fortios_firewall_policy – Configure IPv4 policies in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
firewall_policy
dictionary
Default:
null
Configure IPv4 policies.
action
string
    Choices:
  • accept
  • deny
  • ipsec
Policy action (allow/deny/ipsec).
app_category
list
Application category ID list.
id
integer / required
Category IDs.
app_group
list
Application group names.
name
string / required
Application group names. Source application.group.name.
application
list
Application ID list.
id
integer / required
Application IDs.
application_list
string
Name of an existing Application list. Source application.list.name.
auth_cert
string
HTTPS server certificate for policy authentication. Source vpn.certificate.local.name.
auth_path
string
    Choices:
  • enable
  • disable
Enable/disable authentication-based routing.
auth_redirect_addr
string
HTTP-to-HTTPS redirect address for firewall authentication.
av_profile
string
Name of an existing Antivirus profile. Source antivirus.profile.name.
block_notification
string
    Choices:
  • enable
  • disable
Enable/disable block notification.
captive_portal_exempt
string
    Choices:
  • enable
  • disable
Enable to exempt some users from the captive portal.
capture_packet
string
    Choices:
  • enable
  • disable
Enable/disable capture packets.
comments
string
Comment.
custom_log_fields
list
Custom fields to append to log messages for this policy.
field_id
string
Custom log field. Source log.custom-field.id.
delay_tcp_npu_session
string
    Choices:
  • enable
  • disable
Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
devices
list
Names of devices or device groups that can be matched by the policy.
name
string / required
Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
diffserv_forward
string
    Choices:
  • enable
  • disable
Enable to change packet's DiffServ values to the specified diffservcode-forward value.
diffserv_reverse
string
    Choices:
  • enable
  • disable
Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
diffservcode_forward
string
Change packet's DiffServ to this value.
diffservcode_rev
string
Change packet's reverse (reply) DiffServ to this value.
disclaimer
string
    Choices:
  • enable
  • disable
Enable/disable user authentication disclaimer.
dlp_sensor
string
Name of an existing DLP sensor. Source dlp.sensor.name.
dnsfilter_profile
string
Name of an existing DNS filter profile. Source dnsfilter.profile.name.
dscp_match
string
    Choices:
  • enable
  • disable
Enable DSCP check.
dscp_negate
string
    Choices:
  • enable
  • disable
Enable negated DSCP match.
dscp_value
string
DSCP value.
dsri
string
    Choices:
  • enable
  • disable
Enable DSRI to ignore HTTP server responses.
dstaddr
list
Destination address and address group names.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name.
dstaddr_negate
string
    Choices:
  • enable
  • disable
When enabled dstaddr specifies what the destination address must NOT be.
dstintf
list
Outgoing (egress) interface.
name
string / required
Interface name. Source system.interface.name system.zone.name.
firewall_session_dirty
string
    Choices:
  • check-all
  • check-new
How to handle sessions if the configuration of this firewall policy changes.
fixedport
string
    Choices:
  • enable
  • disable
Enable to prevent source NAT from changing a session's source port.
fsso
string
    Choices:
  • enable
  • disable
Enable/disable Fortinet Single Sign-On.
fsso_agent_for_ntlm
string
FSSO agent to use for NTLM authentication. Source user.fsso.name.
global_label
string
Label for the policy that appears when the GUI is in Global View mode.
groups
list
Names of user groups that can authenticate with this policy.
name
string / required
Group name. Source user.group.name.
icap_profile
string
Name of an existing ICAP profile. Source icap.profile.name.
identity_based_route
string
Name of identity-based routing rule. Source firewall.identity-based-route.name.
inbound
string
    Choices:
  • enable
  • disable
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
internet_service
string
    Choices:
  • enable
  • disable
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
internet_service_custom
list
Custom Internet Service name.
name
string / required
Custom Internet Service name. Source firewall.internet-service-custom.name.
internet_service_id
list
Internet Service ID.
id
integer / required
Internet Service ID. Source firewall.internet-service.id.
internet_service_negate
string
    Choices:
  • enable
  • disable
When enabled internet-service specifies what the service must NOT be.
internet_service_src
string
    Choices:
  • enable
  • disable
Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
internet_service_src_custom
list
Custom Internet Service source name.
name
string / required
Custom Internet Service name. Source firewall.internet-service-custom.name.
internet_service_src_id
list
Internet Service source ID.
id
integer / required
Internet Service ID. Source firewall.internet-service.id.
internet_service_src_negate
string
    Choices:
  • enable
  • disable
When enabled internet-service-src specifies what the service must NOT be.
ippool
string
    Choices:
  • enable
  • disable
Enable to use IP Pools for source NAT.
ips_sensor
string
Name of an existing IPS sensor. Source ips.sensor.name.
label
string
Label for the policy that appears when the GUI is in Section View mode.
learning_mode
string
    Choices:
  • enable
  • disable
Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
logtraffic
string
    Choices:
  • all
  • utm
  • disable
Enable or disable logging. Log all sessions or security profile sessions.
logtraffic_start
string
    Choices:
  • enable
  • disable
Record logs when a session starts and ends.
match_vip
string
    Choices:
  • enable
  • disable
Enable to match packets that have had their destination addresses changed by a VIP.
name
string
Policy name.
nat
string
    Choices:
  • enable
  • disable
Enable/disable source NAT.
natinbound
string
    Choices:
  • enable
  • disable
Policy-based IPsec VPN: apply destination NAT to inbound traffic.
natip
string
Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
natoutbound
string
    Choices:
  • enable
  • disable
Policy-based IPsec VPN: apply source NAT to outbound traffic.
ntlm
string
    Choices:
  • enable
  • disable
Enable/disable NTLM authentication.
ntlm_enabled_browsers
list
HTTP-User-Agent value of supported browsers.
user_agent_string
string
User agent string.
ntlm_guest
string
    Choices:
  • enable
  • disable
Enable/disable NTLM guest user access.
outbound
string
    Choices:
  • enable
  • disable
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
per_ip_shaper
string
Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
permit_any_host
string
    Choices:
  • enable
  • disable
Accept UDP packets from any host.
permit_stun_host
string
    Choices:
  • enable
  • disable
Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
policyid
integer / required
Policy ID.
poolname
list
IP Pool names.
name
string / required
IP pool name. Source firewall.ippool.name.
profile_group
string
Name of profile group. Source firewall.profile-group.name.
profile_protocol_options
string
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
profile_type
string
    Choices:
  • single
  • group
Determine whether the firewall policy allows security profile groups or single profiles only.
radius_mac_auth_bypass
string
    Choices:
  • enable
  • disable
Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
redirect_url
string
URL users are directed to after seeing and accepting the disclaimer or authenticating.
replacemsg_override_group
string
Override the default replacement message group for this policy. Source system.replacemsg-group.name.
rsso
string
    Choices:
  • enable
  • disable
Enable/disable RADIUS single sign-on (RSSO).
rtp_addr
list
Address names if this is an RTP NAT policy.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
rtp_nat
string
    Choices:
  • disable
  • enable
Enable Real Time Protocol (RTP) NAT.
scan_botnet_connections
string
    Choices:
  • disable
  • block
  • monitor
Block or monitor connections to Botnet servers or disable Botnet scanning.
schedule
string
Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
schedule_timeout
string
    Choices:
  • enable
  • disable
Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
send_deny_packet
string
    Choices:
  • disable
  • enable
Enable to send a reply when a session is denied or blocked by a firewall policy.
service
list
Service and service group names.
name
string / required
Service and service group names. Source firewall.service.custom.name firewall.service.group.name.
service_negate
string
    Choices:
  • enable
  • disable
When enabled service specifies what the service must NOT be.
session_ttl
integer
TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
spamfilter_profile
string
Name of an existing Spam filter profile. Source spamfilter.profile.name.
srcaddr
list
Source address and address group names.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
srcaddr_negate
string
    Choices:
  • enable
  • disable
When enabled srcaddr specifies what the source address must NOT be.
srcintf
list
Incoming (ingress) interface.
name
string / required
Interface name. Source system.interface.name system.zone.name.
ssh_filter_profile
string
Name of an existing SSH filter profile. Source ssh-filter.profile.name.
ssl_mirror
string
    Choices:
  • enable
  • disable
Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
ssl_mirror_intf
list
SSL mirror interface name.
name
string / required
Mirror Interface name. Source system.interface.name system.zone.name.
ssl_ssh_profile
string
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
state
string
    Choices:
  • present
  • absent
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.

Indicates whether to create or remove the object.
status
string
    Choices:
  • enable
  • disable
Enable or disable this policy.
tcp_mss_receiver
integer
Receiver TCP maximum segment size (MSS).
tcp_mss_sender
integer
Sender TCP maximum segment size (MSS).
tcp_session_without_syn
string
    Choices:
  • all
  • data-only
  • disable
Enable/disable creation of TCP session without SYN flag.
timeout_send_rst
string
    Choices:
  • enable
  • disable
Enable/disable sending RST packets when TCP sessions expire.
traffic_shaper
string
Traffic shaper. Source firewall.shaper.traffic-shaper.name.
traffic_shaper_reverse
string
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
url_category
list
URL category ID list.
id
integer / required
URL category ID.
users
list
Names of individual users that can authenticate with this policy.
name
string / required
Names of individual users that can authenticate with this policy. Source user.local.name.
utm_status
string
    Choices:
  • enable
  • disable
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
uuid
string
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
vlan_cos_fwd
integer
VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
vlan_cos_rev
integer
VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest..
vlan_filter
string
Set VLAN filters.
voip_profile
string
Name of an existing VoIP profile. Source voip.profile.name.
vpntunnel
string
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
waf_profile
string
Name of an existing Web application firewall profile. Source waf.profile.name.
wanopt
string
    Choices:
  • enable
  • disable
Enable/disable WAN optimization.
wanopt_detection
string
    Choices:
  • active
  • passive
  • no
WAN optimization auto-detection mode.
wanopt_passive_opt
string
    Choices:
  • default
  • transparent
  • non-transparent
WAN optimization passive mode options. This option decides what IP address will be used to connect server.
wanopt_peer
string
WAN optimization peer. Source wanopt.peer.peer-host-id.
wanopt_profile
string
WAN optimization profile. Source wanopt.profile.name.
wccp
string
    Choices:
  • enable
  • disable
Enable/disable forwarding traffic matching this policy to a configured WCCP server.
webcache
string
    Choices:
  • enable
  • disable
Enable/disable web cache.
webcache_https
string
    Choices:
  • disable
  • enable
Enable/disable web cache for HTTPS.
webfilter_profile
string
Name of an existing Web filter profile. Source webfilter.profile.name.
wsso
string
    Choices:
  • enable
  • disable
Enable/disable WiFi Single Sign On (WSSO).
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes ←
Ensures FortiGate certificate must be verified by a proper CA.
state
string
added in 2.9
    Choices:
  • present
  • absent
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure IPv4 policies.
    fortios_firewall_policy:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      firewall_policy:
        action: "accept"
        app_category:
         -
            id:  "5"
        app_group:
         -
            name: "default_name_7 (source application.group.name)"
        application:
         -
            id:  "9"
        application_list: "<your_own_value> (source application.list.name)"
        auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
        auth_path: "enable"
        auth_redirect_addr: "<your_own_value>"
        av_profile: "<your_own_value> (source antivirus.profile.name)"
        block_notification: "enable"
        captive_portal_exempt: "enable"
        capture_packet: "enable"
        comments: "<your_own_value>"
        custom_log_fields:
         -
            field_id: "<your_own_value> (source log.custom-field.id)"
        delay_tcp_npu_session: "enable"
        devices:
         -
            name: "default_name_23 (source user.device.alias user.device-group.name user.device-category.name)"
        diffserv_forward: "enable"
        diffserv_reverse: "enable"
        diffservcode_forward: "<your_own_value>"
        diffservcode_rev: "<your_own_value>"
        disclaimer: "enable"
        dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
        dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
        dscp_match: "enable"
        dscp_negate: "enable"
        dscp_value: "<your_own_value>"
        dsri: "enable"
        dstaddr:
         -
            name: "default_name_36 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name)"
        dstaddr_negate: "enable"
        dstintf:
         -
            name: "default_name_39 (source system.interface.name system.zone.name)"
        firewall_session_dirty: "check-all"
        fixedport: "enable"
        fsso: "enable"
        fsso_agent_for_ntlm: "<your_own_value> (source user.fsso.name)"
        global_label: "<your_own_value>"
        groups:
         -
            name: "default_name_46 (source user.group.name)"
        icap_profile: "<your_own_value> (source icap.profile.name)"
        identity_based_route: "<your_own_value> (source firewall.identity-based-route.name)"
        inbound: "enable"
        internet_service: "enable"
        internet_service_custom:
         -
            name: "default_name_52 (source firewall.internet-service-custom.name)"
        internet_service_id:
         -
            id:  "54 (source firewall.internet-service.id)"
        internet_service_negate: "enable"
        internet_service_src: "enable"
        internet_service_src_custom:
         -
            name: "default_name_58 (source firewall.internet-service-custom.name)"
        internet_service_src_id:
         -
            id:  "60 (source firewall.internet-service.id)"
        internet_service_src_negate: "enable"
        ippool: "enable"
        ips_sensor: "<your_own_value> (source ips.sensor.name)"
        label: "<your_own_value>"
        learning_mode: "enable"
        logtraffic: "all"
        logtraffic_start: "enable"
        match_vip: "enable"
        name: "default_name_69"
        nat: "enable"
        natinbound: "enable"
        natip: "<your_own_value>"
        natoutbound: "enable"
        ntlm: "enable"
        ntlm_enabled_browsers:
         -
            user_agent_string: "<your_own_value>"
        ntlm_guest: "enable"
        outbound: "enable"
        per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
        permit_any_host: "enable"
        permit_stun_host: "enable"
        policyid: "82"
        poolname:
         -
            name: "default_name_84 (source firewall.ippool.name)"
        profile_group: "<your_own_value> (source firewall.profile-group.name)"
        profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
        profile_type: "single"
        radius_mac_auth_bypass: "enable"
        redirect_url: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        rsso: "enable"
        rtp_addr:
         -
            name: "default_name_93 (source firewall.address.name firewall.addrgrp.name)"
        rtp_nat: "disable"
        scan_botnet_connections: "disable"
        schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
        schedule_timeout: "enable"
        send_deny_packet: "disable"
        service:
         -
            name: "default_name_100 (source firewall.service.custom.name firewall.service.group.name)"
        service_negate: "enable"
        session_ttl: "102"
        spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
        srcaddr:
         -
            name: "default_name_105 (source firewall.address.name firewall.addrgrp.name)"
        srcaddr_negate: "enable"
        srcintf:
         -
            name: "default_name_108 (source system.interface.name system.zone.name)"
        ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
        ssl_mirror: "enable"
        ssl_mirror_intf:
         -
            name: "default_name_112 (source system.interface.name system.zone.name)"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        tcp_mss_receiver: "115"
        tcp_mss_sender: "116"
        tcp_session_without_syn: "all"
        timeout_send_rst: "enable"
        traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        url_category:
         -
            id:  "122"
        users:
         -
            name: "default_name_124 (source user.local.name)"
        utm_status: "enable"
        uuid: "<your_own_value>"
        vlan_cos_fwd: "127"
        vlan_cos_rev: "128"
        vlan_filter: "<your_own_value>"
        voip_profile: "<your_own_value> (source voip.profile.name)"
        vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
        waf_profile: "<your_own_value> (source waf.profile.name)"
        wanopt: "enable"
        wanopt_detection: "active"
        wanopt_passive_opt: "default"
        wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
        wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
        wccp: "enable"
        webcache: "enable"
        webcache_https: "disable"
        webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
        wsso: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.