Try SpotterVPN certificate setting in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of lix_fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install lix_fortinet.fortios:==102.2.120
collections:
- name: lix_fortinet.fortios
version: 102.2.120This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: VPN certificate setting.
fortios_vpn_certificate_setting:
vdom: "{{ vdom }}"
vpn_certificate_setting:
cert_expire_warning: "14"
certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed448: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)"
check_ca_cert: "enable"
check_ca_chain: "enable"
cmp_key_usage_checking: "enable"
cmp_save_extra_certs: "enable"
cn_allow_multi: "disable"
cn_match: "substring"
crl_verification:
chain_crl_absence: "ignore"
expiry: "ignore"
leaf_crl_absence: "ignore"
interface: "<your_own_value> (source system.interface.name)"
interface_select_method: "auto"
ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
ocsp_option: "certificate"
ocsp_status: "enable"
ssl_min_proto_version: "default"
ssl_ocsp_option: "certificate"
ssl_ocsp_source_ip: "<your_own_value>"
ssl_ocsp_status: "enable"
strict_crl_check: "enable"
strict_ocsp_check: "enable"
subject_match: "substring"
subject_set: "subset"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
vpn_certificate_setting:
default: null
description:
- VPN certificate setting.
suboptions:
cert_expire_warning:
description:
- Number of days before a certificate expires to send a warning. Set to 0 to disable
sending of the warning (0 - 100).
type: int
certname_dsa1024:
description:
- 1024 bit DSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_dsa2048:
description:
- 2048 bit DSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_ecdsa256:
description:
- 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_ecdsa384:
description:
- 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_ecdsa521:
description:
- 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_ed25519:
description:
- 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_ed448:
description:
- 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_rsa1024:
description:
- 1024 bit RSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_rsa2048:
description:
- 2048 bit RSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
certname_rsa4096:
description:
- 4096 bit RSA key certificate for re-signing server certificates for SSL inspection.
Source vpn.certificate.local.name.
type: str
check_ca_cert:
choices:
- enable
- disable
description:
- Enable/disable verification of the user certificate and pass authentication
if any CA in the chain is trusted .
type: str
check_ca_chain:
choices:
- enable
- disable
description:
- Enable/disable verification of the entire certificate chain and pass authentication
only if the chain is complete and all of the CAs in the chain are trusted .
type: str
cmp_key_usage_checking:
choices:
- enable
- disable
description:
- Enable/disable server certificate key usage checking in CMP mode .
type: str
cmp_save_extra_certs:
choices:
- enable
- disable
description:
- Enable/disable saving extra certificates in CMP mode .
type: str
cn_allow_multi:
choices:
- disable
- enable
description:
- When searching for a matching certificate, allow multiple CN fields in certificate
subject name .
type: str
cn_match:
choices:
- substring
- value
description:
- When searching for a matching certificate, control how to do CN value matching
with certificate subject name .
type: str
crl_verification:
description:
- CRL verification options.
suboptions:
chain_crl_absence:
choices:
- ignore
- revoke
description:
- CRL verification option when CRL of any certificate in chain is absent .
type: str
expiry:
choices:
- ignore
- revoke
description:
- CRL verification option when CRL is expired .
type: str
leaf_crl_absence:
choices:
- ignore
- revoke
description:
- CRL verification option when leaf CRL is absent .
type: str
type: dict
interface:
description:
- Specify outgoing interface to reach server. Source system.interface.name.
type: str
interface_select_method:
choices:
- auto
- sdwan
- specify
description:
- Specify how to select outgoing interface to reach server.
type: str
ocsp_default_server:
description:
- Default OCSP server. Source vpn.certificate.ocsp-server.name.
type: str
ocsp_option:
choices:
- certificate
- server
description:
- Specify whether the OCSP URL is from certificate or configured OCSP server.
type: str
ocsp_status:
choices:
- enable
- disable
description:
- Enable/disable receiving certificates using the OCSP.
type: str
ssl_min_proto_version:
choices:
- default
- SSLv3
- TLSv1
- TLSv1-1
- TLSv1-2
description:
- Minimum supported protocol version for SSL/TLS connections .
type: str
ssl_ocsp_option:
choices:
- certificate
- server
description:
- Specify whether the OCSP URL is from the certificate or the default OCSP server.
type: str
ssl_ocsp_source_ip:
description:
- Source IP address to use to communicate with the OCSP server.
type: str
ssl_ocsp_status:
choices:
- enable
- disable
description:
- Enable/disable SSL OCSP.
type: str
strict_crl_check:
choices:
- enable
- disable
description:
- Enable/disable strict mode CRL checking.
type: str
strict_ocsp_check:
choices:
- enable
- disable
description:
- Enable/disable strict mode OCSP checking.
type: str
subject_match:
choices:
- substring
- value
description:
- When searching for a matching certificate, control how to do RDN value matching
with certificate subject name .
type: str
subject_set:
choices:
- subset
- superset
description:
- When searching for a matching certificate, control how to do RDN set matching
with certificate subject name .
type: str
type: dict
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str