fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
vpn_ssl_settings
-
Default:
null
Configure SSL VPN.
auth-timeout
-
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication-rule
-
Authentication rule for SSL VPN.
auth
-
    Choices:
  • any
  • local
  • radius
  • tacacs+
  • ldap
SSL VPN authentication method restriction.
cipher
-
    Choices:
  • any
  • high
  • medium
SSL VPN cipher strength.
client-cert
-
    Choices:
  • enable
  • disable
Enable/disable SSL VPN client certificate restrictive.
groups
-
User groups.
name
- / required
Group name. Source user.group.name.
id
- / required
ID (0 - 4294967295).
portal
-
SSL VPN portal. Source vpn.ssl.web.portal.name.
realm
-
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
source-address
-
Source address of incoming traffic.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source-address-negate
-
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source-address6
-
IPv6 source address of incoming traffic.
name
- / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source-address6-negate
-
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source-interface
-
SSL VPN source interface of incoming traffic.
name
- / required
Interface name. Source system.interface.name system.zone.name.
users
-
User name.
name
- / required
User name. Source user.local.name.
auto-tunnel-static-route
-
    Choices:
  • enable
  • disable
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
banned-cipher
-
    Choices:
  • RSA
  • DH
  • DHE
  • ECDH
  • ECDHE
  • DSS
  • ECDSA
  • AES
  • AESGCM
  • CAMELLIA
  • 3DES
  • SHA1
  • SHA256
  • SHA384
  • STATIC
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
check-referer
-
    Choices:
  • enable
  • disable
Enable/disable verification of referer field in HTTP request header.
default-portal
-
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
deflate-compression-level
-
Compression level (0~9).
deflate-min-data-size
-
Minimum amount of data that triggers compression (200 - 65535 bytes).
dns-server1
-
DNS server 1.
dns-server2
-
DNS server 2.
dns-suffix
-
DNS suffix used for SSL-VPN clients.
dtls-hello-timeout
-
SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel
-
    Choices:
  • enable
  • disable
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
force-two-factor-auth
-
    Choices:
  • enable
  • disable
Enable to force two-factor authentication for all SSL-VPNs.
header-x-forwarded-for
-
    Choices:
  • pass
  • add
  • remove
Forward the same, add, or remove HTTP header.
http-compression
-
    Choices:
  • enable
  • disable
Enable to allow HTTP compression over SSL-VPN tunnels.
http-only-cookie
-
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN support for HttpOnly cookies.
http-request-body-timeout
-
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
http-request-header-timeout
-
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
https-redirect
-
    Choices:
  • enable
  • disable
Enable/disable redirect of port 80 to SSL-VPN port.
idle-timeout
-
SSL VPN disconnects if idle for specified time in seconds.
ipv6-dns-server1
-
IPv6 DNS server 1.
ipv6-dns-server2
-
IPv6 DNS server 2.
ipv6-wins-server1
-
IPv6 WINS server 1.
ipv6-wins-server2
-
IPv6 WINS server 2.
login-attempt-limit
-
SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
login-block-time
-
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
login-timeout
-
SSLVPN maximum login timeout (10 - 180 sec, default = 30).
port
-
SSL-VPN access port (1 - 65535).
port-precedence
-
    Choices:
  • enable
  • disable
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
reqclientcert
-
    Choices:
  • enable
  • disable
Enable to require client certificates for all SSL-VPN users.
route-source-interface
-
    Choices:
  • enable
  • disable
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
servercert
-
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
source-address
-
Source address of incoming traffic.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source-address-negate
-
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source-address6
-
IPv6 source address of incoming traffic.
name
- / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source-address6-negate
-
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source-interface
-
SSL VPN source interface of incoming traffic.
name
- / required
Interface name. Source system.interface.name system.zone.name.
ssl-client-renegotiation
-
    Choices:
  • disable
  • enable
Enable to allow client renegotiation by the server if the tunnel goes down.
ssl-insert-empty-fragment
-
    Choices:
  • enable
  • disable
Enable/disable insertion of empty fragment.
tlsv1-0
-
    Choices:
  • enable
  • disable
Enable/disable TLSv1.0.
tlsv1-1
-
    Choices:
  • enable
  • disable
Enable/disable TLSv1.1.
tlsv1-2
-
    Choices:
  • enable
  • disable
Enable/disable TLSv1.2.
tunnel-ip-pools
-
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
tunnel-ipv6-pools
-
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
- / required
Address name. Source firewall.address6.name firewall.addrgrp6.name.
unsafe-legacy-renegotiation
-
    Choices:
  • enable
  • disable
Enable/disable unsafe legacy re-negotiation.
url-obscuration
-
    Choices:
  • enable
  • disable
Enable to obscure the host name of the URL of the web browser display.
wins-server1
-
WINS server 1.
wins-server2
-
WINS server 2.
x-content-type-options
-
    Choices:
  • enable
  • disable
Add HTTP X-Content-Type-Options header.

Notes

Note

  • Requires fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure SSL VPN.
    fortios_vpn_ssl_settings:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      vpn_ssl_settings:
        auth-timeout: "3"
        authentication-rule:
         -
            auth: "any"
            cipher: "any"
            client-cert: "enable"
            groups:
             -
                name: "default_name_9 (source user.group.name)"
            id:  "10"
            portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
            source-address:
             -
                name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
            source-address-negate: "enable"
            source-address6:
             -
                name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
            source-address6-negate: "enable"
            source-interface:
             -
                name: "default_name_20 (source system.interface.name system.zone.name)"
            users:
             -
                name: "default_name_22 (source user.local.name)"
        auto-tunnel-static-route: "enable"
        banned-cipher: "RSA"
        check-referer: "enable"
        default-portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
        deflate-compression-level: "27"
        deflate-min-data-size: "28"
        dns-server1: "<your_own_value>"
        dns-server2: "<your_own_value>"
        dns-suffix: "<your_own_value>"
        dtls-hello-timeout: "32"
        dtls-tunnel: "enable"
        force-two-factor-auth: "enable"
        header-x-forwarded-for: "pass"
        http-compression: "enable"
        http-only-cookie: "enable"
        http-request-body-timeout: "38"
        http-request-header-timeout: "39"
        https-redirect: "enable"
        idle-timeout: "41"
        ipv6-dns-server1: "<your_own_value>"
        ipv6-dns-server2: "<your_own_value>"
        ipv6-wins-server1: "<your_own_value>"
        ipv6-wins-server2: "<your_own_value>"
        login-attempt-limit: "46"
        login-block-time: "47"
        login-timeout: "48"
        port: "49"
        port-precedence: "enable"
        reqclientcert: "enable"
        route-source-interface: "enable"
        servercert: "<your_own_value> (source vpn.certificate.local.name)"
        source-address:
         -
            name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
        source-address-negate: "enable"
        source-address6:
         -
            name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
        source-address6-negate: "enable"
        source-interface:
         -
            name: "default_name_61 (source system.interface.name system.zone.name)"
        ssl-client-renegotiation: "disable"
        ssl-insert-empty-fragment: "enable"
        tlsv1-0: "enable"
        tlsv1-1: "enable"
        tlsv1-2: "enable"
        tunnel-ip-pools:
         -
            name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
        tunnel-ipv6-pools:
         -
            name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
        unsafe-legacy-renegotiation: "enable"
        url-obscuration: "enable"
        wins-server1: "<your_own_value>"
        wins-server2: "<your_own_value>"
        x-content-type-options: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.