Note: This plugin is part of the fortinet.fortios collection. To install it, use: `ansible-galaxy collection install fortinet.fortios`. To use it in a playbook, specify: `fortinet.fortios.fortios_system_settings`.

New in version 2.8 of fortinet.fortios.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| host (string) | | FortiOS or FortiGate IP address. |
| https (boolean) | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
| password (string) | Default: "" | FortiOS or FortiGate password. |
| ssl_verify (boolean), added in 2.9 of fortinet.fortios | | Ensures FortiGate certificate must be verified by a proper CA. |
| system_settings (dictionary) | | Configure VDOM settings. Sub-options are listed in the next table. |
| username (string) | | FortiOS or FortiGate username. |
| vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |

Sub-options of `system_settings`:

| Parameter | Comments |
|---|---|
| allow_subnet_overlap (string) | Enable/disable allowing interface subnets to use overlapping IP addresses. |
| asymroute (string) | Enable/disable IPv4 asymmetric routing. |
| asymroute6 (string) | Enable/disable asymmetric IPv6 routing. |
| asymroute6_icmp (string) | Enable/disable asymmetric ICMPv6 routing. |
| asymroute_icmp (string) | Enable/disable ICMP asymmetric routing. |
| bfd (string) | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. |
| bfd_desired_min_tx (integer) | BFD desired minimal transmit interval (1 - 100000 ms). |
| bfd_detect_mult (integer) | BFD detection multiplier (1 - 50). |
| bfd_dont_enforce_src_port (string) | Enable to not enforce verifying the source port of BFD packets. |
| bfd_required_min_rx (integer) | BFD required minimal receive interval (1 - 100000 ms). |
| block_land_attack (string) | Enable/disable blocking of land attacks. |
| central_nat (string) | Enable/disable central NAT. |
| comments (string) | VDOM comments. |
| compliance_check (string) | Enable/disable PCI DSS compliance checking. |
| default_voip_alg_mode (string) | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. |
| deny_tcp_with_icmp (string) | Enable/disable denying TCP by sending an ICMP communication prohibited packet. |
| device (string) | Interface to use for management access for NAT mode. Source system.interface.name. |
| dhcp6_server_ip (string) | DHCPv6 server IPv6 address. |
| dhcp_proxy (string) | Enable/disable the DHCP Proxy. |
| dhcp_server_ip (string) | DHCP Server IPv4 address. |
| discovered_device_timeout (integer) | Timeout for discovered devices (1 - 365 days). |
| ecmp_max_paths (integer) | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100). |
| email_portal_check_dns (string) | Enable/disable using DNS to validate email addresses collected by a captive portal. |
| firewall_session_dirty (string) | Select how to manage sessions affected by firewall policy configuration changes. |
| fw_session_hairpin (string) | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. |
| gateway (string) | Transparent mode IPv4 default gateway IP address. |
| gateway6 (string) | Transparent mode IPv6 default gateway IP address. |
| gui_advanced_policy (string) | Enable/disable advanced policy configuration on the GUI. |
| gui_allow_unnamed_policy (string) | Enable/disable the requirement for policy naming on the GUI. |
| gui_antivirus (string) | Enable/disable AntiVirus on the GUI. |
| gui_ap_profile (string) | Enable/disable FortiAP profiles on the GUI. |
| gui_application_control (string) | Enable/disable application control on the GUI. |
| gui_default_policy_columns (list / elements=string) | Default columns to display for policy lists on GUI. |
| name (string / required), sub-option of gui_default_policy_columns | Select column name. |
| gui_dhcp_advanced (string) | Enable/disable advanced DHCP options on the GUI. |
| gui_dlp (string) | Enable/disable DLP on the GUI. |
| gui_dns_database (string) | Enable/disable DNS database settings on the GUI. |
| gui_dnsfilter (string) | Enable/disable DNS Filtering on the GUI. |
| gui_domain_ip_reputation (string) | Enable/disable Domain and IP Reputation on the GUI. |
| gui_dos_policy (string) | Enable/disable DoS policies on the GUI. |
| gui_dynamic_profile_display (string) | Enable/disable RADIUS Single Sign On (RSSO) on the GUI. |
| gui_dynamic_routing (string) | Enable/disable dynamic routing on the GUI. |
| gui_email_collection (string) | Enable/disable email collection on the GUI. |
| gui_endpoint_control (string) | Enable/disable endpoint control on the GUI. |
| gui_endpoint_control_advanced (string) | Enable/disable advanced endpoint control options on the GUI. |
| gui_explicit_proxy (string) | Enable/disable the explicit proxy on the GUI. |
| gui_fortiap_split_tunneling (string) | Enable/disable FortiAP split tunneling on the GUI. |
| gui_fortiextender_controller (string) | Enable/disable FortiExtender on the GUI. |
| gui_icap (string) | Enable/disable ICAP on the GUI. |
| gui_implicit_policy (string) | Enable/disable implicit firewall policies on the GUI. |
| gui_ips (string) | Enable/disable IPS on the GUI. |
| gui_load_balance (string) | Enable/disable server load balancing on the GUI. |
| gui_local_in_policy (string) | Enable/disable Local-In policies on the GUI. |
| gui_local_reports (string) | Enable/disable local reports on the GUI. |
| gui_multicast_policy (string) | Enable/disable multicast firewall policies on the GUI. |
| gui_multiple_interface_policy (string) | Enable/disable adding multiple interfaces to a policy on the GUI. |
| gui_multiple_utm_profiles (string) | Enable/disable multiple UTM profiles on the GUI. |
| gui_nat46_64 (string) | Enable/disable NAT46 and NAT64 settings on the GUI. |
| gui_object_colors (string) | Enable/disable object colors on the GUI. |
| gui_policy_based_ipsec (string) | Enable/disable policy-based IPsec VPN on the GUI. |
| gui_policy_learning (string) | Enable/disable firewall policy learning mode on the GUI. |
| gui_replacement_message_groups (string) | Enable/disable replacement message groups on the GUI. |
| gui_spamfilter (string) | Enable/disable Antispam on the GUI. |
| gui_sslvpn_personal_bookmarks (string) | Enable/disable SSL-VPN personal bookmark management on the GUI. |
| gui_sslvpn_realms (string) | Enable/disable SSL-VPN realms on the GUI. |
| gui_switch_controller (string) | Enable/disable the switch controller on the GUI. |
| gui_threat_weight (string) | Enable/disable threat weight on the GUI. |
| gui_traffic_shaping (string) | Enable/disable traffic shaping on the GUI. |
| gui_voip_profile (string) | Enable/disable VoIP profiles on the GUI. |
| gui_vpn (string) | Enable/disable VPN tunnels on the GUI. |
| gui_waf_profile (string) | Enable/disable Web Application Firewall on the GUI. |
| gui_wan_load_balancing (string) | Enable/disable SD-WAN on the GUI. |
| gui_wanopt_cache (string) | Enable/disable WAN Optimization and Web Caching on the GUI. |
| gui_webfilter (string) | Enable/disable Web filtering on the GUI. |
| gui_webfilter_advanced (string) | Enable/disable advanced web filtering on the GUI. |
| gui_wireless_controller (string) | Enable/disable the wireless controller on the GUI. |
| http_external_dest (string) | Offload HTTP traffic to FortiWeb or FortiCache. |
| ike_dn_format (string) | Configure IKE ASN.1 Distinguished Name format conventions. |
| ike_quick_crash_detect (string) | Enable/disable IKE quick crash detection (RFC 6290). |
| ike_session_resume (string) | Enable/disable IKEv2 session resumption (RFC 5723). |
| implicit_allow_dns (string) | Enable/disable implicitly allowing DNS traffic. |
| inspection_mode (string) | Inspection mode (proxy-based or flow-based). |
| ip (string) | IP address and netmask. |
| ip6 (string) | IPv6 address prefix for NAT mode. |
| link_down_access (string) | Enable/disable link down access traffic. |
| lldp_transmission (string) | Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM. |
| mac_ttl (integer) | Duration of MAC addresses in Transparent mode (300 - 8640000 sec). |
| manageip (string) | Transparent mode IPv4 management IP address and netmask. |
| manageip6 (string) | Transparent mode IPv6 management IP address and netmask. |
| multicast_forward (string) | Enable/disable multicast forwarding. |
| multicast_skip_policy (string) | Enable/disable allowing multicast traffic through the FortiGate without a policy check. |
| multicast_ttl_notchange (string) | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. |
| ngfw_mode (string) | Next Generation Firewall (NGFW) mode. |
| opmode (string) | Firewall operation mode (NAT or Transparent). |
| sccp_port (integer) | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535). |
| ses_denied_traffic (string) | Enable/disable including denied sessions in the session table. |
| sip_helper (string) | Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG). |
| sip_nat_trace (string) | Enable/disable recording the original SIP source IP address when NAT is used. |
| sip_ssl_port (integer) | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535). |
| sip_tcp_port (integer) | TCP port the SIP proxy monitors for SIP traffic (0 - 65535). |
| sip_udp_port (integer) | UDP port the SIP proxy monitors for SIP traffic (0 - 65535). |
| snat_hairpin_traffic (string) | Enable/disable source NAT (SNAT) for hairpin traffic. |
| ssl_ssh_profile (string) | Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. |
| status (string) | Enable/disable this VDOM. |
| strict_src_check (string) | Enable/disable strict source verification. |
| tcp_session_without_syn (string) | Enable/disable allowing TCP sessions without SYN flags. |
| utf8_spam_tagging (string) | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. |
| v4_ecmp_mode (string) | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. |
| vpn_stats_log (string) | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. |
| vpn_stats_period (integer) | Period to send VPN log statistics (60 - 86400 sec). |
| wccp_cache_engine (string) | Enable/disable WCCP cache engine. |
Example playbook:

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure VDOM settings.
      fortios_system_settings:
        vdom: "{{ vdom }}"
        system_settings:
          allow_subnet_overlap: "enable"
          asymroute: "enable"
          asymroute_icmp: "enable"
          asymroute6: "enable"
          asymroute6_icmp: "enable"
          bfd: "enable"
          bfd_desired_min_tx: "9"
          bfd_detect_mult: "10"
          bfd_dont_enforce_src_port: "enable"
          bfd_required_min_rx: "12"
          block_land_attack: "disable"
          central_nat: "enable"
          comments: "<your_own_value>"
          compliance_check: "enable"
          default_voip_alg_mode: "proxy-based"
          deny_tcp_with_icmp: "enable"
          device: "<your_own_value> (source system.interface.name)"
          dhcp_proxy: "enable"
          dhcp_server_ip: "<your_own_value>"
          dhcp6_server_ip: "<your_own_value>"
          discovered_device_timeout: "23"
          ecmp_max_paths: "24"
          email_portal_check_dns: "disable"
          firewall_session_dirty: "check-all"
          fw_session_hairpin: "enable"
          gateway: "<your_own_value>"
          gateway6: "<your_own_value>"
          gui_advanced_policy: "enable"
          gui_allow_unnamed_policy: "enable"
          gui_antivirus: "enable"
          gui_ap_profile: "enable"
          gui_application_control: "enable"
          gui_default_policy_columns:
            - name: "default_name_36"
          gui_dhcp_advanced: "enable"
          gui_dlp: "enable"
          gui_dns_database: "enable"
          gui_dnsfilter: "enable"
          gui_domain_ip_reputation: "enable"
          gui_dos_policy: "enable"
          gui_dynamic_profile_display: "enable"
          gui_dynamic_routing: "enable"
          gui_email_collection: "enable"
          gui_endpoint_control: "enable"
          gui_endpoint_control_advanced: "enable"
          gui_explicit_proxy: "enable"
          gui_fortiap_split_tunneling: "enable"
          gui_fortiextender_controller: "enable"
          gui_icap: "enable"
          gui_implicit_policy: "enable"
          gui_ips: "enable"
          gui_load_balance: "enable"
          gui_local_in_policy: "enable"
          gui_local_reports: "enable"
          gui_multicast_policy: "enable"
          gui_multiple_interface_policy: "enable"
          gui_multiple_utm_profiles: "enable"
          gui_nat46_64: "enable"
          gui_object_colors: "enable"
          gui_policy_based_ipsec: "enable"
          gui_policy_learning: "enable"
          gui_replacement_message_groups: "enable"
          gui_spamfilter: "enable"
          gui_sslvpn_personal_bookmarks: "enable"
          gui_sslvpn_realms: "enable"
          gui_switch_controller: "enable"
          gui_threat_weight: "enable"
          gui_traffic_shaping: "enable"
          gui_voip_profile: "enable"
          gui_vpn: "enable"
          gui_waf_profile: "enable"
          gui_wan_load_balancing: "enable"
          gui_wanopt_cache: "enable"
          gui_webfilter: "enable"
          gui_webfilter_advanced: "enable"
          gui_wireless_controller: "enable"
          http_external_dest: "fortiweb"
          ike_dn_format: "with-space"
          ike_quick_crash_detect: "enable"
          ike_session_resume: "enable"
          implicit_allow_dns: "enable"
          inspection_mode: "proxy"
          ip: "<your_own_value>"
          ip6: "<your_own_value>"
          link_down_access: "enable"
          lldp_transmission: "enable"
          mac_ttl: "89"
          manageip: "<your_own_value>"
          manageip6: "<your_own_value>"
          multicast_forward: "enable"
          multicast_skip_policy: "enable"
          multicast_ttl_notchange: "enable"
          ngfw_mode: "profile-based"
          opmode: "nat"
          sccp_port: "97"
          ses_denied_traffic: "enable"
          sip_helper: "enable"
          sip_nat_trace: "enable"
          sip_ssl_port: "101"
          sip_tcp_port: "102"
          sip_udp_port: "103"
          snat_hairpin_traffic: "enable"
          ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
          status: "enable"
          strict_src_check: "enable"
          tcp_session_without_syn: "enable"
          utf8_spam_tagging: "enable"
          v4_ecmp_mode: "source-ip-based"
          vpn_stats_log: "ipsec"
          vpn_stats_period: "112"
          wccp_cache_engine: "enable"
```
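The reference play above exercises every option, and several of the values it picks (certificate validation off, `tcp_session_without_syn` on, `block_land_attack` off, asymmetric routing on) weaken the firewall's state tracking. The play below is an added example, not part of the module documentation: it applies only the session, routing and validation options from the parameter table, with their restrictive values, and then checks the module's documented `status` and `http_status` return fields. The register name `vdom_settings` is the example's own choice; the `fortigates` group is the one the page's example uses.

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Validate the FortiGate's TLS certificate instead of trusting any
    # certificate presented on port 443 (the reference play sets "no").
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
  tasks:
    - name: Apply restrictive VDOM session and routing settings
      fortios_system_settings:
        vdom: "{{ vdom }}"
        system_settings:
          # Drop LAND packets (identical source and destination address).
          block_land_attack: "enable"
          # A TCP session must start with a SYN; mid-stream pickup is refused.
          tcp_session_without_syn: "disable"
          # Strict source verification on the ingress interface.
          strict_src_check: "enable"
          # Symmetric routing keeps stateful inspection seeing both directions.
          asymroute: "disable"
          asymroute_icmp: "disable"
          asymroute6: "disable"
          asymroute6_icmp: "disable"
          # Multicast traffic still goes through the policy check.
          multicast_skip_policy: "disable"
          # Keep denied sessions in the session table for visibility.
          ses_denied_traffic: "enable"
          # Re-evaluate every existing session when a policy changes, so a
          # removed rule stops flows it previously allowed.
          firewall_session_dirty: "check-all"
          # Interfaces may not share overlapping subnets.
          allow_subnet_overlap: "disable"
      register: vdom_settings

    - name: Stop the play if the FortiGate did not accept the change
      assert:
        that:
          - vdom_settings.status == "success"
          - vdom_settings.http_status | string == "200"
        fail_msg: "FortiGate answered {{ vdom_settings.http_status }} for system settings"
```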
Common return values are documented in the general Ansible module documentation; the following fields are unique to this module:

| Key | Returned | Description | Sample |
|---|---|---|---|
| build (string) | always | Build number of the FortiGate image | 1547 |
| http_method (string) | always | Last method used to provision the content into FortiGate | PUT |
| http_status (string) | always | Last result given by FortiGate on last operation applied | 200 |
| mkey (string) | success | Master key (id) used in the last call to FortiGate | id |
| name (string) | always | Name of the table used to fulfill the request | urlfilter |
| path (string) | always | Path of the table used to fulfill the request | webfilter |
| revision (string) | always | Internal revision number | 17.0.2.10658 |
| serial (string) | always | Serial number of the unit | FGVMEVYYQT3AB5352 |
| status (string) | always | Indication of the operation's result | success |
| vdom (string) | always | Virtual domain used | root |
| version (string) | always | Version of the FortiGate | v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_system_settings_module.html