fortios_firewall_ssl_ssh_profile – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS device by letting the user manage the ssl_ssh_profile category of the firewall feature. The example below includes all options and must be adjusted to your data sources (certificate, address and FQDN object names) before use. Tested with FOS v6.0.2.

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Nested options are indented under the parameter that contains them. Choices, defaults and the required flag are given in parentheses after the parameter name; parameters without parentheses take a free-form value.

firewall_ssl_ssh_profile  (default: null)
    Configure SSL/SSH protocol options.

    caname
        CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
    comment
        Optional comments.
    ftps
        Configure FTPS options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        status  (choices: disable, deep-inspection)
            Configure protocol inspection status.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    https
        Configure HTTPS options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        status  (choices: disable, certificate-inspection, deep-inspection)
            Configure protocol inspection status.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    imaps
        Configure IMAPS options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        status  (choices: disable, deep-inspection)
            Configure protocol inspection status.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    mapi-over-https  (choices: enable, disable)
        Enable/disable inspection of MAPI over HTTPS.
    name  (required)
        Name.
    pop3s
        Configure POP3S options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        status  (choices: disable, deep-inspection)
            Configure protocol inspection status.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    rpc-over-https  (choices: enable, disable)
        Enable/disable inspection of RPC over HTTPS.
    server-cert
        Certificate used by SSL Inspection to replace the server certificate. Source vpn.certificate.local.name.
    server-cert-mode  (choices: re-sign, replace)
        Re-sign or replace the server's certificate.
    smtps
        Configure SMTPS options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        status  (choices: disable, deep-inspection)
            Configure protocol inspection status.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    ssh
        Configure SSH options.
        inspect-all  (choices: disable, deep-inspection)
            Level of SSL inspection.
        ports
            Ports to use for scanning (1 - 65535, default = 443).
        ssh-algorithm  (choices: compatible, high-encryption)
            Relative strength of encryption algorithms accepted during negotiation.
        ssh-policy-check  (choices: disable, enable)
            Enable/disable SSH policy check.
        ssh-tun-policy-check  (choices: disable, enable)
            Enable/disable SSH tunnel policy check.
        status  (choices: disable, deep-inspection)
            Configure protocol inspection status.
        unsupported-version  (choices: bypass, block)
            Action based on SSH version being unsupported.
    ssl
        Configure SSL options.
        allow-invalid-server-cert  (choices: enable, disable)
            When enabled, allows SSL sessions whose server certificate validation failed.
        client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request.
        inspect-all  (choices: disable, certificate-inspection, deep-inspection)
            Level of SSL inspection.
        unsupported-ssl  (choices: bypass, inspect, block)
            Action based on the SSL encryption used being unsupported.
        untrusted-cert  (choices: allow, block, ignore)
            Allow, ignore, or block the untrusted SSL session server certificate.
    ssl-anomalies-log  (choices: disable, enable)
        Enable/disable logging SSL anomalies.
    ssl-exempt
        Servers to exempt from SSL inspection (a list of entries with the fields below).
        address
            IPv4 address object. Source firewall.address.name firewall.addrgrp.name.
        address6
            IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name.
        fortiguard-category
            FortiGuard category ID.
        id  (required)
            ID number.
        regex
            Exempt servers by regular expression.
        type  (choices: fortiguard-category, address, address6, wildcard-fqdn, regex)
            Type of address object (IPv4 or IPv6) or FortiGuard category.
        wildcard-fqdn
            Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name.
    ssl-exemptions-log  (choices: disable, enable)
        Enable/disable logging SSL exemptions.
    ssl-server
        SSL servers (a list of entries with the fields below).
        ftps-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during the FTPS handshake.
        https-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during the HTTPS handshake.
        id  (required)
            SSL server ID.
        imaps-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during the IMAPS handshake.
        ip
            IPv4 address of the SSL server.
        pop3s-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during the POP3S handshake.
        smtps-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during the SMTPS handshake.
        ssl-other-client-cert-request  (choices: bypass, inspect, block)
            Action based on client certificate request during an SSL protocol handshake.
    state  (choices: present, absent)
        Indicates whether to create or remove the object.
    untrusted-caname
        Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
    use-ssl-server  (choices: disable, enable)
        Enable/disable the use of the SSL server table for SSL offloading.
    whitelist  (choices: enable, disable)
        Enable/disable exempting servers by FortiGuard whitelist.
host  (required)
    FortiOS or FortiGate IP address.
https  (boolean; choices: no, yes; default: yes)
    Indicates whether requests towards the FortiGate must use the HTTPS protocol.
password  (default: "")
    FortiOS or FortiGate password.
username  (required)
    FortiOS or FortiGate username.
vdom  (default: "root")
    Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

  • Requires fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure SSL/SSH protocol options.
    fortios_firewall_ssl_ssh_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      firewall_ssl_ssh_profile:
        state: "present"
        caname: "<your_own_value> (source vpn.certificate.local.name)"
        comment: "Optional comments."
        ftps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "8"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        https:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "15"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        imaps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "22"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        mapi-over-https: "enable"
        name: "default_name_27"
        pop3s:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "31"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        rpc-over-https: "enable"
        server-cert: "<your_own_value> (source vpn.certificate.local.name)"
        server-cert-mode: "re-sign"
        smtps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "41"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        ssh:
            inspect-all: "disable"
            ports: "47"
            ssh-algorithm: "compatible"
            ssh-policy-check: "disable"
            ssh-tun-policy-check: "disable"
            status: "disable"
            unsupported-version: "bypass"
        ssl:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            inspect-all: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        ssl-anomalies-log: "disable"
        ssl-exempt:
         -
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
            fortiguard-category: "63"
            id:  "64"
            regex: "<your_own_value>"
            type: "fortiguard-category"
            wildcard-fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
        ssl-exemptions-log: "disable"
        ssl-server:
         -
            ftps-client-cert-request: "bypass"
            https-client-cert-request: "bypass"
            id:  "72"
            imaps-client-cert-request: "bypass"
            ip: "<your_own_value>"
            pop3s-client-cert-request: "bypass"
            smtps-client-cert-request: "bypass"
            ssl-other-client-cert-request: "bypass"
        untrusted-caname: "<your_own_value> (source vpn.certificate.local.name)"
        use-ssl-server: "disable"
        whitelist: "enable"
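
The playbook above sets every option to its most permissive value (allow-invalid-server-cert enabled, untrusted-cert allowed, unsupported-ssl and unsupported-version bypassed, both SSL logs disabled), which is fine for showing the syntax but not a profile to push to a production device. The following is an added example, not part of the module or of fortiosapi: a small Python lint that checks a firewall_ssl_ssh_profile dictionary for such settings before the play runs; the finding texts and the two sample dictionaries are our own construction, while the keys and values are the ones documented above.

```python
# Added example, not code from the Ansible module or fortiosapi: a pre-flight lint
# for the firewall_ssl_ssh_profile dictionary; keys/values are the documented ones.
SSL_PROTOCOLS = ("ftps", "https", "imaps", "pop3s", "smtps", "ssl")


def lint_ssl_ssh_profile(profile):
    """Return [(setting_path, reason)] for settings that weaken inspection."""
    findings = []

    def flag(section, key, bad_values, reason):
        holder = (profile.get(section) or {}) if section else profile
        if holder.get(key) in bad_values:
            findings.append((f"{section}.{key}" if section else key, reason))

    for proto in SSL_PROTOCOLS:
        if proto in profile:
            flag(proto, "allow-invalid-server-cert", {"enable"},
                 "sessions whose server certificate failed validation are allowed")
            flag(proto, "untrusted-cert", {"allow"},
                 "untrusted server certificates are accepted")
            flag(proto, "unsupported-ssl", {"bypass"},
                 "sessions using unsupported SSL/TLS bypass inspection")
    if "ssh" in profile:
        flag("ssh", "unsupported-version", {"bypass"},
             "sessions using unsupported SSH versions bypass inspection")
        flag("ssh", "ssh-algorithm", {"compatible"},
             "weaker SSH algorithms accepted; high-encryption preferred")
    flag(None, "ssl-anomalies-log", {"disable"}, "SSL anomaly logging is off")
    flag(None, "ssl-exemptions-log", {"disable"}, "SSL exemption logging is off")
    if profile.get("server-cert-mode") == "replace" and not profile.get("server-cert"):
        findings.append(("server-cert", "replace mode set but no server certificate named"))
    return findings


# Constructed input mirroring the documented example's permissive choices.
PERMISSIVE = {
    "https": {"allow-invalid-server-cert": "enable", "untrusted-cert": "allow",
              "unsupported-ssl": "bypass", "status": "deep-inspection"},
    "ssh": {"unsupported-version": "bypass", "ssh-algorithm": "compatible"},
    "ssl-anomalies-log": "disable", "ssl-exemptions-log": "disable",
    "server-cert-mode": "replace",
}
# Constructed hardened counterpart: block on failures, log everything, re-sign.
HARDENED = {
    "https": {"allow-invalid-server-cert": "disable", "untrusted-cert": "block",
              "unsupported-ssl": "block", "status": "deep-inspection"},
    "ssh": {"unsupported-version": "block", "ssh-algorithm": "high-encryption"},
    "ssl-anomalies-log": "enable", "ssl-exemptions-log": "enable",
    "server-cert-mode": "re-sign",
}
```

Run it over the `firewall_ssl_ssh_profile` mapping from your play (for example after loading the YAML) and fail the pipeline when the returned list is non-empty.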

Return Values

Common return values are documented here; the following are the fields unique to this module. Each entry gives the key, its type, when it is returned, and a sample value.

build  (string, returned: always)
    Build number of the FortiGate image. Sample: 1547
http_method  (string, returned: always)
    Last method used to provision the content into FortiGate. Sample: PUT
http_status  (string, returned: always)
    Last result given by FortiGate on the last operation applied. Sample: 200
mkey  (string, returned: success)
    Master key (id) used in the last call to FortiGate. Sample: id
name  (string, returned: always)
    Name of the table used to fulfill the request. Sample: urlfilter
path  (string, returned: always)
    Path of the table used to fulfill the request. Sample: webfilter
revision  (string, returned: always)
    Internal revision number. Sample: 17.0.2.10658
serial  (string, returned: always)
    Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status  (string, returned: always)
    Indication of the operation's result. Sample: success
vdom  (string, returned: always)
    Virtual domain used. Sample: root
version  (string, returned: always)
    Version of the FortiGate. Sample: v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)