fmgr_firewall_sslsshprofile – Configure SSL/SSH protocol options.

Added in version 1.0.0.

Warning

Starting in version 3.0.0, all input arguments will be named using the underscore naming convention (snake_case).

• Argument name before 3.0.0: var-name, var name, var.name

• New argument name starting in 3.0.0: var_name

FortiManager Ansible v2.4+ supports both previous argument name and new underscore name. You will receive deprecation warnings if you keep using the previous argument name. You can ignore the warning by setting deprecation_warnings=False in ansible.cfg.

Synopsis

• This module is able to configure a FortiManager device.

• Examples include all parameters and values need to be adjusted to data sources before usage.

• Tested with FortiManager v6.x and v7.x.

Requirements

The below requirements are needed on the host that executes this module.

• ansible>=2.15.0

FortiManager Version Compatibility

Supported Version Ranges: v6.0.0 -> latest

Parameters

• access_token -The token to access FortiManager without using username and password. type: str required: false
• bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
• enable_log - Enable/Disable logging for task. type: bool required: false default: False
• forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
• proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
• rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
• rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
• state - The directive to create, update or delete an object type: str required: true choices: present, absent
• workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
• workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
• adom - The parameter in requested url type: str required: true
• firewall_sslsshprofile - Configure SSL/SSH protocol options. type: dict
• caname Ca certificate used by ssl inspection. type: str more...

  Supported Version Ranges: v6.0.0 -> latest

• comment Optional comments. type: str more...

  Supported Version Ranges: v6.0.0 -> latest

• mapi_over_https (Alias name: mapi-over-https) Enable/disable inspection of mapi over https. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• name Name. type: str more...

  Supported Version Ranges: v6.0.0 -> latest

• rpc_over_https (Alias name: rpc-over-https) Enable/disable inspection of rpc over https. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• server_cert (Alias name: server-cert) Certificate used by ssl inspection to replace server certificate. type: list or str more...

  Supported Version Ranges: v6.0.0 -> latest

• server_cert_mode (Alias name: server-cert-mode) Re-sign or replace the servers certificate. type: str choices: [re-sign, replace] more...

  Supported Version Ranges: v6.0.0 -> latest

• ssl_anomalies_log (Alias name: ssl-anomalies-log) Enable/disable logging ssl anomalies. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• ssl_exempt (Alias name: ssl-exempt) Ssl-exempt. type: list more...

  Supported Version Ranges: v6.0.0 -> latest

  • address Ipv4 address object. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

  • address6 Ipv6 address object. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

  • fortiguard_category (Alias name: fortiguard-category) Fortiguard category id. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

  • id Id number. type: int more...

    Supported Version Ranges: v6.0.0 -> latest

  • regex Exempt servers by regular expression. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

  • type Type of address object (ipv4 or ipv6) or fortiguard category. type: str choices: [fortiguard-category, address, address6, wildcard-fqdn, regex, finger-print] more...

    Supported Version Ranges: v6.0.0 -> latest

  • wildcard_fqdn (Alias name: wildcard-fqdn) Exempt servers by wildcard fqdn. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

• ssl_exemptions_log (Alias name: ssl-exemptions-log) Enable/disable logging ssl exemptions. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• ssl_server (Alias name: ssl-server) Ssl-server. type: list more...

  Supported Version Ranges: v6.0.0 -> latest

  • ftps_client_cert_request (Alias name: ftps-client-cert-request) Action based on client certificate request during the ftps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • https_client_cert_request (Alias name: https-client-cert-request) Action based on client certificate request during the https handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • id Ssl server id. type: int more...

    Supported Version Ranges: v6.0.0 -> latest

  • imaps_client_cert_request (Alias name: imaps-client-cert-request) Action based on client certificate request during the imaps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • ip Ipv4 address of the ssl server. type: str more...

    Supported Version Ranges: v6.0.0 -> latest

  • pop3s_client_cert_request (Alias name: pop3s-client-cert-request) Action based on client certificate request during the pop3s handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • smtps_client_cert_request (Alias name: smtps-client-cert-request) Action based on client certificate request during the smtps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • ssl_other_client_cert_request (Alias name: ssl-other-client-cert-request) Action based on client certificate request during an ssl protocol handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.0.0 -> latest

  • ftps_client_certificate (Alias name: ftps-client-certificate) Action based on received client certificate during the ftps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

  • https_client_certificate (Alias name: https-client-certificate) Action based on received client certificate during the https handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

  • imaps_client_certificate (Alias name: imaps-client-certificate) Action based on received client certificate during the imaps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

  • pop3s_client_certificate (Alias name: pop3s-client-certificate) Action based on received client certificate during the pop3s handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

  • smtps_client_certificate (Alias name: smtps-client-certificate) Action based on received client certificate during the smtps handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

  • ssl_other_client_certificate (Alias name: ssl-other-client-certificate) Action based on received client certificate during an ssl protocol handshake. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.0 -> latest

• untrusted_caname (Alias name: untrusted-caname) Untrusted ca certificate used by ssl inspection. type: str more...

  Supported Version Ranges: v6.0.0 -> latest

• use_ssl_server (Alias name: use-ssl-server) Enable/disable the use of ssl server table for ssl offloading. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• whitelist Enable/disable exempting servers by fortiguard whitelist. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.0.0 -> latest

• block_blacklisted_certificates (Alias name: block-blacklisted-certificates) Enable/disable blocking ssl-based botnet communication by fortiguard certificate blacklist. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.2.0 -> latest

• certname Certificate containing the key to use when re-signing server certificates for ssl inspection. type: str more...

  Supported Version Ranges: v6.2.0 -> v6.2.12

• ssl_invalid_server_cert_log (Alias name: ssl-invalid-server-cert-log) Enable/disable ssl server certificate validation logging. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.2.0 -> v6.2.12

• ssl_negotiation_log (Alias name: ssl-negotiation-log) Enable/disable logging ssl negotiation. type: str choices: [disable, enable] more...

  Supported Version Ranges: v6.4.0 -> latest

• ftps type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) Minimum ssl version to be allowed. type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

• https type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, certificate-inspection, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • cert_probe_failure (Alias name: cert-probe-failure) Action based on certificate probe failure. type: str choices: [block, allow] more...

    Supported Version Ranges: v7.0.0 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) Minimum ssl version to be allowed. type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

  • quic Enable/disable quic inspection (default = disable). type: str choices: [disable, enable, bypass, block, inspect] more...

    Supported Version Ranges: v7.4.1 -> latest

• imaps type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

• pop3s type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

• smtps type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

• ssh type: dict
  • inspect_all (Alias name: inspect-all) Level of ssl inspection. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • ports Ports to use for scanning (1 - 65535, default = 443). type: list more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.4.5 -> latest

  • ssh_algorithm (Alias name: ssh-algorithm) Relative strength of encryption algorithms accepted during negotiation. type: str choices: [compatible, high-encryption] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • ssh_tun_policy_check (Alias name: ssh-tun-policy-check) Enable/disable ssh tunnel policy check. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_version (Alias name: unsupported-version) Action based on ssh version being unsupported. type: str choices: [block, bypass] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • ssh_policy_check (Alias name: ssh-policy-check) Enable/disable ssh policy check. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • block type: list choices: [x11-filter, ssh-shell, exec, port-forward] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v6.4.14

  • log type: list choices: [x11-filter, ssh-shell, exec, port-forward] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v6.4.14

• ssl type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • inspect_all (Alias name: inspect-all) Level of ssl inspection. type: str choices: [disable, certificate-inspection, deep-inspection] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.4.5 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [disable, enable, strict] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.4.5 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • unsupported_ssl (Alias name: unsupported-ssl) Action based on the ssl encryption used being unsupported. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • client_cert_request (Alias name: client-cert-request) Action based on client certificate request. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • invalid_server_cert (Alias name: invalid-server-cert) Allow or block the invalid ssl session server certificate. type: str choices: [allow, block] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> latest

  • allow_invalid_server_cert (Alias name: allow-invalid-server-cert) When enabled, allows ssl sessions whose server certificate validation failed. type: str choices: [disable, enable] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • untrusted_cert (Alias name: untrusted-cert) Allow, ignore, or block the untrusted ssl session server certificate. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v6.2.8 -> v6.2.12, v6.4.5 -> v7.2.1

  • cert_probe_failure (Alias name: cert-probe-failure) Action based on certificate probe failure. type: str choices: [block, allow] more...

    Supported Version Ranges: v7.0.1 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) Minimum ssl version to be allowed. type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

• allowlist Enable/disable exempting servers by fortiguard allowlist. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.0 -> latest

• block_blocklisted_certificates (Alias name: block-blocklisted-certificates) Enable/disable blocking ssl-based botnet communication by fortiguard certificate blocklist. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.0 -> latest

• dot type: dict
  • cert_validation_failure (Alias name: cert-validation-failure) Action based on certificate validation failure. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v7.0.0 -> latest

  • cert_validation_timeout (Alias name: cert-validation-timeout) Action based on certificate validation timeout. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v7.0.0 -> latest

  • client_certificate (Alias name: client-certificate) Action based on received client certificate. type: str choices: [bypass, inspect, block] more...

    Supported Version Ranges: v7.0.0 -> latest

  • expired_server_cert (Alias name: expired-server-cert) Action based on server certificate is expired. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v7.0.0 -> latest

  • proxy_after_tcp_handshake (Alias name: proxy-after-tcp-handshake) Proxy traffic after the tcp 3-way handshake has been established (not before). type: str choices: [disable, enable] more...

    Supported Version Ranges: v7.0.0 -> latest

  • revoked_server_cert (Alias name: revoked-server-cert) Action based on server certificate is revoked. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v7.0.0 -> latest

  • sni_server_cert_check (Alias name: sni-server-cert-check) Check the sni in the client hello message with the cn or san fields in the returned server certificate. type: str choices: [enable, strict, disable] more...

    Supported Version Ranges: v7.0.0 -> latest

  • status Configure protocol inspection status. type: str choices: [disable, deep-inspection] more...

    Supported Version Ranges: v7.0.0 -> latest

  • unsupported_ssl_cipher (Alias name: unsupported-ssl-cipher) Action based on the ssl cipher used being unsupported. type: str choices: [block, allow] more...

    Supported Version Ranges: v7.0.0 -> latest

  • unsupported_ssl_negotiation (Alias name: unsupported-ssl-negotiation) Action based on the ssl negotiation used being unsupported. type: str choices: [block, allow] more...

    Supported Version Ranges: v7.0.0 -> latest

  • untrusted_server_cert (Alias name: untrusted-server-cert) Action based on server certificate is not issued by a trusted ca. type: str choices: [allow, block, ignore] more...

    Supported Version Ranges: v7.0.0 -> latest

  • unsupported_ssl_version (Alias name: unsupported-ssl-version) Action based on the ssl version used being unsupported. type: str choices: [block, allow, inspect] more...

    Supported Version Ranges: v7.0.1 -> latest

  • min_allowed_ssl_version (Alias name: min-allowed-ssl-version) type: str choices: [ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3] more...

    Supported Version Ranges: v7.0.3 -> latest

  • quic Enable/disable quic inspection (default = disable). type: str choices: [disable, enable, bypass, block, inspect] more...

    Supported Version Ranges: v7.4.1 -> latest

• supported_alpn (Alias name: supported-alpn) Configure alpn option. type: str choices: [none, http1-1, http2, all] more...

  Supported Version Ranges: v7.0.0 -> latest

• ssl_anomaly_log (Alias name: ssl-anomaly-log) Enable/disable logging of ssl anomalies. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.2 -> latest

• ssl_exemption_ip_rating (Alias name: ssl-exemption-ip-rating) Enable/disable ip based url rating. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.4 -> latest

• ssl_exemption_log (Alias name: ssl-exemption-log) Enable/disable logging ssl exemptions. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.2 -> latest

• ssl_handshake_log (Alias name: ssl-handshake-log) Enable/disable logging of tls handshakes. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.1 -> latest

• ssl_server_cert_log (Alias name: ssl-server-cert-log) Enable/disable logging of server certificate information. type: str choices: [disable, enable] more...

  Supported Version Ranges: v7.0.1 -> latest

Notes

Note

• Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

• To create or update an object, use state: present directive.

• To delete an object, use state: absent directive

• Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL/SSH protocol options.
      fortinet.fortimanager.fmgr_firewall_sslsshprofile:
        bypass_validation: false
        adom: ansible
        state: present
        firewall_sslsshprofile:
          comment: "ansible-comment1"
          mapi-over-https: disable # <value in [disable, enable]>
          name: "ansible-test"
          use-ssl-server: disable # <value in [disable, enable]>
          whitelist: enable # <value in [disable, enable]>

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the SSL/SSH protocol options
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "firewall_sslsshprofile"
          params:
            adom: "ansible"
            ssl-ssh-profile: "your_value"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

• meta - The result of the request.returned: always type: dict
• request_url - The full url requested. returned: always type: str sample: /sys/login/user
• response_code - The status of api request. returned: always type: int sample: 0
• response_data - The data body of the api response. returned: optional type: list or dict
• response_message - The descriptive message of the api response. returned: always type: str sample: OK
• system_information - The information of the target system. returned: always type: dict
• rc - The status the request. returned: always type: int sample: 0
• version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least one parameter not supported by the current FortiManager version type: list

Status

• This module is not guaranteed to have a backwards compatible interface.

Authors

• Xinwei Du (@dux-fortinet)

• Xing Li (@lix-fortinet)

• Jie Xue (@JieX19)

• Link Zheng (@chillancezen)

• Frank Shen (@fshen01)

• Hongbin Lu (@fgtdev-hblu)