fmgr_vpn_ssl_settings – Configure SSL VPN.

New in version 2.1.0.

Synopsis

  • This module is able to configure a FortiManager device.
  • The examples include all parameters; adjust the values to your own data sources before use.
  • Tested with FortiManager v6.x and v7.x.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

FortiManager Version Compatibility

  Version    6.0.0
  Supported  False

  Version    6.2.0  6.2.1  6.2.2  6.2.3  6.2.5  6.2.6  6.2.7  6.2.8  6.2.9  6.2.10  6.2.11
  Supported  False  False  False  False  False  True   True   True   True   True    True

  Version    6.4.0  6.4.1  6.4.2  6.4.3  6.4.4  6.4.5  6.4.6  6.4.7  6.4.8  6.4.9  6.4.10  6.4.11  6.4.12
  Supported  False  False  True   True   True   True   True   True   True   True   True    True    True

  Version    7.0.0  7.0.1  7.0.2  7.0.3  7.0.4  7.0.5  7.0.6  7.0.7  7.0.8
  Supported  True   True   True   True   True   True   True   True   True

  Version    7.2.0  7.2.1  7.2.2  7.2.3
  Supported  True   True   True   True

  Version    7.4.0
  Supported  True

Parameters

  • access_token - The token to access FortiManager without using a username and password. type: str required: false
  • bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
  • enable_log - Enable/disable logging for the task. type: bool required: false default: False
  • forticloud_access_token - Access token of FortiCloud managed API users; this option is available with FortiManager later than 6.4.0. type: str required: false
  • proposed_method - The overridden method for the underlying JSON-RPC request. type: str required: false choices: set, update, add
  • rc_succeeded - The list of rc codes with which the conditions to succeed will be overridden. type: list required: false
  • rc_failed - The list of rc codes with which the conditions to fail will be overridden. type: list required: false
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release the workspace lock. type: integer required: false default: 300
  • device - The parameter in the requested URL. type: str required: true
  • vdom - The parameter in the requested URL. type: str required: true
  • vpn_ssl_settings - Configure SSL VPN. type: dict
    • algorithm - Force the SSL VPN security level. type: str choices: [default, high, low, medium] more...
    • auth-session-check-source-ip - Enable/disable checking of source IP for authentication session. type: str choices: [disable, enable] more...
    • auth-timeout - SSL VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int more...
    • authentication-rule - No description for the parameter type: array more...
      • auth - SSL VPN authentication method restriction. type: str choices: [any, local, radius, ldap, tacacs+, peer] more...
      • cipher - SSL VPN cipher strength. type: str choices: [any, high, medium] more...
      • client-cert - Enable/disable SSL VPN client certificate restriction. type: str choices: [disable, enable] more...
      • groups - User groups. type: str more...
      • id - ID (0 - 4294967295). type: int more...
      • portal - SSL VPN portal. type: str more...
      • realm - SSL VPN realm. type: str more...
      • source-address - Source address of incoming traffic. type: str more...
      • source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...
      • source-address6 - IPv6 source address of incoming traffic. type: str more...
      • source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...
      • source-interface - SSL VPN source interface of incoming traffic. type: str more...
      • user-peer - Name of user peer. type: str more...
      • users - User name. type: str more...
    • auto-tunnel-static-route - Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses. type: str choices: [disable, enable] more...
    • banned-cipher - No description for the parameter type: array choices: [RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM] more...
    • check-referer - Enable/disable verification of referer field in HTTP request header. type: str choices: [disable, enable] more...
    • default-portal - Default SSL VPN portal. type: str more...
    • deflate-compression-level - Compression level (0~9). type: int more...
    • deflate-min-data-size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int more...
    • dns-server1 - DNS server 1. type: str more...
    • dns-server2 - DNS server 2. type: str more...
    • dns-suffix - DNS suffix used for SSL VPN clients. type: str more...
    • dtls-hello-timeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). type: int more...
    • dtls-max-proto-ver - DTLS maximum protocol version. type: str choices: [dtls1-0, dtls1-2] more...
    • dtls-min-proto-ver - DTLS minimum protocol version. type: str choices: [dtls1-0, dtls1-2] more...
    • dtls-tunnel - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. type: str choices: [disable, enable] more...
    • encode-2f-sequence - Encode \2F sequence to forward slash in URLs. type: str choices: [disable, enable] more...
    • encrypt-and-store-password - Encrypt and store user passwords for SSL VPN web sessions. type: str choices: [disable, enable] more...
    • force-two-factor-auth - Enable/disable only PKI users with two-factor authentication for SSL VPNs. type: str choices: [disable, enable] more...
    • header-x-forwarded-for - Forward the same, add, or remove HTTP header. type: str choices: [pass, add, remove] more...
    • hsts-include-subdomains - Add HSTS includeSubDomains response header. type: str choices: [disable, enable] more...
    • http-compression - Enable/disable to allow HTTP compression over SSL VPN tunnels. type: str choices: [disable, enable] more...
    • http-only-cookie - Enable/disable SSL VPN support for HttpOnly cookies. type: str choices: [disable, enable] more...
    • http-request-body-timeout - SSL VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). type: int more...
    • http-request-header-timeout - SSL VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). type: int more...
    • https-redirect - Enable/disable redirect of port 80 to SSL VPN port. type: str choices: [disable, enable] more...
    • idle-timeout - SSL VPN disconnects if idle for specified time in seconds. type: int more...
    • ipv6-dns-server1 - IPv6 DNS server 1. type: str more...
    • ipv6-dns-server2 - IPv6 DNS server 2. type: str more...
    • ipv6-wins-server1 - IPv6 WINS server 1. type: str more...
    • ipv6-wins-server2 - IPv6 WINS server 2. type: str more...
    • login-attempt-limit - SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). type: int more...
    • login-block-time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). type: int more...
    • login-timeout - SSLVPN maximum login timeout (10 - 180 sec, default = 30). type: int more...
    • port - SSL VPN access port (1 - 65535). type: int more...
    • port-precedence - Enable/disable port precedence. When enabled, admin GUI connections are blocked on any interface on which SSL VPN connections are allowed. type: str choices: [disable, enable] more...
    • reqclientcert - Enable/disable to require client certificates for all SSL VPN users. type: str choices: [disable, enable] more...
    • route-source-interface - Enable/disable to allow SSL VPN sessions to bypass routing and bind to the incoming interface. type: str choices: [disable, enable] more...
    • servercert - Name of the server certificate to be used for SSL VPNs. type: str more...
    • source-address - Source address of incoming traffic. type: str more...
    • source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...
    • source-address6 - IPv6 source address of incoming traffic. type: str more...
    • source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...
    • source-interface - SSL VPN source interface of incoming traffic. type: str more...
    • ssl-client-renegotiation - Enable/disable to allow client renegotiation by the server if the tunnel goes down. type: str choices: [disable, enable] more...
    • ssl-insert-empty-fragment - Enable/disable insertion of empty fragment. type: str choices: [disable, enable] more...
    • ssl-max-proto-ver - SSL maximum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...
    • ssl-min-proto-ver - SSL minimum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...
    • tlsv1-0 - Enable/disable TLSv1.0. type: str choices: [disable, enable] more...
    • tlsv1-1 - Enable/disable TLSv1.1. type: str choices: [disable, enable] more...
    • tlsv1-2 - Enable/disable TLSv1.2. type: str choices: [disable, enable] more...
    • tlsv1-3 - No description for the parameter type: str choices: [disable, enable] more...
    • transform-backward-slashes - Transform backward slashes to forward slashes in URLs. type: str choices: [disable, enable] more...
    • tunnel-connect-without-reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. type: str choices: [disable, enable] more...
    • tunnel-ip-pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...
    • tunnel-ipv6-pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...
    • tunnel-user-session-timeout - Timeout value to clean up the user session after the tunnel connection is dropped (1 - 255 sec, default = 30). type: int more...
    • unsafe-legacy-renegotiation - Enable/disable unsafe legacy re-negotiation. type: str choices: [disable, enable] more...
    • url-obscuration - Enable/disable to obscure the host name of the URL of the web browser display. type: str choices: [disable, enable] more...
    • user-peer - Name of user peer. type: str more...
    • wins-server1 - WINS server 1. type: str more...
    • wins-server2 - WINS server 2. type: str more...
    • x-content-type-options - Add HTTP X-Content-Type-Options header. type: str choices: [disable, enable] more...
    • sslv3 - No description for the parameter type: str choices: [disable, enable] more...
    • ssl-big-buffer - Disable using the big SSLv3 buffer feature to save memory and force higher security. type: str choices: [disable, enable] more...
    • client-sigalgs - Set signature algorithms related to client authentication. type: str choices: [no-rsa-pss, all] more...
    • ciphersuite - No description for the parameter type: array choices: [TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256] more...
    • dual-stack-mode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. type: str choices: [disable, enable] more...
    • tunnel-addr-assigned-method - Method used for assigning address for tunnel. type: str choices: [first-available, round-robin] more...
    • browser-language-detection - Enable/disable overriding the configured system language based on the preferred language of the browser. type: str choices: [disable, enable] more...
    • saml-redirect-port - SAML local redirect port in the machine running FortiClient (0 - 65535). type: int more...
    • status - Enable/disable SSL-VPN. type: str choices: [disable, enable] more...
    • web-mode-snat - Enable/disable use of IP pools defined in firewall policy while using web-mode. type: str choices: [disable, enable] more...
    • ztna-trusted-client - Enable/disable verification of device certificate for SSLVPN ZTNA session. type: str choices: [disable, enable] more...
    • dtls-heartbeat-fail-count - Number of missing heartbeats before the connection is considered dropped. type: int more...
    • dtls-heartbeat-idle-timeout - Idle timeout before DTLS heartbeat is sent. type: int more...
    • dtls-heartbeat-interval - Interval between DTLS heartbeat. type: int more...
    • server-hostname - Server hostname for HTTPS. type: str more...

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout do the work.
  • To create or update an object, use the state: present directive.
  • To delete an object, use the state: absent directive.
  • Normally, running a module fails when a non-zero rc is returned; you can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure SSL VPN.
     fmgr_vpn_ssl_settings:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
           algorithm: <value in [default, high, low, ...]>
           auth-session-check-source-ip: <value in [disable, enable]>
           auth-timeout: <value of integer>
           authentication-rule:
             -
                 auth: <value in [any, local, radius, ...]>
                 cipher: <value in [any, high, medium]>
                 client-cert: <value in [disable, enable]>
                 groups: <value of string>
                 id: <value of integer>
                 portal: <value of string>
                 realm: <value of string>
                 source-address: <value of string>
                 source-address-negate: <value in [disable, enable]>
                 source-address6: <value of string>
                 source-address6-negate: <value in [disable, enable]>
                 source-interface: <value of string>
                 user-peer: <value of string>
                 users: <value of string>
           auto-tunnel-static-route: <value in [disable, enable]>
           banned-cipher:
             - RSA
             - DH
             - DHE
             - ECDH
             - ECDHE
             - DSS
             - ECDSA
             - AES
             - AESGCM
             - CAMELLIA
             - 3DES
             - SHA1
             - SHA256
             - SHA384
             - STATIC
             - CHACHA20
             - ARIA
             - AESCCM
           check-referer: <value in [disable, enable]>
           default-portal: <value of string>
           deflate-compression-level: <value of integer>
           deflate-min-data-size: <value of integer>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           dtls-hello-timeout: <value of integer>
           dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-tunnel: <value in [disable, enable]>
           encode-2f-sequence: <value in [disable, enable]>
           encrypt-and-store-password: <value in [disable, enable]>
           force-two-factor-auth: <value in [disable, enable]>
           header-x-forwarded-for: <value in [pass, add, remove]>
           hsts-include-subdomains: <value in [disable, enable]>
           http-compression: <value in [disable, enable]>
           http-only-cookie: <value in [disable, enable]>
           http-request-body-timeout: <value of integer>
           http-request-header-timeout: <value of integer>
           https-redirect: <value in [disable, enable]>
           idle-timeout: <value of integer>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           login-attempt-limit: <value of integer>
           login-block-time: <value of integer>
           login-timeout: <value of integer>
           port: <value of integer>
           port-precedence: <value in [disable, enable]>
           reqclientcert: <value in [disable, enable]>
           route-source-interface: <value in [disable, enable]>
           servercert: <value of string>
           source-address: <value of string>
           source-address-negate: <value in [disable, enable]>
           source-address6: <value of string>
           source-address6-negate: <value in [disable, enable]>
           source-interface: <value of string>
           ssl-client-renegotiation: <value in [disable, enable]>
           ssl-insert-empty-fragment: <value in [disable, enable]>
           ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           tlsv1-0: <value in [disable, enable]>
           tlsv1-1: <value in [disable, enable]>
           tlsv1-2: <value in [disable, enable]>
           tlsv1-3: <value in [disable, enable]>
           transform-backward-slashes: <value in [disable, enable]>
           tunnel-connect-without-reauth: <value in [disable, enable]>
           tunnel-ip-pools: <value of string>
           tunnel-ipv6-pools: <value of string>
           tunnel-user-session-timeout: <value of integer>
           unsafe-legacy-renegotiation: <value in [disable, enable]>
           url-obscuration: <value in [disable, enable]>
           user-peer: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           x-content-type-options: <value in [disable, enable]>
           sslv3: <value in [disable, enable]>
           ssl-big-buffer: <value in [disable, enable]>
           client-sigalgs: <value in [no-rsa-pss, all]>
           ciphersuite:
             - TLS-AES-128-GCM-SHA256
             - TLS-AES-256-GCM-SHA384
             - TLS-CHACHA20-POLY1305-SHA256
             - TLS-AES-128-CCM-SHA256
             - TLS-AES-128-CCM-8-SHA256
           dual-stack-mode: <value in [disable, enable]>
           tunnel-addr-assigned-method: <value in [first-available, round-robin]>
           browser-language-detection: <value in [disable, enable]>
           saml-redirect-port: <value of integer>
           status: <value in [disable, enable]>
           web-mode-snat: <value in [disable, enable]>
           ztna-trusted-client: <value in [disable, enable]>
           dtls-heartbeat-fail-count: <value of integer>
           dtls-heartbeat-idle-timeout: <value of integer>
           dtls-heartbeat-interval: <value of integer>
           server-hostname: <value of string>

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • meta - The result of the request. returned: always type: dict
    • request_url - The full url requested. returned: always type: str sample: /sys/login/user
    • response_code - The status of api request. returned: always type: int sample: 0
    • response_data - The data body of the api response. returned: optional type: list or dict
    • response_message - The descriptive message of the api response. returned: always type: str sample: OK
    • system_information - The information of the target system. returned: always type: dict
  • rc - The status of the request. returned: always type: int sample: 0
  • version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter is not supported by the current FortiManager version type: list sample: 0
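As an added example that is not part of the module documentation or the collection's own code, the playbook below uses the parameters listed above to apply a hardened SSL VPN listener configuration, takes the ADOM workspace lock as the Notes describe, and checks the rc, meta.response_code and version_check_warning return values. The device, VDOM, certificate, portal, user-group and interface names are assumed placeholders; the listener port and timeouts are illustrative values chosen within the documented ranges.

```yaml
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate outside lab use
    ansible_httpapi_port: 443
    fgt_device: "FGT-EXAMPLE-01"           # assumed managed device name
    fgt_vdom: "root"                       # assumed VDOM
  tasks:
    - name: Harden the SSL VPN listener on the managed FortiGate
      fmgr_vpn_ssl_settings:
        workspace_locking_adom: root       # lock the ADOM when FortiManager runs in workspace mode
        workspace_locking_timeout: 300
        device: "{{ fgt_device }}"
        vdom: "{{ fgt_vdom }}"
        vpn_ssl_settings:
          status: enable
          port: 10443                      # keep the VPN listener off the admin GUI port
          port-precedence: enable
          servercert: "sslvpn-example-cert"  # assumed certificate name on the FortiGate
          # Protocol floor: TLS 1.2 and 1.3 only; SSLv3 and TLS 1.0/1.1 off
          sslv3: disable
          tlsv1-0: disable
          tlsv1-1: disable
          tlsv1-2: enable
          tlsv1-3: enable
          ssl-min-proto-ver: tls1-2
          ssl-max-proto-ver: tls1-3
          algorithm: high
          # Remove weak key-exchange, cipher and hash families from negotiation
          banned-cipher:
            - RSA
            - DH
            - DSS
            - 3DES
            - SHA1
            - STATIC
          ciphersuite:
            - TLS-AES-256-GCM-SHA384
            - TLS-AES-128-GCM-SHA256
            - TLS-CHACHA20-POLY1305-SHA256
          ssl-client-renegotiation: disable
          unsafe-legacy-renegotiation: disable
          ssl-insert-empty-fragment: enable
          dtls-tunnel: enable
          dtls-min-proto-ver: dtls1-2
          dtls-max-proto-ver: dtls1-2
          # Authentication hygiene: client certificates, 2FA, lockout, session limits
          reqclientcert: enable
          force-two-factor-auth: enable
          auth-session-check-source-ip: enable
          login-attempt-limit: 3
          login-block-time: 300
          login-timeout: 30
          auth-timeout: 28800
          idle-timeout: 900
          tunnel-connect-without-reauth: disable
          encrypt-and-store-password: disable
          # Web-mode browser protections
          check-referer: enable
          http-only-cookie: enable
          hsts-include-subdomains: enable
          x-content-type-options: enable
          http-compression: disable
          default-portal: "full-access"    # assumed portal name
          authentication-rule:
            - id: 1
              auth: ldap
              cipher: high
              client-cert: enable
              groups: "vpn-users"          # assumed user group
              portal: "full-access"
              source-interface: "wan1"     # assumed interface name
      register: sslvpn_result

    - name: Fail when FortiManager did not accept the configuration
      assert:
        that:
          - sslvpn_result.rc == 0
          - sslvpn_result.meta.response_code == 0
        fail_msg: "FortiManager returned: {{ sslvpn_result.meta.response_message }}"

    - name: Show parameters the target FortiManager version does not support
      debug:
        var: sslvpn_result.version_check_warning
      when: sslvpn_result.version_check_warning is defined
```

Run it with ansible-playbook against an inventory whose fortimanager-inventory group uses the httpapi connection. rc_succeeded and rc_failed are left at their defaults, so a non-zero rc fails the first task on its own; the assert task additionally pins meta.response_code so that a request FortiManager accepted but answered with an API error is not silently treated as success, and the final debug task makes version_check_warning visible when a parameter such as tlsv1-3 or ciphersuite is ignored by an older FortiManager.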

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Xinwei Du (@dux-fortinet)
  • Xing Li (@lix-fortinet)
  • Jie Xue (@JieX19)
  • Link Zheng (@chillancezen)
  • Frank Shen (@fshen01)
  • Hongbin Lu (@fgtdev-hblu)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.