fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to configure system feature and settings category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
|
host
-
/ required
|
FortiOS or FortiGate ip adress.
|
|||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||
|
system_settings
-
|
Default: null
|
Configure VDOM settings.
|
||
|
allow-subnet-overlap
-
|
|
Enable/disable allowing interface subnets to use overlapping IP addresses.
|
||
|
asymroute
-
|
|
Enable/disable IPv4 asymmetric routing.
|
||
|
asymroute-icmp
-
|
|
Enable/disable ICMP asymmetric routing.
|
||
|
asymroute6
-
|
|
Enable/disable asymmetric IPv6 routing.
|
||
|
asymroute6-icmp
-
|
|
Enable/disable asymmetric ICMPv6 routing.
|
||
|
bfd
-
|
|
Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
|
||
|
bfd-desired-min-tx
-
|
BFD desired minimal transmit interval (1 - 100000 ms, default = 50).
|
|||
|
bfd-detect-mult
-
|
BFD detection multiplier (1 - 50, default = 3).
|
|||
|
bfd-dont-enforce-src-port
-
|
|
Enable to not enforce verifying the source port of BFD Packets.
|
||
|
bfd-required-min-rx
-
|
BFD required minimal receive interval (1 - 100000 ms, default = 50).
|
|||
|
block-land-attack
-
|
|
Enable/disable blocking of land attacks.
|
||
|
central-nat
-
|
|
Enable/disable central NAT.
|
||
|
comments
-
|
VDOM comments.
|
|||
|
compliance-check
-
|
|
Enable/disable PCI DSS compliance checking.
|
||
|
default-voip-alg-mode
-
|
|
Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
|
||
|
deny-tcp-with-icmp
-
|
|
Enable/disable denying TCP by sending an ICMP communication prohibited packet.
|
||
|
device
-
|
Interface to use for management access for NAT mode. Source system.interface.name.
|
|||
|
dhcp-proxy
-
|
|
Enable/disable the DHCP Proxy.
|
||
|
dhcp-server-ip
-
|
DHCP Server IPv4 address.
|
|||
|
dhcp6-server-ip
-
|
DHCPv6 server IPv6 address.
|
|||
|
discovered-device-timeout
-
|
Timeout for discovered devices (1 - 365 days, default = 28).
|
|||
|
ecmp-max-paths
-
|
Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100, default = 10).
|
|||
|
email-portal-check-dns
-
|
|
Enable/disable using DNS to validate email addresses collected by a captive portal.
|
||
|
firewall-session-dirty
-
|
|
Select how to manage sessions affected by firewall policy configuration changes.
|
||
|
fw-session-hairpin
-
|
|
Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
|
||
|
gateway
-
|
Transparent mode IPv4 default gateway IP address.
|
|||
|
gateway6
-
|
Transparent mode IPv4 default gateway IP address.
|
|||
|
gui-advanced-policy
-
|
|
Enable/disable advanced policy configuration on the GUI.
|
||
|
gui-allow-unnamed-policy
-
|
|
Enable/disable the requirement for policy naming on the GUI.
|
||
|
gui-antivirus
-
|
|
Enable/disable AntiVirus on the GUI.
|
||
|
gui-ap-profile
-
|
|
Enable/disable FortiAP profiles on the GUI.
|
||
|
gui-application-control
-
|
|
Enable/disable application control on the GUI.
|
||
|
gui-default-policy-columns
-
|
Default columns to display for policy lists on GUI.
|
|||
|
name
-
/ required
|
Select column name.
|
|||
|
gui-dhcp-advanced
-
|
|
Enable/disable advanced DHCP options on the GUI.
|
||
|
gui-dlp
-
|
|
Enable/disable DLP on the GUI.
|
||
|
gui-dns-database
-
|
|
Enable/disable DNS database settings on the GUI.
|
||
|
gui-dnsfilter
-
|
|
Enable/disable DNS Filtering on the GUI.
|
||
|
gui-domain-ip-reputation
-
|
|
Enable/disable Domain and IP Reputation on the GUI.
|
||
|
gui-dos-policy
-
|
|
Enable/disable DoS policies on the GUI.
|
||
|
gui-dynamic-profile-display
-
|
|
Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
|
||
|
gui-dynamic-routing
-
|
|
Enable/disable dynamic routing on the GUI.
|
||
|
gui-email-collection
-
|
|
Enable/disable email collection on the GUI.
|
||
|
gui-endpoint-control
-
|
|
Enable/disable endpoint control on the GUI.
|
||
|
gui-endpoint-control-advanced
-
|
|
Enable/disable advanced endpoint control options on the GUI.
|
||
|
gui-explicit-proxy
-
|
|
Enable/disable the explicit proxy on the GUI.
|
||
|
gui-fortiap-split-tunneling
-
|
|
Enable/disable FortiAP split tunneling on the GUI.
|
||
|
gui-fortiextender-controller
-
|
|
Enable/disable FortiExtender on the GUI.
|
||
|
gui-icap
-
|
|
Enable/disable ICAP on the GUI.
|
||
|
gui-implicit-policy
-
|
|
Enable/disable implicit firewall policies on the GUI.
|
||
|
gui-ips
-
|
|
Enable/disable IPS on the GUI.
|
||
|
gui-load-balance
-
|
|
Enable/disable server load balancing on the GUI.
|
||
|
gui-local-in-policy
-
|
|
Enable/disable Local-In policies on the GUI.
|
||
|
gui-local-reports
-
|
|
Enable/disable local reports on the GUI.
|
||
|
gui-multicast-policy
-
|
|
Enable/disable multicast firewall policies on the GUI.
|
||
|
gui-multiple-interface-policy
-
|
|
Enable/disable adding multiple interfaces to a policy on the GUI.
|
||
|
gui-multiple-utm-profiles
-
|
|
Enable/disable multiple UTM profiles on the GUI.
|
||
|
gui-nat46-64
-
|
|
Enable/disable NAT46 and NAT64 settings on the GUI.
|
||
|
gui-object-colors
-
|
|
Enable/disable object colors on the GUI.
|
||
|
gui-policy-based-ipsec
-
|
|
Enable/disable policy-based IPsec VPN on the GUI.
|
||
|
gui-policy-learning
-
|
|
Enable/disable firewall policy learning mode on the GUI.
|
||
|
gui-replacement-message-groups
-
|
|
Enable/disable replacement message groups on the GUI.
|
||
|
gui-spamfilter
-
|
|
Enable/disable Antispam on the GUI.
|
||
|
gui-sslvpn-personal-bookmarks
-
|
|
Enable/disable SSL-VPN personal bookmark management on the GUI.
|
||
|
gui-sslvpn-realms
-
|
|
Enable/disable SSL-VPN realms on the GUI.
|
||
|
gui-switch-controller
-
|
|
Enable/disable the switch controller on the GUI.
|
||
|
gui-threat-weight
-
|
|
Enable/disable threat weight on the GUI.
|
||
|
gui-traffic-shaping
-
|
|
Enable/disable traffic shaping on the GUI.
|
||
|
gui-voip-profile
-
|
|
Enable/disable VoIP profiles on the GUI.
|
||
|
gui-vpn
-
|
|
Enable/disable VPN tunnels on the GUI.
|
||
|
gui-waf-profile
-
|
|
Enable/disable Web Application Firewall on the GUI.
|
||
|
gui-wan-load-balancing
-
|
|
Enable/disable SD-WAN on the GUI.
|
||
|
gui-wanopt-cache
-
|
|
Enable/disable WAN Optimization and Web Caching on the GUI.
|
||
|
gui-webfilter
-
|
|
Enable/disable Web filtering on the GUI.
|
||
|
gui-webfilter-advanced
-
|
|
Enable/disable advanced web filtering on the GUI.
|
||
|
gui-wireless-controller
-
|
|
Enable/disable the wireless controller on the GUI.
|
||
|
http-external-dest
-
|
|
Offload HTTP traffic to FortiWeb or FortiCache.
|
||
|
ike-dn-format
-
|
|
Configure IKE ASN.1 Distinguished Name format conventions.
|
||
|
ike-quick-crash-detect
-
|
|
Enable/disable IKE quick crash detection (RFC 6290).
|
||
|
ike-session-resume
-
|
|
Enable/disable IKEv2 session resumption (RFC 5723).
|
||
|
implicit-allow-dns
-
|
|
Enable/disable implicitly allowing DNS traffic.
|
||
|
inspection-mode
-
|
|
Inspection mode (proxy-based or flow-based).
|
||
|
ip
-
|
IP address and netmask.
|
|||
|
ip6
-
|
IPv6 address prefix for NAT mode.
|
|||
|
link-down-access
-
|
|
Enable/disable link down access traffic.
|
||
|
lldp-transmission
-
|
|
Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
|
||
|
mac-ttl
-
|
Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300).
|
|||
|
manageip
-
|
Transparent mode IPv4 management IP address and netmask.
|
|||
|
manageip6
-
|
Transparent mode IPv6 management IP address and netmask.
|
|||
|
multicast-forward
-
|
|
Enable/disable multicast forwarding.
|
||
|
multicast-skip-policy
-
|
|
Enable/disable allowing multicast traffic through the FortiGate without a policy check.
|
||
|
multicast-ttl-notchange
-
|
|
Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
|
||
|
ngfw-mode
-
|
|
Next Generation Firewall (NGFW) mode.
|
||
|
opmode
-
|
|
Firewall operation mode (NAT or Transparent).
|
||
|
prp-trailer-action
-
|
|
Enable/disable action to take on PRP trailer.
|
||
|
sccp-port
-
|
TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000).
|
|||
|
ses-denied-traffic
-
|
|
Enable/disable including denied session in the session table.
|
||
|
sip-helper
-
|
|
Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
|
||
|
sip-nat-trace
-
|
|
Enable/disable recording the original SIP source IP address when NAT is used.
|
||
|
sip-ssl-port
-
|
TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061).
|
|||
|
sip-tcp-port
-
|
TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).
|
|||
|
sip-udp-port
-
|
UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).
|
|||
|
snat-hairpin-traffic
-
|
|
Enable/disable source NAT (SNAT) for hairpin traffic.
|
||
|
ssl-ssh-profile
-
|
Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name.
|
|||
|
status
-
|
|
Enable/disable this VDOM.
|
||
|
strict-src-check
-
|
|
Enable/disable strict source verification.
|
||
|
tcp-session-without-syn
-
|
|
Enable/disable allowing TCP session without SYN flags.
|
||
|
utf8-spam-tagging
-
|
|
Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
|
||
|
v4-ecmp-mode
-
|
|
IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
|
||
|
vpn-stats-log
-
|
|
Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
|
||
|
vpn-stats-period
-
|
Period to send VPN log statistics (60 - 86400 sec).
|
|||
|
wccp-cache-engine
-
|
|
Enable/disable WCCP cache engine.
|
||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
|||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure VDOM settings.
fortios_system_settings:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
system_settings:
allow-subnet-overlap: "enable"
asymroute: "enable"
asymroute-icmp: "enable"
asymroute6: "enable"
asymroute6-icmp: "enable"
bfd: "enable"
bfd-desired-min-tx: "9"
bfd-detect-mult: "10"
bfd-dont-enforce-src-port: "enable"
bfd-required-min-rx: "12"
block-land-attack: "disable"
central-nat: "enable"
comments: "<your_own_value>"
compliance-check: "enable"
default-voip-alg-mode: "proxy-based"
deny-tcp-with-icmp: "enable"
device: "<your_own_value> (source system.interface.name)"
dhcp-proxy: "enable"
dhcp-server-ip: "<your_own_value>"
dhcp6-server-ip: "<your_own_value>"
discovered-device-timeout: "23"
ecmp-max-paths: "24"
email-portal-check-dns: "disable"
firewall-session-dirty: "check-all"
fw-session-hairpin: "enable"
gateway: "<your_own_value>"
gateway6: "<your_own_value>"
gui-advanced-policy: "enable"
gui-allow-unnamed-policy: "enable"
gui-antivirus: "enable"
gui-ap-profile: "enable"
gui-application-control: "enable"
gui-default-policy-columns:
-
name: "default_name_36"
gui-dhcp-advanced: "enable"
gui-dlp: "enable"
gui-dns-database: "enable"
gui-dnsfilter: "enable"
gui-domain-ip-reputation: "enable"
gui-dos-policy: "enable"
gui-dynamic-profile-display: "enable"
gui-dynamic-routing: "enable"
gui-email-collection: "enable"
gui-endpoint-control: "enable"
gui-endpoint-control-advanced: "enable"
gui-explicit-proxy: "enable"
gui-fortiap-split-tunneling: "enable"
gui-fortiextender-controller: "enable"
gui-icap: "enable"
gui-implicit-policy: "enable"
gui-ips: "enable"
gui-load-balance: "enable"
gui-local-in-policy: "enable"
gui-local-reports: "enable"
gui-multicast-policy: "enable"
gui-multiple-interface-policy: "enable"
gui-multiple-utm-profiles: "enable"
gui-nat46-64: "enable"
gui-object-colors: "enable"
gui-policy-based-ipsec: "enable"
gui-policy-learning: "enable"
gui-replacement-message-groups: "enable"
gui-spamfilter: "enable"
gui-sslvpn-personal-bookmarks: "enable"
gui-sslvpn-realms: "enable"
gui-switch-controller: "enable"
gui-threat-weight: "enable"
gui-traffic-shaping: "enable"
gui-voip-profile: "enable"
gui-vpn: "enable"
gui-waf-profile: "enable"
gui-wan-load-balancing: "enable"
gui-wanopt-cache: "enable"
gui-webfilter: "enable"
gui-webfilter-advanced: "enable"
gui-wireless-controller: "enable"
http-external-dest: "fortiweb"
ike-dn-format: "with-space"
ike-quick-crash-detect: "enable"
ike-session-resume: "enable"
implicit-allow-dns: "enable"
inspection-mode: "proxy"
ip: "<your_own_value>"
ip6: "<your_own_value>"
link-down-access: "enable"
lldp-transmission: "enable"
mac-ttl: "89"
manageip: "<your_own_value>"
manageip6: "<your_own_value>"
multicast-forward: "enable"
multicast-skip-policy: "enable"
multicast-ttl-notchange: "enable"
ngfw-mode: "profile-based"
opmode: "nat"
prp-trailer-action: "enable"
sccp-port: "98"
ses-denied-traffic: "enable"
sip-helper: "enable"
sip-nat-trace: "enable"
sip-ssl-port: "102"
sip-tcp-port: "103"
sip-udp-port: "104"
snat-hairpin-traffic: "enable"
ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
strict-src-check: "enable"
tcp-session-without-syn: "enable"
utf8-spam-tagging: "enable"
v4-ecmp-mode: "source-ip-based"
vpn-stats-log: "ipsec"
vpn-stats-period: "113"
wccp-cache-engine: "enable"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]