Note
This module is part of the fortinet.fortios collection (version 2.4.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios. You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_ztna_web_proxy.
New in fortinet.fortios 2.0.0
The below requirements are needed on the host that executes this module.
Parameter | Comments |
|---|---|
access_token string | Token-based authentication. Generated from GUI of Fortigate. |
enable_log boolean | Enable/Disable logging for task. Choices:
|
member_path string | Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
member_state string | Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
state string / required | Indicates whether to create or remove the object. Choices:
|
vdom string | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
ztna_web_proxy dictionary | Configure ZTNA web-proxy. |
|
api_gateway list / elements=dictionary |
Set IPv4 API Gateway. |
|
h2_support string |
HTTP2 support, default=Enable. Choices:
|
|
h3_support string |
HTTP3/QUIC support, default=Disable. Choices:
|
|
http_cookie_age integer |
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. |
|
http_cookie_domain string |
Domain that HTTP cookie persistence should apply to. |
|
http_cookie_domain_from_host string |
Enable/disable use of HTTP cookie domain from host field in HTTP. Choices:
|
|
http_cookie_generation integer |
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
|
http_cookie_path string |
Limit HTTP cookie persistence to the specified path. |
|
string |
Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Choices:
|
|
https_cookie_secure string |
Enable/disable verification that inserted HTTPS cookies are secure. Choices:
|
|
id integer / required |
API Gateway ID. see <a href=’#notes’>Notes</a>. |
|
ldb_method string |
Method used to distribute sessions to real servers. Choices:
|
|
persistence string |
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Choices:
|
|
quic dictionary |
QUIC setting. |
|
ack_delay_exponent integer |
ACK delay exponent (1 - 20). |
|
active_connection_id_limit integer |
Active connection ID limit (1 - 8). |
|
active_migration string |
Enable/disable active migration . Choices:
|
|
grease_quic_bit string |
Enable/disable grease QUIC bit . Choices:
|
|
max_ack_delay integer |
Maximum ACK delay in milliseconds (1 - 16383). |
|
max_datagram_frame_size integer |
Maximum datagram frame size in bytes (1 - 1500). |
|
max_idle_timeout integer |
Maximum idle timeout milliseconds (1 - 60000). |
|
max_udp_payload_size integer |
Maximum UDP payload size in bytes (1200 - 1500). |
|
realservers list / elements=dictionary |
Select the real servers that this Access Proxy will distribute traffic to. |
|
addr_type string |
Type of address. Choices:
|
|
address string |
Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name. |
|
health_check string |
Enable to check the responsiveness of the real server before forwarding traffic. Choices:
|
|
health_check_proto string |
Protocol of the health check monitor to use when polling to determine server”s connectivity status. Choices:
|
|
holddown_interval string |
Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). Choices:
|
|
http_host string |
HTTP server domain name in HTTP header. |
|
id integer / required |
Real server ID. see <a href=’#notes’>Notes</a>. |
|
ip string |
IP address of the real server. |
|
port integer |
Port for communicating with the real server. |
|
status string |
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. Choices:
|
|
translate_host string |
Enable/disable translation of hostname/IP from virtual server to real server. Choices:
|
|
weight integer |
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
|
service string |
Service. Choices:
|
|
ssl_algorithm string |
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Choices:
|
|
ssl_cipher_suites list / elements=dictionary |
SSL/TLS cipher suites to offer to a server, ordered by priority. |
|
cipher string |
Cipher suite name. Choices:
|
|
priority integer / required |
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
versions list / elements=string |
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
ssl_dh_bits string |
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Choices:
|
|
ssl_max_version string |
Highest SSL/TLS version acceptable from a server. Choices:
|
|
ssl_min_version string |
Lowest SSL/TLS version acceptable from a server. Choices:
|
|
ssl_renegotiation string |
Enable/disable secure renegotiation to comply with RFC 5746. Choices:
|
|
url_map string |
URL pattern to match. |
|
url_map_type string |
Type of url-map. Choices:
|
|
api_gateway6 list / elements=dictionary |
Set IPv6 API Gateway. |
|
h2_support string |
HTTP2 support, default=Enable. Choices:
|
|
h3_support string |
HTTP3/QUIC support, default=Disable. Choices:
|
|
http_cookie_age integer |
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. |
|
http_cookie_domain string |
Domain that HTTP cookie persistence should apply to. |
|
http_cookie_domain_from_host string |
Enable/disable use of HTTP cookie domain from host field in HTTP. Choices:
|
|
http_cookie_generation integer |
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
|
http_cookie_path string |
Limit HTTP cookie persistence to the specified path. |
|
string |
Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Choices:
|
|
https_cookie_secure string |
Enable/disable verification that inserted HTTPS cookies are secure. Choices:
|
|
id integer / required |
API Gateway ID. see <a href=’#notes’>Notes</a>. |
|
ldb_method string |
Method used to distribute sessions to real servers. Choices:
|
|
persistence string |
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Choices:
|
|
quic dictionary |
QUIC setting. |
|
ack_delay_exponent integer |
ACK delay exponent (1 - 20). |
|
active_connection_id_limit integer |
Active connection ID limit (1 - 8). |
|
active_migration string |
Enable/disable active migration . Choices:
|
|
grease_quic_bit string |
Enable/disable grease QUIC bit . Choices:
|
|
max_ack_delay integer |
Maximum ACK delay in milliseconds (1 - 16383). |
|
max_datagram_frame_size integer |
Maximum datagram frame size in bytes (1 - 1500). |
|
max_idle_timeout integer |
Maximum idle timeout milliseconds (1 - 60000). |
|
max_udp_payload_size integer |
Maximum UDP payload size in bytes (1200 - 1500). |
|
realservers list / elements=dictionary |
Select the real servers that this Access Proxy will distribute traffic to. |
|
addr_type string |
Type of address. Choices:
|
|
address string |
Address or address group of the real server. Source firewall.address6.name firewall.addrgrp6.name. |
|
health_check string |
Enable to check the responsiveness of the real server before forwarding traffic. Choices:
|
|
health_check_proto string |
Protocol of the health check monitor to use when polling to determine server”s connectivity status. Choices:
|
|
holddown_interval string |
Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). Choices:
|
|
http_host string |
HTTP server domain name in HTTP header. |
|
id integer / required |
Real server ID. see <a href=’#notes’>Notes</a>. |
|
ip string |
IPv6 address of the real server. |
|
port integer |
Port for communicating with the real server. |
|
status string |
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. Choices:
|
|
translate_host string |
Enable/disable translation of hostname/IP from virtual server to real server. Choices:
|
|
weight integer |
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
|
service string |
Service. Choices:
|
|
ssl_algorithm string |
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Choices:
|
|
ssl_cipher_suites list / elements=dictionary |
SSL/TLS cipher suites to offer to a server, ordered by priority. |
|
cipher string |
Cipher suite name. Choices:
|
|
priority integer / required |
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
versions list / elements=string |
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
ssl_dh_bits string |
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Choices:
|
|
ssl_max_version string |
Highest SSL/TLS version acceptable from a server. Choices:
|
|
ssl_min_version string |
Lowest SSL/TLS version acceptable from a server. Choices:
|
|
ssl_renegotiation string |
Enable/disable secure renegotiation to comply with RFC 5746. Choices:
|
|
url_map string |
URL pattern to match. |
|
url_map_type string |
Type of url-map. Choices:
|
|
auth_portal string |
Enable/disable authentication portal. Choices:
|
|
auth_virtual_host string |
Virtual host for authentication portal. Source firewall.access-proxy-virtual-host.name. |
|
decrypted_traffic_mirror string |
Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name. |
|
host string |
Virtual or real host name. Source firewall.access-proxy-virtual-host.name. |
|
log_blocked_traffic string |
Enable/disable logging of blocked traffic. Choices:
|
|
name string / required |
ZTNA proxy name. |
|
svr_pool_multiplex string |
Enable/disable server pool multiplexing. Share connected server in HTTP and HTTPS api-gateways. Choices:
|
|
svr_pool_server_max_concurrent_request integer |
Maximum number of concurrent requests that servers in the server pool could handle . |
|
svr_pool_server_max_request integer |
Maximum number of requests that servers in the server pool handle before disconnecting . |
|
svr_pool_ttl integer |
Time-to-live in the server pool for idle connections to servers. |
|
vip string |
Virtual IP name. Source firewall.vip.name. |
|
vip6 string |
Virtual IPv6 name. Source firewall.vip6.name. |
Note
- name: Configure ZTNA web-proxy.
fortinet.fortios.fortios_ztna_web_proxy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
ztna_web_proxy:
api_gateway:
-
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "13"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "32"
ip: "<your_own_value>"
port: "443"
status: "active"
translate_host: "enable"
weight: "1"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
url_map: "<your_own_value>"
url_map_type: "sub-string"
api_gateway6:
-
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "60"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "79"
ip: "<your_own_value>"
port: "443"
status: "active"
translate_host: "enable"
weight: "1"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
url_map: "<your_own_value>"
url_map_type: "sub-string"
auth_portal: "disable"
auth_virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
host: "myhostname (source firewall.access-proxy-virtual-host.name)"
log_blocked_traffic: "disable"
name: "default_name_102"
svr_pool_multiplex: "enable"
svr_pool_server_max_concurrent_request: "0"
svr_pool_server_max_request: "0"
svr_pool_ttl: "15"
vip: "<your_own_value> (source firewall.vip.name)"
vip6: "<your_own_value> (source firewall.vip6.name)"
Common return values are documented here, the following are the fields unique to this module:
Key | Description |
|---|---|
build string | Build number of the fortigate image Returned: always Sample: |
http_method string | Last method used to provision the content into FortiGate Returned: always Sample: |
http_status string | Last result given by FortiGate on last operation applied Returned: always Sample: |
mkey string | Master key (id) used in the last call to FortiGate Returned: success Sample: |
name string | Name of the table used to fulfill the request Returned: always Sample: |
path string | Path of the table used to fulfill the request Returned: always Sample: |
revision string | Internal revision number Returned: always Sample: |
serial string | Serial number of the unit Returned: always Sample: |
status string | Indication of the operation’s result Returned: always Sample: |
vdom string | Virtual domain used Returned: always Sample: |
version string | Version of the FortiGate Returned: always Sample: |
© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_ztna_web_proxy_module.html