Documentation

fortios_ipv4_policy - Manage IPv4 policy objects on Fortinet FortiOS firewall devices

New in version 2.3.

Synopsis

  • This module provides management of firewall IPv4 policies on FortiOS devices.

Options

parameter required default choices comments
application_list
no
Specifies Application Control name.
av_profile
no
Specifies Antivirus profile name.
backup
no
  • yes
  • no
This argument will cause the module to create a backup of the current running-config from the remote device before any changes are made. The backup file is written to the i(backup) folder.
backup_filename
no
Specifies the backup filename. If omitted filename will be formated like [email protected]:MM:SS
backup_path
no
Specifies where to store backup files. Required if backup=yes.
comment
no
free text to describe policy.
config_file
(added in 2.4)
no
Path to configuration file. Required when file_mode is True.
dst_addr
no
Specifies destination address (or group) object name(s). Required when state=present.
dst_addr_negate
no
  • true
  • false
Negate destination address param.
dst_intf
no any
Specifies destination interface name.
file_mode
(added in 2.4)
no
  • yes
  • no
Don't connect to any device, only use config_file as input and Output.
fixedport
no
  • true
  • false
Use fixed port for nat.
host
no
Specifies the DNS hostname or IP address for connecting to the remote fortios device. Required when file_mode is False.
id
yes
Policy ID. Warning: policy ID number is different than Policy sequence number. The policy ID is the number assigned at policy creation. The sequence number represents the order in which the Fortigate will evaluate the rule for policy enforcement, and also the order in which rules are listed in the GUI and CLI. These two numbers do not necessarily correlate: this module is based off policy ID. TIP: policy ID can be viewed in the GUI by adding 'ID' to the display columns
ips_sensor
no
Specifies IPS Sensor profile name.
logtraffic
(added in 2.4)
no utm
  • disable
  • utm
  • all
Logs sessions that matched policy.
logtraffic_start
(added in 2.4)
no
  • true
  • false
Logs begining of session as well.
nat
no
  • true
  • false
Enable or disable Nat.
password
no
Specifies the password used to authenticate to the remote device. Required when file_mode is True.
policy_action
no
  • accept
  • deny
Specifies accept or deny action policy. Required when state=present.

aliases: action
poolname
no
Specifies NAT pool name.
schedule
no always
defines policy schedule.
service
no
Specifies policy service(s), could be a list (ex: ['MAIL','DNS']). Required when state=present.

aliases: services
service_negate
no
  • true
  • false
Negate policy service(s) defined in service value.
src_addr
no
Specifies source address (or group) object name(s). Required when state=present.
src_addr_negate
no
  • true
  • false
Negate source address param.
src_intf
no any
Specifies source interface name.
state
no present
  • present
  • absent
Specifies if policy id need to be added or deleted.
timeout
no 60
Timeout in seconds for connecting to the remote device.
username
no
Configures the username used to authenticate to the remote device. Required when file_mode is True.
vdom
no
Specifies on which vdom to apply configuration
webfilter_profile
no
Specifies Webfilter profile name.

Examples

- name: Allow external DNS call
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: internal_network
    dst_addr: all
    service: dns
    nat: True
    state: present
    policy_action: accept
    logtraffic: disable

- name: Public Web
  fortios_ipv4_policy:
    host: 192.168.0.254
    username: admin
    password: password
    id: 42
    src_addr: all
    dst_addr: webservers
    services:
      - http
      - https
    state: present
    policy_action: accept

Return Values

Common return values are documented here Return Values, the following are the fields unique to this module:

name description returned type sample
firewall_address_config full firewall adresses config string always string
change_string The commands executed by the module only if config changed string
msg_error_list List of errors returned by CLI (use -vvv for better readability). only when error string


Notes

Note

  • This module requires pyFG library.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Support

This module is community maintained without core committer oversight.

For more information on what this means please read Module Support

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.