fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate¶
New in version 2.8.
Synopsis¶
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
Requirements¶
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters¶
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
|
host
-
/ required
|
FortiOS or FortiGate ip address.
|
||||
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
|||
|
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
|||
|
username
-
/ required
|
FortiOS or FortiGate username.
|
||||
|
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
|||
|
vpn_ssl_settings
-
|
Default: null
|
Configure SSL VPN.
|
|||
|
auth-timeout
-
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
|
||||
|
authentication-rule
-
|
Authentication rule for SSL VPN.
|
||||
|
auth
-
|
|
SSL VPN authentication method restriction.
|
|||
|
cipher
-
|
|
SSL VPN cipher strength.
|
|||
|
client-cert
-
|
|
Enable/disable SSL VPN client certificate restrictive.
|
|||
|
groups
-
|
User groups.
|
||||
|
name
-
/ required
|
Group name. Source user.group.name.
|
||||
|
id
-
/ required
|
ID (0 - 4294967295).
|
||||
|
portal
-
|
SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
|
realm
-
|
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
|
||||
|
source-address
-
|
Source address of incoming traffic.
|
||||
|
name
-
/ required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
|
source-address-negate
-
|
|
Enable/disable negated source address match.
|
|||
|
source-address6
-
|
IPv6 source address of incoming traffic.
|
||||
|
name
-
/ required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
|
source-address6-negate
-
|
|
Enable/disable negated source IPv6 address match.
|
|||
|
source-interface
-
|
SSL VPN source interface of incoming traffic.
|
||||
|
name
-
/ required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
|
users
-
|
User name.
|
||||
|
name
-
/ required
|
User name. Source user.local.name.
|
||||
|
auto-tunnel-static-route
-
|
|
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
|
|||
|
banned-cipher
-
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
|
|||
|
check-referer
-
|
|
Enable/disable verification of referer field in HTTP request header.
|
|||
|
default-portal
-
|
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
|
deflate-compression-level
-
|
Compression level (0~9).
|
||||
|
deflate-min-data-size
-
|
Minimum amount of data that triggers compression (200 - 65535 bytes).
|
||||
|
dns-server1
-
|
DNS server 1.
|
||||
|
dns-server2
-
|
DNS server 2.
|
||||
|
dns-suffix
-
|
DNS suffix used for SSL-VPN clients.
|
||||
|
dtls-hello-timeout
-
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
|
||||
|
dtls-tunnel
-
|
|
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
|
|||
|
force-two-factor-auth
-
|
|
Enable to force two-factor authentication for all SSL-VPNs.
|
|||
|
header-x-forwarded-for
-
|
|
Forward the same, add, or remove HTTP header.
|
|||
|
http-compression
-
|
|
Enable to allow HTTP compression over SSL-VPN tunnels.
|
|||
|
http-only-cookie
-
|
|
Enable/disable SSL-VPN support for HttpOnly cookies.
|
|||
|
http-request-body-timeout
-
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
|
||||
|
http-request-header-timeout
-
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
|
||||
|
https-redirect
-
|
|
Enable/disable redirect of port 80 to SSL-VPN port.
|
|||
|
idle-timeout
-
|
SSL VPN disconnects if idle for specified time in seconds.
|
||||
|
ipv6-dns-server1
-
|
IPv6 DNS server 1.
|
||||
|
ipv6-dns-server2
-
|
IPv6 DNS server 2.
|
||||
|
ipv6-wins-server1
-
|
IPv6 WINS server 1.
|
||||
|
ipv6-wins-server2
-
|
IPv6 WINS server 2.
|
||||
|
login-attempt-limit
-
|
SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
|
||||
|
login-block-time
-
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
|
||||
|
login-timeout
-
|
SSLVPN maximum login timeout (10 - 180 sec, default = 30).
|
||||
|
port
-
|
SSL-VPN access port (1 - 65535).
|
||||
|
port-precedence
-
|
|
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
|
|||
|
reqclientcert
-
|
|
Enable to require client certificates for all SSL-VPN users.
|
|||
|
route-source-interface
-
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
|
|||
|
servercert
-
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
|
||||
|
source-address
-
|
Source address of incoming traffic.
|
||||
|
name
-
/ required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
|
source-address-negate
-
|
|
Enable/disable negated source address match.
|
|||
|
source-address6
-
|
IPv6 source address of incoming traffic.
|
||||
|
name
-
/ required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
|
source-address6-negate
-
|
|
Enable/disable negated source IPv6 address match.
|
|||
|
source-interface
-
|
SSL VPN source interface of incoming traffic.
|
||||
|
name
-
/ required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
|
ssl-client-renegotiation
-
|
|
Enable to allow client renegotiation by the server if the tunnel goes down.
|
|||
|
ssl-insert-empty-fragment
-
|
|
Enable/disable insertion of empty fragment.
|
|||
|
tlsv1-0
-
|
|
Enable/disable TLSv1.0.
|
|||
|
tlsv1-1
-
|
|
Enable/disable TLSv1.1.
|
|||
|
tlsv1-2
-
|
|
Enable/disable TLSv1.2.
|
|||
|
tunnel-ip-pools
-
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
|
name
-
/ required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
|
tunnel-ipv6-pools
-
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
|
name
-
/ required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
|
unsafe-legacy-renegotiation
-
|
|
Enable/disable unsafe legacy re-negotiation.
|
|||
|
url-obscuration
-
|
|
Enable to obscure the host name of the URL of the web browser display.
|
|||
|
wins-server1
-
|
WINS server 1.
|
||||
|
wins-server2
-
|
WINS server 2.
|
||||
|
x-content-type-options
-
|
|
Add HTTP X-Content-Type-Options header.
|
|||
Notes¶
Note
Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook
Examples¶
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ssl_settings:
auth-timeout: "3"
authentication-rule:
-
auth: "any"
cipher: "any"
client-cert: "enable"
groups:
-
name: "default_name_9 (source user.group.name)"
id: "10"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source-address:
-
name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
source-address-negate: "enable"
source-address6:
-
name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
source-address6-negate: "enable"
source-interface:
-
name: "default_name_20 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_22 (source user.local.name)"
auto-tunnel-static-route: "enable"
banned-cipher: "RSA"
check-referer: "enable"
default-portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate-compression-level: "27"
deflate-min-data-size: "28"
dns-server1: "<your_own_value>"
dns-server2: "<your_own_value>"
dns-suffix: "<your_own_value>"
dtls-hello-timeout: "32"
dtls-tunnel: "enable"
force-two-factor-auth: "enable"
header-x-forwarded-for: "pass"
http-compression: "enable"
http-only-cookie: "enable"
http-request-body-timeout: "38"
http-request-header-timeout: "39"
https-redirect: "enable"
idle-timeout: "41"
ipv6-dns-server1: "<your_own_value>"
ipv6-dns-server2: "<your_own_value>"
ipv6-wins-server1: "<your_own_value>"
ipv6-wins-server2: "<your_own_value>"
login-attempt-limit: "46"
login-block-time: "47"
login-timeout: "48"
port: "49"
port-precedence: "enable"
reqclientcert: "enable"
route-source-interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source-address:
-
name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
source-address-negate: "enable"
source-address6:
-
name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
source-address6-negate: "enable"
source-interface:
-
name: "default_name_61 (source system.interface.name system.zone.name)"
ssl-client-renegotiation: "disable"
ssl-insert-empty-fragment: "enable"
tlsv1-0: "enable"
tlsv1-1: "enable"
tlsv1-2: "enable"
tunnel-ip-pools:
-
name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
tunnel-ipv6-pools:
-
name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe-legacy-renegotiation: "enable"
url-obscuration: "enable"
wins-server1: "<your_own_value>"
wins-server2: "<your_own_value>"
x-content-type-options: "enable"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]