fmgr_vpn_ssl_settings – Configure SSL VPN.

New in version 2.10.

Synopsis

  • This module is able to configure a FortiManager device.
  • Examples include all parameters and values need to be adjusted to data sources before usage.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

FortiManager Version Compatibility


6.4.2
vpn_ssl_settings yes

Parameters

  • enable_log - Enable/Disable logging for task type: bool required: false default: False
  • forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0 type: str required: false
  • proposed_method - The overridden method for the underlying Json RPC request type: str required: false choices: set, update, add
  • bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters type: bool required: false default: False
  • workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode type: str required: false choices: global, custom adom including root
  • workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock type: integer required: false default: 300
  • rc_succeeded - The rc codes list with which the conditions to succeed will be overriden type: list required: false
  • rc_failed - The rc codes list with which the conditions to fail will be overriden type: list required: false
  • device - The parameter in requested url type: str required: true
  • vdom - The parameter in requested url type: str required: true
  • vpn_ssl_settings - no description type: dict
    • algorithm - Force the SSL VPN security level. type: str choices: [default, high, low, medium] more...
    • auth-session-check-source-ip - Enable/disable checking of source IP for authentication session. type: str choices: [disable, enable] more...
    • auth-timeout - SSL VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int more...
    • authentication-rule - No description for the parameter type: array more...
      • auth - SSL VPN authentication method restriction. type: str choices: [any, local, radius, ldap, tacacs+] more...
      • cipher - SSL VPN cipher strength. type: str choices: [any, high, medium] more...
      • client-cert - Enable/disable SSL VPN client certificate restrictive. type: str choices: [disable, enable] more...
      • groups - User groups. type: str more...
      • id - ID (0 - 4294967295). type: int more...
      • portal - SSL VPN portal. type: str more...
      • realm - SSL VPN realm. type: str more...
      • source-address - Source address of incoming traffic. type: str more...
      • source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...
      • source-address6 - IPv6 source address of incoming traffic. type: str more...
      • source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...
      • source-interface - SSL VPN source interface of incoming traffic. type: str more...
      • user-peer - Name of user peer. type: str more...
      • users - User name. type: str more...
    • auto-tunnel-static-route - Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses. type: str choices: [disable, enable] more...
    • banned-cipher - No description for the parameter type: array choices: [RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC] more...
    • check-referer - Enable/disable verification of referer field in HTTP request header. type: str choices: [disable, enable] more...
    • default-portal - Default SSL VPN portal. type: str more...
    • deflate-compression-level - Compression level (0~9). type: int more...
    • deflate-min-data-size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int more...
    • dns-server1 - DNS server 1. type: str more...
    • dns-server2 - DNS server 2. type: str more...
    • dns-suffix - DNS suffix used for SSL VPN clients. type: str more...
    • dtls-hello-timeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10). type: int more...
    • dtls-max-proto-ver - DTLS maximum protocol version. type: str choices: [dtls1-0, dtls1-2] more...
    • dtls-min-proto-ver - DTLS minimum protocol version. type: str choices: [dtls1-0, dtls1-2] more...
    • dtls-tunnel - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. type: str choices: [disable, enable] more...
    • encode-2f-sequence - Encode \2F sequence to forward slash in URLs. type: str choices: [disable, enable] more...
    • encrypt-and-store-password - Encrypt and store user passwords for SSL VPN web sessions. type: str choices: [disable, enable] more...
    • force-two-factor-auth - Enable/disable only PKI users with two-factor authentication for SSL VPNs. type: str choices: [disable, enable] more...
    • header-x-forwarded-for - Forward the same, add, or remove HTTP header. type: str choices: [pass, add, remove] more...
    • hsts-include-subdomains - Add HSTS includeSubDomains response header. type: str choices: [disable, enable] more...
    • http-compression - Enable/disable to allow HTTP compression over SSL VPN tunnels. type: str choices: [disable, enable] more...
    • http-only-cookie - Enable/disable SSL VPN support for HttpOnly cookies. type: str choices: [disable, enable] more...
    • http-request-body-timeout - SSL VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20). type: int more...
    • http-request-header-timeout - SSL VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20). type: int more...
    • https-redirect - Enable/disable redirect of port 80 to SSL VPN port. type: str choices: [disable, enable] more...
    • idle-timeout - SSL VPN disconnects if idle for specified time in seconds. type: int more...
    • ipv6-dns-server1 - IPv6 DNS server 1. type: str more...
    • ipv6-dns-server2 - IPv6 DNS server 2. type: str more...
    • ipv6-wins-server1 - IPv6 WINS server 1. type: str more...
    • ipv6-wins-server2 - IPv6 WINS server 2. type: str more...
    • login-attempt-limit - SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). type: int more...
    • login-block-time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). type: int more...
    • login-timeout - SSLVPN maximum login timeout (10 - 180 sec, default = 30). type: int more...
    • port - SSL VPN access port (1 - 65535). type: int more...
    • port-precedence - Enable/disable, Enable means that if SSL VPN connections are allowed on an interface admin GUI connections are blocked on that interface. type: str choices: [disable, enable] more...
    • reqclientcert - Enable/disable to require client certificates for all SSL VPN users. type: str choices: [disable, enable] more...
    • route-source-interface - Enable/disable to allow SSL VPN sessions to bypass routing and bind to the incoming interface. type: str choices: [disable, enable] more...
    • servercert - Name of the server certificate to be used for SSL VPNs. type: str more...
    • source-address - Source address of incoming traffic. type: str more...
    • source-address-negate - Enable/disable negated source address match. type: str choices: [disable, enable] more...
    • source-address6 - IPv6 source address of incoming traffic. type: str more...
    • source-address6-negate - Enable/disable negated source IPv6 address match. type: str choices: [disable, enable] more...
    • source-interface - SSL VPN source interface of incoming traffic. type: str more...
    • ssl-client-renegotiation - Enable/disable to allow client renegotiation by the server if the tunnel goes down. type: str choices: [disable, enable] more...
    • ssl-insert-empty-fragment - Enable/disable insertion of empty fragment. type: str choices: [disable, enable] more...
    • ssl-max-proto-ver - SSL maximum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...
    • ssl-min-proto-ver - SSL minimum protocol version. type: str choices: [tls1-0, tls1-1, tls1-2, tls1-3] more...
    • tlsv1-0 - No description for the parameter type: str choices: [disable, enable] more...
    • tlsv1-1 - No description for the parameter type: str choices: [disable, enable] more...
    • tlsv1-2 - No description for the parameter type: str choices: [disable, enable] more...
    • tlsv1-3 - No description for the parameter type: str choices: [disable, enable] more...
    • transform-backward-slashes - Transform backward slashes to forward slashes in URLs. type: str choices: [disable, enable] more...
    • tunnel-connect-without-reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. type: str choices: [disable, enable] more...
    • tunnel-ip-pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...
    • tunnel-ipv6-pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: str more...
    • tunnel-user-session-timeout - Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30). type: int more...
    • unsafe-legacy-renegotiation - Enable/disable unsafe legacy re-negotiation. type: str choices: [disable, enable] more...
    • url-obscuration - Enable/disable to obscure the host name of the URL of the web browser display. type: str choices: [disable, enable] more...
    • user-peer - Name of user peer. type: str more...
    • wins-server1 - WINS server 1. type: str more...
    • wins-server2 - WINS server 2. type: str more...
    • x-content-type-options - Add HTTP X-Content-Type-Options header. type: str choices: [disable, enable] more...

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
  • To create or update an object, use state: present directive.
  • To delete an object, use state: absent directive
  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: no description
     fmgr_vpn_ssl_settings:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
           algorithm: <value in [default, high, low, ...]>
           auth-session-check-source-ip: <value in [disable, enable]>
           auth-timeout: <value of integer>
           authentication-rule:
             -
                 auth: <value in [any, local, radius, ...]>
                 cipher: <value in [any, high, medium]>
                 client-cert: <value in [disable, enable]>
                 groups: <value of string>
                 id: <value of integer>
                 portal: <value of string>
                 realm: <value of string>
                 source-address: <value of string>
                 source-address-negate: <value in [disable, enable]>
                 source-address6: <value of string>
                 source-address6-negate: <value in [disable, enable]>
                 source-interface: <value of string>
                 user-peer: <value of string>
                 users: <value of string>
           auto-tunnel-static-route: <value in [disable, enable]>
           banned-cipher:
             - RSA
             - DH
             - DHE
             - ECDH
             - ECDHE
             - DSS
             - ECDSA
             - AES
             - AESGCM
             - CAMELLIA
             - 3DES
             - SHA1
             - SHA256
             - SHA384
             - STATIC
           check-referer: <value in [disable, enable]>
           default-portal: <value of string>
           deflate-compression-level: <value of integer>
           deflate-min-data-size: <value of integer>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           dtls-hello-timeout: <value of integer>
           dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-tunnel: <value in [disable, enable]>
           encode-2f-sequence: <value in [disable, enable]>
           encrypt-and-store-password: <value in [disable, enable]>
           force-two-factor-auth: <value in [disable, enable]>
           header-x-forwarded-for: <value in [pass, add, remove]>
           hsts-include-subdomains: <value in [disable, enable]>
           http-compression: <value in [disable, enable]>
           http-only-cookie: <value in [disable, enable]>
           http-request-body-timeout: <value of integer>
           http-request-header-timeout: <value of integer>
           https-redirect: <value in [disable, enable]>
           idle-timeout: <value of integer>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           login-attempt-limit: <value of integer>
           login-block-time: <value of integer>
           login-timeout: <value of integer>
           port: <value of integer>
           port-precedence: <value in [disable, enable]>
           reqclientcert: <value in [disable, enable]>
           route-source-interface: <value in [disable, enable]>
           servercert: <value of string>
           source-address: <value of string>
           source-address-negate: <value in [disable, enable]>
           source-address6: <value of string>
           source-address6-negate: <value in [disable, enable]>
           source-interface: <value of string>
           ssl-client-renegotiation: <value in [disable, enable]>
           ssl-insert-empty-fragment: <value in [disable, enable]>
           ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           tlsv1-0: <value in [disable, enable]>
           tlsv1-1: <value in [disable, enable]>
           tlsv1-2: <value in [disable, enable]>
           tlsv1-3: <value in [disable, enable]>
           transform-backward-slashes: <value in [disable, enable]>
           tunnel-connect-without-reauth: <value in [disable, enable]>
           tunnel-ip-pools: <value of string>
           tunnel-ipv6-pools: <value of string>
           tunnel-user-session-timeout: <value of integer>
           unsafe-legacy-renegotiation: <value in [disable, enable]>
           url-obscuration: <value in [disable, enable]>
           user-peer: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           x-content-type-options: <value in [disable, enable]>

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • request_url - The full url requested returned: always type: str sample: /sys/login/user
  • response_code - The status of api request returned: always type: int sample: 0
  • response_message - The descriptive message of the api response returned: always type: str sample: OK
  • response_data - The data body of the api response returned: optional type: list or dict

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Frank Shen (@fshen01)
  • Hongbin Lu (@fgtdev-hblu)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.