fortinet.fortios.fortios_firewall_policy – Configure IPv4 policies in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 1.1.9).

To install it use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_policy.

New in version 2.8: of fortinet.fortios

Synopsis

• This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

• ansible>=2.9.0

Parameters

Parameter			Choices/Defaults	Comments
access_token string				Token-based authentication. Generated from GUI of Fortigate.
action string			Choices: move	the action indiactor to move an object in the list
after string				mkey of target identifier
before string				mkey of target identifier
firewall_policy dictionary				Configure IPv4 policies.
	action string		Choices: accept deny ipsec	Policy action (allow/deny/ipsec).
	app_category list / elements=string			Application category ID list.
		id integer / required		Category IDs.
	app_group list / elements=string			Application group names.
		name string / required		Application group names. Source application.group.name.
	application list / elements=string			Application ID list.
		id integer / required		Application IDs.
	application_list string			Name of an existing Application list. Source application.list.name.
	auth_cert string			HTTPS server certificate for policy authentication. Source vpn.certificate.local.name.
	auth_path string		Choices: enable disable	Enable/disable authentication-based routing.
	auth_redirect_addr string			HTTP-to-HTTPS redirect address for firewall authentication.
	av_profile string			Name of an existing Antivirus profile. Source antivirus.profile.name.
	block_notification string		Choices: enable disable	Enable/disable block notification.
	captive_portal_exempt string		Choices: enable disable	Enable to exempt some users from the captive portal.
	capture_packet string		Choices: enable disable	Enable/disable capture packets.
	comments string			Comment.
	custom_log_fields list / elements=string			Custom fields to append to log messages for this policy.
		field_id string		Custom log field. Source log.custom-field.id.
	delay_tcp_npu_session string		Choices: enable disable	Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
	devices list / elements=string			Names of devices or device groups that can be matched by the policy.
		name string / required		Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
	diffserv_forward string		Choices: enable disable	Enable to change packet"s DiffServ values to the specified diffservcode-forward value.
	diffserv_reverse string		Choices: enable disable	Enable to change packet"s reverse (reply) DiffServ values to the specified diffservcode-rev value.
	diffservcode_forward string			Change packet"s DiffServ to this value.
	diffservcode_rev string			Change packet"s reverse (reply) DiffServ to this value.
	disclaimer string		Choices: enable disable	Enable/disable user authentication disclaimer.
	dlp_sensor string			Name of an existing DLP sensor. Source dlp.sensor.name.
	dnsfilter_profile string			Name of an existing DNS filter profile. Source dnsfilter.profile.name.
	dscp_match string		Choices: enable disable	Enable DSCP check.
	dscp_negate string		Choices: enable disable	Enable negated DSCP match.
	dscp_value string			DSCP value.
	dsri string		Choices: enable disable	Enable DSRI to ignore HTTP server responses.
	dstaddr list / elements=string			Destination address and address group names.
		name string / required		Address name. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name.
	dstaddr_negate string		Choices: enable disable	When enabled dstaddr specifies what the destination address must NOT be.
	dstintf list / elements=string			Outgoing (egress) interface.
		name string / required		Interface name. Source system.interface.name system.zone.name.
	firewall_session_dirty string		Choices: check-all check-new	How to handle sessions if the configuration of this firewall policy changes.
	fixedport string		Choices: enable disable	Enable to prevent source NAT from changing a session"s source port.
	fsso string		Choices: enable disable	Enable/disable Fortinet Single Sign-On.
	fsso_agent_for_ntlm string			FSSO agent to use for NTLM authentication. Source user.fsso.name.
	global_label string			Label for the policy that appears when the GUI is in Global View mode.
	groups list / elements=string			Names of user groups that can authenticate with this policy.
		name string / required		Group name. Source user.group.name.
	icap_profile string			Name of an existing ICAP profile. Source icap.profile.name.
	identity_based_route string			Name of identity-based routing rule. Source firewall.identity-based-route.name.
	inbound string		Choices: enable disable	Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
	internet_service string		Choices: enable disable	Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
	internet_service_custom list / elements=string			Custom Internet Service name.
		name string / required		Custom Internet Service name. Source firewall.internet-service-custom.name.
	internet_service_id list / elements=string			Internet Service ID.
		id integer / required		Internet Service ID. Source firewall.internet-service.id.
	internet_service_negate string		Choices: enable disable	When enabled internet-service specifies what the service must NOT be.
	internet_service_src string		Choices: enable disable	Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
	internet_service_src_custom list / elements=string			Custom Internet Service source name.
		name string / required		Custom Internet Service name. Source firewall.internet-service-custom.name.
	internet_service_src_id list / elements=string			Internet Service source ID.
		id integer / required		Internet Service ID. Source firewall.internet-service.id.
	internet_service_src_negate string		Choices: enable disable	When enabled internet-service-src specifies what the service must NOT be.
	ippool string		Choices: enable disable	Enable to use IP Pools for source NAT.
	ips_sensor string			Name of an existing IPS sensor. Source ips.sensor.name.
	label string			Label for the policy that appears when the GUI is in Section View mode.
	learning_mode string		Choices: enable disable	Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
	logtraffic string		Choices: all utm disable	Enable or disable logging. Log all sessions or security profile sessions.
	logtraffic_start string		Choices: enable disable	Record logs when a session starts and ends.
	match_vip string		Choices: enable disable	Enable to match packets that have had their destination addresses changed by a VIP.
	name string			Policy name.
	nat string		Choices: enable disable	Enable/disable source NAT.
	natinbound string		Choices: enable disable	Policy-based IPsec VPN: apply destination NAT to inbound traffic.
	natip string			Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
	natoutbound string		Choices: enable disable	Policy-based IPsec VPN: apply source NAT to outbound traffic.
	ntlm string		Choices: enable disable	Enable/disable NTLM authentication.
	ntlm_enabled_browsers list / elements=string			HTTP-User-Agent value of supported browsers.
		user_agent_string string		User agent string.
	ntlm_guest string		Choices: enable disable	Enable/disable NTLM guest user access.
	outbound string		Choices: enable disable	Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
	per_ip_shaper string			Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
	permit_any_host string		Choices: enable disable	Accept UDP packets from any host.
	permit_stun_host string		Choices: enable disable	Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
	policyid integer / required			Policy ID.
	poolname list / elements=string			IP Pool names.
		name string / required		IP pool name. Source firewall.ippool.name.
	profile_group string			Name of profile group. Source firewall.profile-group.name.
	profile_protocol_options string			Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
	profile_type string		Choices: single group	Determine whether the firewall policy allows security profile groups or single profiles only.
	radius_mac_auth_bypass string		Choices: enable disable	Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
	redirect_url string			URL users are directed to after seeing and accepting the disclaimer or authenticating.
	replacemsg_override_group string			Override the default replacement message group for this policy. Source system.replacemsg-group.name.
	rsso string		Choices: enable disable	Enable/disable RADIUS single sign-on (RSSO).
	rtp_addr list / elements=string			Address names if this is an RTP NAT policy.
		name string / required		Address name. Source firewall.address.name firewall.addrgrp.name.
	rtp_nat string		Choices: disable enable	Enable Real Time Protocol (RTP) NAT.
	scan_botnet_connections string		Choices: disable block monitor	Block or monitor connections to Botnet servers or disable Botnet scanning.
	schedule string			Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
	schedule_timeout string		Choices: enable disable	Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
	send_deny_packet string		Choices: disable enable	Enable to send a reply when a session is denied or blocked by a firewall policy.
	service list / elements=string			Service and service group names.
		name string / required		Service and service group names. Source firewall.service.custom.name firewall.service.group.name.
	service_negate string		Choices: enable disable	When enabled service specifies what the service must NOT be.
	session_ttl integer			TTL in seconds for sessions accepted by this policy (0 means use the system ).
	spamfilter_profile string			Name of an existing Spam filter profile. Source spamfilter.profile.name.
	srcaddr list / elements=string			Source address and address group names.
		name string / required		Address name. Source firewall.address.name firewall.addrgrp.name.
	srcaddr_negate string		Choices: enable disable	When enabled srcaddr specifies what the source address must NOT be.
	srcintf list / elements=string			Incoming (ingress) interface.
		name string / required		Interface name. Source system.interface.name system.zone.name.
	ssh_filter_profile string			Name of an existing SSH filter profile. Source ssh-filter.profile.name.
	ssl_mirror string		Choices: enable disable	Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
	ssl_mirror_intf list / elements=string			SSL mirror interface name.
		name string / required		Mirror Interface name. Source system.interface.name system.zone.name.
	ssl_ssh_profile string			Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
	state string		Choices: present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	status string		Choices: enable disable	Enable or disable this policy.
	tcp_mss_receiver integer			Receiver TCP maximum segment size (MSS).
	tcp_mss_sender integer			Sender TCP maximum segment size (MSS).
	tcp_session_without_syn string		Choices: all data-only disable	Enable/disable creation of TCP session without SYN flag.
	timeout_send_rst string		Choices: enable disable	Enable/disable sending RST packets when TCP sessions expire.
	traffic_shaper string			Traffic shaper. Source firewall.shaper.traffic-shaper.name.
	traffic_shaper_reverse string			Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
	url_category list / elements=string			URL category ID list.
		id integer / required		URL category ID.
	users list / elements=string			Names of individual users that can authenticate with this policy.
		name string / required		Names of individual users that can authenticate with this policy. Source user.local.name.
	utm_status string		Choices: enable disable	Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
	uuid string			Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
	vlan_cos_fwd integer			VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
	vlan_cos_rev integer			VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest..
	vlan_filter string			Set VLAN filters.
	voip_profile string			Name of an existing VoIP profile. Source voip.profile.name.
	vpntunnel string			Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
	waf_profile string			Name of an existing Web application firewall profile. Source waf.profile.name.
	wanopt string		Choices: enable disable	Enable/disable WAN optimization.
	wanopt_detection string		Choices: active passive False	WAN optimization auto-detection mode.
	wanopt_passive_opt string		Choices: default transparent non-transparent	WAN optimization passive mode options. This option decides what IP address will be used to connect server.
	wanopt_peer string			WAN optimization peer. Source wanopt.peer.peer-host-id.
	wanopt_profile string			WAN optimization profile. Source wanopt.profile.name.
	wccp string		Choices: enable disable	Enable/disable forwarding traffic matching this policy to a configured WCCP server.
	webcache string		Choices: enable disable	Enable/disable web cache.
	webcache_https string		Choices: disable enable	Enable/disable web cache for HTTPS.
	webfilter_profile string			Name of an existing Web filter profile. Source webfilter.profile.name.
	wsso string		Choices: enable disable	Enable/disable WiFi Single Sign On (WSSO).
self string				mkey of self identifier
state string added in 2.9 of fortinet.fortios			Choices: present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
vdom string			Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

• Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

• Adjust object order by moving self after(before) another.

• Only one of [after, before] must be specified when action is moving an object.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure IPv4 policies.
    fortios_firewall_policy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_policy:
        action: "accept"
        app_category:
         -
            id:  "5"
        app_group:
         -
            name: "default_name_7 (source application.group.name)"
        application:
         -
            id:  "9"
        application_list: "<your_own_value> (source application.list.name)"
        auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
        auth_path: "enable"
        auth_redirect_addr: "<your_own_value>"
        av_profile: "<your_own_value> (source antivirus.profile.name)"
        block_notification: "enable"
        captive_portal_exempt: "enable"
        capture_packet: "enable"
        comments: "<your_own_value>"
        custom_log_fields:
         -
            field_id: "<your_own_value> (source log.custom-field.id)"
        delay_tcp_npu_session: "enable"
        devices:
         -
            name: "default_name_23 (source user.device.alias user.device-group.name user.device-category.name)"
        diffserv_forward: "enable"
        diffserv_reverse: "enable"
        diffservcode_forward: "<your_own_value>"
        diffservcode_rev: "<your_own_value>"
        disclaimer: "enable"
        dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
        dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
        dscp_match: "enable"
        dscp_negate: "enable"
        dscp_value: "<your_own_value>"
        dsri: "enable"
        dstaddr:
         -
            name: "default_name_36 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name)"
        dstaddr_negate: "enable"
        dstintf:
         -
            name: "default_name_39 (source system.interface.name system.zone.name)"
        firewall_session_dirty: "check-all"
        fixedport: "enable"
        fsso: "enable"
        fsso_agent_for_ntlm: "<your_own_value> (source user.fsso.name)"
        global_label: "<your_own_value>"
        groups:
         -
            name: "default_name_46 (source user.group.name)"
        icap_profile: "<your_own_value> (source icap.profile.name)"
        identity_based_route: "<your_own_value> (source firewall.identity-based-route.name)"
        inbound: "enable"
        internet_service: "enable"
        internet_service_custom:
         -
            name: "default_name_52 (source firewall.internet-service-custom.name)"
        internet_service_id:
         -
            id:  "54 (source firewall.internet-service.id)"
        internet_service_negate: "enable"
        internet_service_src: "enable"
        internet_service_src_custom:
         -
            name: "default_name_58 (source firewall.internet-service-custom.name)"
        internet_service_src_id:
         -
            id:  "60 (source firewall.internet-service.id)"
        internet_service_src_negate: "enable"
        ippool: "enable"
        ips_sensor: "<your_own_value> (source ips.sensor.name)"
        label: "<your_own_value>"
        learning_mode: "enable"
        logtraffic: "all"
        logtraffic_start: "enable"
        match_vip: "enable"
        name: "default_name_69"
        nat: "enable"
        natinbound: "enable"
        natip: "<your_own_value>"
        natoutbound: "enable"
        ntlm: "enable"
        ntlm_enabled_browsers:
         -
            user_agent_string: "<your_own_value>"
        ntlm_guest: "enable"
        outbound: "enable"
        per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
        permit_any_host: "enable"
        permit_stun_host: "enable"
        policyid: "82"
        poolname:
         -
            name: "default_name_84 (source firewall.ippool.name)"
        profile_group: "<your_own_value> (source firewall.profile-group.name)"
        profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
        profile_type: "single"
        radius_mac_auth_bypass: "enable"
        redirect_url: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        rsso: "enable"
        rtp_addr:
         -
            name: "default_name_93 (source firewall.address.name firewall.addrgrp.name)"
        rtp_nat: "disable"
        scan_botnet_connections: "disable"
        schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
        schedule_timeout: "enable"
        send_deny_packet: "disable"
        service:
         -
            name: "default_name_100 (source firewall.service.custom.name firewall.service.group.name)"
        service_negate: "enable"
        session_ttl: "102"
        spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
        srcaddr:
         -
            name: "default_name_105 (source firewall.address.name firewall.addrgrp.name)"
        srcaddr_negate: "enable"
        srcintf:
         -
            name: "default_name_108 (source system.interface.name system.zone.name)"
        ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
        ssl_mirror: "enable"
        ssl_mirror_intf:
         -
            name: "default_name_112 (source system.interface.name system.zone.name)"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        tcp_mss_receiver: "115"
        tcp_mss_sender: "116"
        tcp_session_without_syn: "all"
        timeout_send_rst: "enable"
        traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
        url_category:
         -
            id:  "122"
        users:
         -
            name: "default_name_124 (source user.local.name)"
        utm_status: "enable"
        uuid: "<your_own_value>"
        vlan_cos_fwd: "127"
        vlan_cos_rev: "128"
        vlan_filter: "<your_own_value>"
        voip_profile: "<your_own_value> (source voip.profile.name)"
        vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
        waf_profile: "<your_own_value> (source waf.profile.name)"
        wanopt: "enable"
        wanopt_detection: "active"
        wanopt_passive_opt: "default"
        wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
        wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
        wccp: "enable"
        webcache: "enable"
        webcache_https: "disable"
        webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
        wsso: "enable"

  - name: move firewall.policy
    fortios_firewall_policy:
      vdom:  "root"
      action: "move"
      self: "<mkey of self identifier>"
      after: "<mkey of target identifier>"
     #before: "<mkey of target identifier>"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

• Link Zheng (@chillancezen)

• Jie Xue (@JieX19)

• Hongbin Lu (@fgtdev-hblu)

• Frank Shen (@frankshen01)

• Miguel Angel Munoz (@mamunozgonzalez)

• Nicolas Thomas (@thomnico)