fortios_firewall_profile_protocol_options – Configure protocol options in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to configure firewall feature and profile_protocol_options category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
firewall_profile_protocol_options
-
|
Default: null
|
Configure protocol options.
|
||
|
comment
-
|
Optional comments.
|
|||
|
dns
-
|
Configure DNS protocol options.
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 53).
|
|||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
ftp
-
|
Configure FTP protocol options.
|
|||
|
comfort-amount
-
|
Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1).
|
|||
|
comfort-interval
-
|
Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).
|
|||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 21).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
http
-
|
Configure HTTP protocol options.
|
|||
|
block-page-status-code
-
|
Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599, default = 403).
|
|||
|
comfort-amount
-
|
Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1).
|
|||
|
comfort-interval
-
|
Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).
|
|||
|
fortinet-bar
-
|
|
Enable/disable Fortinet bar on HTML content.
|
||
|
fortinet-bar-port
-
|
Port for use by Fortinet Bar (1 - 65535, default = 8011).
|
|||
|
http-policy
-
|
|
Enable/disable HTTP policy check.
|
||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 80).
|
|||
|
post-lang
-
|
|
ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).
|
||
|
range-block
-
|
|
Enable/disable blocking of partial downloads.
|
||
|
retry-count
-
|
Number of attempts to retry HTTP connection (0 - 100, default = 0).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
streaming-content-bypass
-
|
|
Enable/disable bypassing of streaming content from buffering.
|
||
|
strip-x-forwarded-for
-
|
|
Enable/disable stripping of HTTP X-Forwarded-For header.
|
||
|
switching-protocols
-
|
|
Bypass from scanning, or block a connection that attempts to switch protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
imap
-
|
Configure IMAP protocol options.
|
|||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 143).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
mail-signature
-
|
Configure Mail signature.
|
|||
|
signature
-
|
Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).
|
|||
|
status
-
|
|
Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.
|
||
|
mapi
-
|
Configure MAPI protocol options.
|
|||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 135).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
name
-
/ required
|
Name.
|
|||
|
nntp
-
|
Configure NNTP protocol options.
|
|||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 119).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
oversize-log
-
|
|
Enable/disable logging for antivirus oversize file blocking.
|
||
|
pop3
-
|
Configure POP3 protocol options.
|
|||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 110).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
replacemsg-group
-
|
Name of the replacement message group to be used Source system.replacemsg-group.name.
|
|||
|
rpc-over-http
-
|
|
Enable/disable inspection of RPC over HTTP.
|
||
|
smtp
-
|
Configure SMTP protocol options.
|
|||
|
inspect-all
-
|
|
Enable/disable the inspection of all ports for the protocol.
|
||
|
options
-
|
|
One or more options that can be applied to the session.
|
||
|
oversize-limit
-
|
Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).
|
|||
|
ports
-
|
Ports to scan for content (1 - 65535, default = 25).
|
|||
|
scan-bzip2
-
|
|
Enable/disable scanning of BZip2 compressed files.
|
||
|
server-busy
-
|
|
Enable/disable SMTP server busy when server not available.
|
||
|
status
-
|
|
Enable/disable the active status of scanning for this protocol.
|
||
|
uncompressed-nest-limit
-
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).
|
|||
|
uncompressed-oversize-limit
-
|
Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).
|
|||
|
state
-
|
|
Indicates whether to create or remove the object
|
||
|
switching-protocols-log
-
|
|
Enable/disable logging for HTTP/HTTPS switching protocols.
|
||
|
host
-
/ required
|
FortiOS or FortiGate ip address.
|
|||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
|||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure protocol options.
fortios_firewall_profile_protocol_options:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
firewall_profile_protocol_options:
state: "present"
comment: "Optional comments."
dns:
ports: "5"
status: "enable"
ftp:
comfort-amount: "8"
comfort-interval: "9"
inspect-all: "enable"
options: "clientcomfort"
oversize-limit: "12"
ports: "13"
scan-bzip2: "enable"
status: "enable"
uncompressed-nest-limit: "16"
uncompressed-oversize-limit: "17"
http:
block-page-status-code: "19"
comfort-amount: "20"
comfort-interval: "21"
fortinet-bar: "enable"
fortinet-bar-port: "23"
http-policy: "disable"
inspect-all: "enable"
options: "clientcomfort"
oversize-limit: "27"
ports: "28"
post-lang: "jisx0201"
range-block: "disable"
retry-count: "31"
scan-bzip2: "enable"
status: "enable"
streaming-content-bypass: "enable"
strip-x-forwarded-for: "disable"
switching-protocols: "bypass"
uncompressed-nest-limit: "37"
uncompressed-oversize-limit: "38"
imap:
inspect-all: "enable"
options: "fragmail"
oversize-limit: "42"
ports: "43"
scan-bzip2: "enable"
status: "enable"
uncompressed-nest-limit: "46"
uncompressed-oversize-limit: "47"
mail-signature:
signature: "<your_own_value>"
status: "disable"
mapi:
options: "fragmail"
oversize-limit: "53"
ports: "54"
scan-bzip2: "enable"
status: "enable"
uncompressed-nest-limit: "57"
uncompressed-oversize-limit: "58"
name: "default_name_59"
nntp:
inspect-all: "enable"
options: "oversize"
oversize-limit: "63"
ports: "64"
scan-bzip2: "enable"
status: "enable"
uncompressed-nest-limit: "67"
uncompressed-oversize-limit: "68"
oversize-log: "disable"
pop3:
inspect-all: "enable"
options: "fragmail"
oversize-limit: "73"
ports: "74"
scan-bzip2: "enable"
status: "enable"
uncompressed-nest-limit: "77"
uncompressed-oversize-limit: "78"
replacemsg-group: "<your_own_value> (source system.replacemsg-group.name)"
rpc-over-http: "enable"
smtp:
inspect-all: "enable"
options: "fragmail"
oversize-limit: "84"
ports: "85"
scan-bzip2: "enable"
server-busy: "enable"
status: "enable"
uncompressed-nest-limit: "89"
uncompressed-oversize-limit: "90"
switching-protocols-log: "disable"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]