fmgr_secprof_appctrl – Manage application control security profiles

New in version 2.8.

Synopsis

  • Manage application control security profiles within FortiManager

Parameters

Parameter Choices/Defaults Comments
adom
-
Default:
"root"
The ADOM the configuration should belong to.
app_replacemsg
-
    Choices:
  • disable
  • enable
Enable/disable replacement messages for blocked applications.
choice | disable | Disable replacement messages for blocked applications.
choice | enable | Enable replacement messages for blocked applications.
comment
-
comments
deep_app_inspection
-
    Choices:
  • disable
  • enable
Enable/disable deep application inspection.
choice | disable | Disable deep application inspection.
choice | enable | Enable deep application inspection.
entries
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, OMIT THE USE OF THIS PARAMETER
AND USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
entries_action
-
    Choices:
  • pass
  • block
  • reset
Pass or block traffic, or reset connection for traffic from this application.
choice | pass | Pass or allow matching traffic.
choice | block | Block or drop matching traffic.
choice | reset | Reset sessions for matching traffic.
entries_application
-
ID of allowed applications.
entries_behavior
-
Application behavior filter.
entries_category
-
Category ID list.
entries_log
-
    Choices:
  • disable
  • enable
Enable/disable logging for this application list.
choice | disable | Disable logging.
choice | enable | Enable logging.
entries_log_packet
-
    Choices:
  • disable
  • enable
Enable/disable packet logging.
choice | disable | Disable packet logging.
choice | enable | Enable packet logging.
entries_parameters_value
-
Parameter value.
entries_per_ip_shaper
-
Per-IP traffic shaper.
entries_popularity
-
    Choices:
  • 1
  • 2
  • 3
  • 4
  • 5
Application popularity filter (1 - 5, from least to most popular).
FLAG Based Options. Specify multiple in list form.
flag | 1 | Popularity level 1.
flag | 2 | Popularity level 2.
flag | 3 | Popularity level 3.
flag | 4 | Popularity level 4.
flag | 5 | Popularity level 5.
entries_protocols
-
Application protocol filter.
entries_quarantine
-
    Choices:
  • none
  • attacker
Quarantine method.
choice | none | Quarantine is disabled.
choice | attacker | Block all traffic sent from attacker's IP address.
The attacker's IP address is also added to the banned user list. The target's address is not affected.
entries_quarantine_expiry
-
Duration of quarantine. (Format
Requires quarantine set to attacker.
entries_quarantine_log
-
    Choices:
  • disable
  • enable
Enable/disable quarantine logging.
choice | disable | Disable quarantine logging.
choice | enable | Enable quarantine logging.
entries_rate_count
-
Count of the rate.
entries_rate_duration
-
Duration (sec) of the rate.
entries_rate_mode
-
    Choices:
  • periodical
  • continuous
Rate limit mode.
choice | periodical | Allow configured number of packets every rate-duration.
choice | continuous | Block packets once the rate is reached.
entries_rate_track
-
    Choices:
  • none
  • src-ip
  • dest-ip
  • dhcp-client-mac
  • dns-domain
Track the packet protocol field.
choice | none |
choice | src-ip | Source IP.
choice | dest-ip | Destination IP.
choice | dhcp-client-mac | DHCP client.
choice | dns-domain | DNS domain.
entries_risk
-
Risk, or impact, of allowing traffic from this application to occur 1 - 5;
(Low, Elevated, Medium, High, and Critical).
entries_session_ttl
-
Session TTL (0 = default).
entries_shaper
-
Traffic shaper.
entries_shaper_reverse
-
Reverse traffic shaper.
entries_sub_category
-
Application Sub-category ID list.
entries_technology
-
Application technology filter.
entries_vendor
-
Application vendor filter.
extended_log
-
    Choices:
  • disable
  • enable
Enable/disable extended logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
mode
-
    Choices:
  • add ←
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
-
List name.
options
-
    Choices:
  • allow-dns
  • allow-icmp
  • allow-http
  • allow-ssl
  • allow-quic
NO DESCRIPTION PARSED ENTER MANUALLY
FLAG Based Options. Specify multiple in list form.
flag | allow-dns | Allow DNS.
flag | allow-icmp | Allow ICMP.
flag | allow-http | Allow generic HTTP web browsing.
flag | allow-ssl | Allow generic SSL communication.
flag | allow-quic | Allow QUIC.
other_application_action
-
    Choices:
  • pass
  • block
Action for other applications.
choice | pass | Allow sessions matching an application in this application list.
choice | block | Block sessions matching an application in this application list.
other_application_log
-
    Choices:
  • disable
  • enable
Enable/disable logging for other applications.
choice | disable | Disable logging for other applications.
choice | enable | Enable logging for other applications.
p2p_black_list
-
    Choices:
  • skype
  • edonkey
  • bittorrent
NO DESCRIPTION PARSED ENTER MANUALLY
FLAG Based Options. Specify multiple in list form.
flag | skype | Skype.
flag | edonkey | Edonkey.
flag | bittorrent | Bit torrent.
replacemsg_group
-
Replacement message group.
unknown_application_action
-
    Choices:
  • pass
  • block
Pass or block traffic from unknown applications.
choice | pass | Pass or allow unknown applications.
choice | block | Drop or block unknown applications.
unknown_application_log
-
    Choices:
  • disable
  • enable
Enable/disable logging for unknown applications.
choice | disable | Disable logging for unknown applications.
choice | enable | Enable logging for unknown applications.

Notes

Examples

- name: DELETE Profile
  fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"
    entries: [{
              action: "block",
              log: "enable",
              log-packet: "enable",
              protocols: ["1"],
              quarantine: "attacker",
              quarantine-log: "enable",
              },
              {action: "pass",
              category: ["2","3","4"]},
            ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Status

Authors

  • Luke Weighall (@lweighall)

  • Andrew Welsh (@Ghilli3)

  • Jim Huber (@p4r4n0y1ng)

Hint

If you notice any issues in this documentation you can edit this document to improve it.