Note
This plugin is part of the fortinet.fortios collection.
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_policy.
New in version 2.8: of fortinet.fortios
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| firewall_policy dictionary | Configure IPv4 policies. | |||
| action string |
| Policy action (allow/deny/ipsec). | ||
| app_category list / elements=string | Application category ID list. | |||
| id integer / required | Category IDs. | |||
| app_group list / elements=string | Application group names. | |||
| name string / required | Application group names. Source application.group.name. | |||
| application list / elements=string | Application ID list. | |||
| id integer / required | Application IDs. | |||
| application_list string | Name of an existing Application list. Source application.list.name. | |||
| auth_cert string | HTTPS server certificate for policy authentication. Source vpn.certificate.local.name. | |||
| auth_path string |
| Enable/disable authentication-based routing. | ||
| auth_redirect_addr string | HTTP-to-HTTPS redirect address for firewall authentication. | |||
| av_profile string | Name of an existing Antivirus profile. Source antivirus.profile.name. | |||
| block_notification string |
| Enable/disable block notification. | ||
| captive_portal_exempt string |
| Enable to exempt some users from the captive portal. | ||
| capture_packet string |
| Enable/disable capture packets. | ||
| comments string | Comment. | |||
| custom_log_fields list / elements=string | Custom fields to append to log messages for this policy. | |||
| field_id string | Custom log field. Source log.custom-field.id. | |||
| delay_tcp_npu_session string |
| Enable TCP NPU session delay to guarantee packet order of 3-way handshake. | ||
| devices list / elements=string | Names of devices or device groups that can be matched by the policy. | |||
| name string / required | Device or group name. Source user.device.alias user.device-group.name user.device-category.name. | |||
| diffserv_forward string |
| Enable to change packet"s DiffServ values to the specified diffservcode-forward value. | ||
| diffserv_reverse string |
| Enable to change packet"s reverse (reply) DiffServ values to the specified diffservcode-rev value. | ||
| diffservcode_forward string | Change packet"s DiffServ to this value. | |||
| diffservcode_rev string | Change packet"s reverse (reply) DiffServ to this value. | |||
| disclaimer string |
| Enable/disable user authentication disclaimer. | ||
| dlp_sensor string | Name of an existing DLP sensor. Source dlp.sensor.name. | |||
| dnsfilter_profile string | Name of an existing DNS filter profile. Source dnsfilter.profile.name. | |||
| dscp_match string |
| Enable DSCP check. | ||
| dscp_negate string |
| Enable negated DSCP match. | ||
| dscp_value string | DSCP value. | |||
| dsri string |
| Enable DSRI to ignore HTTP server responses. | ||
| dstaddr list / elements=string | Destination address and address group names. | |||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name. | |||
| dstaddr_negate string |
| When enabled dstaddr specifies what the destination address must NOT be. | ||
| dstintf list / elements=string | Outgoing (egress) interface. | |||
| name string / required | Interface name. Source system.interface.name system.zone.name. | |||
| firewall_session_dirty string |
| How to handle sessions if the configuration of this firewall policy changes. | ||
| fixedport string |
| Enable to prevent source NAT from changing a session"s source port. | ||
| fsso string |
| Enable/disable Fortinet Single Sign-On. | ||
| fsso_agent_for_ntlm string | FSSO agent to use for NTLM authentication. Source user.fsso.name. | |||
| global_label string | Label for the policy that appears when the GUI is in Global View mode. | |||
| groups list / elements=string | Names of user groups that can authenticate with this policy. | |||
| name string / required | Group name. Source user.group.name. | |||
| icap_profile string | Name of an existing ICAP profile. Source icap.profile.name. | |||
| identity_based_route string | Name of identity-based routing rule. Source firewall.identity-based-route.name. | |||
| inbound string |
| Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. | ||
| internet_service string |
| Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. | ||
| internet_service_custom list / elements=string | Custom Internet Service name. | |||
| name string / required | Custom Internet Service name. Source firewall.internet-service-custom.name. | |||
| internet_service_id list / elements=string | Internet Service ID. | |||
| id integer / required | Internet Service ID. Source firewall.internet-service.id. | |||
| internet_service_negate string |
| When enabled internet-service specifies what the service must NOT be. | ||
| internet_service_src string |
| Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. | ||
| internet_service_src_custom list / elements=string | Custom Internet Service source name. | |||
| name string / required | Custom Internet Service name. Source firewall.internet-service-custom.name. | |||
| internet_service_src_id list / elements=string | Internet Service source ID. | |||
| id integer / required | Internet Service ID. Source firewall.internet-service.id. | |||
| internet_service_src_negate string |
| When enabled internet-service-src specifies what the service must NOT be. | ||
| ippool string |
| Enable to use IP Pools for source NAT. | ||
| ips_sensor string | Name of an existing IPS sensor. Source ips.sensor.name. | |||
| label string | Label for the policy that appears when the GUI is in Section View mode. | |||
| learning_mode string |
| Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. | ||
| logtraffic string |
| Enable or disable logging. Log all sessions or security profile sessions. | ||
| logtraffic_start string |
| Record logs when a session starts and ends. | ||
| match_vip string |
| Enable to match packets that have had their destination addresses changed by a VIP. | ||
| name string | Policy name. | |||
| nat string |
| Enable/disable source NAT. | ||
| natinbound string |
| Policy-based IPsec VPN: apply destination NAT to inbound traffic. | ||
| natip string | Policy-based IPsec VPN: source NAT IP address for outgoing traffic. | |||
| natoutbound string |
| Policy-based IPsec VPN: apply source NAT to outbound traffic. | ||
| ntlm string |
| Enable/disable NTLM authentication. | ||
| ntlm_enabled_browsers list / elements=string | HTTP-User-Agent value of supported browsers. | |||
| user_agent_string string | User agent string. | |||
| ntlm_guest string |
| Enable/disable NTLM guest user access. | ||
| outbound string |
| Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. | ||
| per_ip_shaper string | Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name. | |||
| permit_any_host string |
| Accept UDP packets from any host. | ||
| permit_stun_host string |
| Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. | ||
| policyid integer / required | Policy ID. | |||
| poolname list / elements=string | IP Pool names. | |||
| name string / required | IP pool name. Source firewall.ippool.name. | |||
| profile_group string | Name of profile group. Source firewall.profile-group.name. | |||
| profile_protocol_options string | Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. | |||
| profile_type string |
| Determine whether the firewall policy allows security profile groups or single profiles only. | ||
| radius_mac_auth_bypass string |
| Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. | ||
| redirect_url string | URL users are directed to after seeing and accepting the disclaimer or authenticating. | |||
| replacemsg_override_group string | Override the default replacement message group for this policy. Source system.replacemsg-group.name. | |||
| rsso string |
| Enable/disable RADIUS single sign-on (RSSO). | ||
| rtp_addr list / elements=string | Address names if this is an RTP NAT policy. | |||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | |||
| rtp_nat string |
| Enable Real Time Protocol (RTP) NAT. | ||
| scan_botnet_connections string |
| Block or monitor connections to Botnet servers or disable Botnet scanning. | ||
| schedule string | Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. | |||
| schedule_timeout string |
| Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. | ||
| send_deny_packet string |
| Enable to send a reply when a session is denied or blocked by a firewall policy. | ||
| service list / elements=string | Service and service group names. | |||
| name string / required | Service and service group names. Source firewall.service.custom.name firewall.service.group.name. | |||
| service_negate string |
| When enabled service specifies what the service must NOT be. | ||
| session_ttl integer | TTL in seconds for sessions accepted by this policy (0 means use the system ). | |||
| spamfilter_profile string | Name of an existing Spam filter profile. Source spamfilter.profile.name. | |||
| srcaddr list / elements=string | Source address and address group names. | |||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | |||
| srcaddr_negate string |
| When enabled srcaddr specifies what the source address must NOT be. | ||
| srcintf list / elements=string | Incoming (ingress) interface. | |||
| name string / required | Interface name. Source system.interface.name system.zone.name. | |||
| ssh_filter_profile string | Name of an existing SSH filter profile. Source ssh-filter.profile.name. | |||
| ssl_mirror string |
| Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). | ||
| ssl_mirror_intf list / elements=string | SSL mirror interface name. | |||
| name string / required | Mirror Interface name. Source system.interface.name system.zone.name. | |||
| ssl_ssh_profile string | Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. | |||
| state string |
| Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. | ||
| status string |
| Enable or disable this policy. | ||
| tcp_mss_receiver integer | Receiver TCP maximum segment size (MSS). | |||
| tcp_mss_sender integer | Sender TCP maximum segment size (MSS). | |||
| tcp_session_without_syn string |
| Enable/disable creation of TCP session without SYN flag. | ||
| timeout_send_rst string |
| Enable/disable sending RST packets when TCP sessions expire. | ||
| traffic_shaper string | Traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
| traffic_shaper_reverse string | Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name. | |||
| url_category list / elements=string | URL category ID list. | |||
| id integer / required | URL category ID. | |||
| users list / elements=string | Names of individual users that can authenticate with this policy. | |||
| name string / required | Names of individual users that can authenticate with this policy. Source user.local.name. | |||
| utm_status string |
| Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. | ||
| uuid string | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | |||
| vlan_cos_fwd integer | VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. | |||
| vlan_cos_rev integer | VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.. | |||
| vlan_filter string | Set VLAN filters. | |||
| voip_profile string | Name of an existing VoIP profile. Source voip.profile.name. | |||
| vpntunnel string | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name. | |||
| waf_profile string | Name of an existing Web application firewall profile. Source waf.profile.name. | |||
| wanopt string |
| Enable/disable WAN optimization. | ||
| wanopt_detection string |
| WAN optimization auto-detection mode. | ||
| wanopt_passive_opt string |
| WAN optimization passive mode options. This option decides what IP address will be used to connect server. | ||
| wanopt_peer string | WAN optimization peer. Source wanopt.peer.peer-host-id. | |||
| wanopt_profile string | WAN optimization profile. Source wanopt.profile.name. | |||
| wccp string |
| Enable/disable forwarding traffic matching this policy to a configured WCCP server. | ||
| webcache string |
| Enable/disable web cache. | ||
| webcache_https string |
| Enable/disable web cache for HTTPS. | ||
| webfilter_profile string | Name of an existing Web filter profile. Source webfilter.profile.name. | |||
| wsso string |
| Enable/disable WiFi Single Sign On (WSSO). | ||
| host string | FortiOS or FortiGate IP address. | |||
| https boolean |
| Indicates if the requests towards FortiGate must use HTTPS protocol. | ||
| password string | Default: "" | FortiOS or FortiGate password. | ||
| ssl_verify boolean added in 2.9 of fortinet.fortios |
| Ensures FortiGate certificate must be verified by a proper CA. | ||
| state string added in 2.9 of fortinet.fortios |
| Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. | ||
| username string | FortiOS or FortiGate username. | |||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | ||
Note
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure IPv4 policies.
fortios_firewall_policy:
vdom: "{{ vdom }}"
state: "present"
firewall_policy:
action: "accept"
app_category:
-
id: "5"
app_group:
-
name: "default_name_7 (source application.group.name)"
application:
-
id: "9"
application_list: "<your_own_value> (source application.list.name)"
auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
auth_path: "enable"
auth_redirect_addr: "<your_own_value>"
av_profile: "<your_own_value> (source antivirus.profile.name)"
block_notification: "enable"
captive_portal_exempt: "enable"
capture_packet: "enable"
comments: "<your_own_value>"
custom_log_fields:
-
field_id: "<your_own_value> (source log.custom-field.id)"
delay_tcp_npu_session: "enable"
devices:
-
name: "default_name_23 (source user.device.alias user.device-group.name user.device-category.name)"
diffserv_forward: "enable"
diffserv_reverse: "enable"
diffservcode_forward: "<your_own_value>"
diffservcode_rev: "<your_own_value>"
disclaimer: "enable"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
dscp_match: "enable"
dscp_negate: "enable"
dscp_value: "<your_own_value>"
dsri: "enable"
dstaddr:
-
name: "default_name_36 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name)"
dstaddr_negate: "enable"
dstintf:
-
name: "default_name_39 (source system.interface.name system.zone.name)"
firewall_session_dirty: "check-all"
fixedport: "enable"
fsso: "enable"
fsso_agent_for_ntlm: "<your_own_value> (source user.fsso.name)"
global_label: "<your_own_value>"
groups:
-
name: "default_name_46 (source user.group.name)"
icap_profile: "<your_own_value> (source icap.profile.name)"
identity_based_route: "<your_own_value> (source firewall.identity-based-route.name)"
inbound: "enable"
internet_service: "enable"
internet_service_custom:
-
name: "default_name_52 (source firewall.internet-service-custom.name)"
internet_service_id:
-
id: "54 (source firewall.internet-service.id)"
internet_service_negate: "enable"
internet_service_src: "enable"
internet_service_src_custom:
-
name: "default_name_58 (source firewall.internet-service-custom.name)"
internet_service_src_id:
-
id: "60 (source firewall.internet-service.id)"
internet_service_src_negate: "enable"
ippool: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
learning_mode: "enable"
logtraffic: "all"
logtraffic_start: "enable"
match_vip: "enable"
name: "default_name_69"
nat: "enable"
natinbound: "enable"
natip: "<your_own_value>"
natoutbound: "enable"
ntlm: "enable"
ntlm_enabled_browsers:
-
user_agent_string: "<your_own_value>"
ntlm_guest: "enable"
outbound: "enable"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
permit_any_host: "enable"
permit_stun_host: "enable"
policyid: "82"
poolname:
-
name: "default_name_84 (source firewall.ippool.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
radius_mac_auth_bypass: "enable"
redirect_url: "<your_own_value>"
replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
rsso: "enable"
rtp_addr:
-
name: "default_name_93 (source firewall.address.name firewall.addrgrp.name)"
rtp_nat: "disable"
scan_botnet_connections: "disable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
schedule_timeout: "enable"
send_deny_packet: "disable"
service:
-
name: "default_name_100 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "102"
spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_105 (source firewall.address.name firewall.addrgrp.name)"
srcaddr_negate: "enable"
srcintf:
-
name: "default_name_108 (source system.interface.name system.zone.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl_mirror: "enable"
ssl_mirror_intf:
-
name: "default_name_112 (source system.interface.name system.zone.name)"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
tcp_mss_receiver: "115"
tcp_mss_sender: "116"
tcp_session_without_syn: "all"
timeout_send_rst: "enable"
traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
url_category:
-
id: "122"
users:
-
name: "default_name_124 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
vlan_cos_fwd: "127"
vlan_cos_rev: "128"
vlan_filter: "<your_own_value>"
voip_profile: "<your_own_value> (source voip.profile.name)"
vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
waf_profile: "<your_own_value> (source waf.profile.name)"
wanopt: "enable"
wanopt_detection: "active"
wanopt_passive_opt: "default"
wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
wccp: "enable"
webcache: "enable"
webcache_https: "disable"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
wsso: "enable"
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_firewall_policy_module.html