Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible
package. It is not included in ansible-core
. To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings
.
New in version 2.10: of fortinet.fortios
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments | |||
---|---|---|---|---|---|
access_token string | Token-based authentication. Generated from GUI of Fortigate. | ||||
enable_log boolean |
| Enable/Disable logging for task. | |||
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | |||
vpn_ssl_settings dictionary | Configure SSL VPN. | ||||
algorithm string |
| Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. | |||
auth_session_check_source_ip string |
| Enable/disable checking of source IP for authentication session. | |||
auth_timeout integer | SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). | ||||
authentication_rule list / elements=string | Authentication rule for SSL VPN. | ||||
auth string |
| SSL VPN authentication method restriction. | |||
cipher string |
| SSL VPN cipher strength. | |||
client_cert string |
| Enable/disable SSL VPN client certificate restrictive. | |||
groups list / elements=string | User groups. | ||||
name string / required | Group name. Source user.group.name. | ||||
id integer / required | ID (0 - 4294967295). | ||||
portal string | SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
realm string | SSL VPN realm. Source vpn.ssl.web.realm.url-path. | ||||
source_address list / elements=string | Source address of incoming traffic. | ||||
name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
source_address6 list / elements=string | IPv6 source address of incoming traffic. | ||||
name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
source_address_negate string |
| Enable/disable negated source address match. | |||
source_interface list / elements=string | SSL VPN source interface of incoming traffic. | ||||
name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
user_peer string | Name of user peer. Source user.peer.name. | ||||
users list / elements=string | User name. | ||||
name string / required | User name. Source user.local.name. | ||||
auto_tunnel_static_route string |
| Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. | |||
banned_cipher list / elements=string |
| Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. | |||
check_referer string |
| Enable/disable verification of referer field in HTTP request header. | |||
ciphersuite list / elements=string |
| Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. | |||
client_sigalgs string |
| Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. | |||
default_portal string | Default SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
deflate_compression_level integer | Compression level (0~9). | ||||
deflate_min_data_size integer | Minimum amount of data that triggers compression (200 - 65535 bytes). | ||||
dns_server1 string | DNS server 1. | ||||
dns_server2 string | DNS server 2. | ||||
dns_suffix string | DNS suffix used for SSL-VPN clients. | ||||
dtls_hello_timeout integer | SSLVPN maximum DTLS hello timeout (10 - 60 sec). | ||||
dtls_max_proto_ver string |
| DTLS maximum protocol version. | |||
dtls_min_proto_ver string |
| DTLS minimum protocol version. | |||
dtls_tunnel string |
| Enable DTLS to prevent eavesdropping, tampering, or message forgery. | |||
dual_stack_mode string |
| Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. | |||
encode_2f_sequence string |
| Encode 2F sequence to forward slash in URLs. | |||
encrypt_and_store_password string |
| Encrypt and store user passwords for SSL VPN web sessions. | |||
force_two_factor_auth string |
| Enable to force two-factor authentication for all SSL-VPNs. | |||
header_x_forwarded_for string |
| Forward the same, add, or remove HTTP header. | |||
hsts_include_subdomains string |
| Add HSTS includeSubDomains response header. | |||
http_compression string |
| Enable to allow HTTP compression over SSL-VPN tunnels. | |||
http_only_cookie string |
| Enable/disable SSL-VPN support for HttpOnly cookies. | |||
http_request_body_timeout integer | SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). | ||||
http_request_header_timeout integer | SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). | ||||
https_redirect string |
| Enable/disable redirect of port 80 to SSL-VPN port. | |||
idle_timeout integer | SSL VPN disconnects if idle for specified time in seconds. | ||||
ipv6_dns_server1 string | IPv6 DNS server 1. | ||||
ipv6_dns_server2 string | IPv6 DNS server 2. | ||||
ipv6_wins_server1 string | IPv6 WINS server 1. | ||||
ipv6_wins_server2 string | IPv6 WINS server 2. | ||||
login_attempt_limit integer | SSL VPN maximum login attempt times before block (0 - 10). | ||||
login_block_time integer | Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). | ||||
login_timeout integer | SSLVPN maximum login timeout (10 - 180 sec). | ||||
port integer | SSL-VPN access port (1 - 65535). | ||||
port_precedence string |
| Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. | |||
reqclientcert string |
| Enable to require client certificates for all SSL-VPN users. | |||
route_source_interface string |
| Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. | |||
servercert string | Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. | ||||
source_address list / elements=string | Source address of incoming traffic. | ||||
name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
source_address6 list / elements=string | IPv6 source address of incoming traffic. | ||||
name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
source_address_negate string |
| Enable/disable negated source address match. | |||
source_interface list / elements=string | SSL VPN source interface of incoming traffic. | ||||
name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
ssl_client_renegotiation string |
| Enable to allow client renegotiation by the server if the tunnel goes down. | |||
ssl_insert_empty_fragment string |
| Enable/disable insertion of empty fragment. | |||
ssl_max_proto_ver string |
| SSL maximum protocol version. | |||
ssl_min_proto_ver string |
| SSL minimum protocol version. | |||
tlsv1_0 string |
| Enable/disable TLSv1.0. | |||
tlsv1_1 string |
| Enable/disable TLSv1.1. | |||
tlsv1_2 string |
| Enable/disable TLSv1.2. | |||
tlsv1_3 string |
| tlsv1-3 | |||
transform_backward_slashes string |
| Transform backward slashes to forward slashes in URLs. | |||
tunnel_addr_assigned_method string |
| Method used for assigning address for tunnel. | |||
tunnel_connect_without_reauth string |
| Enable/disable tunnel connection without re-authorization if previous connection dropped. | |||
tunnel_ip_pools list / elements=string | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
tunnel_ipv6_pools list / elements=string | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
name string / required | Address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
tunnel_user_session_timeout integer | Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec). | ||||
unsafe_legacy_renegotiation string |
| Enable/disable unsafe legacy re-negotiation. | |||
url_obscuration string |
| Enable to obscure the host name of the URL of the web browser display. | |||
user_peer string | Name of user peer. Source user.peer.name. | ||||
wins_server1 string | WINS server 1. | ||||
wins_server2 string | WINS server 2. | ||||
x_content_type_options string |
| Add HTTP X-Content-Type-Options header. |
Note
- hosts: fortigates collections: - fortinet.fortios connection: httpapi vars: vdom: "root" ansible_httpapi_use_ssl: yes ansible_httpapi_validate_certs: no ansible_httpapi_port: 443 tasks: - name: Configure SSL VPN. fortios_vpn_ssl_settings: vdom: "{{ vdom }}" vpn_ssl_settings: algorithm: "high" auth_session_check_source_ip: "enable" auth_timeout: "5" authentication_rule: - auth: "any" cipher: "any" client_cert: "enable" groups: - name: "default_name_11 (source user.group.name)" id: "12" portal: "<your_own_value> (source vpn.ssl.web.portal.name)" realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)" source_address: - name: "default_name_16 (source firewall.address.name firewall.addrgrp.name)" source_address_negate: "enable" source_address6: - name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name)" source_address6_negate: "enable" source_interface: - name: "default_name_22 (source system.interface.name system.zone.name)" user_peer: "<your_own_value> (source user.peer.name)" users: - name: "default_name_25 (source user.local.name)" auto_tunnel_static_route: "enable" banned_cipher: "RSA" check_referer: "enable" ciphersuite: "TLS-AES-128-GCM-SHA256" client_sigalgs: "no-rsa-pss" default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)" deflate_compression_level: "32" deflate_min_data_size: "33" dns_server1: "<your_own_value>" dns_server2: "<your_own_value>" dns_suffix: "<your_own_value>" dtls_hello_timeout: "37" dtls_max_proto_ver: "dtls1-0" dtls_min_proto_ver: "dtls1-0" dtls_tunnel: "enable" dual_stack_mode: "enable" encode_2f_sequence: "enable" encrypt_and_store_password: "enable" force_two_factor_auth: "enable" header_x_forwarded_for: "pass" hsts_include_subdomains: "enable" http_compression: "enable" http_only_cookie: "enable" http_request_body_timeout: "49" http_request_header_timeout: "50" https_redirect: "enable" idle_timeout: "52" ipv6_dns_server1: "<your_own_value>" ipv6_dns_server2: "<your_own_value>" ipv6_wins_server1: "<your_own_value>" ipv6_wins_server2: "<your_own_value>" login_attempt_limit: "57" login_block_time: "58" login_timeout: "59" port: "60" port_precedence: "enable" reqclientcert: "enable" route_source_interface: "enable" servercert: "<your_own_value> (source vpn.certificate.local.name)" source_address: - name: "default_name_66 (source firewall.address.name firewall.addrgrp.name)" source_address_negate: "enable" source_address6: - name: "default_name_69 (source firewall.address6.name firewall.addrgrp6.name)" source_address6_negate: "enable" source_interface: - name: "default_name_72 (source system.interface.name system.zone.name)" ssl_client_renegotiation: "disable" ssl_insert_empty_fragment: "enable" ssl_max_proto_ver: "tls1-0" ssl_min_proto_ver: "tls1-0" tlsv1_0: "enable" tlsv1_1: "enable" tlsv1_2: "enable" tlsv1_3: "enable" transform_backward_slashes: "enable" tunnel_addr_assigned_method: "first-available" tunnel_connect_without_reauth: "enable" tunnel_ip_pools: - name: "default_name_85 (source firewall.address.name firewall.addrgrp.name)" tunnel_ipv6_pools: - name: "default_name_87 (source firewall.address6.name firewall.addrgrp6.name)" tunnel_user_session_timeout: "88" unsafe_legacy_renegotiation: "enable" url_obscuration: "enable" user_peer: "<your_own_value> (source user.peer.name)" wins_server1: "<your_own_value>" wins_server2: "<your_own_value>" x_content_type_options: "enable"
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_vpn_ssl_settings_module.html