fmgr_vpn_ssl_settings – Configure SSL VPN.¶

New in version 2.1.0.

Synopsis
Requirements
FortiManager Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiManager device.
Examples include all parameters and values need to be adjusted to data sources before usage.
Tested with FortiManager v6.x and v7.x.

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

FortiManager Version Compatibility ¶

`6.0.0`
False
`6.2.0`	`6.2.1`	`6.2.2`	`6.2.3`	`6.2.5`	`6.2.6`	`6.2.7`	`6.2.8`	`6.2.9`	`6.2.10`
False	False	False	False	False	True	True	True	True	True
`6.4.0`	`6.4.1`	`6.4.2`	`6.4.3`	`6.4.4`	`6.4.5`	`6.4.6`	`6.4.7`	`6.4.8`	`6.4.9`	`6.4.10`	`6.4.11`
False	False	True	True	True	True	True	True	True	True	True	True
`7.0.0`	`7.0.1`	`7.0.2`	`7.0.3`	`7.0.4`	`7.0.5`	`7.0.6`	`7.0.7`
True	True	True	True	True	True	True	True
`7.2.0`	`7.2.1`	`7.2.2`
True	True	True
`7.4.0`
True

Parameters ¶

access_token -The token to access FortiManager without using username and password. type: str required: false
bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
enable_log - Enable/Disable logging for task. type: bool required: false default: False
forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
device - The parameter in requested url type: str required: true
vdom - The parameter in requested url type: str required: true
vpn_ssl_settings - Configure SSL VPN. type: dict

algorithm - Force the SSL VPN security level. type: str choices: [default, high, low, medium] more...

auth-session-check-source-ip - Enable/disable checking of source IP for authentication session. type: str choices: [disable, enable] more...

auth-timeout - SSL VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int more...

authentication-rule - No description for the parameter type: array more...

auth - SSL VPN authentication method restriction. type: str choices: [any, local, radius, ldap, tacacs+, peer] more...

cipher - SSL VPN cipher strength. type: str choices: [any, high, medium] more...

client-cert - Enable/disable SSL VPN client certificate restrictive. type: str choices: [disable, enable] more...

groups - User groups. type: str more...

id - ID (0 - 4294967295). type: int more...

portal - SSL VPN portal. type: str more...

realm - SSL VPN realm. type: str more...

source-address - Source address of incoming traffic. type: str more...

source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...

source-address6 - IPv6 source address of incoming traffic. type: str more...

source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...

source-interface - SSL VPN source interface of incoming traffic. type: str more...

user-peer - Name of user peer. type: str more...

users - User name. type: str more...

auto-tunnel-static-route - Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses. type: str choices: [disable, enable] more...

banned-cipher - No description for the parameter type: array choices: [RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM] more...

check-referer - Enable/disable verification of referer field in HTTP request header. type: str choices: [disable, enable] more...

default-portal - Default SSL VPN portal. type: str more...

deflate-compression-level - Compression level (0~9). type: int more...

deflate-min-data-size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int more...

dns-server1 - DNS server 1. type: str more...

dns-server2 - DNS server 2. type: str more...

dns-suffix - DNS suffix used for SSL VPN clients. type: str more...

dtls-hello-timeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). type: int more...

dtls-max-proto-ver - DTLS maximum protocol version. type: str choices: [dtls1-0, dtls1-2] more...

dtls-min-proto-ver - DTLS minimum protocol version. type: str choices: [dtls1-0, dtls1-2] more...

dtls-tunnel - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. type: str choices: [disable, enable] more...

encode-2f-sequence - Encode \2F sequence to forward slash in URLs. type: str choices: [disable, enable] more...

encrypt-and-store-password - Encrypt and store user passwords for SSL VPN web sessions. type: str choices: [disable, enable] more...

force-two-factor-auth - Enable/disable only PKI users with two-factor authentication for SSL VPNs. type: str choices: [disable, enable] more...

header-x-forwarded-for - Forward the same, add, or remove HTTP header. type: str choices: [pass, add, remove] more...

hsts-include-subdomains - Add HSTS includeSubDomains response header. type: str choices: [disable, enable] more...

http-compression - Enable/disable to allow HTTP compression over SSL VPN tunnels. type: str choices: [disable, enable] more...

http-only-cookie - Enable/disable SSL VPN support for HttpOnly cookies. type: str choices: [disable, enable] more...

http-request-body-timeout - SSL VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). type: int more...

http-request-header-timeout - SSL VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). type: int more...

https-redirect - Enable/disable redirect of port 80 to SSL VPN port. type: str choices: [disable, enable] more...

idle-timeout - SSL VPN disconnects if idle for specified time in seconds. type: int more...

ipv6-dns-server1 - IPv6 DNS server 1. type: str more...

ipv6-dns-server2 - IPv6 DNS server 2. type: str more...

ipv6-wins-server1 - IPv6 WINS server 1. type: str more...

ipv6-wins-server2 - IPv6 WINS server 2. type: str more...

login-attempt-limit - SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). type: int more...

login-block-time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). type: int more...

login-timeout - SSLVPN maximum login timeout (10 - 180 sec, default = 30). type: int more...

port - SSL VPN access port (1 - 65535). type: int more...

port-precedence - Enable/disable, Enable means that if SSL VPN connections are allowed on an interface admin GUI connections are blocked on that interface. type: str choices: [disable, enable] more...

reqclientcert - Enable/disable to require client certificates for all SSL VPN users. type: str choices: [disable, enable] more...

route-source-interface - Enable/disable to allow SSL VPN sessions to bypass routing and bind to the incoming interface. type: str choices: [disable, enable] more...

servercert - Name of the server certificate to be used for SSL VPNs. type: str more...

source-address - Source address of incoming traffic. type: str more...

source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...

source-address6 - IPv6 source address of incoming traffic. type: str more...

source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...

source-interface - SSL VPN source interface of incoming traffic. type: str more...

ssl-client-renegotiation - Enable/disable to allow client renegotiation by the server if the tunnel goes down. type: str choices: [disable, enable] more...

ssl-insert-empty-fragment - Enable/disable insertion of empty fragment. type: str choices: [disable, enable] more...

ssl-max-proto-ver - SSL maximum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...

ssl-min-proto-ver - SSL minimum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...

tlsv1-0 - Enable/disable TLSv1. type: str choices: [disable, enable] more...

tlsv1-1 - Enable/disable TLSv1. type: str choices: [disable, enable] more...

tlsv1-2 - Enable/disable TLSv1. type: str choices: [disable, enable] more...

tlsv1-3 - No description for the parameter type: str choices: [disable, enable] more...

transform-backward-slashes - Transform backward slashes to forward slashes in URLs. type: str choices: [disable, enable] more...

tunnel-connect-without-reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. type: str choices: [disable, enable] more...

tunnel-ip-pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...

tunnel-ipv6-pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...

tunnel-user-session-timeout - Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30). type: int more...

unsafe-legacy-renegotiation - Enable/disable unsafe legacy re-negotiation. type: str choices: [disable, enable] more...

url-obscuration - Enable/disable to obscure the host name of the URL of the web browser display. type: str choices: [disable, enable] more...

user-peer - Name of user peer. type: str more...

wins-server1 - WINS server 1. type: str more...

wins-server2 - WINS server 2. type: str more...

x-content-type-options - Add HTTP X-Content-Type-Options header. type: str choices: [disable, enable] more...

ssl-big-buffer - Disable using the big SSLv3 buffer feature to save memory and force higher security. type: str choices: [disable, enable] more...

sslv3 - No description for the parameter type: str choices: [disable, enable] more...

client-sigalgs - Set signature algorithms related to client authentication. type: str choices: [no-rsa-pss, all] more...

ciphersuite - No description for the parameter type: array choices: [TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256] more...

dual-stack-mode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. type: str choices: [disable, enable] more...

tunnel-addr-assigned-method - Method used for assigning address for tunnel. type: str choices: [first-available, round-robin] more...

browser-language-detection - Enable/disable overriding the configured system language based on the preferred language of the browser. type: str choices: [disable, enable] more...

saml-redirect-port - SAML local redirect port in the machine running FortiClient (0 - 65535). type: int more...

status - Enable/disable SSL-VPN. type: str choices: [disable, enable] more...

web-mode-snat - Enable/disable use of IP pools defined in firewall policy while using web-mode. type: str choices: [disable, enable] more...

ztna-trusted-client - Enable/disable verification of device certificate for SSLVPN ZTNA session. type: str choices: [disable, enable] more...

dtls-heartbeat-fail-count - Number of missing heartbeats before the connection is considered dropped. type: int more...

dtls-heartbeat-idle-timeout - Idle timeout before DTLS heartbeat is sent. type: int more...

dtls-heartbeat-interval - Interval between DTLS heartbeat. type: int more...

server-hostname - Server hostname for HTTPS. type: str more...

Notes ¶

Note

Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state: present directive.
To delete an object, use state: absent directive
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples ¶

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure SSL VPN.
     fmgr_vpn_ssl_settings:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
           algorithm: <value in [default, high, low, ...]>
           auth-session-check-source-ip: <value in [disable, enable]>
           auth-timeout: <value of integer>
           authentication-rule:
             -
                 auth: <value in [any, local, radius, ...]>
                 cipher: <value in [any, high, medium]>
                 client-cert: <value in [disable, enable]>
                 groups: <value of string>
                 id: <value of integer>
                 portal: <value of string>
                 realm: <value of string>
                 source-address: <value of string>
                 source-address-negate: <value in [disable, enable]>
                 source-address6: <value of string>
                 source-address6-negate: <value in [disable, enable]>
                 source-interface: <value of string>
                 user-peer: <value of string>
                 users: <value of string>
           auto-tunnel-static-route: <value in [disable, enable]>
           banned-cipher:
             - RSA
             - DH
             - DHE
             - ECDH
             - ECDHE
             - DSS
             - ECDSA
             - AES
             - AESGCM
             - CAMELLIA
             - 3DES
             - SHA1
             - SHA256
             - SHA384
             - STATIC
             - CHACHA20
             - ARIA
             - AESCCM
           check-referer: <value in [disable, enable]>
           default-portal: <value of string>
           deflate-compression-level: <value of integer>
           deflate-min-data-size: <value of integer>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           dtls-hello-timeout: <value of integer>
           dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-tunnel: <value in [disable, enable]>
           encode-2f-sequence: <value in [disable, enable]>
           encrypt-and-store-password: <value in [disable, enable]>
           force-two-factor-auth: <value in [disable, enable]>
           header-x-forwarded-for: <value in [pass, add, remove]>
           hsts-include-subdomains: <value in [disable, enable]>
           http-compression: <value in [disable, enable]>
           http-only-cookie: <value in [disable, enable]>
           http-request-body-timeout: <value of integer>
           http-request-header-timeout: <value of integer>
           https-redirect: <value in [disable, enable]>
           idle-timeout: <value of integer>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           login-attempt-limit: <value of integer>
           login-block-time: <value of integer>
           login-timeout: <value of integer>
           port: <value of integer>
           port-precedence: <value in [disable, enable]>
           reqclientcert: <value in [disable, enable]>
           route-source-interface: <value in [disable, enable]>
           servercert: <value of string>
           source-address: <value of string>
           source-address-negate: <value in [disable, enable]>
           source-address6: <value of string>
           source-address6-negate: <value in [disable, enable]>
           source-interface: <value of string>
           ssl-client-renegotiation: <value in [disable, enable]>
           ssl-insert-empty-fragment: <value in [disable, enable]>
           ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           tlsv1-0: <value in [disable, enable]>
           tlsv1-1: <value in [disable, enable]>
           tlsv1-2: <value in [disable, enable]>
           tlsv1-3: <value in [disable, enable]>
           transform-backward-slashes: <value in [disable, enable]>
           tunnel-connect-without-reauth: <value in [disable, enable]>
           tunnel-ip-pools: <value of string>
           tunnel-ipv6-pools: <value of string>
           tunnel-user-session-timeout: <value of integer>
           unsafe-legacy-renegotiation: <value in [disable, enable]>
           url-obscuration: <value in [disable, enable]>
           user-peer: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           x-content-type-options: <value in [disable, enable]>
           ssl-big-buffer: <value in [disable, enable]>
           sslv3: <value in [disable, enable]>
           client-sigalgs: <value in [no-rsa-pss, all]>
           ciphersuite:
             - TLS-AES-128-GCM-SHA256
             - TLS-AES-256-GCM-SHA384
             - TLS-CHACHA20-POLY1305-SHA256
             - TLS-AES-128-CCM-SHA256
             - TLS-AES-128-CCM-8-SHA256
           dual-stack-mode: <value in [disable, enable]>
           tunnel-addr-assigned-method: <value in [first-available, round-robin]>
           browser-language-detection: <value in [disable, enable]>
           saml-redirect-port: <value of integer>
           status: <value in [disable, enable]>
           web-mode-snat: <value in [disable, enable]>
           ztna-trusted-client: <value in [disable, enable]>
           dtls-heartbeat-fail-count: <value of integer>
           dtls-heartbeat-idle-timeout: <value of integer>
           dtls-heartbeat-interval: <value of integer>
           server-hostname: <value of string>

Return Values ¶

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

meta - The result of the request.returned: always type: dict

request_url - The full url requested. returned: always type: str sample: /sys/login/user
response_code - The status of api request. returned: always type: int sample: 0
response_data - The data body of the api response. returned: optional type: list or dict
response_message - The descriptive message of the api response. returned: always type: str sample: OK
system_information - The information of the target system. returned: always type: dict

rc - The status the request. returned: always type: int 0
version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least on parameter mpt supported by the current FortiManager version type: list 0

Status ¶

This module is not guaranteed to have a backwards compatible interface.

Authors ¶

Xinwei Du (@dux-fortinet)
Xing Li (@lix-fortinet)
Jie Xue (@JieX19)
Link Zheng (@chillancezen)
Frank Shen (@fshen01)
Hongbin Lu (@fgtdev-hblu)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.