fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes ←
Ensures FortiGate certificate must be verified by a proper CA.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
vpn_ssl_settings
dictionary
Configure SSL VPN.
auth_timeout
integer
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication_rule
list
Authentication rule for SSL VPN.
auth
string
    Choices:
  • any
  • local
  • radius
  • tacacs+
  • ldap
SSL VPN authentication method restriction.
cipher
string
    Choices:
  • any
  • high
  • medium
SSL VPN cipher strength.
client_cert
string
    Choices:
  • enable
  • disable
Enable/disable SSL VPN client certificate restrictive.
groups
list
User groups.
name
string / required
Group name. Source user.group.name.
id
integer / required
ID (0 - 4294967295).
portal
string
SSL VPN portal. Source vpn.ssl.web.portal.name.
realm
string
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
source_address
list
Source address of incoming traffic.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source_address6
list
IPv6 source address of incoming traffic.
name
string / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source_address6_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source_address_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source_interface
list
SSL VPN source interface of incoming traffic.
name
string / required
Interface name. Source system.interface.name system.zone.name.
users
list
User name.
name
string / required
User name. Source user.local.name.
auto_tunnel_static_route
string
    Choices:
  • enable
  • disable
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
banned_cipher
string
    Choices:
  • RSA
  • DH
  • DHE
  • ECDH
  • ECDHE
  • DSS
  • ECDSA
  • AES
  • AESGCM
  • CAMELLIA
  • 3DES
  • SHA1
  • SHA256
  • SHA384
  • STATIC
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
check_referer
string
    Choices:
  • enable
  • disable
Enable/disable verification of referer field in HTTP request header.
default_portal
string
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
deflate_compression_level
integer
Compression level (0~9).
deflate_min_data_size
integer
Minimum amount of data that triggers compression (200 - 65535 bytes).
dns_server1
string
DNS server 1.
dns_server2
string
DNS server 2.
dns_suffix
string
DNS suffix used for SSL-VPN clients.
dtls_hello_timeout
integer
SSLVPN maximum DTLS hello timeout (10 - 60 sec).
dtls_tunnel
string
    Choices:
  • enable
  • disable
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
force_two_factor_auth
string
    Choices:
  • enable
  • disable
Enable to force two-factor authentication for all SSL-VPNs.
header_x_forwarded_for
string
    Choices:
  • pass
  • add
  • remove
Forward the same, add, or remove HTTP header.
http_compression
string
    Choices:
  • enable
  • disable
Enable to allow HTTP compression over SSL-VPN tunnels.
http_only_cookie
string
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN support for HttpOnly cookies.
http_request_body_timeout
integer
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
http_request_header_timeout
integer
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
https_redirect
string
    Choices:
  • enable
  • disable
Enable/disable redirect of port 80 to SSL-VPN port.
idle_timeout
integer
SSL VPN disconnects if idle for specified time in seconds.
ipv6_dns_server1
string
IPv6 DNS server 1.
ipv6_dns_server2
string
IPv6 DNS server 2.
ipv6_wins_server1
string
IPv6 WINS server 1.
ipv6_wins_server2
string
IPv6 WINS server 2.
login_attempt_limit
integer
SSL VPN maximum login attempt times before block (0 - 10).
login_block_time
integer
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
login_timeout
integer
SSLVPN maximum login timeout (10 - 180 sec).
port
integer
SSL-VPN access port (1 - 65535).
port_precedence
string
    Choices:
  • enable
  • disable
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
reqclientcert
string
    Choices:
  • enable
  • disable
Enable to require client certificates for all SSL-VPN users.
route_source_interface
string
    Choices:
  • enable
  • disable
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
servercert
string
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
source_address
list
Source address of incoming traffic.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source_address6
list
IPv6 source address of incoming traffic.
name
string / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source_address6_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source_address_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source_interface
list
SSL VPN source interface of incoming traffic.
name
string / required
Interface name. Source system.interface.name system.zone.name.
ssl_client_renegotiation
string
    Choices:
  • disable
  • enable
Enable to allow client renegotiation by the server if the tunnel goes down.
ssl_insert_empty_fragment
string
    Choices:
  • enable
  • disable
Enable/disable insertion of empty fragment.
tlsv1_0
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.0.
tlsv1_1
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.1.
tlsv1_2
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.2.
tunnel_ip_pools
list
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
tunnel_ipv6_pools
list
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
string / required
Address name. Source firewall.address6.name firewall.addrgrp6.name.
unsafe_legacy_renegotiation
string
    Choices:
  • enable
  • disable
Enable/disable unsafe legacy re-negotiation.
url_obscuration
string
    Choices:
  • enable
  • disable
Enable to obscure the host name of the URL of the web browser display.
wins_server1
string
WINS server 1.
wins_server2
string
WINS server 2.
x_content_type_options
string
    Choices:
  • enable
  • disable
Add HTTP X-Content-Type-Options header.

Notes

Note

  • Requires fortiosapi library developed by Fortinet

  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure SSL VPN.
    fortios_vpn_ssl_settings:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      vpn_ssl_settings:
        auth_timeout: "3"
        authentication_rule:
         -
            auth: "any"
            cipher: "any"
            client_cert: "enable"
            groups:
             -
                name: "default_name_9 (source user.group.name)"
            id:  "10"
            portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
            source_address:
             -
                name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
            source_address_negate: "enable"
            source_address6:
             -
                name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
            source_address6_negate: "enable"
            source_interface:
             -
                name: "default_name_20 (source system.interface.name system.zone.name)"
            users:
             -
                name: "default_name_22 (source user.local.name)"
        auto_tunnel_static_route: "enable"
        banned_cipher: "RSA"
        check_referer: "enable"
        default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
        deflate_compression_level: "27"
        deflate_min_data_size: "28"
        dns_server1: "<your_own_value>"
        dns_server2: "<your_own_value>"
        dns_suffix: "<your_own_value>"
        dtls_hello_timeout: "32"
        dtls_tunnel: "enable"
        force_two_factor_auth: "enable"
        header_x_forwarded_for: "pass"
        http_compression: "enable"
        http_only_cookie: "enable"
        http_request_body_timeout: "38"
        http_request_header_timeout: "39"
        https_redirect: "enable"
        idle_timeout: "41"
        ipv6_dns_server1: "<your_own_value>"
        ipv6_dns_server2: "<your_own_value>"
        ipv6_wins_server1: "<your_own_value>"
        ipv6_wins_server2: "<your_own_value>"
        login_attempt_limit: "46"
        login_block_time: "47"
        login_timeout: "48"
        port: "49"
        port_precedence: "enable"
        reqclientcert: "enable"
        route_source_interface: "enable"
        servercert: "<your_own_value> (source vpn.certificate.local.name)"
        source_address:
         -
            name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
        source_address_negate: "enable"
        source_address6:
         -
            name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
        source_address6_negate: "enable"
        source_interface:
         -
            name: "default_name_61 (source system.interface.name system.zone.name)"
        ssl_client_renegotiation: "disable"
        ssl_insert_empty_fragment: "enable"
        tlsv1_0: "enable"
        tlsv1_1: "enable"
        tlsv1_2: "enable"
        tunnel_ip_pools:
         -
            name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
        tunnel_ipv6_pools:
         -
            name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
        unsafe_legacy_renegotiation: "enable"
        url_obscuration: "enable"
        wins_server1: "<your_own_value>"
        wins_server2: "<your_own_value>"
        x_content_type_options: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.