W3cubDocs

/Ansible

fortinet.fortimanager.fmgr_firewall_accessproxy – Configure Access Proxy.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_firewall_accessproxy.

New in version 2.10: of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.
  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
adom
string / required
the parameter (adom) in requested url
bypass_validation
boolean
    Choices:
  • no
  • yes
only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters
enable_log
boolean
    Choices:
  • no
  • yes
Enable/Disable logging for task
firewall_accessproxy
dictionary
the top level parameters set
api-gateway
list / elements=string
no description
http-cookie-age
integer
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.
http-cookie-domain
string
Domain that HTTP cookie persistence should apply to.
http-cookie-domain-from-host
string
    Choices:
  • disable
  • enable
Enable/disable use of HTTP cookie domain from host field in HTTP.
http-cookie-generation
integer
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
http-cookie-path
string
Limit HTTP cookie persistence to the specified path.
http-cookie-share
string
    Choices:
  • disable
  • same-ip
Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. ...
https-cookie-secure
string
    Choices:
  • disable
  • enable
Enable/disable verification that inserted HTTPS cookies are secure.
id
integer
API Gateway ID.
ldb-method
string
    Choices:
  • static
  • round-robin
  • weighted
  • least-session
  • least-rtt
  • first-alive
  • http-host
Method used to distribute sessions to real servers.
persistence
string
    Choices:
  • none
  • http-cookie
Configure how to make sure that clients connect to the same server every time they make a request that is part of the ...
realservers
list / elements=string
no description
address
string
Address or address group of the real server.
health-check
string
    Choices:
  • disable
  • enable
Enable to check the responsiveness of the real server before forwarding traffic.
health-check-proto
string
    Choices:
  • ping
  • http
  • tcp-connect
Protocol of the health check monitor to use when polling to determine servers connectivity status.
http-host
string
HTTP server domain name in HTTP header.
id
integer
Real server ID.
ip
string
IP address of the real server.
mappedport
string
Port for communicating with the real server.
port
integer
Port for communicating with the real server.
status
string
    Choices:
  • active
  • standby
  • disable
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no tra...
weight
integer
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more...
saml-server
string
SAML service provider configuration for VIP authentication.
service
string
    Choices:
  • http
  • https
  • tcp-forwarding
  • samlsp
Service.
ssl-algorithm
string
    Choices:
  • high
  • medium
  • low
  • custom
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
ssl-cipher-suites
list / elements=string
no description
cipher
string
    Choices:
  • TLS-RSA-WITH-RC4-128-MD5
  • TLS-RSA-WITH-RC4-128-SHA
  • TLS-RSA-WITH-DES-CBC-SHA
  • TLS-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA
  • TLS-RSA-WITH-AES-256-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA256
  • TLS-RSA-WITH-AES-256-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-RSA-WITH-SEED-CBC-SHA
  • TLS-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-DHE-RSA-WITH-DES-CBC-SHA
  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-SEED-CBC-SHA
  • TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-RC4-128-SHA
  • TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA
  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA
  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
  • TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  • TLS-RSA-WITH-AES-128-GCM-SHA256
  • TLS-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-DSS-WITH-SEED-CBC-SHA
  • TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
  • TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
  • TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-DSS-WITH-DES-CBC-SHA
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
Cipher suite name.
priority
integer
SSL/TLS cipher suites priority.
versions
list / elements=string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
no description
ssl-dh-bits
string
    Choices:
  • 768
  • 1024
  • 1536
  • 2048
  • 3072
  • 4096
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
ssl-max-version
string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
Highest SSL/TLS version acceptable from a server.
ssl-min-version
string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
Lowest SSL/TLS version acceptable from a server.
url-map
string
URL pattern to match.
url-map-type
string
    Choices:
  • sub-string
  • wildcard
  • regex
Type of url-map.
virtual-host
string
Virtual host.
client-cert
string
    Choices:
  • disable
  • enable
Enable/disable to request client certificate.
empty-cert-action
string
    Choices:
  • block
  • accept
Action of an empty client certificate.
ldb-method
string
    Choices:
  • static
  • round-robin
  • weighted
  • least-session
  • least-rtt
  • first-alive
Method used to distribute sessions to SSL real servers.
name
string
Access Proxy name.
realservers
list / elements=string
no description
id
integer
Real server ID.
ip
string
IP address of the real server.
port
integer
Port for communicating with the real server.
status
string
    Choices:
  • active
  • standby
  • disable
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is ...
weight
integer
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connect...
server-pubkey-auth
string
    Choices:
  • disable
  • enable
Enable/disable SSH real server public key authentication.
server-pubkey-auth-settings
dictionary
no description
auth-ca
string
Name of the SSH server public key authentication CA.
cert-extension
list / elements=string
no description
critical
string
    Choices:
  • no
  • yes
Critical option.
data
string
Name of certificate extension.
name
string
Name of certificate extension.
type
string
    Choices:
  • fixed
  • user
Type of certificate extension.
permit-agent-forwarding
string
    Choices:
  • disable
  • enable
Enable/disable appending permit-agent-forwarding certificate extension.
permit-port-forwarding
string
    Choices:
  • disable
  • enable
Enable/disable appending permit-port-forwarding certificate extension.
permit-pty
string
    Choices:
  • disable
  • enable
Enable/disable appending permit-pty certificate extension.
permit-user-rc
string
    Choices:
  • disable
  • enable
Enable/disable appending permit-user-rc certificate extension.
permit-x11-forwarding
string
    Choices:
  • disable
  • enable
Enable/disable appending permit-x11-forwarding certificate extension.
source-address
string
    Choices:
  • disable
  • enable
Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from...
vip
string
Virtual IP name.
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying Json RPC request
rc_failed
list / elements=string
the rc codes list with which the conditions to fail will be overriden
rc_succeeded
list / elements=string
the rc codes list with which the conditions to succeed will be overriden
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
workspace_locking_adom
string
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout
integer
Default:
300
the maximum time in seconds to wait for other user to release the workspace lock

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
  • To create or update an object, use state present directive.
  • To delete an object, use state absent directive.
  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure Access Proxy.
     fmgr_firewall_accessproxy:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        firewall_accessproxy:
           api-gateway:
             -
                 http-cookie-age: <value of integer>
                 http-cookie-domain: <value of string>
                 http-cookie-domain-from-host: <value in [disable, enable]>
                 http-cookie-generation: <value of integer>
                 http-cookie-path: <value of string>
                 http-cookie-share: <value in [disable, same-ip]>
                 https-cookie-secure: <value in [disable, enable]>
                 id: <value of integer>
                 ldb-method: <value in [static, round-robin, weighted, ...]>
                 persistence: <value in [none, http-cookie]>
                 realservers:
                   -
                       address: <value of string>
                       health-check: <value in [disable, enable]>
                       health-check-proto: <value in [ping, http, tcp-connect]>
                       http-host: <value of string>
                       id: <value of integer>
                       ip: <value of string>
                       mappedport: <value of string>
                       port: <value of integer>
                       status: <value in [active, standby, disable]>
                       weight: <value of integer>
                 saml-server: <value of string>
                 service: <value in [http, https, tcp-forwarding, ...]>
                 ssl-algorithm: <value in [high, medium, low, ...]>
                 ssl-cipher-suites:
                   -
                       cipher: <value in [TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-RSA-WITH-DES-CBC-SHA, ...]>
                       priority: <value of integer>
                       versions:
                         - tls-1.0
                         - tls-1.1
                         - tls-1.2
                         - tls-1.3
                 ssl-dh-bits: <value in [768, 1024, 1536, ...]>
                 ssl-max-version: <value in [tls-1.0, tls-1.1, tls-1.2, ...]>
                 ssl-min-version: <value in [tls-1.0, tls-1.1, tls-1.2, ...]>
                 url-map: <value of string>
                 url-map-type: <value in [sub-string, wildcard, regex]>
                 virtual-host: <value of string>
           client-cert: <value in [disable, enable]>
           empty-cert-action: <value in [block, accept]>
           ldb-method: <value in [static, round-robin, weighted, ...]>
           name: <value of string>
           realservers:
             -
                 id: <value of integer>
                 ip: <value of string>
                 port: <value of integer>
                 status: <value in [active, standby, disable]>
                 weight: <value of integer>
           server-pubkey-auth: <value in [disable, enable]>
           server-pubkey-auth-settings:
              auth-ca: <value of string>
              cert-extension:
                -
                    critical: <value in [no, yes]>
                    data: <value of string>
                    name: <value of string>
                    type: <value in [fixed, user]>
              permit-agent-forwarding: <value in [disable, enable]>
              permit-port-forwarding: <value in [disable, enable]>
              permit-pty: <value in [disable, enable]>
              permit-user-rc: <value in [disable, enable]>
              permit-x11-forwarding: <value in [disable, enable]>
              source-address: <value in [disable, enable]>
           vip: <value of string>

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
request_url
string
always
The full url requested

Sample:
/sys/login/user
response_code
integer
always
The status of api request

response_message
string
always
The descriptive message of the api response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Frank Shen (@fshen01)
  • Hongbin Lu (@fgtdev-hblu)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortimanager/fmgr_firewall_accessproxy_module.html