Note
This module is part of the fortinet.fortimanager collection (version 2.10.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_pm_config_pblock_firewall_proxypolicy.
New in fortinet.fortimanager 2.7.0
Parameter | Comments |
|---|---|
access_token string | The token to access FortiManager without using username and password. |
adom string / required | The parameter (adom) in requested url. |
bypass_validation boolean | Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. Choices:
|
enable_log boolean | Enable/Disable logging for task. Choices:
|
forticloud_access_token string | Authenticate Ansible client with forticloud API access token. |
pblock string / required | The parameter (pblock) in requested url. |
pm_config_pblock_firewall_proxypolicy dictionary | The top level parameters set. |
|
_policy_block integer |
Assigned policy block. |
|
access_proxy aliases: access-proxy list / elements=string |
IPv4 access proxy. |
|
access_proxy6 aliases: access-proxy6 list / elements=string |
IPv6 access proxy. |
|
action string |
Accept or deny traffic matching the policy parameters. Choices:
|
|
application_list aliases: application-list list / elements=string |
Name of an existing Application list. |
|
av_profile aliases: av-profile list / elements=string |
Name of an existing Antivirus profile. |
|
block_notification aliases: block-notification string |
Enable/disable block notification. Choices:
|
|
casb_profile aliases: casb-profile list / elements=string |
Name of an existing CASB profile. |
|
cifs_profile aliases: cifs-profile list / elements=string |
Name of an existing CIFS profile. |
|
comments string |
Optional comments. |
|
decrypted_traffic_mirror aliases: decrypted-traffic-mirror list / elements=string |
Decrypted traffic mirror. |
|
detect_https_in_http_request aliases: detect-https-in-http-request string |
Enable/disable detection of HTTPS in HTTP request. Choices:
|
|
device_ownership aliases: device-ownership string |
When enabled, the ownership enforcement will be done at policy level. Choices:
|
|
diameter_filter_profile aliases: diameter-filter-profile list / elements=string |
Name of an existing Diameter filter profile. |
|
disclaimer string |
Web proxy disclaimer setting. Choices:
|
|
dlp_profile aliases: dlp-profile list / elements=string |
Name of an existing DLP profile. |
|
dlp_sensor aliases: dlp-sensor list / elements=string |
Name of an existing DLP sensor. |
|
dnsfilter_profile aliases: dnsfilter-profile list / elements=string |
Name of an existing DNS filter profile. |
|
dstaddr list / elements=string |
Destination address objects. |
|
dstaddr6 list / elements=string |
IPv6 destination address objects. |
|
dstaddr_negate aliases: dstaddr-negate string |
When enabled, destination addresses match against any address EXCEPT the specified destination addresses. Choices:
|
|
dstintf list / elements=string |
Destination interface names. |
|
emailfilter_profile aliases: emailfilter-profile list / elements=string |
Name of an existing email filter profile. |
|
file_filter_profile aliases: file-filter-profile list / elements=string |
Name of an existing file-filter profile. |
|
global_label aliases: global-label string |
Global web-based manager visible label. |
|
groups list / elements=string |
Names of group objects. |
|
http_tunnel_auth aliases: http-tunnel-auth string |
Enable/disable HTTP tunnel authentication. Choices:
|
|
https_sub_category aliases: https-sub-category string |
Enable/disable HTTPS sub-category policy matching. Choices:
|
|
icap_profile aliases: icap-profile list / elements=string |
Name of an existing ICAP profile. |
|
internet_service aliases: internet-service string |
Enable/disable use of Internet Services for this policy. Choices:
|
|
internet_service6 aliases: internet-service6 string |
Enable/disable use of Internet Services IPv6 for this policy. Choices:
|
|
internet_service6_custom aliases: internet-service6-custom list / elements=string |
Custom Internet Service IPv6 name. |
|
internet_service6_custom_group aliases: internet-service6-custom-group list / elements=string |
Custom Internet Service IPv6 group name. |
|
internet_service6_group aliases: internet-service6-group list / elements=string |
Internet Service IPv6 group name. |
|
internet_service6_name aliases: internet-service6-name list / elements=string |
Internet Service IPv6 name. |
|
internet_service6_negate aliases: internet-service6-negate string |
When enabled, Internet Services match against any internet service IPv6 EXCEPT the selected Internet Service IPv6. Choices:
|
|
internet_service_custom aliases: internet-service-custom list / elements=string |
Custom Internet Service name. |
|
internet_service_custom_group aliases: internet-service-custom-group list / elements=string |
Custom Internet Service group name. |
|
internet_service_group aliases: internet-service-group list / elements=string |
Internet Service group name. |
|
internet_service_id aliases: internet-service-id list / elements=string |
Internet Service ID. |
|
internet_service_name aliases: internet-service-name list / elements=string |
Internet Service name. |
|
internet_service_negate aliases: internet-service-negate string |
When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. Choices:
|
|
ips_sensor aliases: ips-sensor list / elements=string |
Name of an existing IPS sensor. |
|
ips_voip_filter aliases: ips-voip-filter list / elements=string |
Name of an existing VoIP |
|
isolator_server aliases: isolator-server list / elements=string |
Isolator server name. |
|
label string |
VDOM-specific GUI visible label. |
|
log_http_transaction aliases: log-http-transaction string |
Enable/disable HTTP transaction log. Choices:
|
|
logtraffic string |
Enable/disable logging traffic through the policy. Choices:
|
|
logtraffic_start aliases: logtraffic-start string |
Enable/disable policy log traffic start. Choices:
|
|
mms_profile aliases: mms-profile list / elements=string |
Name of an existing MMS profile. |
|
name string |
Policy name. |
|
policyid integer / required |
Policy ID. |
|
poolname list / elements=string |
Name of IP pool object. |
|
profile_group aliases: profile-group list / elements=string |
Name of profile group. |
|
profile_protocol_options aliases: profile-protocol-options list / elements=string |
Name of an existing Protocol options profile. |
|
profile_type aliases: profile-type string |
Determine whether the firewall policy allows security profile groups or single profiles only. Choices:
|
|
proxy string |
Type of explicit proxy. Choices:
|
|
redirect_url aliases: redirect-url string |
Redirect URL for further explicit web proxy processing. |
|
replacemsg_override_group aliases: replacemsg-override-group list / elements=string |
Authentication replacement message override group. |
|
schedule list / elements=string |
Name of schedule object. |
|
sctp_filter_profile aliases: sctp-filter-profile list / elements=string |
Name of an existing SCTP filter profile. |
|
service list / elements=string |
Name of service objects. |
|
service_negate aliases: service-negate string |
When enabled, services match against any service EXCEPT the specified destination services. Choices:
|
|
session_ttl aliases: session-ttl string |
TTL in seconds for sessions accepted by this policy. |
|
srcaddr list / elements=string |
Source address objects. |
|
srcaddr6 list / elements=string |
IPv6 source address objects. |
|
srcaddr_negate aliases: srcaddr-negate string |
When enabled, source addresses match against any address EXCEPT the specified source addresses. Choices:
|
|
srcintf list / elements=string |
Source interface names. |
|
ssh_filter_profile aliases: ssh-filter-profile list / elements=string |
Name of an existing SSH filter profile. |
|
ssh_policy_redirect aliases: ssh-policy-redirect string |
Redirect SSH traffic to matching transparent proxy policy. Choices:
|
|
ssl_ssh_profile aliases: ssl-ssh-profile list / elements=string |
Name of an existing SSL SSH profile. |
|
status string |
Enable/disable the active status of the policy. Choices:
|
|
telemetry_profile aliases: telemetry-profile list / elements=string |
Name of an existing telemetry profile. |
|
transparent string |
Enable to use the IP address of the client to connect to the server. Choices:
|
|
url_risk aliases: url-risk list / elements=string |
URL risk level name. |
|
users list / elements=string |
Names of user objects. |
|
utm_status aliases: utm-status string |
Enable the use of UTM profiles/sensors/lists. Choices:
|
|
uuid string |
Universally Unique Identifier. |
|
videofilter_profile aliases: videofilter-profile list / elements=string |
Name of an existing VideoFilter profile. |
|
virtual_patch_profile aliases: virtual-patch-profile list / elements=string |
Virtual patch profile. |
|
voip_profile aliases: voip-profile list / elements=string |
Name of an existing VoIP profile. |
|
waf_profile aliases: waf-profile list / elements=string |
Name of an existing Web application firewall profile. |
|
webcache string |
Enable/disable web caching. Choices:
|
|
webcache_https aliases: webcache-https string |
Enable/disable web caching for HTTPS. Choices:
|
|
webfilter_profile aliases: webfilter-profile list / elements=string |
Name of an existing Web filter profile. |
|
webproxy_forward_server aliases: webproxy-forward-server list / elements=string |
Web proxy forward server name. |
|
webproxy_profile aliases: webproxy-profile list / elements=string |
Name of web proxy profile. |
|
ztna_ems_tag aliases: ztna-ems-tag list / elements=string |
ZTNA EMS Tag names. |
|
ztna_ems_tag_negate aliases: ztna-ems-tag-negate string |
When enabled, ZTNA EMS tags match against any tag EXCEPT the specified ZTNA EMS tags. Choices:
|
|
ztna_proxy aliases: ztna-proxy list / elements=string |
IPv4 ZTNA traffic forward proxy. |
|
ztna_tags_match_logic aliases: ztna-tags-match-logic string |
ZTNA tag matching logic. Choices:
|
proposed_method string | The overridden method for the underlying Json RPC request. Choices:
|
rc_failed list / elements=integer | The rc codes list with which the conditions to fail will be overridden. |
rc_succeeded list / elements=integer | The rc codes list with which the conditions to succeed will be overridden. |
state string / required | The directive to create, update or delete an object. Choices:
|
workspace_locking_adom string | The adom to lock for FortiManager running in workspace mode, the value can be global and others including root. |
workspace_locking_timeout integer | The maximum time in seconds to wait for another user to release the workspace lock. Default: |
```yaml
- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    # Certificate verification is off here; set to true when the FortiManager certificate is trusted.
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure proxy policies.
      fortinet.fortimanager.fmgr_pm_config_pblock_firewall_proxypolicy:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        adom: <your own value>
        pblock: <your own value>
        state: present # <value in [present, absent]>
        pm_config_pblock_firewall_proxypolicy:
          policyid: 0 # Required variable, integer
          # _policy_block: <integer>
          # access_proxy: <list or string>
          # access_proxy6: <list or string>
          # action: <value in [accept, deny, redirect, ...]>
          # application_list: <list or string>
          # av_profile: <list or string>
          # block_notification: <value in [disable, enable]>
          # casb_profile: <list or string>
          # comments: <string>
          # decrypted_traffic_mirror: <list or string>
          # detect_https_in_http_request: <value in [disable, enable]>
          # device_ownership: <value in [disable, enable]>
          # disclaimer: <value in [disable, domain, policy, ...]>
          # dlp_profile: <list or string>
          # dnsfilter_profile: <list or string>
          # dstaddr: <list or string>
          # dstaddr_negate: <value in [disable, enable]>
          # dstaddr6: <list or string>
          # dstintf: <list or string>
          # emailfilter_profile: <list or string>
          # file_filter_profile: <list or string>
          # global_label: <string>
          # groups: <list or string>
          # http_tunnel_auth: <value in [disable, enable]>
          # icap_profile: <list or string>
          # internet_service: <value in [disable, enable]>
          # internet_service_custom: <list or string>
          # internet_service_custom_group: <list or string>
          # internet_service_group: <list or string>
          # internet_service_name: <list or string>
          # internet_service_negate: <value in [disable, enable]>
          # internet_service6: <value in [disable, enable]>
          # internet_service6_custom: <list or string>
          # internet_service6_custom_group: <list or string>
          # internet_service6_group: <list or string>
          # internet_service6_name: <list or string>
          # internet_service6_negate: <value in [disable, enable]>
          # ips_sensor: <list or string>
          # ips_voip_filter: <list or string>
          # label: <string>
          # log_http_transaction: <value in [disable, enable]>
          # logtraffic: <value in [disable, all, utm]>
          # logtraffic_start: <value in [disable, enable]>
          # name: <string>
          # poolname: <list or string>
          # profile_group: <list or string>
          # profile_protocol_options: <list or string>
          # profile_type: <value in [single, group]>
          # proxy: <value in [explicit-web, transparent-web, ftp, ...]>
          # redirect_url: <string>
          # replacemsg_override_group: <list or string>
          # schedule: <list or string>
          # sctp_filter_profile: <list or string>
          # service: <list or string>
          # service_negate: <value in [disable, enable]>
          # session_ttl: <string>
          # srcaddr: <list or string>
          # srcaddr_negate: <value in [disable, enable]>
          # srcaddr6: <list or string>
          # srcintf: <list or string>
          # ssh_filter_profile: <list or string>
          # ssh_policy_redirect: <value in [disable, enable]>
          # ssl_ssh_profile: <list or string>
          # status: <value in [disable, enable]>
          # transparent: <value in [disable, enable]>
          # users: <list or string>
          # utm_status: <value in [disable, enable]>
          # uuid: <string>
          # videofilter_profile: <list or string>
          # waf_profile: <list or string>
          # webcache: <value in [disable, enable]>
          # webcache_https: <value in [disable, enable]>
          # webfilter_profile: <list or string>
          # webproxy_forward_server: <list or string>
          # webproxy_profile: <list or string>
          # ztna_ems_tag: <list or string>
          # ztna_proxy: <list or string>
          # ztna_tags_match_logic: <value in [or, and]>
          # diameter_filter_profile: <list or string>
          # virtual_patch_profile: <list or string>
          # voip_profile: <list or string>
          # dlp_sensor: <list or string>
          # cifs_profile: <list or string>
          # internet_service_id: <list or string>
          # mms_profile: <list or string>
          # isolator_server: <list or string>
          # url_risk: <list or string>
          # ztna_ems_tag_negate: <value in [disable, enable]>
          # https_sub_category: <value in [disable, enable]>
          # telemetry_profile: <list or string>
```
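A filled-in variant of the generated playbook above, as an added example that is not part of the collection's own documentation: an explicit web proxy policy that accepts traffic only with security profiles attached and full logging, authenticating with `access_token` and with certificate verification on. The ADOM `root`, policy block `pb_web`, policy ID, interface, address, service, schedule and profile names, and the `fmg_api_token` variable are constructed placeholders assumed to already exist in the target ADOM or inventory.

```yaml
# Added example: ADOM, policy block, object/profile names and
# fmg_api_token are constructed placeholders, not values from the module docs.
- name: Explicit web proxy policy with inspection and logging
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true  # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Allow inspected, logged web access for corporate clients
      fortinet.fortimanager.fmgr_pm_config_pblock_firewall_proxypolicy:
        # Token authentication instead of username/password; assumed to be
        # supplied from an encrypted variable store such as Ansible Vault.
        access_token: "{{ fmg_api_token }}"
        # Only relevant when FortiManager runs in workspace mode.
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        pblock: pb_web
        state: present
        pm_config_pblock_firewall_proxypolicy:
          policyid: 10
          name: corp-web-inspected
          comments: Managed by Ansible
          proxy: explicit-web
          status: enable
          action: accept
          dstintf: [port1]
          srcaddr: [corp_clients]
          dstaddr: [all]
          service: [webproxy]
          schedule: [always]
          # Inspection: individual profiles rather than a profile group.
          utm_status: enable
          profile_type: single
          ssl_ssh_profile: [corp-inspection]
          av_profile: [corp-av]
          webfilter_profile: [corp-webfilter]
          # Logging: record all sessions plus per-request HTTP transactions.
          logtraffic: all
          log_http_transaction: enable
```

Leaving `bypass_validation` unset keeps the module's parameter validation active, so a misspelled key or an unsupported choice fails the task before anything is sent to FortiManager.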
Common return values are documented here; the following are the fields unique to this module:
Key | Description |
|---|---|
meta dictionary | The result of the request. Returned: always |
|
request_url string |
The full url requested. Returned: always Sample: |
|
response_code integer |
The status of api request. Returned: always Sample: |
|
response_data list / elements=string |
The api response. Returned: always |
|
response_message string |
The descriptive message of the api response. Returned: always Sample: |
|
system_information dictionary |
The information of the target system. Returned: always |
rc integer | The status of the request. Returned: always Sample: |
version_check_warning list / elements=string | Warning if the parameters used in the playbook are not supported by the current FortiManager version. Returned: complex |
© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortimanager/fmgr_pm_config_pblock_firewall_proxypolicy_module.html