fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the profile category of the endpoint_control feature. The examples list every parameter; values marked with a "Source" table (for example webfilter.profile.name) must be changed to objects that already exist on the device before use. Tested with FOS v6.0.5.

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
endpoint_control_profile
dictionary
Default:
null
Configure FortiClient endpoint control profiles.
description
string
Description.
device_groups
list
Device groups.
name
string / required
Device group object from available options. Source user.device-group.name user.device-category.name.
forticlient_android_settings
dictionary
FortiClient settings for Android platform.
disable_wf_when_protected
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient web category filtering when protected by FortiGate.
forticlient_advanced_vpn
string
    Choices:
  • enable
  • disable
Enable/disable advanced FortiClient VPN configuration.
forticlient_advanced_vpn_buffer
string
Advanced FortiClient VPN configuration.
forticlient_vpn_provisioning
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient VPN provisioning.
forticlient_vpn_settings
list
FortiClient VPN settings.
auth_method
string
    Choices:
  • psk
  • certificate
Authentication method.
name
string / required
VPN name.
preshared_key
string
Pre-shared secret for PSK authentication.
remote_gw
string
IP address or FQDN of the remote VPN gateway.
sslvpn_access_port
integer
SSL VPN access port (1 - 65535).
sslvpn_require_certificate
string
    Choices:
  • enable
  • disable
Enable/disable requiring SSL VPN client certificate.
type
string
    Choices:
  • ipsec
  • ssl
VPN type (IPsec or SSL VPN).
forticlient_wf
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient_wf_profile
string
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient_ios_settings
dictionary
FortiClient settings for iOS platform.
client_vpn_provisioning
string
    Choices:
  • enable
  • disable
FortiClient VPN provisioning.
client_vpn_settings
list
FortiClient VPN settings.
auth_method
string
    Choices:
  • psk
  • certificate
Authentication method.
name
string / required
VPN name.
preshared_key
string
Pre-shared secret for PSK authentication.
remote_gw
string
IP address or FQDN of the remote VPN gateway.
sslvpn_access_port
integer
SSL VPN access port (1 - 65535).
sslvpn_require_certificate
string
    Choices:
  • enable
  • disable
Enable/disable requiring SSL VPN client certificate.
type
string
    Choices:
  • ipsec
  • ssl
VPN type (IPsec or SSL VPN).
vpn_configuration_content
string
Content of VPN configuration.
vpn_configuration_name
string
Name of VPN configuration.
configuration_content
string
Content of configuration profile.
configuration_name
string
Name of configuration profile.
disable_wf_when_protected
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient web category filtering when protected by FortiGate.
distribute_configuration_profile
string
    Choices:
  • enable
  • disable
Enable/disable configuration profile (.mobileconfig file) distribution.
forticlient_wf
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient_wf_profile
string
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient_winmac_settings
dictionary
FortiClient settings for Windows/Mac platform.
av_realtime_protection
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient AntiVirus real-time protection.
av_signature_up_to_date
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient AV signature updates.
forticlient_application_firewall
string
    Choices:
  • enable
  • disable
Enable/disable the FortiClient application firewall.
forticlient_application_firewall_list
string
FortiClient application firewall rule list. Source application.list.name.
forticlient_av
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient AntiVirus scanning.
forticlient_ems_compliance
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
forticlient_ems_compliance_action
string
    Choices:
  • block
  • warning
FortiClient EMS compliance action.
forticlient_ems_entries
list
FortiClient EMS entries.
name
string / required
FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
forticlient_linux_ver
string
Minimum FortiClient Linux version.
forticlient_log_upload
string
    Choices:
  • enable
  • disable
Enable/disable uploading FortiClient logs.
forticlient_log_upload_level
string
    Choices:
  • traffic
  • vulnerability
  • event
Select the FortiClient logs to upload.
forticlient_log_upload_server
string
IP address or FQDN of the server to which to upload FortiClient logs.
forticlient_mac_ver
string
Minimum FortiClient Mac OS version.
forticlient_minimum_software_version
string
    Choices:
  • enable
  • disable
Enable/disable requiring clients to run FortiClient with a minimum software version number.
forticlient_operating_system
list
FortiClient operating system.
id
integer / required
Operating system entry ID.
os_name
string
Custom operating system name, or for Mac OS the version in the format x.x.x.
os_type
string
    Choices:
  • custom
  • mac-os
  • win-7
  • win-80
  • win-81
  • win-10
  • win-2000
  • win-home-svr
  • win-svr-10
  • win-svr-2003
  • win-svr-2003-r2
  • win-svr-2008
  • win-svr-2008-r2
  • win-svr-2012
  • win-svr-2012-r2
  • win-sto-svr-2003
  • win-vista
  • win-xp
  • ubuntu-linux
  • centos-linux
  • redhat-linux
  • fedora-linux
Operating system type.
forticlient_own_file
list
Check the path and filename of the FortiClient executable on the endpoint.
file
string
File path and name.
id
integer / required
File ID.
forticlient_registration_compliance_action
string
    Choices:
  • block
  • warning
FortiClient registration compliance action.
forticlient_registry_entry
list
FortiClient registry entry.
id
integer / required
Registry entry ID.
registry_entry
string
Registry entry.
forticlient_running_app
list
Use FortiClient to verify if the listed applications are running on the client.
app_name
string
Application name.
app_sha256_signature
string
App's SHA256 signature.
app_sha256_signature2
string
App's SHA256 Signature.
app_sha256_signature3
string
App's SHA256 Signature.
app_sha256_signature4
string
App's SHA256 Signature.
application_check_rule
string
    Choices:
  • present
  • absent
Application check rule.
id
integer / required
Application ID.
process_name
string
Process name.
process_name2
string
Process name.
process_name3
string
Process name.
process_name4
string
Process name.
forticlient_security_posture
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient security posture check options.
forticlient_security_posture_compliance_action
string
    Choices:
  • block
  • warning
FortiClient security posture compliance action.
forticlient_system_compliance
string
    Choices:
  • enable
  • disable
Enable/disable enforcement of FortiClient system compliance.
forticlient_system_compliance_action
string
    Choices:
  • block
  • warning
Block or warn clients not compliant with FortiClient requirements.
forticlient_vuln_scan
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient vulnerability scanning.
forticlient_vuln_scan_compliance_action
string
    Choices:
  • block
  • warning
FortiClient vulnerability compliance action.
forticlient_vuln_scan_enforce
string
    Choices:
  • critical
  • high
  • medium
  • low
  • info
Minimum severity of a detected vulnerability that triggers the FortiClient vulnerability compliance action.
forticlient_vuln_scan_enforce_grace
integer
FortiClient vulnerability scan enforcement grace period (0 - 30 days).
forticlient_vuln_scan_exempt
string
    Choices:
  • enable
  • disable
Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
forticlient_wf
string
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient_wf_profile
string
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient_win_ver
string
Minimum FortiClient Windows version.
os_av_software_installed
string
    Choices:
  • enable
  • disable
Enable/disable checking for OS recognized AntiVirus software.
sandbox_address
string
FortiSandbox address.
sandbox_analysis
string
    Choices:
  • enable
  • disable
Enable/disable sending files to FortiSandbox for analysis.
on_net_addr
list
Addresses for on-net detection.
name
string / required
Address object from available options. Source firewall.address.name firewall.addrgrp.name.
profile_name
string
Profile name.
replacemsg_override_group
string
Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
src_addr
list
Source addresses.
name
string / required
Address object from available options. Source firewall.address.name firewall.addrgrp.name.
state
string
    Choices:
  • present
  • absent
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.

Indicates whether to create or remove the object.
user_groups
list
User groups.
name
string / required
User group name. Source user.group.name.
users
list
Users.
name
string / required
User name. Source user.local.name.
host
string
FortiOS or FortiGate IP address.
https
boolean
    Choices:
  • no
  • yes (default)
Indicates whether requests to the FortiGate must use HTTPS. With no, the admin credentials and the configuration are sent over clear-text HTTP.
password
string
Default:
""
FortiOS or FortiGate password.
ssl_verify
boolean
added in 2.9
    Choices:
  • no
  • yes (default)
When yes, the FortiGate's TLS certificate must chain to a trusted CA. no disables certificate verification and leaves the session open to interception; use it only against a lab unit.
state
string
added in 2.9
    Choices:
  • present
  • absent
Indicates whether to create or remove the object. In earlier versions this attribute lived one level deeper, inside endpoint_control_profile; it has been moved up to this outer level.
username
string
FortiOS or FortiGate username.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires the fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   # Keep the admin password in an Ansible Vault variable rather than in clear text.
   password: ""
   vdom: "root"
   # true verifies the FortiGate's certificate against a trusted CA; false disables
   # that check and should only be used against a lab unit.
   ssl_verify: true
  tasks:
  - name: Configure FortiClient endpoint control profiles.
    fortios_endpoint_control_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      # Use HTTPS so the admin credentials and the profile are not sent in clear text.
      https: true
      ssl_verify: "{{ ssl_verify }}"
      state: "present"
      endpoint_control_profile:
        description: "<your_own_value>"
        device_groups:
         -
            name: "default_name_5 (source user.device-group.name user.device-category.name)"
        forticlient_android_settings:
            disable_wf_when_protected: "enable"
            forticlient_advanced_vpn: "enable"
            forticlient_advanced_vpn_buffer: "<your_own_value>"
            forticlient_vpn_provisioning: "enable"
            forticlient_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_13"
                # Pre-shared secret; keep it in Ansible Vault, not in the playbook.
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "16"   # 1 - 65535
                sslvpn_require_certificate: "enable"
                type: "ipsec"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_ios_settings:
            client_vpn_provisioning: "enable"
            client_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_25"
                # Pre-shared secret; keep it in Ansible Vault, not in the playbook.
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "28"   # 1 - 65535
                sslvpn_require_certificate: "enable"
                type: "ipsec"
                vpn_configuration_content: "<your_own_value>"
                vpn_configuration_name: "<your_own_value>"
            configuration_content: "<your_own_value>"
            configuration_name: "<your_own_value>"
            disable_wf_when_protected: "enable"
            distribute_configuration_profile: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_winmac_settings:
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_application_firewall: "enable"
            forticlient_application_firewall_list: "<your_own_value> (source application.list.name)"
            forticlient_av: "enable"
            forticlient_ems_compliance: "enable"
            # "block" enforces the check; "warning" only logs and lets the endpoint through.
            forticlient_ems_compliance_action: "block"
            forticlient_ems_entries:
             -
                name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient_linux_ver: "<your_own_value>"
            forticlient_log_upload: "enable"
            forticlient_log_upload_level: "traffic"
            forticlient_log_upload_server: "<your_own_value>"
            forticlient_mac_ver: "<your_own_value>"
            forticlient_minimum_software_version: "enable"
            forticlient_operating_system:
             -
                id:  "56"
                os_name: "<your_own_value>"
                os_type: "custom"
            forticlient_own_file:
             -
                file: "<your_own_value>"
                id:  "61"
            forticlient_registration_compliance_action: "block"
            forticlient_registry_entry:
             -
                id:  "64"
                registry_entry: "<your_own_value>"
            forticlient_running_app:
             -
                app_name: "<your_own_value>"
                app_sha256_signature: "<your_own_value>"
                app_sha256_signature2: "<your_own_value>"
                app_sha256_signature3: "<your_own_value>"
                app_sha256_signature4: "<your_own_value>"
                application_check_rule: "present"
                id:  "73"
                process_name: "<your_own_value>"
                process_name2: "<your_own_value>"
                process_name3: "<your_own_value>"
                process_name4: "<your_own_value>"
            forticlient_security_posture: "enable"
            forticlient_security_posture_compliance_action: "block"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce: "critical"
            # Grace period is limited to 0 - 30 days; the device rejects larger values.
            forticlient_vuln_scan_enforce_grace: "7"
            forticlient_vuln_scan_exempt: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient_win_ver: "<your_own_value>"
            os_av_software_installed: "enable"
            sandbox_address: "<your_own_value>"
            sandbox_analysis: "enable"
        on_net_addr:
         -
            name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
        profile_name: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        src_addr:
         -
            name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
        user_groups:
         -
            name: "default_name_100 (source user.group.name)"
        users:
         -
            name: "default_name_102 (source user.local.name)"
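
The parameter table above gives the choices and ranges each field accepts, and the playbook passes the whole profile as one nested dictionary, so mistakes such as a grace period outside 0 - 30 days or a compliance action left at "warning" are easy to miss until the device rejects the call or, worse, silently enforces nothing. The following Python is an added example, not code from the module or from Fortinet: it checks such a dictionary against the constraints documented on this page, flags Windows/Mac checks that are enabled but only warn, and rewrites the keys to the hyphenated names of the endpoint-control/profile schema. The two sample profiles (corp-lab, corp-win) are constructed, and the underscore-to-hyphen rewrite is an assumption about what the module does before calling fortiosapi.

```python
"""Validate an endpoint_control_profile dict against the constraints on this page
and render it with the hyphenated keys of the FortiOS endpoint-control/profile schema.
Added example, not code from the module or Fortinet; choice sets, ranges and required
keys are copied from the parameter table above."""
from typing import Any, Dict, List

ENABLE_DISABLE, BLOCK_WARNING = frozenset({"enable", "disable"}), frozenset({"block", "warning"})

# Allowed values per leaf name (leaf names are unique across the parameter tree).
CHOICES: Dict[str, frozenset] = {
    "auth_method": frozenset({"psk", "certificate"}),
    "type": frozenset({"ipsec", "ssl"}),
    "application_check_rule": frozenset({"present", "absent"}),
    "forticlient_log_upload_level": frozenset({"traffic", "vulnerability", "event"}),
    "forticlient_vuln_scan_enforce": frozenset({"critical", "high", "medium", "low", "info"}),
}
CHOICES.update({k: ENABLE_DISABLE for k in """disable_wf_when_protected forticlient_advanced_vpn
    forticlient_vpn_provisioning sslvpn_require_certificate forticlient_wf client_vpn_provisioning
    distribute_configuration_profile av_realtime_protection av_signature_up_to_date
    forticlient_application_firewall forticlient_av forticlient_ems_compliance forticlient_log_upload
    forticlient_minimum_software_version forticlient_security_posture forticlient_system_compliance
    forticlient_vuln_scan forticlient_vuln_scan_exempt os_av_software_installed sandbox_analysis""".split()})
CHOICES.update({k + "_compliance_action": BLOCK_WARNING for k in (
    "forticlient_ems", "forticlient_registration", "forticlient_security_posture",
    "forticlient_system", "forticlient_vuln_scan")})

# Integer ranges, and the key marked "required" for entries of each list-valued parameter.
RANGES = {"sslvpn_access_port": (1, 65535), "forticlient_vuln_scan_enforce_grace": (0, 30)}
LIST_KEY = {k: "name" for k in ("device_groups", "forticlient_vpn_settings", "client_vpn_settings",
                                "forticlient_ems_entries", "on_net_addr", "src_addr", "user_groups", "users")}
LIST_KEY.update({k: "id" for k in ("forticlient_operating_system", "forticlient_own_file",
                                   "forticlient_registry_entry", "forticlient_running_app")})
# Windows/Mac feature switches paired with the action taken when that check fails.
ENFORCEMENT = (("forticlient_ems_compliance", "forticlient_ems_compliance_action"),
               ("forticlient_security_posture", "forticlient_security_posture_compliance_action"),
               ("forticlient_system_compliance", "forticlient_system_compliance_action"),
               ("forticlient_vuln_scan", "forticlient_vuln_scan_compliance_action"))


def validate_profile(profile: Dict[str, Any]) -> List[str]:
    """Return the constraint violations found (empty when the profile is valid)."""
    errors: List[str] = []

    def walk(node: Dict[str, Any], path: str) -> None:
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, dict):
                walk(value, here)
            elif isinstance(value, list):
                required = LIST_KEY.get(key, "name")
                for i, item in enumerate(value):
                    if required not in item:
                        errors.append(f"{here}[{i}]: missing required '{required}'")
                    walk(item, f"{here}[{i}]")
            elif key in CHOICES and value not in CHOICES[key]:
                errors.append(f"{here}: {value!r} not in {sorted(CHOICES[key])}")
            elif key in RANGES:  # the playbook above passes integers as quoted strings
                lo, hi = RANGES[key]
                if not str(value).isdigit() or not lo <= int(value) <= hi:
                    errors.append(f"{here}: {value!r} outside {lo}-{hi}")
        # A VPN entry using PSK authentication cannot be provisioned without its key.
        if node.get("auth_method") == "psk" and not node.get("preshared_key"):
            errors.append(f"{path}: auth_method is psk but preshared_key is empty")

    walk(profile, "")
    return errors


def enforcement_gaps(profile: Dict[str, Any]) -> List[str]:
    """Flag Windows/Mac checks that are enabled but only warn, i.e. a monitor-only posture."""
    winmac = profile.get("forticlient_winmac_settings", {})
    return [f"forticlient_winmac_settings.{action} is 'warning' while {switch} is enabled"
            for switch, action in ENFORCEMENT
            if winmac.get(switch) == "enable" and winmac.get(action) == "warning"]


def to_fortios_body(node: Any) -> Any:
    """Rewrite underscore keys to FortiOS's hyphenated names (assumed to match the module)."""
    if isinstance(node, dict):
        return {k.replace("_", "-"): to_fortios_body(v) for k, v in node.items()}
    if isinstance(node, list):
        return [to_fortios_body(v) for v in node]
    return node


def hardened_winmac_profile(name: str) -> Dict[str, Any]:
    """Constructed profile: AV on, EMS registration and patching enforced, failures blocked."""
    return {"profile_name": name, "forticlient_winmac_settings": {
        "forticlient_av": "enable", "av_realtime_protection": "enable", "av_signature_up_to_date": "enable",
        "forticlient_ems_compliance": "enable", "forticlient_ems_compliance_action": "block",
        "forticlient_vuln_scan": "enable", "forticlient_vuln_scan_enforce": "high",
        "forticlient_vuln_scan_enforce_grace": 7, "forticlient_vuln_scan_compliance_action": "block",
        "forticlient_system_compliance": "enable", "forticlient_system_compliance_action": "block"}}


# Constructed sample with the mistakes worth catching: grace over 30 days, SSL VPN port
# above 65535, a PSK entry with no key, and a vulnerability scan that only warns.
SAMPLE_WEAK = {"profile_name": "corp-lab", "forticlient_winmac_settings": {
    "forticlient_vuln_scan": "enable", "forticlient_vuln_scan_compliance_action": "warning",
    "forticlient_vuln_scan_enforce": "critical", "forticlient_vuln_scan_enforce_grace": 85},
    "forticlient_android_settings": {"forticlient_vpn_settings": [
        {"name": "corp-ssl", "type": "ssl", "auth_method": "psk", "sslvpn_access_port": 70000}]}}
```

Run `validate_profile` and `enforcement_gaps` on the dictionary you are about to pass as `endpoint_control_profile` (for example in a pre-task that fails the play when either list is non-empty), and feed `to_fortios_body` to whatever you use to diff the intended profile against `show endpoint-control profile` output on the device.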

Return Values

Common return values are documented here; the following fields are unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)
