fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the settings category of the system feature. The example below lists every parameter; values that reference a datasource (for example an interface or profile name) must be changed to objects that exist on the target device before use. Tested with FOS v6.0.5.

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes ←
Ensures FortiGate certificate must be verified by a proper CA.
system_settings
dictionary
Default:
null
Configure VDOM settings.
allow_linkdown_path
string
    Choices:
  • enable
  • disable
Enable/disable link down path.
allow_subnet_overlap
string
    Choices:
  • enable
  • disable
Enable/disable allowing interface subnets to use overlapping IP addresses.
asymroute
string
    Choices:
  • enable
  • disable
Enable/disable IPv4 asymmetric routing.
asymroute6
string
    Choices:
  • enable
  • disable
Enable/disable asymmetric IPv6 routing.
asymroute6_icmp
string
    Choices:
  • enable
  • disable
Enable/disable asymmetric ICMPv6 routing.
asymroute_icmp
string
    Choices:
  • enable
  • disable
Enable/disable ICMP asymmetric routing.
bfd
string
    Choices:
  • enable
  • disable
Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd_desired_min_tx
integer
BFD desired minimal transmit interval (1 - 100000 ms).
bfd_detect_mult
integer
BFD detection multiplier (1 - 50).
bfd_dont_enforce_src_port
string
    Choices:
  • enable
  • disable
Enable to skip verification of the source port of BFD packets.
bfd_required_min_rx
integer
BFD required minimal receive interval (1 - 100000 ms).
block_land_attack
string
    Choices:
  • disable
  • enable
Enable/disable blocking of land attacks.
central_nat
string
    Choices:
  • enable
  • disable
Enable/disable central NAT.
comments
string
VDOM comments.
compliance_check
string
    Choices:
  • enable
  • disable
Enable/disable PCI DSS compliance checking.
default_voip_alg_mode
string
    Choices:
  • proxy-based
  • kernel-helper-based
Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
deny_tcp_with_icmp
string
    Choices:
  • enable
  • disable
Enable/disable denying TCP by sending an ICMP communication prohibited packet.
device
string
Interface to use for management access for NAT mode. Source system.interface.name.
dhcp6_server_ip
string
DHCPv6 server IPv6 address.
dhcp_proxy
string
    Choices:
  • enable
  • disable
Enable/disable the DHCP Proxy.
dhcp_server_ip
string
DHCP Server IPv4 address.
discovered_device_timeout
integer
Timeout for discovered devices (1 - 365 days).
ecmp_max_paths
integer
Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100).
email_portal_check_dns
string
    Choices:
  • disable
  • enable
Enable/disable using DNS to validate email addresses collected by a captive portal.
firewall_session_dirty
string
    Choices:
  • check-all
  • check-new
  • check-policy-option
Select how to manage sessions affected by firewall policy configuration changes.
fw_session_hairpin
string
    Choices:
  • enable
  • disable
Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
gateway
string
Transparent mode IPv4 default gateway IP address.
gateway6
string
Transparent mode IPv6 default gateway IP address.
gui_advanced_policy
string
    Choices:
  • enable
  • disable
Enable/disable advanced policy configuration on the GUI.
gui_allow_unnamed_policy
string
    Choices:
  • enable
  • disable
Enable/disable allowing policies without a name on the GUI (when disabled, every policy must be named).
gui_antivirus
string
    Choices:
  • enable
  • disable
Enable/disable AntiVirus on the GUI.
gui_ap_profile
string
    Choices:
  • enable
  • disable
Enable/disable FortiAP profiles on the GUI.
gui_application_control
string
    Choices:
  • enable
  • disable
Enable/disable application control on the GUI.
gui_default_policy_columns
list
Default columns to display for policy lists on GUI.
name
string / required
Select column name.
gui_dhcp_advanced
string
    Choices:
  • enable
  • disable
Enable/disable advanced DHCP options on the GUI.
gui_dlp
string
    Choices:
  • enable
  • disable
Enable/disable DLP on the GUI.
gui_dns_database
string
    Choices:
  • enable
  • disable
Enable/disable DNS database settings on the GUI.
gui_dnsfilter
string
    Choices:
  • enable
  • disable
Enable/disable DNS Filtering on the GUI.
gui_domain_ip_reputation
string
    Choices:
  • enable
  • disable
Enable/disable Domain and IP Reputation on the GUI.
gui_dos_policy
string
    Choices:
  • enable
  • disable
Enable/disable DoS policies on the GUI.
gui_dynamic_profile_display
string
    Choices:
  • enable
  • disable
Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
gui_dynamic_routing
string
    Choices:
  • enable
  • disable
Enable/disable dynamic routing on the GUI.
gui_email_collection
string
    Choices:
  • enable
  • disable
Enable/disable email collection on the GUI.
gui_endpoint_control
string
    Choices:
  • enable
  • disable
Enable/disable endpoint control on the GUI.
gui_endpoint_control_advanced
string
    Choices:
  • enable
  • disable
Enable/disable advanced endpoint control options on the GUI.
gui_explicit_proxy
string
    Choices:
  • enable
  • disable
Enable/disable the explicit proxy on the GUI.
gui_fortiap_split_tunneling
string
    Choices:
  • enable
  • disable
Enable/disable FortiAP split tunneling on the GUI.
gui_fortiextender_controller
string
    Choices:
  • enable
  • disable
Enable/disable FortiExtender on the GUI.
gui_icap
string
    Choices:
  • enable
  • disable
Enable/disable ICAP on the GUI.
gui_implicit_policy
string
    Choices:
  • enable
  • disable
Enable/disable implicit firewall policies on the GUI.
gui_ips
string
    Choices:
  • enable
  • disable
Enable/disable IPS on the GUI.
gui_load_balance
string
    Choices:
  • enable
  • disable
Enable/disable server load balancing on the GUI.
gui_local_in_policy
string
    Choices:
  • enable
  • disable
Enable/disable Local-In policies on the GUI.
gui_local_reports
string
    Choices:
  • enable
  • disable
Enable/disable local reports on the GUI.
gui_multicast_policy
string
    Choices:
  • enable
  • disable
Enable/disable multicast firewall policies on the GUI.
gui_multiple_interface_policy
string
    Choices:
  • enable
  • disable
Enable/disable adding multiple interfaces to a policy on the GUI.
gui_multiple_utm_profiles
string
    Choices:
  • enable
  • disable
Enable/disable multiple UTM profiles on the GUI.
gui_nat46_64
string
    Choices:
  • enable
  • disable
Enable/disable NAT46 and NAT64 settings on the GUI.
gui_object_colors
string
    Choices:
  • enable
  • disable
Enable/disable object colors on the GUI.
gui_policy_based_ipsec
string
    Choices:
  • enable
  • disable
Enable/disable policy-based IPsec VPN on the GUI.
gui_policy_learning
string
    Choices:
  • enable
  • disable
Enable/disable firewall policy learning mode on the GUI.
gui_replacement_message_groups
string
    Choices:
  • enable
  • disable
Enable/disable replacement message groups on the GUI.
gui_spamfilter
string
    Choices:
  • enable
  • disable
Enable/disable Antispam on the GUI.
gui_sslvpn_personal_bookmarks
string
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN personal bookmark management on the GUI.
gui_sslvpn_realms
string
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN realms on the GUI.
gui_switch_controller
string
    Choices:
  • enable
  • disable
Enable/disable the switch controller on the GUI.
gui_threat_weight
string
    Choices:
  • enable
  • disable
Enable/disable threat weight on the GUI.
gui_traffic_shaping
string
    Choices:
  • enable
  • disable
Enable/disable traffic shaping on the GUI.
gui_voip_profile
string
    Choices:
  • enable
  • disable
Enable/disable VoIP profiles on the GUI.
gui_vpn
string
    Choices:
  • enable
  • disable
Enable/disable VPN tunnels on the GUI.
gui_waf_profile
string
    Choices:
  • enable
  • disable
Enable/disable Web Application Firewall on the GUI.
gui_wan_load_balancing
string
    Choices:
  • enable
  • disable
Enable/disable SD-WAN on the GUI.
gui_wanopt_cache
string
    Choices:
  • enable
  • disable
Enable/disable WAN Optimization and Web Caching on the GUI.
gui_webfilter
string
    Choices:
  • enable
  • disable
Enable/disable Web filtering on the GUI.
gui_webfilter_advanced
string
    Choices:
  • enable
  • disable
Enable/disable advanced web filtering on the GUI.
gui_wireless_controller
string
    Choices:
  • enable
  • disable
Enable/disable the wireless controller on the GUI.
http_external_dest
string
    Choices:
  • fortiweb
  • forticache
Offload HTTP traffic to FortiWeb or FortiCache.
ike_dn_format
string
    Choices:
  • with-space
  • no-space
Configure IKE ASN.1 Distinguished Name format conventions.
ike_quick_crash_detect
string
    Choices:
  • enable
  • disable
Enable/disable IKE quick crash detection (RFC 6290).
ike_session_resume
string
    Choices:
  • enable
  • disable
Enable/disable IKEv2 session resumption (RFC 5723).
implicit_allow_dns
string
    Choices:
  • enable
  • disable
Enable/disable implicitly allowing DNS traffic.
inspection_mode
string
    Choices:
  • proxy
  • flow
Inspection mode (proxy-based or flow-based).
ip
string
IP address and netmask.
ip6
string
IPv6 address prefix for NAT mode.
link_down_access
string
    Choices:
  • enable
  • disable
Enable/disable link down access traffic.
lldp_transmission
string
    Choices:
  • enable
  • disable
  • global
Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
mac_ttl
integer
Duration of MAC addresses in Transparent mode (300 - 8640000 sec).
manageip
string
Transparent mode IPv4 management IP address and netmask.
manageip6
string
Transparent mode IPv6 management IP address and netmask.
multicast_forward
string
    Choices:
  • enable
  • disable
Enable/disable multicast forwarding.
multicast_skip_policy
string
    Choices:
  • enable
  • disable
Enable/disable allowing multicast traffic through the FortiGate without a policy check.
multicast_ttl_notchange
string
    Choices:
  • enable
  • disable
Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
ngfw_mode
string
    Choices:
  • profile-based
  • policy-based
Next Generation Firewall (NGFW) mode.
opmode
string
    Choices:
  • nat
  • transparent
Firewall operation mode (NAT or Transparent).
prp_trailer_action
string
    Choices:
  • enable
  • disable
Enable/disable action to take on PRP trailer.
sccp_port
integer
TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535).
ses_denied_traffic
string
    Choices:
  • enable
  • disable
Enable/disable including denied session in the session table.
sip_helper
string
    Choices:
  • enable
  • disable
Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
sip_nat_trace
string
    Choices:
  • enable
  • disable
Enable/disable recording the original SIP source IP address when NAT is used.
sip_ssl_port
integer
TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535).
sip_tcp_port
integer
TCP port the SIP proxy monitors for SIP traffic (0 - 65535).
sip_udp_port
integer
UDP port the SIP proxy monitors for SIP traffic (0 - 65535).
snat_hairpin_traffic
string
    Choices:
  • enable
  • disable
Enable/disable source NAT (SNAT) for hairpin traffic.
ssl_ssh_profile
string
Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name.
status
string
    Choices:
  • enable
  • disable
Enable/disable this VDOM.
strict_src_check
string
    Choices:
  • enable
  • disable
Enable/disable strict source verification.
tcp_session_without_syn
string
    Choices:
  • enable
  • disable
Enable/disable allowing TCP session without SYN flags.
utf8_spam_tagging
string
    Choices:
  • enable
  • disable
Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
v4_ecmp_mode
string
    Choices:
  • source-ip-based
  • weight-based
  • usage-based
  • source-dest-ip-based
IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
vpn_stats_log
string
    Choices:
  • ipsec
  • pptp
  • l2tp
  • ssl
Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
vpn_stats_period
integer
Period to send VPN log statistics (60 - 86400 sec).
wccp_cache_engine
string
    Choices:
  • enable
  • disable
Enable/disable WCCP cache engine.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires the fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "True"
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      # Keep HTTPS on so the admin credentials are not sent in cleartext,
      # and pass ssl_verify through so the FortiGate certificate is checked.
      https: "True"
      ssl_verify: "{{ ssl_verify }}"
      system_settings:
        allow_linkdown_path: "enable"
        allow_subnet_overlap: "enable"
        asymroute: "enable"
        asymroute_icmp: "enable"
        asymroute6: "enable"
        asymroute6_icmp: "enable"
        bfd: "enable"
        bfd_desired_min_tx: "10"
        bfd_detect_mult: "11"
        bfd_dont_enforce_src_port: "enable"
        bfd_required_min_rx: "13"
        block_land_attack: "disable"
        central_nat: "enable"
        comments: "<your_own_value>"
        compliance_check: "enable"
        default_voip_alg_mode: "proxy-based"
        deny_tcp_with_icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp_proxy: "enable"
        dhcp_server_ip: "<your_own_value>"
        dhcp6_server_ip: "<your_own_value>"
        discovered_device_timeout: "24"
        ecmp_max_paths: "25"
        email_portal_check_dns: "disable"
        firewall_session_dirty: "check-all"
        fw_session_hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui_advanced_policy: "enable"
        gui_allow_unnamed_policy: "enable"
        gui_antivirus: "enable"
        gui_ap_profile: "enable"
        gui_application_control: "enable"
        gui_default_policy_columns:
         -
            name: "default_name_37"
        gui_dhcp_advanced: "enable"
        gui_dlp: "enable"
        gui_dns_database: "enable"
        gui_dnsfilter: "enable"
        gui_domain_ip_reputation: "enable"
        gui_dos_policy: "enable"
        gui_dynamic_profile_display: "enable"
        gui_dynamic_routing: "enable"
        gui_email_collection: "enable"
        gui_endpoint_control: "enable"
        gui_endpoint_control_advanced: "enable"
        gui_explicit_proxy: "enable"
        gui_fortiap_split_tunneling: "enable"
        gui_fortiextender_controller: "enable"
        gui_icap: "enable"
        gui_implicit_policy: "enable"
        gui_ips: "enable"
        gui_load_balance: "enable"
        gui_local_in_policy: "enable"
        gui_local_reports: "enable"
        gui_multicast_policy: "enable"
        gui_multiple_interface_policy: "enable"
        gui_multiple_utm_profiles: "enable"
        gui_nat46_64: "enable"
        gui_object_colors: "enable"
        gui_policy_based_ipsec: "enable"
        gui_policy_learning: "enable"
        gui_replacement_message_groups: "enable"
        gui_spamfilter: "enable"
        gui_sslvpn_personal_bookmarks: "enable"
        gui_sslvpn_realms: "enable"
        gui_switch_controller: "enable"
        gui_threat_weight: "enable"
        gui_traffic_shaping: "enable"
        gui_voip_profile: "enable"
        gui_vpn: "enable"
        gui_waf_profile: "enable"
        gui_wan_load_balancing: "enable"
        gui_wanopt_cache: "enable"
        gui_webfilter: "enable"
        gui_webfilter_advanced: "enable"
        gui_wireless_controller: "enable"
        http_external_dest: "fortiweb"
        ike_dn_format: "with-space"
        ike_quick_crash_detect: "enable"
        ike_session_resume: "enable"
        implicit_allow_dns: "enable"
        inspection_mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link_down_access: "enable"
        lldp_transmission: "enable"
        mac_ttl: "300"
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast_forward: "enable"
        multicast_skip_policy: "enable"
        multicast_ttl_notchange: "enable"
        ngfw_mode: "profile-based"
        opmode: "nat"
        prp_trailer_action: "enable"
        sccp_port: "99"
        ses_denied_traffic: "enable"
        sip_helper: "enable"
        sip_nat_trace: "enable"
        sip_ssl_port: "103"
        sip_tcp_port: "104"
        sip_udp_port: "105"
        snat_hairpin_traffic: "enable"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict_src_check: "enable"
        tcp_session_without_syn: "enable"
        utf8_spam_tagging: "enable"
        v4_ecmp_mode: "source-ip-based"
        vpn_stats_log: "ipsec"
        vpn_stats_period: "114"
        wccp_cache_engine: "enable"
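
The playbook above sets every parameter at once, which makes it easy to ship an out-of-range integer or a setting that quietly weakens stateful inspection. The following pre-flight lint is an added example written for this page; it is not part of the module or of Fortinet's code. It takes one task's parameters as a Python dict (for example loaded from the playbook YAML), checks them against the integer ranges and choice lists in the parameter table above, and flags the transport options and VDOM toggles that a hardening review would question. The list of risky toggles is this example's own opinion, not a Fortinet recommendation, and the two sample tasks at the bottom are constructed.

```python
"""Pre-flight lint for a fortios_system_settings task (added example, not module code)."""
from typing import Dict, List, Tuple

# Integer parameters and their documented (min, max) ranges from the table above.
INT_RANGES: Dict[str, Tuple[int, int]] = {
    "bfd_desired_min_tx": (1, 100000), "bfd_detect_mult": (1, 50),
    "bfd_required_min_rx": (1, 100000), "discovered_device_timeout": (1, 365),
    "ecmp_max_paths": (1, 100), "mac_ttl": (300, 8640000),
    "sccp_port": (0, 65535), "sip_ssl_port": (0, 65535),
    "sip_tcp_port": (0, 65535), "sip_udp_port": (0, 65535),
    "vpn_stats_period": (60, 86400),
}

# Parameters whose documented choices are something other than enable/disable.
CHOICES: Dict[str, set] = {
    "default_voip_alg_mode": {"proxy-based", "kernel-helper-based"},
    "firewall_session_dirty": {"check-all", "check-new", "check-policy-option"},
    "http_external_dest": {"fortiweb", "forticache"},
    "ike_dn_format": {"with-space", "no-space"},
    "inspection_mode": {"proxy", "flow"},
    "lldp_transmission": {"enable", "disable", "global"},
    "ngfw_mode": {"profile-based", "policy-based"},
    "opmode": {"nat", "transparent"},
    "v4_ecmp_mode": {"source-ip-based", "weight-based", "usage-based", "source-dest-ip-based"},
}

# VDOM toggles that weaken stateful inspection when set to the listed value.
# This is the example's own hardening opinion, not a vendor baseline.
RISKY: Dict[str, Tuple[str, str]] = {
    "tcp_session_without_syn": ("enable", "accepts TCP sessions that never completed a handshake"),
    "strict_src_check": ("disable", "no strict source verification on inbound packets"),
    "block_land_attack": ("disable", "LAND packets (source == destination) are not dropped"),
    "asymroute": ("enable", "IPv4 asymmetric routing bypasses stateful inspection"),
    "asymroute6": ("enable", "IPv6 asymmetric routing bypasses stateful inspection"),
    "multicast_skip_policy": ("enable", "multicast is forwarded without a policy check"),
}


def _is_false(value) -> bool:
    """Interpret Ansible-style booleans: "no", "False", 0, off, ... all mean false."""
    return str(value).strip().lower() in {"false", "no", "n", "0", "off"}


def lint_task(task: dict) -> List[str]:
    """Return human-readable findings for one module invocation; an empty list means clean."""
    findings: List[str] = []
    # Transport options: both https and ssl_verify default to yes per the parameter table.
    if _is_false(task.get("https", "yes")):
        findings.append("https: disabled; the admin password travels in cleartext")
    if _is_false(task.get("ssl_verify", "yes")):
        findings.append("ssl_verify: disabled; the FortiGate certificate is not validated (MITM possible)")

    for key, raw in (task.get("system_settings") or {}).items():
        value = str(raw).strip()
        if key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            try:
                num = int(value)
            except ValueError:
                findings.append(f"{key}: {value!r} is not an integer")
                continue
            if not lo <= num <= hi:
                findings.append(f"{key}: {num} is outside the documented range {lo}-{hi}")
        elif key in CHOICES and value not in CHOICES[key]:
            findings.append(f"{key}: {value!r} is not one of {sorted(CHOICES[key])}")
        elif key in RISKY and value == RISKY[key][0]:
            findings.append(f"{key}: set to {value!r}; {RISKY[key][1]}")
    return findings


# Constructed input: a trimmed copy of the page's example task as originally published
# (https off, mac_ttl below its documented minimum, several inspection bypasses on).
EXAMPLE_TASK = {
    "https": "False",
    "system_settings": {
        "mac_ttl": "90", "bfd_detect_mult": "11", "inspection_mode": "proxy",
        "tcp_session_without_syn": "enable", "asymroute": "enable", "block_land_attack": "disable",
    },
}

# Constructed input: the same task with transport security on and the risky toggles reversed.
HARDENED_TASK = {
    "https": "True", "ssl_verify": "True",
    "system_settings": {
        "mac_ttl": "300", "bfd_detect_mult": "11", "inspection_mode": "proxy",
        "tcp_session_without_syn": "disable", "asymroute": "disable",
        "block_land_attack": "enable", "strict_src_check": "enable",
    },
}

if __name__ == "__main__":
    for label, task in (("example", EXAMPLE_TASK), ("hardened", HARDENED_TASK)):
        print(f"{label}: {len(lint_task(task))} finding(s)")
        for line in lint_task(task):
            print("  -", line)
```

Run it before the play, or wire it into a pre-commit hook over the playbook's task dicts; the lint deliberately ignores parameters it does not know about, so it never blocks a task on a newer FortiOS field, and it reports an out-of-range value as a finding rather than letting the device reject the whole configuration push.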

Return Values

Common return values are documented in the Ansible return-values reference; the following fields are unique to this module:

Key Returned Description
build
string
always
Build number of the FortiGate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)
