGate will allow user to specify management-port.
type: str
management_vdom:
description:
- Management virtual domain name. Source system.vdom.name.
type: str
max_dlpstat_memory:
description:
- Maximum DLP stat memory (0 - 4294967295).
type: int
max_route_cache_size:
description:
- Maximum number of IP route cache entries (0 - 2147483647).
type: int
mc_ttl_notchange:
choices:
- enable
- disable
description:
- Enable/disable no modification of multicast TTL.
type: str
memory_use_threshold_extreme:
description:
- Threshold at which memory usage is considered extreme (new sessions are dropped)
(% of total RAM).
type: int
memory_use_threshold_green:
description:
- Threshold at which memory usage forces the FortiGate to exit conserve mode (%
of total RAM).
type: int
memory_use_threshold_red:
description:
- Threshold at which memory usage forces the FortiGate to enter conserve mode
(% of total RAM).
type: int
miglog_affinity:
description:
- Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
type: str
miglogd_children:
description:
- Number of logging (miglogd) processes to be allowed to run. Higher number can
reduce performance; lower number can slow log processing time. No logs will
be dropped or lost if the number is changed.
type: int
multi_factor_authentication:
choices:
- optional
- mandatory
description:
- Enforce all login methods to require an additional authentication factor .
type: str
multicast_forward:
choices:
- enable
- disable
description:
- Enable/disable multicast forwarding.
type: str
ndp_max_entry:
description:
- Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel
holds 65,536 entries).
type: int
per_user_bal:
choices:
- enable
- disable
description:
- Enable/disable per-user block/allow list filter.
type: str
per_user_bwl:
choices:
- enable
- disable
description:
- Enable/disable per-user black/white list filter.
type: str
pmtu_discovery:
choices:
- enable
- disable
description:
- Enable/disable path MTU discovery.
type: str
policy_auth_concurrent:
description:
- Number of concurrent firewall use logins from the same user (1 - 100).
type: int
post_login_banner:
choices:
- disable
- enable
description:
- Enable/disable displaying the administrator access disclaimer message after
an administrator successfully logs in.
type: str
pre_login_banner:
choices:
- enable
- disable
description:
- Enable/disable displaying the administrator access disclaimer message on the
login page before an administrator logs in.
type: str
private_data_encryption:
choices:
- disable
- enable
description:
- Enable/disable private data encryption using an AES 128-bit key or passpharse.
type: str
proxy_auth_lifetime:
choices:
- enable
- disable
description:
- Enable/disable authenticated users lifetime control. This is a cap on the total
time a proxy user can be authenticated for after which re-authentication will
take place.
type: str
proxy_auth_lifetime_timeout:
description:
- Lifetime timeout in minutes for authenticated users (5 - 65535 min).
type: int
proxy_auth_timeout:
description:
- Authentication timeout in minutes for authenticated users (1 - 300 min).
type: int
proxy_cert_use_mgmt_vdom:
choices:
- enable
- disable
description:
- Enable/disable using management VDOM to send requests.
type: str
proxy_cipher_hardware_acceleration:
choices:
- disable
- enable
description:
- Enable/disable using content processor (CP8 or CP9) hardware acceleration to
encrypt and decrypt IPsec and SSL traffic.
type: str
proxy_hardware_acceleration:
choices:
- disable
- enable
description:
- Enable/disable email proxy hardware acceleration.
type: str
proxy_kxp_hardware_acceleration:
choices:
- disable
- enable
description:
- Enable/disable using the content processor to accelerate KXP traffic.
type: str
proxy_re_authentication_mode:
choices:
- session
- traffic
- absolute
description:
- Control if users must re-authenticate after a session is closed, traffic has
been idle, or from the point at which the user was first created.
type: str
proxy_resource_mode:
choices:
- enable
- disable
description:
- Enable/disable use of the maximum memory usage on the FortiGate unit"s proxy
processing of resources, such as block lists, allow lists, and external resources.
type: str
proxy_worker_count:
description:
- Proxy worker count.
type: int
radius_port:
description:
- RADIUS service port number.
type: int
reboot_upon_config_restore:
choices:
- enable
- disable
description:
- Enable/disable reboot of system upon restoring configuration.
type: str
refresh:
description:
- Statistics refresh interval second(s) in GUI.
type: int
remoteauthtimeout:
description:
- Number of seconds that the FortiGate waits for responses from remote RADIUS,
LDAP, or TACACS+ authentication servers. (1-300 sec).
type: int
reset_sessionless_tcp:
choices:
- enable
- disable
description:
- Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding
session in its session table. NAT/Route mode only.
type: str
restart_time:
description:
- Daily restart time (hh:mm).
type: str
revision_backup_on_logout:
choices:
- enable
- disable
description:
- Enable/disable back-up of the latest configuration revision when an administrator
logs out of the CLI or GUI.
type: str
revision_image_auto_backup:
choices:
- enable
- disable
description:
- Enable/disable back-up of the latest image revision after the firmware is upgraded.
type: str
scanunit_count:
description:
- Number of scanunits. The range and the default depend on the number of CPUs.
Only available on FortiGate units with multiple CPUs.
type: int
security_rating_result_submission:
choices:
- enable
- disable
description:
- Enable/disable the submission of Security Rating results to FortiGuard.
type: str
security_rating_run_on_schedule:
choices:
- enable
- disable
description:
- Enable/disable scheduled runs of Security Rating.
type: str
send_pmtu_icmp:
choices:
- enable
- disable
description:
- Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination
unreachable packet and to support PMTUD protocol on your network to reduce fragmentation
of packets.
type: str
snat_route_change:
choices:
- enable
- disable
description:
- Enable/disable the ability to change the static NAT route.
type: str
special_file_23_support:
choices:
- disable
- enable
description:
- Enable/disable detection of those special format files when using Data Leak
Protection.
type: str
speedtest_server:
choices:
- enable
- disable
description:
- Enable/disable speed test server.
type: str
split_port:
description:
- Split port(s) to multiple 10Gbps ports.
elements: str
type: list
ssd_trim_date:
description:
- Date within a month to run ssd trim.
type: int
ssd_trim_freq:
choices:
- never
- hourly
- daily
- weekly
- monthly
description:
- How often to run SSD Trim . SSD Trim prevents SSD drive data loss by finding
and isolating errors.
type: str
ssd_trim_hour:
description:
- Hour of the day on which to run SSD Trim (0 - 23).
type: int
ssd_trim_min:
description:
- Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
type: int
ssd_trim_weekday:
choices:
- sunday
- monday
- tuesday
- wednesday
- thursday
- friday
- saturday
description:
- Day of week to run SSD Trim.
type: str
ssh_cbc_cipher:
choices:
- enable
- disable
description:
- Enable/disable CBC cipher for SSH access.
type: str
ssh_enc_algo:
choices:
- chacha20-poly1305@openssh.com
- aes128-ctr
- aes192-ctr
- aes256-ctr
- arcfour256
- arcfour128
- aes128-cbc
- 3des-cbc
- blowfish-cbc
- cast128-cbc
- aes192-cbc
- aes256-cbc
- arcfour
- rijndael-cbc@lysator.liu.se
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
description:
- Select one or more SSH ciphers.
elements: str
type: list
ssh_hmac_md5:
choices:
- enable
- disable
description:
- Enable/disable HMAC-MD5 for SSH access.
type: str
ssh_kex_algo:
choices:
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
description:
- Select one or more SSH kex algorithms.
elements: str
type: list
ssh_kex_sha1:
choices:
- enable
- disable
description:
- Enable/disable SHA1 key exchange for SSH access.
type: str
ssh_mac_algo:
choices:
- hmac-md5
- hmac-md5-etm@openssh.com
- hmac-md5-96
- hmac-md5-96-etm@openssh.com
- hmac-sha1
- hmac-sha1-etm@openssh.com
- hmac-sha2-256
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512
- hmac-sha2-512-etm@openssh.com
- hmac-ripemd160
- hmac-ripemd160@openssh.com
- hmac-ripemd160-etm@openssh.com
- umac-64@openssh.com
- umac-128@openssh.com
- umac-64-etm@openssh.com
- umac-128-etm@openssh.com
description:
- Select one or more SSH MAC algorithms.
elements: str
type: list
ssh_mac_weak:
choices:
- enable
- disable
description:
- Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
type: str
ssl_min_proto_version:
choices:
- SSLv3
- TLSv1
- TLSv1-1
- TLSv1-2
- TLSv1-3
description:
- Minimum supported protocol version for SSL/TLS connections .
type: str
ssl_static_key_ciphers:
choices:
- enable
- disable
description:
- Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA,
AES128-SHA256, AES256-SHA256).
type: str
sslvpn_cipher_hardware_acceleration:
choices:
- enable
- disable
description:
- Enable/disable SSL-VPN hardware acceleration.
type: str
sslvpn_ems_sn_check:
choices:
- enable
- disable
description:
- Enable/disable verification of EMS serial number in SSL-VPN connection.
type: str
sslvpn_kxp_hardware_acceleration:
choices:
- enable
- disable
description:
- Enable/disable SSL-VPN KXP hardware acceleration.
type: str
sslvpn_max_worker_count:
description:
- Maximum number of SSL-VPN processes. Upper limit for this value is the number
of CPUs and depends on the model. Default value of zero means the SSLVPN daemon
decides the number of worker processes.
type: int
sslvpn_plugin_version_check:
choices:
- enable
- disable
description:
- sslvpn-plugin-version-check
type: str
strict_dirty_session_check:
choices:
- enable
- disable
description:
- Enable to check the session against the original policy when revalidating. This
can prevent dropping of redirected sessions when web-filtering and authentication
are enabled together. If this option is enabled, the FortiGate unit deletes
a session if a routing or policy change causes the session to no longer match
the policy that originally allowed the session.
type: str
strong_crypto:
choices:
- enable
- disable
description:
- Enable to use strong encryption and only allow strong ciphers and digest for
HTTPS/SSH/TLS/SSL functions.
type: str
switch_controller:
choices:
- disable
- enable
description:
- Enable/disable switch controller feature. Switch controller allows you to manage
FortiSwitch from the FortiGate itself.
type: str
switch_controller_reserved_network:
description:
- Configure reserved network subnet for managed switches. This is available when
the switch controller is enabled.
type: str
sys_perf_log_interval:
description:
- Time in minutes between updates of performance statistics logging. (1 - 15 min).
type: int
tcp_halfclose_timer:
description:
- Number of seconds the FortiGate unit should wait to close a session after one
peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1
day)).
type: int
tcp_halfopen_timer:
description:
- Number of seconds the FortiGate unit should wait to close a session after one
peer has sent an open session packet but the other has not responded (1 - 86400
sec (1 day)).
type: int
tcp_option:
choices:
- enable
- disable
description:
- Enable SACK, timestamp and MSS TCP options.
type: str
tcp_rst_timer:
description:
- Length of the TCP CLOSE state in seconds (5 - 300 sec).
type: int
tcp_timewait_timer:
description:
- Length of the TCP TIME-WAIT state in seconds (1 - 300 sec).
type: int
tftp:
choices:
- enable
- disable
description:
- Enable/disable TFTP.
type: str
timezone:
choices:
- '01'
- '02'
- '03'
- '04'
- '05'
- '81'
- '06'
- '07'
- 08
- 09
- '10'
- '11'
- '12'
- '13'
- '74'
- '14'
- '77'
- '15'
- '87'
- '16'
- '17'
- '18'
- '19'
- '20'
- '75'
- '21'
- '22'
- '23'
- '24'
- '80'
- '79'
- '25'
- '26'
- '27'
- '28'
- '78'
- '29'
- '30'
- '31'
- '32'
- '33'
- '34'
- '35'
- '36'
- '37'
- '38'
- '83'
- '84'
- '40'
- '85'
- '39'
- '41'
- '42'
- '43'
- '44'
- '45'
- '46'
- '47'
- '51'
- '48'
- '49'
- '50'
- '52'
- '53'
- '54'
- '55'
- '56'
- '57'
- '58'
- '59'
- '60'
- '61'
- '62'
- '63'
- '64'
- '65'
- '66'
- '67'
- '68'
- '69'
- '70'
- '71'
- '72'
- '00'
- '82'
- '73'
- '86'
- '76'
description:
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to
view the list of time zones and the numbers that represent them.
type: str
tp_mc_skip_policy:
choices:
- enable
- disable
description:
- Enable/disable skip policy check and allow multicast through.
type: str
traffic_priority:
choices:
- tos
- dscp
description:
- Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for
traffic prioritization in traffic shaping.
type: str
traffic_priority_level:
choices:
- low
- medium
- high
description:
- Default system-wide level of priority for traffic prioritization.
type: str
two_factor_email_expiry:
description:
- Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes)).
type: int
two_factor_fac_expiry:
description:
- FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1
hour)).
type: int
two_factor_ftk_expiry:
description:
- FortiToken authentication session timeout (60 - 600 sec (10 minutes)).
type: int
two_factor_ftm_expiry:
description:
- FortiToken Mobile session timeout (1 - 168 hours (7 days)).
type: int
two_factor_sms_expiry:
description:
- SMS-based two-factor authentication session timeout (30 - 300 sec).
type: int
udp_idle_timer:
description:
- UDP connection session timeout. This command can be useful in managing CPU and
memory resources (1 - 86400 seconds (1 day)).
type: int
url_filter_affinity:
description:
- URL filter CPU affinity.
type: str
url_filter_count:
description:
- URL filter daemon count.
type: int
user_device_store_max_devices:
description:
- Maximum number of devices allowed in user device store.
type: int
user_device_store_max_unified_mem:
description:
- Maximum unified memory allowed in user device store.
type: int
user_device_store_max_users:
description:
- Maximum number of users allowed in user device store.
type: int
user_server_cert:
description:
- Certificate to use for https user authentication. Source certificate.local.name.
type: str
vdom_admin:
choices:
- enable
- disable
description:
- vdom-admin
type: str
vdom_mode:
choices:
- no-vdom
- multi-vdom
- split-vdom
description:
- Enable/disable support for multiple virtual domains (VDOMs).
type: str
vip_arp_range:
choices:
- unlimited
- restricted
description:
- Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP)
address range.
type: str
virtual_server_count:
description:
- Maximum number of virtual server processes to create. The maximum is the number
of CPU cores. This is not available on single-core CPUs.
type: int
virtual_server_hardware_acceleration:
choices:
- disable
- enable
description:
- Enable/disable virtual server hardware acceleration.
type: str
wad_affinity:
description:
- Affinity setting for wad (hexadecimal value up to 256 bits in the format of
xxxxxxxxxxxxxxxx).
type: str
wad_csvc_cs_count:
description:
- Number of concurrent WAD-cache-service object-cache processes.
type: int
wad_csvc_db_count:
description:
- Number of concurrent WAD-cache-service byte-cache processes.
type: int
wad_memory_change_granularity:
description:
- Minimum percentage change in system memory usage detected by the wad daemon
prior to adjusting TCP window size for any active connection.
type: int
wad_source_affinity:
choices:
- disable
- enable
description:
- Enable/disable dispatching traffic to WAD workers based on source affinity.
type: str
wad_worker_count:
description:
- Number of explicit proxy WAN optimization daemon (WAD) processes. By default
WAN optimization, explicit proxy, and web caching is handled by all of the CPU
cores in a FortiGate unit.
type: int
wifi_ca_certificate:
description:
- CA certificate that verifies the WiFi certificate. Source certificate.ca.name.
type: str
wifi_certificate:
description:
- Certificate to use for WiFi authentication. Source certificate.local.name.
type: str
wimax_4g_usb:
choices:
- enable
- disable
description:
- Enable/disable comparability with WiMAX 4G USB devices.
type: str
wireless_controller:
choices:
- enable
- disable
description:
- Enable/disable the wireless controller feature to use the FortiGate unit to
manage FortiAPs.
type: str
wireless_controller_port:
description:
- Port used for the control channel in wireless controller mode (wireless-mode
is ac). The data channel port is the control channel port number plus one (1024
- 49150).
type: int
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str