fmgr_application_list – Configure application control lists.

New in version 2.10.

Synopsis

  • This module is able to configure a FortiManager device.
  • Examples include all parameters and values need to be adjusted to data sources before usage.
  • Tested with FortiManager v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

FortiManager Version Compatibility


6.0.0 6.2.1 6.2.3 6.2.5 6.4.0 6.4.2 6.4.5 7.0.0
application_list yes yes yes yes yes yes yes yes

Parameters

  • enable_log - Enable/Disable logging for task type: bool required: false default: False
  • proposed_method - The overridden method for the underlying Json RPC request type: str required: false choices: set, update, add
  • bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters type: bool required: false default: False
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock type: integer required: false default: 300
  • rc_succeeded - The rc codes list with which the conditions to succeed will be overriden type: list required: false
  • rc_failed - The rc codes list with which the conditions to fail will be overriden type: list required: false
  • state - The directive to create, update or delete an object type: str required: true choices: present, absent
  • adom - The parameter in requested url type: str required: true
  • application_list - Configure application control lists. type: dict
    • app-replacemsg - Enable/disable replacement messages for blocked applications. type: str choices: [disable, enable] more...
    • comment - comments type: str more...
    • deep-app-inspection - Enable/disable deep application inspection. type: str choices: [disable, enable] more...
    • entries - No description for the parameter type: array more...
      • action - Pass or block traffic, or reset connection for traffic from this application. type: str choices: [pass, block, reset] more...
      • application - No description for the parameter type: int more...
      • behavior - No description for the parameter type: str more...
      • category - Category ID list. type: str more...
      • id - Entry ID. type: int more...
      • log - Enable/disable logging for this application list. type: str choices: [disable, enable] more...
      • log-packet - Enable/disable packet logging. type: str choices: [disable, enable] more...
      • parameters - No description for the parameter type: array more...
        • id - Parameter ID. type: int more...
        • value - Parameter value. type: str more...
        • members - No description for the parameter type: array more...
          • id - Parameter. type: int more...
          • name - Parameter name. type: str more...
          • value - Parameter value. type: str more...
      • per-ip-shaper - Per-IP traffic shaper. type: str more...
      • popularity - No description for the parameter type: array choices: [1, 2, 3, 4, 5] more...
      • protocols - No description for the parameter type: str more...
      • quarantine - Quarantine method. type: str choices: [none, attacker] more...
      • quarantine-expiry - Duration of quarantine. type: str more...
      • quarantine-log - Enable/disable quarantine logging. type: str choices: [disable, enable] more...
      • rate-count - Count of the rate. type: int more...
      • rate-duration - Duration (sec) of the rate. type: int more...
      • rate-mode - Rate limit mode. type: str choices: [periodical, continuous] more...
      • rate-track - Track the packet protocol field. type: str choices: [none, src-ip, dest-ip, dhcp-client-mac, dns-domain] more...
      • risk - No description for the parameter type: int more...
      • session-ttl - Session TTL (0 = default). type: int more...
      • shaper - Traffic shaper. type: str more...
      • shaper-reverse - Reverse traffic shaper. type: str more...
      • sub-category - No description for the parameter type: int more...
      • technology - No description for the parameter type: str more...
      • vendor - No description for the parameter type: str more...
      • exclusion - No description for the parameter type: int more...
    • extended-log - Enable/disable extended logging. type: str choices: [disable, enable] more...
    • name - List name. type: str more...
    • options - No description for the parameter type: array choices: [allow-dns, allow-icmp, allow-http, allow-ssl, allow-quic] more...
    • other-application-action - Action for other applications. type: str choices: [pass, block] more...
    • other-application-log - Enable/disable logging for other applications. type: str choices: [disable, enable] more...
    • p2p-black-list - No description for the parameter type: array choices: [skype, edonkey, bittorrent] more...
    • replacemsg-group - Replacement message group. type: str more...
    • unknown-application-action - Pass or block traffic from unknown applications. type: str choices: [pass, block] more...
    • unknown-application-log - Enable/disable logging for unknown applications. type: str choices: [disable, enable] more...
    • control-default-network-services - Enable/disable enforcement of protocols over selected ports. type: str choices: [disable, enable] more...
    • default-network-services - No description for the parameter type: array more...
      • id - Entry ID. type: int more...
      • port - Port number. type: int more...
      • services - No description for the parameter type: array choices: [http, ssh, telnet, ftp, dns, smtp, pop3, imap, snmp, nntp, https] more...
      • violation-action - Action for protocols not white listed under selected port. type: str choices: [block, monitor, pass] more...
    • enforce-default-app-port - Enable/disable default application port enforcement for allowed applications. type: str choices: [disable, enable] more...
    • force-inclusion-ssl-di-sigs - Enable/disable forced inclusion of SSL deep inspection signatures. type: str choices: [disable, enable] more...
    • p2p-block-list - No description for the parameter type: array choices: [skype, edonkey, bittorrent] more...

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
  • To create or update an object, use state: present directive.
  • To delete an object, use state: absent directive
  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure application control lists.
     fmgr_application_list:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        application_list:
           app-replacemsg: <value in [disable, enable]>
           comment: <value of string>
           deep-app-inspection: <value in [disable, enable]>
           entries:
             -
                 action: <value in [pass, block, reset]>
                 application: <value of integer>
                 behavior: <value of string>
                 category: <value of string>
                 id: <value of integer>
                 log: <value in [disable, enable]>
                 log-packet: <value in [disable, enable]>
                 parameters:
                   -
                       id: <value of integer>
                       value: <value of string>
                       members:
                         -
                             id: <value of integer>
                             name: <value of string>
                             value: <value of string>
                 per-ip-shaper: <value of string>
                 popularity:
                   - 1
                   - 2
                   - 3
                   - 4
                   - 5
                 protocols: <value of string>
                 quarantine: <value in [none, attacker]>
                 quarantine-expiry: <value of string>
                 quarantine-log: <value in [disable, enable]>
                 rate-count: <value of integer>
                 rate-duration: <value of integer>
                 rate-mode: <value in [periodical, continuous]>
                 rate-track: <value in [none, src-ip, dest-ip, ...]>
                 risk: <value of integer>
                 session-ttl: <value of integer>
                 shaper: <value of string>
                 shaper-reverse: <value of string>
                 sub-category: <value of integer>
                 technology: <value of string>
                 vendor: <value of string>
                 exclusion: <value of integer>
           extended-log: <value in [disable, enable]>
           name: <value of string>
           options:
             - allow-dns
             - allow-icmp
             - allow-http
             - allow-ssl
             - allow-quic
           other-application-action: <value in [pass, block]>
           other-application-log: <value in [disable, enable]>
           p2p-black-list:
             - skype
             - edonkey
             - bittorrent
           replacemsg-group: <value of string>
           unknown-application-action: <value in [pass, block]>
           unknown-application-log: <value in [disable, enable]>
           control-default-network-services: <value in [disable, enable]>
           default-network-services:
             -
                 id: <value of integer>
                 port: <value of integer>
                 services:
                   - http
                   - ssh
                   - telnet
                   - ftp
                   - dns
                   - smtp
                   - pop3
                   - imap
                   - snmp
                   - nntp
                   - https
                 violation-action: <value in [block, monitor, pass]>
           enforce-default-app-port: <value in [disable, enable]>
           force-inclusion-ssl-di-sigs: <value in [disable, enable]>
           p2p-block-list:
             - skype
             - edonkey
             - bittorrent

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • request_url - The full url requested returned: always type: str sample: /sys/login/user
  • response_code - The status of api request returned: always type: int sample: 0
  • response_message - The descriptive message of the api response returned: always type: str sample: OK
  • response_data - The data body of the api response returned: optional type: list or dict

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Frank Shen (@fshen01)
  • Hongbin Lu (@fgtdev-hblu)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.