Note
This plugin is part of the fortinet.fortios collection.
To install it use: `ansible-galaxy collection install fortinet.fortios`.
To use it in a playbook, specify: `fortinet.fortios.fortios_firewall_vip6`.
New in version 2.8 of fortinet.fortios
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
firewall_vip6 dictionary | | Configure virtual IP for IPv6. |
arp_reply string | | Enable to respond to ARP requests for this virtual IP address. Enabled by default. |
color integer | | Color of icon on the GUI. |
comment string | | Comment. |
extip string | | IP address or address range on the external interface that you want to map to an address or address range on the destination network. |
extport string | | Incoming port number range that you want to map to a port number range on the destination network. |
http_cookie_age integer | | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. |
http_cookie_domain string | | Domain that HTTP cookie persistence should apply to. |
http_cookie_domain_from_host string | | Enable/disable use of HTTP cookie domain from host field in HTTP. |
http_cookie_generation integer | | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
http_cookie_path string | | Limit HTTP cookie persistence to the specified path. |
http_cookie_share string | | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. |
http_ip_header string | | For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. |
http_ip_header_name string | | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. |
http_multiplex string | | Enable/disable HTTP multiplexing. |
https_cookie_secure string | | Enable/disable verification that inserted HTTPS cookies are secure. |
id integer | | Custom defined ID. |
ldb_method string | | Method used to distribute sessions to real servers. |
mappedip string | | Mapped IP address range in the format startIP-endIP. |
mappedport string | | Port number range on the destination network to which the external port number range is mapped. |
max_embryonic_connections integer | | Maximum number of incomplete connections. |
monitor list / elements=string | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. |
name string / required | | Health monitor name. Source firewall.ldb-monitor.name. |
name string / required | | Virtual ip6 name. |
outlook_web_access string | | Enable to add the Front-End-Https header for Microsoft Outlook Web Access. |
persistence string | | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. |
portforward string | | Enable port forwarding. |
protocol string | | Protocol to use when forwarding packets. |
realservers list / elements=string | | Select the real servers that this server load balancing VIP will distribute traffic to. |
client_ip string | | Only clients in this IP range can connect to this real server. |
healthcheck string | | Enable to check the responsiveness of the real server before forwarding traffic. |
holddown_interval integer | | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. |
http_host string | | HTTP server domain name in HTTP header. |
id integer / required | | Real server ID. |
ip string | | IPv6 address of the real server. |
max_connections integer | | Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. |
monitor string | | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall.ldb-monitor.name. |
port integer | | Port for communicating with the real server. Required if port forwarding is enabled. |
status string | | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. |
weight integer | | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
server_type string | | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). |
src_filter list / elements=string | | Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. |
range string / required | | Source-filter range. |
ssl_algorithm string | | Permitted encryption algorithms for SSL sessions according to encryption strength. |
ssl_certificate string | | The name of the SSL certificate to use for SSL acceleration. Source vpn.certificate.local.name. |
ssl_cipher_suites list / elements=string | | SSL/TLS cipher suites acceptable from a client, ordered by priority. |
cipher string | | Cipher suite name. |
priority integer / required | | SSL/TLS cipher suites priority. |
versions string | | SSL/TLS versions that the cipher suite can be used with. |
ssl_client_fallback string | | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). |
ssl_client_renegotiation string | | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. |
ssl_client_session_state_max integer | | Maximum number of client to FortiGate SSL session states to keep. |
ssl_client_session_state_timeout integer | | Number of minutes to keep client to FortiGate SSL session state. |
ssl_client_session_state_type string | | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. |
ssl_dh_bits string | | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. |
ssl_hpkp string | | Enable/disable including HPKP header in response. |
ssl_hpkp_age integer | | Number of minutes the web browser should keep HPKP. |
ssl_hpkp_backup string | | Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
ssl_hpkp_include_subdomains string | | Indicate that HPKP header applies to all subdomains. |
ssl_hpkp_primary string | | Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. |
ssl_hpkp_report_uri string | | URL to report HPKP violations to. |
ssl_hsts string | | Enable/disable including HSTS header in response. |
ssl_hsts_age integer | | Number of seconds the client should honour the HSTS setting. |
ssl_hsts_include_subdomains string | | Indicate that HSTS header applies to all subdomains. |
ssl_http_location_conversion string | | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. |
ssl_http_match_host string | | Enable/disable HTTP host matching for location conversion. |
ssl_max_version string | | Highest SSL/TLS version acceptable from a client. |
ssl_min_version string | | Lowest SSL/TLS version acceptable from a client. |
ssl_mode string | | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). |
ssl_pfs string | | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. |
ssl_send_empty_frags string | | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. |
ssl_server_algorithm string | | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. |
ssl_server_cipher_suites list / elements=string | | SSL/TLS cipher suites to offer to a server, ordered by priority. |
cipher string | | Cipher suite name. |
priority integer / required | | SSL/TLS cipher suites priority. |
versions string | | SSL/TLS versions that the cipher suite can be used with. |
ssl_server_max_version string | | Highest SSL/TLS version acceptable from a server. Use the client setting by default. |
ssl_server_min_version string | | Lowest SSL/TLS version acceptable from a server. Use the client setting by default. |
ssl_server_session_state_max integer | | Maximum number of FortiGate to Server SSL session states to keep. |
ssl_server_session_state_timeout integer | | Number of minutes to keep FortiGate to Server SSL session state. |
ssl_server_session_state_type string | | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. |
state string | | Deprecated. Starting with Ansible 2.9, we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. |
type string | | Configure a static NAT or server load balance VIP. |
uuid string | | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
weblogic_server string | | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. |
websphere_server string | | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. |
host string | | FortiOS or FortiGate IP address. |
https boolean | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
password string | Default: "" | FortiOS or FortiGate password. |
ssl_verify boolean added in 2.9 of fortinet.fortios | | Ensures FortiGate certificate must be verified by a proper CA. |
state string added in 2.9 of fortinet.fortios | | Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. |
username string | | FortiOS or FortiGate username. |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
Note
```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure virtual IP for IPv6.
      fortios_firewall_vip6:
        vdom: "{{ vdom }}"
        state: "present"
        firewall_vip6:
          arp_reply: "disable"
          color: "4"
          comment: "Comment."
          extip: "<your_own_value>"
          extport: "<your_own_value>"
          http_cookie_age: "8"
          http_cookie_domain: "<your_own_value>"
          http_cookie_domain_from_host: "disable"
          http_cookie_generation: "11"
          http_cookie_path: "<your_own_value>"
          http_cookie_share: "disable"
          http_ip_header: "enable"
          http_ip_header_name: "<your_own_value>"
          http_multiplex: "enable"
          https_cookie_secure: "disable"
          id: "18"
          ldb_method: "static"
          mappedip: "<your_own_value>"
          mappedport: "<your_own_value>"
          max_embryonic_connections: "22"
          monitor:
            - name: "default_name_24 (source firewall.ldb-monitor.name)"
          name: "default_name_25"
          outlook_web_access: "disable"
          persistence: "none"
          portforward: "disable"
          protocol: "tcp"
          realservers:
            - client_ip: "<your_own_value>"
              healthcheck: "disable"
              holddown_interval: "33"
              http_host: "myhostname"
              id: "35"
              ip: "<your_own_value>"
              max_connections: "37"
              monitor: "<your_own_value> (source firewall.ldb-monitor.name)"
              port: "39"
              status: "active"
              weight: "41"
          server_type: "http"
          src_filter:
            - range: "<your_own_value>"
          ssl_algorithm: "high"
          ssl_certificate: "<your_own_value> (source vpn.certificate.local.name)"
          ssl_cipher_suites:
            - cipher: "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
              priority: "49"
              versions: "ssl-3.0"
          ssl_client_fallback: "disable"
          ssl_client_renegotiation: "allow"
          ssl_client_session_state_max: "53"
          ssl_client_session_state_timeout: "54"
          ssl_client_session_state_type: "disable"
          ssl_dh_bits: "768"
          ssl_hpkp: "disable"
          ssl_hpkp_age: "58"
          ssl_hpkp_backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_include_subdomains: "disable"
          ssl_hpkp_primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_report_uri: "<your_own_value>"
          ssl_hsts: "disable"
          ssl_hsts_age: "64"
          ssl_hsts_include_subdomains: "disable"
          ssl_http_location_conversion: "enable"
          ssl_http_match_host: "enable"
          ssl_max_version: "ssl-3.0"
          ssl_min_version: "ssl-3.0"
          ssl_mode: "half"
          ssl_pfs: "require"
          ssl_send_empty_frags: "enable"
          ssl_server_algorithm: "high"
          ssl_server_cipher_suites:
            - cipher: "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
              priority: "76"
              versions: "ssl-3.0"
          ssl_server_max_version: "ssl-3.0"
          ssl_server_min_version: "ssl-3.0"
          ssl_server_session_state_max: "80"
          ssl_server_session_state_timeout: "81"
          ssl_server_session_state_type: "disable"
          type: "static-nat"
          uuid: "<your_own_value>"
          weblogic_server: "disable"
          websphere_server: "disable"
```
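The example task above carries placeholder TLS values (`ssl-3.0`, a 768-bit DH group, certificate validation switched off) that should not reach a production playbook unchanged. The following pre-deployment check is an added example, not code from the fortinet.fortios collection: the function name `audit_vip6`, the 2048-bit threshold, and the `tls-1.0`/`tls-1.1`/`tls-1.2` value spellings are assumptions.

```python
# Added example (not part of the fortinet.fortios collection).
DEPRECATED = {"ssl-3.0", "tls-1.0", "tls-1.1"}  # tls-1.x spellings are assumed
MIN_DH_BITS = 2048                              # assumed policy threshold
VERSION_KEYS = ("ssl_min_version", "ssl_max_version",
                "ssl_server_min_version", "ssl_server_max_version")
SUITE_KEYS = ("ssl_cipher_suites", "ssl_server_cipher_suites")


def audit_vip6(vip6, play_vars=None):
    """Return (parameter, reason) findings for one firewall_vip6 dictionary."""
    findings = []
    for key in VERSION_KEYS:
        if vip6.get(key) in DEPRECATED:
            findings.append((key, "deprecated protocol " + vip6[key]))
    for key in SUITE_KEYS:
        for suite in vip6.get(key) or []:
            # 'versions' may name several versions separated by spaces (assumed).
            weak = DEPRECATED & set(str(suite.get("versions", "")).split())
            if weak:
                findings.append((key, "%s usable with %s"
                                 % (suite.get("cipher"), ", ".join(sorted(weak)))))
    dh_bits = vip6.get("ssl_dh_bits")
    if dh_bits is not None and int(dh_bits) < MIN_DH_BITS:
        findings.append(("ssl_dh_bits", "%s-bit DH group" % dh_bits))
    if vip6.get("ssl_client_fallback") == "disable":
        findings.append(("ssl_client_fallback", "RFC 7507 downgrade protection off"))
    if vip6.get("ssl_client_renegotiation") == "allow":
        findings.append(("ssl_client_renegotiation", "RFC 5746 not enforced"))
    # The play itself: the httpapi connection should verify the FortiGate certificate.
    validate = (play_vars or {}).get("ansible_httpapi_validate_certs", True)
    if str(validate).lower() in ("no", "false", "0"):
        findings.append(("ansible_httpapi_validate_certs", "certificate not verified"))
    return findings


# Constructed input: the TLS-related values from the example task on this page.
PAGE_SAMPLE = {
    "ssl_min_version": "ssl-3.0", "ssl_max_version": "ssl-3.0",
    "ssl_dh_bits": "768", "ssl_client_fallback": "disable",
    "ssl_client_renegotiation": "allow",
    "ssl_cipher_suites": [{"cipher": "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
                           "priority": "49", "versions": "ssl-3.0"}],
}
# Constructed input: the same keys with stricter values (tls-1.2 is an assumed choice).
HARDENED = dict(PAGE_SAMPLE, ssl_min_version="tls-1.2", ssl_max_version="tls-1.2",
                ssl_dh_bits="2048", ssl_client_fallback="enable",
                ssl_client_renegotiation="deny", ssl_cipher_suites=[
                    dict(PAGE_SAMPLE["ssl_cipher_suites"][0], versions="tls-1.2")])
```

Feed it the `firewall_vip6` dictionary and the play's `vars` after loading the playbook with a YAML parser; it checks values only and does not consider whether `server_type` and `ssl_mode` actually put the SSL settings into effect.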
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the FortiGate image. Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate. Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied. Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate. Sample: id |
name string | always | Name of the table used to fulfill the request. Sample: urlfilter |
path string | always | Path of the table used to fulfill the request. Sample: webfilter |
revision string | always | Internal revision number. Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result. Sample: success |
vdom string | always | Virtual domain used. Sample: root |
version string | always | Version of the FortiGate. Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_firewall_vip6_module.html