fortios_system_admin – Configure admin users in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify system feature and admin category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | ||||
|---|---|---|---|---|---|---|
|
host
-
/ required
|
FortiOS or FortiGate ip address.
|
|||||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||||
|
system_admin
-
|
Default: null
|
Configure admin users.
|
||||
|
accprofile
-
|
Access profile for this administrator. Access profiles control administrator access to FortiGate features. Source system.accprofile.name.
|
|||||
|
accprofile-override
-
|
|
Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
|
||||
|
allow-remove-admin-session
-
|
|
Enable/disable allow admin session to be removed by privileged admin users.
|
||||
|
comments
-
|
Comment.
|
|||||
|
email-to
-
|
This administrator's email address.
|
|||||
|
force-password-change
-
|
|
Enable/disable force password change on next login.
|
||||
|
fortitoken
-
|
This administrator's FortiToken serial number.
|
|||||
|
guest-auth
-
|
|
Enable/disable guest authentication.
|
||||
|
guest-lang
-
|
Guest management portal language. Source system.custom-language.name.
|
|||||
|
guest-usergroups
-
|
Select guest user groups.
|
|||||
|
name
-
/ required
|
Select guest user groups.
|
|||||
|
gui-dashboard
-
|
GUI dashboards.
|
|||||
|
columns
-
|
Number of columns.
|
|||||
|
id
-
/ required
|
Dashboard ID.
|
|||||
|
layout-type
-
|
|
Layout type.
|
||||
|
name
-
|
Dashboard name.
|
|||||
|
scope
-
|
|
Dashboard scope.
|
||||
|
widget
-
|
Dashboard widgets.
|
|||||
|
fabric-device
-
|
Fabric device to monitor.
|
|||||
|
filters
-
|
FortiView filters.
|
|||||
|
id
-
/ required
|
FortiView Filter ID.
|
|||||
|
key
-
|
Filter key.
|
|||||
|
value
-
|
Filter value.
|
|||||
|
height
-
|
Height.
|
|||||
|
id
-
/ required
|
Widget ID.
|
|||||
|
industry
-
|
|
Security Audit Rating industry.
|
||||
|
interface
-
|
Interface to monitor. Source system.interface.name.
|
|||||
|
region
-
|
|
Security Audit Rating region.
|
||||
|
report-by
-
|
|
Field to aggregate the data by.
|
||||
|
sort-by
-
|
Field to sort the data by.
|
|||||
|
timeframe
-
|
|
Timeframe period of reported data.
|
||||
|
title
-
|
Widget title.
|
|||||
|
type
-
|
|
Widget type.
|
||||
|
visualization
-
|
|
Visualization to use.
|
||||
|
width
-
|
Width.
|
|||||
|
x-pos
-
|
X position.
|
|||||
|
y-pos
-
|
Y position.
|
|||||
|
gui-global-menu-favorites
-
|
Favorite GUI menu IDs for the global VDOM.
|
|||||
|
id
-
/ required
|
Select menu ID.
|
|||||
|
gui-vdom-menu-favorites
-
|
Favorite GUI menu IDs for VDOMs.
|
|||||
|
id
-
/ required
|
Select menu ID.
|
|||||
|
hidden
-
|
Admin user hidden attribute.
|
|||||
|
history0
-
|
history0
|
|||||
|
history1
-
|
history1
|
|||||
|
ip6-trusthost1
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost10
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost2
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost3
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost4
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost5
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost6
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost7
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost8
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
ip6-trusthost9
-
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
|
login-time
-
|
Record user login time.
|
|||||
|
last-failed-login
-
|
Last failed login time.
|
|||||
|
last-login
-
|
Last successful login time.
|
|||||
|
usr-name
-
/ required
|
User name.
|
|||||
|
name
-
/ required
|
User name.
|
|||||
|
password
-
|
Admin user password.
|
|||||
|
password-expire
-
|
Password expire time.
|
|||||
|
peer-auth
-
|
|
Set to enable peer certificate authentication (for HTTPS admin access).
|
||||
|
peer-group
-
|
Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).
|
|||||
|
radius-vdom-override
-
|
|
Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
|
||||
|
remote-auth
-
|
|
Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
|
||||
|
remote-group
-
|
User group name used for remote auth.
|
|||||
|
schedule
-
|
Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.
|
|||||
|
sms-custom-server
-
|
Custom SMS server to send SMS messages to. Source system.sms-server.name.
|
|||||
|
sms-phone
-
|
Phone number on which the administrator receives SMS messages.
|
|||||
|
sms-server
-
|
|
Send SMS messages using the FortiGuard SMS server or a custom server.
|
||||
|
ssh-certificate
-
|
Select the certificate to be used by the FortiGate for authentication with an SSH client. Source certificate.local.name.
|
|||||
|
ssh-public-key1
-
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
|
ssh-public-key2
-
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
|
ssh-public-key3
-
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
|
state
-
|
|
Indicates whether to create or remove the object
|
||||
|
trusthost1
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost10
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost2
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost3
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost4
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost5
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost6
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost7
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost8
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
trusthost9
-
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
|
two-factor
-
|
|
Enable/disable two-factor authentication.
|
||||
|
vdom
-
|
Virtual domain(s) that the administrator can access.
|
|||||
|
name
-
/ required
|
Virtual domain name. Source system.vdom.name.
|
|||||
|
wildcard
-
|
|
Enable/disable wildcard RADIUS authentication.
|
||||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
|||||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure admin users.
fortios_system_admin:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
system_admin:
state: "present"
accprofile: "<your_own_value> (source system.accprofile.name)"
accprofile-override: "enable"
allow-remove-admin-session: "enable"
comments: "<your_own_value>"
email-to: "<your_own_value>"
force-password-change: "enable"
fortitoken: "<your_own_value>"
guest-auth: "disable"
guest-lang: "<your_own_value> (source system.custom-language.name)"
guest-usergroups:
-
name: "default_name_13"
gui-dashboard:
-
columns: "15"
id: "16"
layout-type: "responsive"
name: "default_name_18"
scope: "global"
widget:
-
fabric-device: "<your_own_value>"
filters:
-
id: "23"
key: "<your_own_value>"
value: "<your_own_value>"
height: "26"
id: "27"
industry: "default"
interface: "<your_own_value> (source system.interface.name)"
region: "default"
report-by: "source"
sort-by: "<your_own_value>"
timeframe: "realtime"
title: "<your_own_value>"
type: "sysinfo"
visualization: "table"
width: "37"
x-pos: "38"
y-pos: "39"
gui-global-menu-favorites:
-
id: "41"
gui-vdom-menu-favorites:
-
id: "43"
hidden: "44"
history0: "<your_own_value>"
history1: "<your_own_value>"
ip6-trusthost1: "<your_own_value>"
ip6-trusthost10: "<your_own_value>"
ip6-trusthost2: "<your_own_value>"
ip6-trusthost3: "<your_own_value>"
ip6-trusthost4: "<your_own_value>"
ip6-trusthost5: "<your_own_value>"
ip6-trusthost6: "<your_own_value>"
ip6-trusthost7: "<your_own_value>"
ip6-trusthost8: "<your_own_value>"
ip6-trusthost9: "<your_own_value>"
login-time:
-
last-failed-login: "<your_own_value>"
last-login: "<your_own_value>"
usr-name: "<your_own_value>"
name: "default_name_61"
password: "<your_own_value>"
password-expire: "<your_own_value>"
peer-auth: "enable"
peer-group: "<your_own_value>"
radius-vdom-override: "enable"
remote-auth: "enable"
remote-group: "<your_own_value>"
schedule: "<your_own_value>"
sms-custom-server: "<your_own_value> (source system.sms-server.name)"
sms-phone: "<your_own_value>"
sms-server: "fortiguard"
ssh-certificate: "<your_own_value> (source certificate.local.name)"
ssh-public-key1: "<your_own_value>"
ssh-public-key2: "<your_own_value>"
ssh-public-key3: "<your_own_value>"
trusthost1: "<your_own_value>"
trusthost10: "<your_own_value>"
trusthost2: "<your_own_value>"
trusthost3: "<your_own_value>"
trusthost4: "<your_own_value>"
trusthost5: "<your_own_value>"
trusthost6: "<your_own_value>"
trusthost7: "<your_own_value>"
trusthost8: "<your_own_value>"
trusthost9: "<your_own_value>"
two-factor: "disable"
vdom:
-
name: "default_name_89 (source system.vdom.name)"
wildcard: "enable"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]