fmgr_pm_config_pblock_firewall_policy – Configure IPv4/IPv6 policies.
Added in version 2.1.0.
Warning
Starting in version 3.0.0, all input arguments will be named using the underscore naming convention (snake_case).
Argument name before 3.0.0: var-name, var name, var.name
New argument name starting in 3.0.0: var_name
FortiManager Ansible v2.4+ supports both the previous argument names and the new underscore names. You will receive deprecation warnings if you keep using the previous argument names. You can ignore the warning by setting deprecation_warnings=False in ansible.cfg.
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters, and values need to be adjusted to data sources before usage.
Tested with FortiManager v7.x.
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15.0
FortiManager Version Compatibility
Supported Version Ranges: v7.0.3 -> latest
Parameters
- access_token - The token to access FortiManager without using username and password. type: str required: false
- bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- forticloud_access_token - Access token of forticloud managed API users; this option is available with FortiManager later than 6.4.0. type: str required: false
- proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
- rc_succeeded - The rc codes list with which the conditions to succeed will be overridden. type: list required: false
- rc_failed - The rc codes list with which the conditions to fail will be overridden. type: list required: false
- state - The directive to create, update or delete an object. type: str required: true choices: present, absent
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
- adom - The parameter in the requested URL. type: str required: true
- pblock - The parameter in the requested URL. type: str required: true
- pm_config_pblock_firewall_policy - Configure IPv4/IPv6 policies. type: dict
  - _policy_block - Assigned policy block. type: int
  - action - Policy action (accept/deny/ipsec). type: str choices: [deny, accept, ipsec, ssl-vpn, redirect, isolate]
  - anti_replay (Alias name: anti-replay) - Enable/disable anti-replay check. type: str choices: [disable, enable]
  - application_list (Alias name: application-list) - Name of an existing application list. type: str
  - auth_cert (Alias name: auth-cert) - Https server certificate for policy authentication. type: str
  - auth_path (Alias name: auth-path) - Enable/disable authentication-based routing. type: str choices: [disable, enable]
  - auth_redirect_addr (Alias name: auth-redirect-addr) - Http-to-https redirect address for firewall authentication. type: str
  - auto_asic_offload (Alias name: auto-asic-offload) - Enable/disable policy traffic asic offloading. type: str choices: [disable, enable]
  - av_profile (Alias name: av-profile) - Name of an existing antivirus profile. type: str
  - block_notification (Alias name: block-notification) - Enable/disable block notification. type: str choices: [disable, enable]
  - captive_portal_exempt (Alias name: captive-portal-exempt) - Enable to exempt some users from the captive portal. type: str choices: [disable, enable]
  - capture_packet (Alias name: capture-packet) - Enable/disable capture packets. type: str choices: [disable, enable]
  - cifs_profile (Alias name: cifs-profile) - Name of an existing cifs profile. type: str
  - comments - Comment. type: str
  - custom_log_fields (Alias name: custom-log-fields) - Custom fields to append to log messages for this policy. type: list
  - decrypted_traffic_mirror (Alias name: decrypted-traffic-mirror) - Decrypted traffic mirror. type: str
  - delay_tcp_npu_session (Alias name: delay-tcp-npu-session) - Enable tcp npu session delay to guarantee packet order of 3-way handshake. type: str choices: [disable, enable]
  - diffserv_forward (Alias name: diffserv-forward) - Enable to change packets diffserv values to the specified diffservcode-forward value. type: str choices: [disable, enable]
  - diffserv_reverse (Alias name: diffserv-reverse) - Enable to change packets reverse (reply) diffserv values to the specified diffservcode-rev value. type: str choices: [disable, enable]
  - diffservcode_forward (Alias name: diffservcode-forward) - Change packets diffserv to this value. type: str
  - diffservcode_rev (Alias name: diffservcode-rev) - Change packets reverse (reply) diffserv to this value. type: str
  - disclaimer - Enable/disable user authentication disclaimer. type: str choices: [disable, enable, user, domain, policy]
  - dlp_profile (Alias name: dlp-profile) - Name of an existing dlp profile. type: str
  - dnsfilter_profile (Alias name: dnsfilter-profile) - Name of an existing dns filter profile. type: str
  - dsri - Enable dsri to ignore http server responses. type: str choices: [disable, enable]
  - dstaddr - Destination ipv4 address and address group names. type: list
  - dstaddr_negate (Alias name: dstaddr-negate) - When enabled dstaddr/dstaddr6 specifies what the destination address must not be. type: str choices: [disable, enable]
  - dstaddr6 - Destination ipv6 address name and address group names. type: list
  - dstintf - Outgoing (egress) interface. type: list
  - dynamic_shaping (Alias name: dynamic-shaping) - Enable/disable dynamic radius defined traffic shaping. type: str choices: [disable, enable]
  - email_collect (Alias name: email-collect) - Enable/disable email collection. type: str choices: [disable, enable]
  - emailfilter_profile (Alias name: emailfilter-profile) - Name of an existing email filter profile. type: str
  - fec - Enable/disable forward error correction on traffic matching this policy on a fec device. type: str choices: [disable, enable]
  - file_filter_profile (Alias name: file-filter-profile) - Name of an existing file-filter profile. type: str
  - firewall_session_dirty (Alias name: firewall-session-dirty) - How to handle sessions if the configuration of this firewall policy changes. type: str choices: [check-all, check-new]
  - fixedport - Enable to prevent source nat from changing a sessions source port. type: str choices: [disable, enable]
  - fsso_agent_for_ntlm (Alias name: fsso-agent-for-ntlm) - Fsso agent to use for ntlm authentication. type: str
  - fsso_groups (Alias name: fsso-groups) - Names of fsso groups. type: list
  - geoip_anycast (Alias name: geoip-anycast) - Enable/disable recognition of anycast ip addresses using the geography ip database. type: str choices: [disable, enable]
  - geoip_match (Alias name: geoip-match) - Match geography address based either on its physical location or registered location. type: str choices: [physical-location, registered-location]
  - global_label (Alias name: global-label) - Label for the policy that appears when the gui is in global view mode. type: str
  - groups - Names of user groups that can authenticate with this policy. type: list
  - gtp_profile (Alias name: gtp-profile) - Gtp profile. type: str
  - http_policy_redirect (Alias name: http-policy-redirect) - Redirect http(s) traffic to matching transparent web proxy policy. type: str choices: [disable, enable]
  - icap_profile (Alias name: icap-profile) - Name of an existing icap profile. type: str
  - identity_based_route (Alias name: identity-based-route) - Name of identity-based routing rule. type: str
  - inbound - Policy-based ipsec vpn: only traffic from the remote network can initiate a vpn. type: str choices: [disable, enable]
  - inspection_mode (Alias name: inspection-mode) - Policy inspection mode (flow/proxy). type: str choices: [proxy, flow]
  - internet_service (Alias name: internet-service) - Enable/disable use of internet services for this policy. type: str choices: [disable, enable]
  - internet_service_custom (Alias name: internet-service-custom) - Custom internet service name. type: list
  - internet_service_custom_group (Alias name: internet-service-custom-group) - Custom internet service group name. type: list
  - internet_service_group (Alias name: internet-service-group) - Internet service group name. type: list
  - internet_service_name (Alias name: internet-service-name) - Internet service name. type: list
  - internet_service_negate (Alias name: internet-service-negate) - When enabled internet-service specifies what the service must not be. type: str choices: [disable, enable]
  - internet_service_src (Alias name: internet-service-src) - Enable/disable use of internet services in source for this policy. type: str choices: [disable, enable]
  - internet_service_src_custom (Alias name: internet-service-src-custom) - Custom internet service source name. type: list
  - internet_service_src_custom_group (Alias name: internet-service-src-custom-group) - Custom internet service source group name. type: list
  - internet_service_src_group (Alias name: internet-service-src-group) - Internet service source group name. type: list
  - internet_service_src_name (Alias name: internet-service-src-name) - Internet service source name. type: list
  - internet_service_src_negate (Alias name: internet-service-src-negate) - When enabled internet-service-src specifies what the service must not be. type: str choices: [disable, enable]
  - ippool - Enable to use ip pools for source nat. type: str choices: [disable, enable]
  - ips_sensor (Alias name: ips-sensor) - Name of an existing ips sensor. type: str
  - label - Label for the policy that appears when the gui is in section view mode. type: str
  - logtraffic - Enable or disable logging. type: str choices: [disable, enable, all, utm]
  - logtraffic_start (Alias name: logtraffic-start) - Record logs when a session starts. type: str choices: [disable, enable]
  - match_vip (Alias name: match-vip) - Enable to match packets that have had their destination addresses changed by a vip. type: str choices: [disable, enable]
  - match_vip_only (Alias name: match-vip-only) - Enable/disable matching of only those packets that have had their destination addresses changed by a vip. type: str choices: [disable, enable]
  - name - Policy name. type: str
  - nat - Enable/disable source nat. type: str choices: [disable, enable]
  - nat46 - Enable/disable nat46. type: str choices: [disable, enable]
  - nat64 - Enable/disable nat64. type: str choices: [disable, enable]
  - natinbound - Policy-based ipsec vpn: apply destination nat to inbound traffic. type: str choices: [disable, enable]
  - natip - Policy-based ipsec vpn: source nat ip address for outgoing traffic. type: str
  - natoutbound - Policy-based ipsec vpn: apply source nat to outbound traffic. type: str choices: [disable, enable]
  - np_acceleration (Alias name: np-acceleration) - Enable/disable utm network processor acceleration. type: str choices: [disable, enable]
  - ntlm - Enable/disable ntlm authentication. type: str choices: [disable, enable]
  - ntlm_enabled_browsers (Alias name: ntlm-enabled-browsers) - Http-user-agent value of supported browsers. type: list
  - ntlm_guest (Alias name: ntlm-guest) - Enable/disable ntlm guest user access. type: str choices: [disable, enable]
  - outbound - Policy-based ipsec vpn: only traffic from the internal network can initiate a vpn. type: str choices: [disable, enable]
  - passive_wan_health_measurement (Alias name: passive-wan-health-measurement) - Enable/disable passive wan health measurement. type: str choices: [disable, enable]
  - per_ip_shaper (Alias name: per-ip-shaper) - Per-ip traffic shaper. type: str
  - permit_any_host (Alias name: permit-any-host) - Accept udp packets from any host. type: str choices: [disable, enable]
  - permit_stun_host (Alias name: permit-stun-host) - Accept udp packets from any session traversal utilities for nat (stun) host. type: str choices: [disable, enable]
  - pfcp_profile (Alias name: pfcp-profile) - Pfcp profile. type: str
  - policy_expiry (Alias name: policy-expiry) - Enable/disable policy expiry. type: str choices: [disable, enable]
  - policy_expiry_date (Alias name: policy-expiry-date) - Policy expiry date (yyyy-mm-dd hh:mm:ss). type: str
  - policyid - Policy id (0 - 4294967294). type: int
  - poolname - Ip pool names. type: list
  - poolname6 - Ipv6 pool names. type: list
  - profile_group (Alias name: profile-group) - Name of profile group. type: str
  - profile_protocol_options (Alias name: profile-protocol-options) - Name of an existing protocol options profile. type: str
  - profile_type (Alias name: profile-type) - Determine whether the firewall policy allows security profile groups or single profiles only. type: str choices: [single, group]
  - radius_mac_auth_bypass (Alias name: radius-mac-auth-bypass) - Enable mac authentication bypass. type: str choices: [disable, enable]
  - redirect_url (Alias name: redirect-url) - Url users are directed to after seeing and accepting the disclaimer or authenticating. type: str
  - replacemsg_override_group (Alias name: replacemsg-override-group) - Override the default replacement message group for this policy. type: str
  - reputation_direction (Alias name: reputation-direction) - Direction of the initial traffic for reputation to take effect. type: str choices: [source, destination]
  - reputation_minimum (Alias name: reputation-minimum) - Minimum reputation to take action. type: int
  - rtp_addr (Alias name: rtp-addr) - Address names if this is an rtp nat policy. type: list
  - rtp_nat (Alias name: rtp-nat) - Enable real time protocol (rtp) nat. type: str choices: [disable, enable]
  - schedule - Schedule name. type: str
  - schedule_timeout (Alias name: schedule-timeout) - Enable to force current sessions to end when the schedule object times out. type: str choices: [disable, enable]
  - sctp_filter_profile (Alias name: sctp-filter-profile) - Name of an existing sctp filter profile. type: str
  - send_deny_packet (Alias name: send-deny-packet) - Enable to send a reply when a session is denied or blocked by a firewall policy. type: str choices: [disable, enable]
  - service - Service and service group names. type: list
  - service_negate (Alias name: service-negate) - When enabled service specifies what the service must not be. type: str choices: [disable, enable]
  - session_ttl (Alias name: session-ttl) - Ttl in seconds for sessions accepted by this policy (0 means use the system default session ttl). type: int or str
  - sgt - Security group tags. type: list
  - sgt_check (Alias name: sgt-check) - Enable/disable security group tags (sgt) check. type: str choices: [disable, enable]
  - src_vendor_mac (Alias name: src-vendor-mac) - Vendor mac source id. type: list
  - srcaddr - Source ipv4 address and address group names. type: list
  - srcaddr_negate (Alias name: srcaddr-negate) - When enabled srcaddr/srcaddr6 specifies what the source address must not be. type: str choices: [disable, enable]
  - srcaddr6 - Source ipv6 address name and address group names. type: list
  - srcintf - Incoming (ingress) interface. type: list
  - ssh_filter_profile (Alias name: ssh-filter-profile) - Name of an existing ssh filter profile. type: str
  - ssh_policy_redirect (Alias name: ssh-policy-redirect) - Redirect ssh traffic to matching transparent proxy policy. type: str choices: [disable, enable]
  - ssl_ssh_profile (Alias name: ssl-ssh-profile) - Name of an existing ssl ssh profile. type: str
  - status - Enable or disable this policy. type: str choices: [disable, enable]
  - tcp_mss_receiver (Alias name: tcp-mss-receiver) - Receiver tcp maximum segment size (mss). type: int
  - tcp_mss_sender (Alias name: tcp-mss-sender) - Sender tcp maximum segment size (mss). type: int
  - tcp_session_without_syn (Alias name: tcp-session-without-syn) - Enable/disable creation of tcp session without syn flag. type: str choices: [all, data-only, disable]
  - timeout_send_rst (Alias name: timeout-send-rst) - Enable/disable sending rst packets when tcp sessions expire. type: str choices: [disable, enable]
  - tos - Tos (type of service) value used for comparison. type: str
  - tos_mask (Alias name: tos-mask) - Non-zero bit positions are used for comparison while zero bit positions are ignored. type: str
  - tos_negate (Alias name: tos-negate) - Enable negated tos match. type: str choices: [disable, enable]
  - traffic_shaper (Alias name: traffic-shaper) - Traffic shaper. type: str
  - traffic_shaper_reverse (Alias name: traffic-shaper-reverse) - Reverse traffic shaper. type: str
  - users - Names of individual users that can authenticate with this policy. type: list
  - utm_status (Alias name: utm-status) - Enable to add one or more security profiles (av, ips, etc. type: str choices: [disable, enable]
  - uuid - Universally unique identifier (uuid; automatically assigned but can be manually reset). type: str
  - videofilter_profile (Alias name: videofilter-profile) - Name of an existing videofilter profile. type: str
  - vlan_cos_fwd (Alias name: vlan-cos-fwd) - Vlan forward direction user priority: 255 passthrough, 0 lowest, 7 highest. type: int
  - vlan_cos_rev (Alias name: vlan-cos-rev) - Vlan reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. type: int
  - vlan_filter (Alias name: vlan-filter) - Set vlan filters. type: str
  - voip_profile (Alias name: voip-profile) - Name of an existing voip profile. type: str
  - vpntunnel - Policy-based ipsec vpn: name of the ipsec vpn phase 1. type: str
  - waf_profile (Alias name: waf-profile) - Name of an existing web application firewall profile. type: str
  - wanopt - Enable/disable wan optimization. type: str choices: [disable, enable]
  - wanopt_detection (Alias name: wanopt-detection) - Wan optimization auto-detection mode. type: str choices: [active, passive, off]
  - wanopt_passive_opt (Alias name: wanopt-passive-opt) - Wan optimization passive mode options. type: str choices: [default, transparent, non-transparent]
  - wanopt_peer (Alias name: wanopt-peer) - Wan optimization peer. type: str
  - wanopt_profile (Alias name: wanopt-profile) - Wan optimization profile. type: str
  - wccp - Enable/disable forwarding traffic matching this policy to a configured wccp server. type: str choices: [disable, enable]
  - webcache - Enable/disable web cache. type: str choices: [disable, enable]
  - webcache_https (Alias name: webcache-https) - Enable/disable web cache for https. type: str choices: [disable, ssl-server, any, enable]
  - webfilter_profile (Alias name: webfilter-profile) - Name of an existing web filter profile. type: str
  - webproxy_forward_server (Alias name: webproxy-forward-server) - Webproxy forward server name. type: str
  - webproxy_profile (Alias name: webproxy-profile) - Webproxy profile name. type: str
  - ztna_ems_tag (Alias name: ztna-ems-tag) - Source ztna-ems-tag names. type: list
  - ztna_geo_tag (Alias name: ztna-geo-tag) - Source ztna-geo-tag names. type: list
  - ztna_status (Alias name: ztna-status) - Enable/disable zero trust access. type: str choices: [disable, enable]
  - policy_offload (Alias name: policy-offload) - Enable/disable hardware session setup for cgnat. type: str choices: [disable, enable]
  - cgn_session_quota (Alias name: cgn-session-quota) - Session quota. type: int
  - tcp_timeout_pid (Alias name: tcp-timeout-pid) - Tcp timeout profile id. type: str
  - udp_timeout_pid (Alias name: udp-timeout-pid) - Udp timeout profile id. type: str
  - dlp_sensor (Alias name: dlp-sensor) - Name of an existing dlp sensor. type: str
  - cgn_eif (Alias name: cgn-eif) - Enable/disable cgn endpoint independent filtering. type: str choices: [disable, enable]
  - cgn_log_server_grp (Alias name: cgn-log-server-grp) - Np log server group name. type: str
  - cgn_resource_quota (Alias name: cgn-resource-quota) - Resource quota. type: int
  - cgn_eim (Alias name: cgn-eim) - Enable/disable cgn endpoint independent mapping. type: str choices: [disable, enable]
  - mms_profile (Alias name: mms-profile) - Name of an existing mms profile. type: str
  - app_category (Alias name: app-category) - Application category id list. type: list
  - internet_service_src_id (Alias name: internet-service-src-id) - Internet service source id. type: list
  - rsso - Enable/disable radius single sign-on (rsso). type: str choices: [disable, enable]
  - internet_service_id (Alias name: internet-service-id) - Internet service id. type: list
  - best_route (Alias name: best-route) - Best route. type: str choices: [disable, enable]
  - fsso - Enable/disable fortinet single sign-on. type: str choices: [disable, enable]
  - url_category (Alias name: url-category) - Url category id list. type: list
  - app_group (Alias name: app-group) - Application group names. type: list
  - ssl_mirror_intf (Alias name: ssl-mirror-intf) - Ssl mirror interface name. type: list
  - wsso - Enable/disable wifi single sign on (wsso). type: str choices: [disable, enable]
  - ssl_mirror (Alias name: ssl-mirror) - Enable to copy decrypted ssl traffic to a fortigate interface (called ssl mirroring). type: str choices: [disable, enable]
  - application - Application id list. type: list
  - dscp_negate (Alias name: dscp-negate) - Enable negated dscp match. type: str choices: [disable, enable]
  - learning_mode (Alias name: learning-mode) - Enable to allow everything, but log all of the meaningful data for security information gathering. type: str choices: [disable, enable]
  - devices - Names of devices or device groups that can be matched by the policy. type: list
  - dscp_value (Alias name: dscp-value) - Dscp value. type: str
  - spamfilter_profile (Alias name: spamfilter-profile) - Name of an existing spam filter profile. type: str
  - scan_botnet_connections (Alias name: scan-botnet-connections) - Block or monitor connections to botnet servers or disable botnet scanning. type: str choices: [disable, block, monitor]
  - dscp_match (Alias name: dscp-match) - Enable dscp check. type: str choices: [disable, enable]
  - diffserv_copy (Alias name: diffserv-copy) - Enable to copy packets diffserv values from sessions original direction to its reply direction. type: str choices: [disable, enable]
  - dstaddr6_negate (Alias name: dstaddr6-negate) - When enabled dstaddr6 specifies what the destination address must not be. type: str choices: [disable, enable]
  - internet_service6 (Alias name: internet-service6) - Enable/disable use of ipv6 internet services for this policy. type: str choices: [disable, enable]
  - internet_service6_custom (Alias name: internet-service6-custom) - Custom ipv6 internet service name. type: list
  - internet_service6_custom_group (Alias name: internet-service6-custom-group) - Custom internet service6 group name. type: list
  - internet_service6_group (Alias name: internet-service6-group) - Internet service group name. type: list
  - internet_service6_name (Alias name: internet-service6-name) - Ipv6 internet service name. type: list
  - internet_service6_negate (Alias name: internet-service6-negate) - When enabled internet-service6 specifies what the service must not be. type: str choices: [disable, enable]
  - internet_service6_src (Alias name: internet-service6-src) - Enable/disable use of ipv6 internet services in source for this policy. type: str choices: [disable, enable]
  - internet_service6_src_custom (Alias name: internet-service6-src-custom) - Custom ipv6 internet service source name. type: list
  - internet_service6_src_custom_group (Alias name: internet-service6-src-custom-group) - Custom internet service6 source group name. type: list
  - internet_service6_src_group (Alias name: internet-service6-src-group) - Internet service6 source group name. type: list
  - internet_service6_src_name (Alias name: internet-service6-src-name) - Ipv6 internet service source name. type: list
  - internet_service6_src_negate (Alias name: internet-service6-src-negate) - When enabled internet-service6-src specifies what the service must not be. type: str choices: [disable, enable]
  - network_service_dynamic (Alias name: network-service-dynamic) - Dynamic network service name. type: list
  - network_service_src_dynamic (Alias name: network-service-src-dynamic) - Dynamic network service source name. type: list
  - reputation_direction6 (Alias name: reputation-direction6) - Direction of the initial traffic for ipv6 reputation to take effect. type: str choices: [source, destination]
  - reputation_minimum6 (Alias name: reputation-minimum6) - Ipv6 minimum reputation to take action. type: int
  - srcaddr6_negate (Alias name: srcaddr6-negate) - When enabled srcaddr6 specifies what the source address must not be. type: str choices: [disable, enable]
  - ip_version_type (Alias name: ip-version-type) - Ip version of the policy. type: str
  - ips_voip_filter (Alias name: ips-voip-filter) - Name of an existing voip (ips) profile. type: str
  - pcp_inbound (Alias name: pcp-inbound) - Enable/disable pcp inbound dnat. type: str choices: [disable, enable]
  - pcp_outbound (Alias name: pcp-outbound) - Enable/disable pcp outbound snat. type: str choices: [disable, enable]
  - pcp_poolname (Alias name: pcp-poolname) - Pcp pool names. type: list
  - policy_behaviour_type (Alias name: policy-behaviour-type) - Behaviour of the policy. type: str
  - policy_expiry_date_utc (Alias name: policy-expiry-date-utc) - Policy expiry date and time, in epoch format. type: str
  - ztna_device_ownership (Alias name: ztna-device-ownership) - Enable/disable zero trust device ownership. type: str choices: [disable, enable]
  - ztna_ems_tag_secondary (Alias name: ztna-ems-tag-secondary) - Source ztna-ems-tag-secondary names. type: list
  - ztna_policy_redirect (Alias name: ztna-policy-redirect) - Redirect ztna traffic to matching access-proxy proxy-policy. type: str choices: [disable, enable]
  - ztna_tags_match_logic (Alias name: ztna-tags-match-logic) - Ztna tag matching logic. type: str choices: [or, and]
  - casb_profile (Alias name: casb-profile) - Name of an existing casb profile. type: str
  - virtual_patch_profile (Alias name: virtual-patch-profile) - Name of an existing virtual-patch profile. type: str
  - diameter_filter_profile (Alias name: diameter-filter-profile) - Name of an existing diameter filter profile. type: str
  - port_preserve (Alias name: port-preserve) - Enable/disable preservation of the original source port from source nat if it has not been used. type: str choices: [disable, enable]
  - cgn_sw_eif_ctrl (Alias name: cgn-sw-eif-ctrl) - Enable/disable software endpoint independent filtering control. type: str choices: [disable, enable]
  - eif_check (Alias name: eif-check) - Enable/disable check endpoint-independent-filtering pinhole. type: str choices: [disable, enable]
  - eif_learn (Alias name: eif-learn) - Enable/disable learning of end-point-independent filtering pinhole. type: str choices: [disable, enable]
  - log_http_transaction (Alias name: log-http-transaction) - Enable/disable http transaction log. type: str choices: [disable, enable, all, utm]
  - radius_ip_auth_bypass (Alias name: radius-ip-auth-bypass) - Enable ip authentication bypass. type: str choices: [disable, enable]
Notes
Note
- Running in workspace locking mode is supported in this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout handle the locking.
- To create or update an object, use the state: present directive.
- To delete an object, use the state: absent directive.
- Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.
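A pre-flight check over the arguments documented above, added here as an example; it is not part of the module or of the Fortinet collection. It rewrites pre-3.0.0 argument names to snake_case and lists settings worth a second look before the task runs. The choice of rules, the catch-all object names "all" and "ALL", and the sample policy are assumptions of this example.

```python
import re

# Values from this page's choice lists that loosen or hide what a policy does.
# Which ones to flag is this example's selection, not a Fortinet rule set.
REVIEW_RULES = {
    "learning_mode": ({"enable"}, "allows everything and only logs it"),
    "logtraffic": ({"disable"}, "no traffic log for this policy"),
    "permit_any_host": ({"enable"}, "accepts UDP packets from any host"),
    "radius_mac_auth_bypass": ({"enable"}, "MAC authentication bypass"),
    "radius_ip_auth_bypass": ({"enable"}, "IP authentication bypass"),
    "tcp_session_without_syn": ({"all", "data-only"}, "TCP sessions without SYN"),
    "anti_replay": ({"disable"}, "anti-replay check is off"),
}
# Assumption: "all" (address) and "ALL" (service) are the catch-all object names.
CATCH_ALL = {"srcaddr": "all", "dstaddr": "all", "service": "ALL"}


def to_snake_case(args, renamed=None):
    """Return a copy of args with 'var-name', 'var name' and 'var.name' keys
    rewritten to 'var_name'; old names are appended to `renamed` if given."""
    if isinstance(args, list):
        return [to_snake_case(item, renamed) for item in args]
    if not isinstance(args, dict):
        return args
    out = {}
    for key, value in args.items():
        new_key = re.sub(r"[-. ]", "_", key)
        if new_key in out:
            # Old and new spelling of one argument in the same task.
            raise ValueError(f"argument {new_key!r} is given more than once (as {key!r})")
        if new_key != key and renamed is not None:
            renamed.append(key)
        out[new_key] = to_snake_case(value, renamed)
    return out


def as_list(value):
    """The module accepts '<list or string>'; treat both the same way."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy, play_vars=None):
    """Return findings for a pm_config_pblock_firewall_policy dict and, if
    given, the play's httpapi connection vars."""
    policy = to_snake_case(policy)
    findings = []
    for name, (flagged, why) in REVIEW_RULES.items():
        value = policy.get(name)
        if isinstance(value, str) and value in flagged:
            findings.append(f"{name}={value}: {why}")
    if policy.get("action") == "accept":
        for field, catch_all in CATCH_ALL.items():
            if catch_all in as_list(policy.get(field)):
                findings.append(f"{field} contains {catch_all!r} on an accept policy")
    if (play_vars or {}).get("ansible_httpapi_validate_certs") is False:
        findings.append("ansible_httpapi_validate_certs=false: "
                        "FortiManager certificate is not verified")
    return findings


# Constructed sample input: play vars as in the page's example playbook and a
# made-up policy that mixes old hyphenated names with new ones.
SAMPLE_VARS = {
    "ansible_httpapi_use_ssl": True,
    "ansible_httpapi_validate_certs": False,
    "ansible_httpapi_port": 443,
}
SAMPLE_POLICY = {
    "name": "example-allow-web",
    "action": "accept",
    "srcaddr": "all",
    "dstaddr": ["example-web-servers"],
    "service": ["HTTPS"],
    "logtraffic": "disable",
    "anti-replay": "enable",
    "learning-mode": "enable",
    "tcp-session-without-syn": "disable",
}

if __name__ == "__main__":
    old_names = []
    to_snake_case(SAMPLE_POLICY, old_names)
    print("deprecated argument names:", ", ".join(old_names))
    for finding in review_policy(SAMPLE_POLICY, SAMPLE_VARS):
        print("review:", finding)
```
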
Examples
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure IPv4/IPv6 policies.
      fortinet.fortimanager.fmgr_pm_config_pblock_firewall_policy:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        adom: <your own value>
        pblock: <your own value>
        state: present # <value in [present, absent]>
        pm_config_pblock_firewall_policy:
          _policy_block: <integer>
          action: <value in [deny, accept, ipsec, ...]>
          anti_replay: <value in [disable, enable]>
          application_list: <string>
          auth_cert: <string>
          auth_path: <value in [disable, enable]>
          auth_redirect_addr: <string>
          auto_asic_offload: <value in [disable, enable]>
          av_profile: <string>
          block_notification: <value in [disable, enable]>
          captive_portal_exempt: <value in [disable, enable]>
          capture_packet: <value in [disable, enable]>
          cifs_profile: <string>
          comments: <string>
          custom_log_fields: <list or string>
          decrypted_traffic_mirror: <string>
          delay_tcp_npu_session: <value in [disable, enable]>
          diffserv_forward: <value in [disable, enable]>
          diffserv_reverse: <value in [disable, enable]>
          diffservcode_forward: <string>
          diffservcode_rev: <string>
          disclaimer: <value in [disable, enable, user, ...]>
          dlp_profile: <string>
          dnsfilter_profile: <string>
          dsri: <value in [disable, enable]>
          dstaddr: <list or string>
          dstaddr_negate: <value in [disable, enable]>
          dstaddr6: <list or string>
          dstintf: <list or string>
          dynamic_shaping: <value in [disable, enable]>
          email_collect: <value in [disable, enable]>
          emailfilter_profile: <string>
          fec: <value in [disable, enable]>
          file_filter_profile: <string>
          firewall_session_dirty: <value in [check-all, check-new]>
          fixedport: <value in [disable, enable]>
          fsso_agent_for_ntlm: <string>
          fsso_groups: <list or string>
          geoip_anycast: <value in [disable, enable]>
          geoip_match: <value in [physical-location, registered-location]>
          global_label: <string>
          groups: <list or string>
          gtp_profile: <string>
          http_policy_redirect: <value in [disable, enable]>
          icap_profile: <string>
          identity_based_route: <string>
          inbound: <value in [disable, enable]>
          inspection_mode: <value in [proxy, flow]>
          internet_service: <value in [disable, enable]>
          internet_service_custom: <list or string>
          internet_service_custom_group: <list or string>
          internet_service_group: <list or string>
          internet_service_name: <list or string>
          internet_service_negate: <value in [disable, enable]>
          internet_service_src: <value in [disable, enable]>
          internet_service_src_custom: <list or string>
          internet_service_src_custom_group: <list or string>
          internet_service_src_group: <list or string>
          internet_service_src_name: <list or string>
          internet_service_src_negate: <value in [disable, enable]>
          ippool: <value in [disable, enable]>
          ips_sensor: <string>
          label: <string>
          logtraffic: <value in [disable, enable, all, ...]>
          logtraffic_start: <value in [disable, enable]>
          match_vip: <value in [disable, enable]>
          match_vip_only: <value in [disable, enable]>
          name: <string>
          nat: <value in [disable, enable]>
          nat46: <value in [disable, enable]>
          nat64: <value in [disable, enable]>
          natinbound: <value in [disable, enable]>
          natip: <string>
          natoutbound: <value in [disable, enable]>
          np_acceleration: <value in [disable, enable]>
          ntlm: <value in [disable, enable]>
          ntlm_enabled_browsers: <list or string>
          ntlm_guest: <value in [disable, enable]>
          outbound: <value in [disable, enable]>
          passive_wan_health_measurement: <value in [disable, enable]>
          per_ip_shaper: <string>
          permit_any_host: <value in [disable, enable]>
          permit_stun_host: <value in [disable, enable]>
          pfcp_profile: <string>
          policy_expiry: <value in [disable, enable]>
          policy_expiry_date: <string>
          policyid: <integer>
          poolname: <list or string>
          poolname6: <list or string>
          profile_group: <string>
          profile_protocol_options: <string>
          profile_type: <value in [single, group]>
          radius_mac_auth_bypass: <value in [disable, enable]>
          redirect_url: <string>
          replacemsg_override_group: <string>
          reputation_direction: <value in [source, destination]>
          reputation_minimum: <integer>
          rtp_addr: <list or string>
          rtp_nat: <value in [disable, enable]>
          schedule: <string>
          schedule_timeout: <value in [disable, enable]>
          sctp_filter_profile: <string>
          send_deny_packet: <value in [disable, enable]>
          service: <list or string>
          service_negate: <value in [disable, enable]>
          session_ttl: <integer or string>
          sgt: <list or integer>
          sgt_check: <value in [disable, enable]>
          src_vendor_mac: <list or string>
          srcaddr: <list or string>
          srcaddr_negate: <value in [disable, enable]>
          srcaddr6: <list or string>
          srcintf: <list or string>
          ssh_filter_profile: <string>
          ssh_policy_redirect: <value in [disable, enable]>
          ssl_ssh_profile: <string>
          status: <value in [disable, enable]>
          tcp_mss_receiver: <integer>
          tcp_mss_sender: <integer>
          tcp_session_without_syn: <value in [all, data-only, disable]>
          timeout_send_rst: <value in [disable, enable]>
tos: <string>
tos_mask: <string>
tos_negate: <value in [disable, enable]>
traffic_shaper: <string>
traffic_shaper_reverse: <string>
users: <list or string>
utm_status: <value in [disable, enable]>
uuid: <string>
videofilter_profile: <string>
vlan_cos_fwd: <integer>
vlan_cos_rev: <integer>
vlan_filter: <string>
voip_profile: <string>
vpntunnel: <string>
waf_profile: <string>
wanopt: <value in [disable, enable]>
wanopt_detection: <value in [active, passive, off]>
wanopt_passive_opt: <value in [default, transparent, non-transparent]>
wanopt_peer: <string>
wanopt_profile: <string>
wccp: <value in [disable, enable]>
webcache: <value in [disable, enable]>
webcache_https: <value in [disable, ssl-server, any, ...]>
webfilter_profile: <string>
webproxy_forward_server: <string>
webproxy_profile: <string>
ztna_ems_tag: <list or string>
ztna_geo_tag: <list or string>
ztna_status: <value in [disable, enable]>
policy_offload: <value in [disable, enable]>
cgn_session_quota: <integer>
tcp_timeout_pid: <string>
udp_timeout_pid: <string>
dlp_sensor: <string>
cgn_eif: <value in [disable, enable]>
cgn_log_server_grp: <string>
cgn_resource_quota: <integer>
cgn_eim: <value in [disable, enable]>
mms_profile: <string>
app_category: <list or string>
internet_service_src_id: <list or string>
rsso: <value in [disable, enable]>
internet_service_id: <list or string>
best_route: <value in [disable, enable]>
fsso: <value in [disable, enable]>
url_category: <list or string>
app_group: <list or string>
ssl_mirror_intf: <list or string>
wsso: <value in [disable, enable]>
ssl_mirror: <value in [disable, enable]>
application: <list or integer>
dscp_negate: <value in [disable, enable]>
learning_mode: <value in [disable, enable]>
devices: <list or string>
dscp_value: <string>
spamfilter_profile: <string>
scan_botnet_connections: <value in [disable, block, monitor]>
dscp_match: <value in [disable, enable]>
diffserv_copy: <value in [disable, enable]>
dstaddr6_negate: <value in [disable, enable]>
internet_service6: <value in [disable, enable]>
internet_service6_custom: <list or string>
internet_service6_custom_group: <list or string>
internet_service6_group: <list or string>
internet_service6_name: <list or string>
internet_service6_negate: <value in [disable, enable]>
internet_service6_src: <value in [disable, enable]>
internet_service6_src_custom: <list or string>
internet_service6_src_custom_group: <list or string>
internet_service6_src_group: <list or string>
internet_service6_src_name: <list or string>
internet_service6_src_negate: <value in [disable, enable]>
network_service_dynamic: <list or string>
network_service_src_dynamic: <list or string>
reputation_direction6: <value in [source, destination]>
reputation_minimum6: <integer>
srcaddr6_negate: <value in [disable, enable]>
ip_version_type: <string>
ips_voip_filter: <string>
pcp_inbound: <value in [disable, enable]>
pcp_outbound: <value in [disable, enable]>
pcp_poolname: <list or string>
policy_behaviour_type: <string>
policy_expiry_date_utc: <string>
ztna_device_ownership: <value in [disable, enable]>
ztna_ems_tag_secondary: <list or string>
ztna_policy_redirect: <value in [disable, enable]>
ztna_tags_match_logic: <value in [or, and]>
casb_profile: <string>
virtual_patch_profile: <string>
diameter_filter_profile: <string>
port_preserve: <value in [disable, enable]>
cgn_sw_eif_ctrl: <value in [disable, enable]>
eif_check: <value in [disable, enable]>
eif_learn: <value in [disable, enable]>
log_http_transaction: <value in [disable, enable, all, ...]>
radius_ip_auth_bypass: <value in [disable, enable]>
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values. The following fields are unique to this module:
- meta - The result of the request. returned: always type: dict
- request_url - The full URL requested. returned: always type: str sample: /sys/login/user
- response_code - The status of the API request. returned: always type: int sample: 0
- response_data - The data body of the API response. returned: optional type: list or dict
- response_message - The descriptive message of the API response. returned: always type: str sample: OK
- system_information - The information of the target system. returned: always type: dict
- rc - The status of the request. returned: always type: int sample: 0
- version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter is not supported by the current FortiManager version type: list
Status
This module is not guaranteed to have a backwards compatible interface.