Note
This plugin is part of the fortinet.fortios collection.
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings.
New in version 2.8: of fortinet.fortios
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| host string | FortiOS or FortiGate IP address. | ||||
| https boolean |
| Indicates if the requests towards FortiGate must use HTTPS protocol. | |||
| password string | Default: "" | FortiOS or FortiGate password. | |||
| ssl_verify boolean added in 2.9 of fortinet.fortios |
| Ensures FortiGate certificate must be verified by a proper CA. | |||
| username string | FortiOS or FortiGate username. | ||||
| vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | |||
| vpn_ssl_settings dictionary | Configure SSL VPN. | ||||
| algorithm string |
| Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. | |||
| auth_timeout integer | SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). | ||||
| authentication_rule list / elements=string | Authentication rule for SSL VPN. | ||||
| auth string |
| SSL VPN authentication method restriction. | |||
| cipher string |
| SSL VPN cipher strength. | |||
| client_cert string |
| Enable/disable SSL VPN client certificate restrictive. | |||
| groups list / elements=string | User groups. | ||||
| name string / required | Group name. Source user.group.name. | ||||
| id integer / required | ID (0 - 4294967295). | ||||
| portal string | SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
| realm string | SSL VPN realm. Source vpn.ssl.web.realm.url-path. | ||||
| source_address list / elements=string | Source address of incoming traffic. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| source_address6 list / elements=string | IPv6 source address of incoming traffic. | ||||
| name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
| source_address_negate string |
| Enable/disable negated source address match. | |||
| source_interface list / elements=string | SSL VPN source interface of incoming traffic. | ||||
| name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
| users list / elements=string | User name. | ||||
| name string / required | User name. Source user.local.name. | ||||
| auto_tunnel_static_route string |
| Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. | |||
| banned_cipher list / elements=string |
| Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. | |||
| check_referer string |
| Enable/disable verification of referer field in HTTP request header. | |||
| default_portal string | Default SSL VPN portal. Source vpn.ssl.web.portal.name. | ||||
| deflate_compression_level integer | Compression level (0~9). | ||||
| deflate_min_data_size integer | Minimum amount of data that triggers compression (200 - 65535 bytes). | ||||
| dns_server1 string | DNS server 1. | ||||
| dns_server2 string | DNS server 2. | ||||
| dns_suffix string | DNS suffix used for SSL-VPN clients. | ||||
| dtls_hello_timeout integer | SSLVPN maximum DTLS hello timeout (10 - 60 sec). | ||||
| dtls_tunnel string |
| Enable DTLS to prevent eavesdropping, tampering, or message forgery. | |||
| force_two_factor_auth string |
| Enable to force two-factor authentication for all SSL-VPNs. | |||
| header_x_forwarded_for string |
| Forward the same, add, or remove HTTP header. | |||
| http_compression string |
| Enable to allow HTTP compression over SSL-VPN tunnels. | |||
| http_only_cookie string |
| Enable/disable SSL-VPN support for HttpOnly cookies. | |||
| http_request_body_timeout integer | SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). | ||||
| http_request_header_timeout integer | SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). | ||||
| https_redirect string |
| Enable/disable redirect of port 80 to SSL-VPN port. | |||
| idle_timeout integer | SSL VPN disconnects if idle for specified time in seconds. | ||||
| ipv6_dns_server1 string | IPv6 DNS server 1. | ||||
| ipv6_dns_server2 string | IPv6 DNS server 2. | ||||
| ipv6_wins_server1 string | IPv6 WINS server 1. | ||||
| ipv6_wins_server2 string | IPv6 WINS server 2. | ||||
| login_attempt_limit integer | SSL VPN maximum login attempt times before block (0 - 10). | ||||
| login_block_time integer | Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). | ||||
| login_timeout integer | SSLVPN maximum login timeout (10 - 180 sec). | ||||
| port integer | SSL-VPN access port (1 - 65535). | ||||
| port_precedence string |
| Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. | |||
| reqclientcert string |
| Enable to require client certificates for all SSL-VPN users. | |||
| route_source_interface string |
| Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. | |||
| servercert string | Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. | ||||
| source_address list / elements=string | Source address of incoming traffic. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| source_address6 list / elements=string | IPv6 source address of incoming traffic. | ||||
| name string / required | IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| source_address6_negate string |
| Enable/disable negated source IPv6 address match. | |||
| source_address_negate string |
| Enable/disable negated source address match. | |||
| source_interface list / elements=string | SSL VPN source interface of incoming traffic. | ||||
| name string / required | Interface name. Source system.interface.name system.zone.name. | ||||
| ssl_big_buffer string |
| Disable use of the big SSLv3 buffer feature to save memory and force higher security. | |||
| ssl_client_renegotiation string |
| Enable to allow client renegotiation by the server if the tunnel goes down. | |||
| ssl_insert_empty_fragment string |
| Enable/disable insertion of empty fragment. | |||
| sslv3 string |
| sslv3 | |||
| tlsv1_0 string |
| Enable/disable TLSv1.0. | |||
| tlsv1_1 string |
| Enable/disable TLSv1.1. | |||
| tlsv1_2 string |
| Enable/disable TLSv1.2. | |||
| tunnel_ip_pools list / elements=string | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
| name string / required | Address name. Source firewall.address.name firewall.addrgrp.name. | ||||
| tunnel_ipv6_pools list / elements=string | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. | ||||
| name string / required | Address name. Source firewall.address6.name firewall.addrgrp6.name. | ||||
| unsafe_legacy_renegotiation string |
| Enable/disable unsafe legacy re-negotiation. | |||
| url_obscuration string |
| Enable to obscure the host name of the URL of the web browser display. | |||
| wins_server1 string | WINS server 1. | ||||
| wins_server2 string | WINS server 2. | ||||
| x_content_type_options string |
| Add HTTP X-Content-Type-Options header. | |||
Note
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
vdom: "{{ vdom }}"
vpn_ssl_settings:
algorithm: "high"
auth_timeout: "4"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_10 (source user.group.name)"
id: "11"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_15 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_18 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_21 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_23 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
check_referer: "enable"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "28"
deflate_min_data_size: "29"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_hello_timeout: "33"
dtls_tunnel: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "39"
http_request_header_timeout: "40"
https_redirect: "enable"
idle_timeout: "42"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "47"
login_block_time: "48"
login_timeout: "49"
port: "50"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_56 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_62 (source system.interface.name system.zone.name)"
ssl_big_buffer: "enable"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
sslv3: "enable"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tunnel_ip_pools:
-
name: "default_name_71 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_73 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build string | always | Build number of the fortigate image Sample: 1547 |
| http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
| http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
| mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
| name string | always | Name of the table used to fulfill the request Sample: urlfilter |
| path string | always | Path of the table used to fulfill the request Sample: webfilter |
| revision string | always | Internal revision number Sample: 17.0.2.10658 |
| serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
| status string | always | Indication of the operation's result Sample: success |
| vdom string | always | Virtual domain used Sample: root |
| version string | always | Version of the FortiGate Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_vpn_ssl_settings_module.html