fortinet.fortimanager.fmgr_vap_dynamicmapping – Configure Virtual Access Points
Note
This plugin is part of the fortinet.fortimanager collection (version 2.1.4).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_vap_dynamicmapping.
New in version 2.10 of fortinet.fortimanager
Synopsis
This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
Parameter |
Comments |
---|---|
the parameter (adom) in requested url |
|
only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters Choices:
|
|
Enable/Disable logging for task Choices:
|
|
The overridden method for the underlying Json RPC request Choices:
|
|
the rc codes list with which the conditions to fail will be overridden |
|
the rc codes list with which the conditions to succeed will be overridden |
|
the directive to create, update or delete an object Choices:
|
|
the parameter (vap) in requested url |
|
the top level parameters set |
|
_Centmgmt. Choices:
|
|
_Dhcp_Svr_Id. |
|
no description Choices:
|
|
_Intf_Device-Access-List. |
|
_Intf_Device-Identification. Choices:
|
|
_Intf_Device-Netscan. Choices:
|
|
no description |
|
_Intf_Dhcp-Relay-Service. Choices:
|
|
_Intf_Dhcp-Relay-Type. Choices:
|
|
_Intf_Dhcp6-Relay-Ip. |
|
_Intf_Dhcp6-Relay-Service. Choices:
|
|
_Intf_Dhcp6-Relay-Type. Choices:
|
|
_Intf_Ip. |
|
_Intf_Ip6-Address. |
|
no description Choices:
|
|
_Intf_Listen-Forticlient-Connection. Choices:
|
|
no description |
|
Name. |
|
Vdom. |
|
Access-Control-List. |
|
WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0). |
|
no description Choices:
|
|
Address group ID. |
|
Alias. |
|
Airtime weight in percentage (default = 20). |
|
Authentication protocol. Choices:
|
|
Enable/disable broadcasting the SSID (default = enable). Choices:
|
|
no description Choices:
|
|
Bss-Color-Partial. Choices:
|
|
Enable/disable forcing of disassociation after the BSTM request timer has been reached (default = enable). Choices:
|
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30, default = … |
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000, default = 200). |
|
Local-bridging captive portal ac-name. |
|
Captive-Portal-Auth-Timeout. |
|
no description |
|
Captive portal external RADIUS server domain name or IP address. |
|
no description |
|
Captive portal RADIUS server domain name or IP address. |
|
Session timeout interval (0 - 864000 sec, default = 0). |
|
Client-Count. |
|
Enable/disable DHCP address enforcement (default = disable). Choices:
|
|
DHCP lease time in seconds for NAT IP address. |
|
Dhcp-Option43-Insertion. Choices:
|
|
Enable/disable DHCP option 82 circuit-id insert (default = disable). Choices:
|
|
Enable/disable DHCP option 82 insert (default = disable). Choices:
|
|
Enable/disable DHCP option 82 remote-id insert (default = disable). Choices:
|
|
Enable/disable dynamic VLAN assignment. Choices:
|
|
Enable/disable EAP re-authentication for WPA-Enterprise security. Choices:
|
|
EAP re-authentication interval (1800 - 864000 sec, default = 86400). |
|
Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable). Choices:
|
|
Encryption protocol to use (only available when security is set to a WPA type). Choices:
|
|
Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable). Choices:
|
|
URL of external authentication logout server. |
|
URL of external authentication web server. |
|
URL query parameter detection (default = auto-detect). Choices:
|
|
Enable/disable 802.11r Fast BSS Transition (FT) (default = disable). Choices:
|
|
Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable). Choices:
|
|
Mobility domain identifier in FT (1 - 65535, default = 1000). |
|
Enable/disable FT over the Distribution System (DS). Choices:
|
|
Lifetime of the PMK-R0 key in FT, 1-65535 minutes. |
|
GAS comeback delay (0 or 100 - 10000 milliseconds, default = 500). |
|
GAS fragmentation limit (512 - 4096, default = 1024). |
|
Enable/disable GTK rekey for WPA security. Choices:
|
|
GTK rekey interval (1800 - 864000 sec, default = 86400). |
|
Enable/disable 802.11ax high efficiency (default = enable). Choices:
|
|
Hotspot 2.0 profile name. |
|
Enable/disable IGMP snooping. Choices:
|
|
Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable). Choices:
|
|
IP address and subnet mask for the local standalone NAT subnet. |
|
no description Choices:
|
|
no description |
|
WEP key index (1 - 4). |
|
VAP low-density parity-check (LDPC) coding configuration. Choices:
|
|
Enable/disable AP local authentication. Choices:
|
|
Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable). Choices:
|
|
Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow). Choices:
|
|
Enable/disable AP local standalone (default = disable). Choices:
|
|
Enable/disable AP local standalone NAT mode. Choices:
|
|
Local-Switching. Choices:
|
|
Enable/disable MAC authentication bypass. Choices:
|
|
MAC called station delimiter (default = hyphen). Choices:
|
|
MAC calling station delimiter (default = hyphen). Choices:
|
|
MAC case (default = uppercase). Choices:
|
|
Enable/disable MAC filtering to block wireless clients by mac address. Choices:
|
|
Allow or block clients with MAC addresses that are not in the filter list. Choices:
|
|
MAC authentication password delimiter (default = hyphen). Choices:
|
|
MAC authentication username delimiter (default = hyphen). Choices:
|
|
Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation). |
|
Maximum number of clients that can connect simultaneously to the VAP per AP radio (default = 0, meaning no limitation). |
|
Enable/disable Multiband Operation (default = disable). Choices:
|
|
MBO cell data connection preference (0, 1, or 255, default = 1). Choices:
|
|
Disable multicast enhancement when this many clients are receiving multicast traffic. |
|
Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set t… Choices:
|
|
Enable/disable multiple PSK authentication. Choices:
|
|
Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535, default… |
|
Mpsk-Profile. |
|
Enable/disable Multi-user MIMO (default = enable). Choices:
|
|
Enable/disable converting multicast to unicast to improve performance (default = disable). Choices:
|
|
Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0). Choices:
|
|
Enable/disable network access control. Choices:
|
|
NAC profile name. |
|
Enable/disable dual-band neighbor report (default = disable). Choices:
|
|
Enable/disable Opportunistic Key Caching (OKC) (default = enable). Choices:
|
|
no description Choices:
|
|
Enable/disable OWE transition mode support. Choices:
|
|
OWE transition mode peer SSID. |
|
no description |
|
Protected Management Frames (PMF) support (default = disable). Choices:
|
|
Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). |
|
Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). |
|
Enable/disable LAN port MAC authentication (default = disable). Choices:
|
|
LAN port MAC authentication re-authentication timeout value (default = 7200 sec). |
|
LAN port MAC authentication idle timeout value (default = 600 sec). |
|
Replacement message group for this VAP (only available when security is set to a captive portal type). |
|
Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. Choices:
|
|
Primary wireless access gateway profile name. |
|
Enable/disable probe response suppression (to ignore weak signals) (default = disable). Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80). |
|
Enable/disable PTK rekey for WPA-Enterprise security. Choices:
|
|
PTK rekey interval (1800 - 864000 sec, default = 86400). |
|
Quality of service profile name. |
|
Enable/disable station quarantine (default = enable). Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79). |
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20, default = -76). |
|
Enable/disable software radio sensitivity (to ignore weak signals) (default = disable). Choices:
|
|
Enable/disable RADIUS-based MAC authentication of clients (default = disable). Choices:
|
|
RADIUS-based MAC authentication server. |
|
no description |
|
RADIUS server to be used to authenticate WiFi users. |
|
no description Choices:
|
|
no description Choices:
|
|
no description Choices:
|
|
no description Choices:
|
|
no description Choices:
|
|
no description Choices:
|
|
no description Choices:
|
|
no description |
|
Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid…. |
|
Secondary wireless access gateway profile name. |
|
Security mode for the wireless interface (default = wpa2-only-personal). Choices:
|
|
Optional security exempt list for captive portal authentication. |
|
Enable/disable obsolete security options. Choices:
|
|
Optional URL for redirecting users after they pass captive portal authentication. |
|
Selective user groups that are permitted to authenticate. |
|
Enable/disable split tunneling (default = disable). Choices:
|
|
IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configur… |
|
Sticky-Client-Remove. Choices:
|
|
Sticky-Client-Threshold-2G. |
|
Sticky-Client-Threshold-5G. |
|
Enable/disable 802.11ax target wake time (default = enable). Choices:
|
|
Enable/disable TKIP counter measure. Choices:
|
|
The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec, default = 300). |
|
The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec, default = 7200). |
|
Firewall user group to be used to authenticate WiFi users. |
|
UTM profile name. |
|
Vdom. |
|
Enable/disable automatic management of SSID VLAN interface. Choices:
|
|
Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When… Choices:
|
|
Optional VLAN ID. |
|
Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable). Choices:
|
|
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root |
|
the maximum time in seconds to wait for other user to release the workspace lock Default: 300 |
Notes
Note
Running in workspace locking mode is supported in this FortiManager module; the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state present directive.
To delete an object, use state absent directive.
Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded.
Examples
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # False disables TLS certificate verification of the FortiManager;
    # set it to True wherever the certificate chains to a trusted CA.
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Virtual Access Points
      fmgr_vap_dynamicmapping:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        vap: <your own value>
        state: <value in [present, absent]>
        vap_dynamicmapping:
          _centmgmt: <value in [disable, enable]>
          _dhcp_svr_id: <value of string>
          _intf_allowaccess:
            - https
            - ping
            - ssh
            - snmp
            - http
            - telnet
            - fgfm
            - auto-ipsec
            - radius-acct
            - probe-response
            - capwap
          _intf_device-identification: <value in [disable, enable]>
          _intf_device-netscan: <value in [disable, enable]>
          _intf_dhcp-relay-ip: <value of string>
          _intf_dhcp-relay-service: <value in [disable, enable]>
          _intf_dhcp-relay-type: <value in [regular, ipsec]>
          _intf_dhcp6-relay-ip: <value of string>
          _intf_dhcp6-relay-service: <value in [disable, enable]>
          _intf_dhcp6-relay-type: <value in [regular]>
          _intf_ip: <value of string>
          _intf_ip6-address: <value of string>
          _intf_ip6-allowaccess:
            - https
            - ping
            - ssh
            - snmp
            - http
            - telnet
            - any
            - fgfm
            - capwap
          _intf_listen-forticlient-connection: <value in [disable, enable]>
          _scope:
            -
              name: <value of string>
              vdom: <value of string>
          acct-interim-interval: <value of integer>
          address-group: <value of string>
          alias: <value of string>
          atf-weight: <value of integer>
          auth: <value in [PSK, psk, RADIUS, ...]>
          broadcast-ssid: <value in [disable, enable]>
          broadcast-suppression:
            - dhcp
            - arp
            - dhcp2
            - arp2
            - netbios-ns
            - netbios-ds
            - arp3
            - dhcp-up
            - dhcp-down
            - arp-known
            - arp-unknown
            - arp-reply
            - ipv6
            - dhcp-starvation
            - arp-poison
            - all-other-mc
            - all-other-bc
            - arp-proxy
            - dhcp-ucast
          captive-portal-ac-name: <value of string>
          captive-portal-macauth-radius-secret: <value of string>
          captive-portal-macauth-radius-server: <value of string>
          captive-portal-radius-secret: <value of string>
          captive-portal-radius-server: <value of string>
          captive-portal-session-timeout-interval: <value of integer>
          client-count: <value of integer>
          dhcp-lease-time: <value of integer>
          dhcp-option82-circuit-id-insertion: <value in [disable, style-1, style-2, ...]>
          dhcp-option82-insertion: <value in [disable, enable]>
          dhcp-option82-remote-id-insertion: <value in [disable, style-1]>
          dynamic-vlan: <value in [disable, enable]>
          eap-reauth: <value in [disable, enable]>
          eap-reauth-intv: <value of integer>
          eapol-key-retries: <value in [disable, enable]>
          encrypt: <value in [TKIP, AES, TKIP-AES]>
          external-fast-roaming: <value in [disable, enable]>
          external-logout: <value of string>
          external-web: <value of string>
          fast-bss-transition: <value in [disable, enable]>
          fast-roaming: <value in [disable, enable]>
          ft-mobility-domain: <value of integer>
          ft-over-ds: <value in [disable, enable]>
          ft-r0-key-lifetime: <value of integer>
          gtk-rekey: <value in [disable, enable]>
          gtk-rekey-intv: <value of integer>
          hotspot20-profile: <value of string>
          intra-vap-privacy: <value in [disable, enable]>
          ip: <value of string>
          key: <value of string>
          keyindex: <value of integer>
          ldpc: <value in [disable, tx, rx, ...]>
          local-authentication: <value in [disable, enable]>
          local-bridging: <value in [disable, enable]>
          local-lan: <value in [deny, allow]>
          local-standalone: <value in [disable, enable]>
          local-standalone-nat: <value in [disable, enable]>
          local-switching: <value in [disable, enable]>
          mac-auth-bypass: <value in [disable, enable]>
          mac-filter: <value in [disable, enable]>
          mac-filter-policy-other: <value in [deny, allow]>
          max-clients: <value of integer>
          max-clients-ap: <value of integer>
          me-disable-thresh: <value of integer>
          mesh-backhaul: <value in [disable, enable]>
          mpsk: <value in [disable, enable]>
          mpsk-concurrent-clients: <value of integer>
          multicast-enhance: <value in [disable, enable]>
          multicast-rate: <value in [0, 6000, 12000, ...]>
          okc: <value in [disable, enable]>
          owe-groups:
            - 19
            - 20
            - 21
          owe-transition: <value in [disable, enable]>
          owe-transition-ssid: <value of string>
          passphrase: <value of string>
          pmf: <value in [disable, enable, optional]>
          pmf-assoc-comeback-timeout: <value of integer>
          pmf-sa-query-retry-timeout: <value of integer>
          portal-message-override-group: <value of string>
          portal-type: <value in [auth, auth+disclaimer, disclaimer, ...]>
          probe-resp-suppression: <value in [disable, enable]>
          probe-resp-threshold: <value of string>
          ptk-rekey: <value in [disable, enable]>
          ptk-rekey-intv: <value of integer>
          qos-profile: <value of string>
          quarantine: <value in [disable, enable]>
          radio-2g-threshold: <value of string>
          radio-5g-threshold: <value of string>
          radio-sensitivity: <value in [disable, enable]>
          radius-mac-auth: <value in [disable, enable]>
          radius-mac-auth-server: <value of string>
          radius-mac-auth-usergroups: <value of string>
          radius-server: <value of string>
          rates-11a:
            - 1
            - 1-basic
            - 2
            - 2-basic
            - 5.5
            - 5.5-basic
            - 6
            - 6-basic
            - 9
            - 9-basic
            - 12
            - 12-basic
            - 18
            - 18-basic
            - 24
            - 24-basic
            - 36
            - 36-basic
            - 48
            - 48-basic
            - 54
            - 54-basic
            - 11
            - 11-basic
          rates-11ac-ss12:
            - mcs0/1
            - mcs1/1
            - mcs2/1
            - mcs3/1
            - mcs4/1
            - mcs5/1
            - mcs6/1
            - mcs7/1
            - mcs8/1
            - mcs9/1
            - mcs0/2
            - mcs1/2
            - mcs2/2
            - mcs3/2
            - mcs4/2
            - mcs5/2
            - mcs6/2
            - mcs7/2
            - mcs8/2
            - mcs9/2
            - mcs10/1
            - mcs11/1
            - mcs10/2
            - mcs11/2
          rates-11ac-ss34:
            - mcs0/3
            - mcs1/3
            - mcs2/3
            - mcs3/3
            - mcs4/3
            - mcs5/3
            - mcs6/3
            - mcs7/3
            - mcs8/3
            - mcs9/3
            - mcs0/4
            - mcs1/4
            - mcs2/4
            - mcs3/4
            - mcs4/4
            - mcs5/4
            - mcs6/4
            - mcs7/4
            - mcs8/4
            - mcs9/4
            - mcs10/3
            - mcs11/3
            - mcs10/4
            - mcs11/4
          rates-11bg:
            - 1
            - 1-basic
            - 2
            - 2-basic
            - 5.5
            - 5.5-basic
            - 6
            - 6-basic
            - 9
            - 9-basic
            - 12
            - 12-basic
            - 18
            - 18-basic
            - 24
            - 24-basic
            - 36
            - 36-basic
            - 48
            - 48-basic
            - 54
            - 54-basic
            - 11
            - 11-basic
          rates-11n-ss12:
            - mcs0/1
            - mcs1/1
            - mcs2/1
            - mcs3/1
            - mcs4/1
            - mcs5/1
            - mcs6/1
            - mcs7/1
            - mcs8/2
            - mcs9/2
            - mcs10/2
            - mcs11/2
            - mcs12/2
            - mcs13/2
            - mcs14/2
            - mcs15/2
          rates-11n-ss34:
            - mcs16/3
            - mcs17/3
            - mcs18/3
            - mcs19/3
            - mcs20/3
            - mcs21/3
            - mcs22/3
            - mcs23/3
            - mcs24/4
            - mcs25/4
            - mcs26/4
            - mcs27/4
            - mcs28/4
            - mcs29/4
            - mcs30/4
            - mcs31/4
          sae-groups:
            - 1
            - 2
            - 5
            - 14
            - 15
            - 16
            - 17
            - 18
            - 19
            - 20
            - 21
            - 27
            - 28
            - 29
            - 30
            - 31
          sae-password: <value of string>
          schedule: <value of string>
          security: <value in [None, WEP64, wep64, ...]>
          security-exempt-list: <value of string>
          security-obsolete-option: <value in [disable, enable]>
          security-redirect-url: <value of string>
          selected-usergroups: <value of string>
          split-tunneling: <value in [disable, enable]>
          ssid: <value of string>
          tkip-counter-measure: <value in [disable, enable]>
          usergroup: <value of string>
          utm-profile: <value of string>
          vdom: <value of string>
          vlan-auto: <value in [disable, enable]>
          vlan-pooling: <value in [wtp-group, round-robin, hash, ...]>
          vlanid: <value of integer>
          voice-enterprise: <value in [disable, enable]>
          mu-mimo: <value in [disable, enable]>
          _intf_device-access-list: <value of string>
          external-web-format: <value in [auto-detect, no-query-string, partial-query-string]>
          high-efficiency: <value in [disable, enable]>
          primary-wag-profile: <value of string>
          secondary-wag-profile: <value of string>
          target-wake-time: <value in [disable, enable]>
          tunnel-echo-interval: <value of integer>
          tunnel-fallback-interval: <value of integer>
          access-control-list: <value of string>
          captive-portal-auth-timeout: <value of integer>
          ipv6-rules:
            - drop-icmp6ra
            - drop-icmp6rs
            - drop-llmnr6
            - drop-icmp6mld2
            - drop-dhcp6s
            - drop-dhcp6c
            - ndp-proxy
            - drop-ns-dad
            - drop-ns-nondad
          sticky-client-remove: <value in [disable, enable]>
          sticky-client-threshold-2g: <value of string>
          sticky-client-threshold-5g: <value of string>
          bss-color-partial: <value in [disable, enable]>
          dhcp-option43-insertion: <value in [disable, enable]>
          mpsk-profile: <value of string>
          igmp-snooping: <value in [disable, enable]>
          port-macauth: <value in [disable, radius, address-group]>
          port-macauth-reauth-timeout: <value of integer>
          port-macauth-timeout: <value of integer>
          additional-akms:
            - akm6
          bstm-disassociation-imminent: <value in [disable, enable]>
          bstm-load-balancing-disassoc-timer: <value of integer>
          bstm-rssi-disassoc-timer: <value of integer>
          dhcp-address-enforcement: <value in [disable, enable]>
          gas-comeback-delay: <value of integer>
          gas-fragmentation-limit: <value of integer>
          mac-called-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
          mac-calling-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
          mac-case: <value in [uppercase, lowercase]>
          mac-password-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
          mac-username-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
          mbo: <value in [disable, enable]>
          mbo-cell-data-conn-pref: <value in [excluded, prefer-not, prefer-use]>
          nac: <value in [disable, enable]>
          nac-profile: <value of string>
          neighbor-report-dual-band: <value in [disable, enable]>
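The reference example above lists every key with placeholder values. The playbook below is an added example, not part of the collection's documentation. It shows a minimal per-device mapping that verifies the FortiManager certificate, keeps the passphrase out of the playbook and task output, and limits management access on the SSID interface. The ADOM, VAP, device, SSID and vault variable names are hypothetical; every module key and choice value is taken from this page.

```yaml
# Added example: hardened per-device VAP mapping (names marked hypothetical are assumptions).
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # Verify the FortiManager certificate; the reference example sets this to False.
    ansible_httpapi_validate_certs: True
    ansible_httpapi_port: 443
  tasks:
    - name: Per-device mapping for a WPA2-Personal SSID
      fmgr_vap_dynamicmapping:
        bypass_validation: False          # keep parameter validation against the schema
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        vap: corp-wifi                    # hypothetical VAP name
        state: present
        vap_dynamicmapping:
          _scope:
            -
              name: branch-fgt-01         # hypothetical managed device
              vdom: root
          ssid: corp-wifi-branch          # hypothetical SSID
          security: wpa2-only-personal    # documented default security mode
          encrypt: AES                    # AES only, not TKIP or TKIP-AES
          passphrase: "{{ vault_wifi_passphrase }}"   # hypothetical Ansible Vault variable
          pmf: enable                     # Protected Management Frames
          security-obsolete-option: disable
          gtk-rekey: enable
          gtk-rekey-intv: 3600            # within the documented 1800 - 864000 sec range
          intra-vap-privacy: enable       # block client-to-client traffic on the SSID
          local-lan: deny                 # deny traffic to private address ranges
          _intf_allowaccess:
            - ping                        # no http, telnet or ssh on the wireless interface
          _intf_ip6-allowaccess:
            - ping
      # Keep the passphrase out of Ansible's task output and logs.
      no_log: true
```

With no_log set, the module's return values are also hidden, so remove it temporarily (with a throwaway passphrase) when debugging a failing rc.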
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The full url requested Returned: always Sample: “/sys/login/user” |
|
The status of api request Returned: always Sample: 0 |
|
The descriptive message of the api response Returned: always Sample: “OK.” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Frank Shen (@fshen01)
Hongbin Lu (@fgtdev-hblu)