Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_access_proxy
.
New in version 2.10: of fortinet.fortios
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments | |||
---|---|---|---|---|---|
access_token string | Token-based authentication. Generated from GUI of Fortigate. | ||||
enable_log boolean |
| Enable/Disable logging for task. | |||
firewall_access_proxy dictionary | Configure Access Proxy. | ||||
api_gateway list / elements=string | Set API Gateway. | ||||
http_cookie_age integer | Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. | ||||
http_cookie_domain string | Domain that HTTP cookie persistence should apply to. | ||||
http_cookie_domain_from_host string |
| Enable/disable use of HTTP cookie domain from host field in HTTP. | |||
http_cookie_generation integer | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | ||||
http_cookie_path string | Limit HTTP cookie persistence to the specified path. | ||||
http_cookie_share string |
| Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. | |||
https_cookie_secure string |
| Enable/disable verification that inserted HTTPS cookies are secure. | |||
id integer / required | API Gateway ID. | ||||
ldb_method string |
| Method used to distribute sessions to real servers. | |||
persistence string |
| Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. | |||
realservers list / elements=string | Select the real servers that this Access Proxy will distribute traffic to. | ||||
address string | Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name. | ||||
health_check string |
| Enable to check the responsiveness of the real server before forwarding traffic. | |||
health_check_proto string |
| Protocol of the health check monitor to use when polling to determine server"s connectivity status. | |||
http_host string | HTTP server domain name in HTTP header. | ||||
id integer / required | Real server ID. | ||||
ip string | IP address of the real server. | ||||
mappedport string | Port for communicating with the real server. | ||||
port integer | Port for communicating with the real server. | ||||
status string |
| Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | |||
weight integer | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | ||||
saml_server string | SAML service provider configuration for VIP authentication. Source user.saml.name. | ||||
service string |
| Service. | |||
ssl_algorithm string |
| Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. | |||
ssl_cipher_suites list / elements=string | SSL/TLS cipher suites to offer to a server, ordered by priority. | ||||
cipher string |
| Cipher suite name. | |||
priority integer / required | SSL/TLS cipher suites priority. | ||||
versions string |
| SSL/TLS versions that the cipher suite can be used with. | |||
ssl_dh_bits string |
| Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. | |||
ssl_max_version string |
| Highest SSL/TLS version acceptable from a server. | |||
ssl_min_version string |
| Lowest SSL/TLS version acceptable from a server. | |||
url_map string | URL pattern to match. | ||||
url_map_type string |
| Type of url-map. | |||
virtual_host string | Virtual host. Source firewall.access-proxy-virtual-host.name. | ||||
client_cert string |
| Enable/disable to request client certificate. | |||
empty_cert_action string |
| Action of an empty client certificate. | |||
ldb_method string |
| Method used to distribute sessions to SSL real servers. | |||
name string / required | Access Proxy name. | ||||
realservers list / elements=string | Select the SSL real servers that this Access Proxy will distribute traffic to. | ||||
id integer / required | Real server ID. | ||||
ip string | IP address of the real server. | ||||
port integer | Port for communicating with the real server. | ||||
status string |
| Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | |||
weight integer | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | ||||
server_pubkey_auth string |
| Enable/disable SSH real server public key authentication. | |||
server_pubkey_auth_settings dictionary | Server SSH public key authentication settings. | ||||
auth_ca string | Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name. | ||||
cert_extension list / elements=string | Configure certificate extension for user certificate. | ||||
critical string |
| Critical option. | |||
data string | Name of certificate extension. | ||||
name string / required | Name of certificate extension. | ||||
type string |
| Type of certificate extension. | |||
permit_agent_forwarding string |
| Enable/disable appending permit-agent-forwarding certificate extension. | |||
permit_port_forwarding string |
| Enable/disable appending permit-port-forwarding certificate extension. | |||
permit_pty string |
| Enable/disable appending permit-pty certificate extension. | |||
permit_user_rc string |
| Enable/disable appending permit-user-rc certificate extension. | |||
permit_x11_forwarding string |
| Enable/disable appending permit-x11-forwarding certificate extension. | |||
source_address string |
| Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address. | |||
vip string | Virtual IP name. Source firewall.vip.name. | ||||
state string / required |
| Indicates whether to create or remove the object. | |||
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Note
- hosts: fortigates collections: - fortinet.fortios connection: httpapi vars: vdom: "root" ansible_httpapi_use_ssl: yes ansible_httpapi_validate_certs: no ansible_httpapi_port: 443 tasks: - name: Configure Access Proxy. fortios_firewall_access_proxy: vdom: "{{ vdom }}" state: "present" access_token: "<your_own_value>" firewall_access_proxy: api_gateway: - http_cookie_age: "4" http_cookie_domain: "<your_own_value>" http_cookie_domain_from_host: "disable" http_cookie_generation: "7" http_cookie_path: "<your_own_value>" http_cookie_share: "disable" https_cookie_secure: "disable" id: "11" ldb_method: "static" persistence: "none" realservers: - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)" health_check: "disable" health_check_proto: "ping" http_host: "myhostname" id: "19" ip: "<your_own_value>" mappedport: "<your_own_value>" port: "22" status: "active" weight: "24" saml_server: "<your_own_value> (source user.saml.name)" service: "http" ssl_algorithm: "high" ssl_cipher_suites: - cipher: "TLS-AES-128-GCM-SHA256" priority: "30" versions: "tls-1.0" ssl_dh_bits: "768" ssl_max_version: "tls-1.0" ssl_min_version: "tls-1.0" url_map: "<your_own_value>" url_map_type: "sub-string" virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)" client_cert: "disable" empty_cert_action: "accept" ldb_method: "static" name: "default_name_41" realservers: - id: "43" ip: "<your_own_value>" port: "45" status: "active" weight: "47" server_pubkey_auth: "disable" server_pubkey_auth_settings: auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)" cert_extension: - critical: "no" data: "<your_own_value>" name: "default_name_54" type: "fixed" permit_agent_forwarding: "enable" permit_port_forwarding: "enable" permit_pty: "enable" permit_user_rc: "enable" permit_x11_forwarding: "enable" source_address: "enable" vip: "<your_own_value> (source firewall.vip.name)"
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_access_proxy_module.html