fortinet.fortios.fortios_firewall_access_proxy – Configure Access Proxy in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_access_proxy.

New in version 2.10 of fortinet.fortios

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the access_proxy category of the firewall feature. The examples include all parameters; values need to be adjusted to match your datasources before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter

Comments

access_token

string

Token-based authentication. Generated from the GUI of the FortiGate.

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • no ← (default)

  • yes

firewall_access_proxy

dictionary

Configure Access Proxy.

api_gateway

list / elements=string

Set API Gateway.

http_cookie_age

integer

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

http_cookie_domain

string

Domain that HTTP cookie persistence should apply to.

http_cookie_domain_from_host

string

Enable/disable use of HTTP cookie domain from host field in HTTP.

Choices:

  • disable

  • enable

http_cookie_generation

integer

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

http_cookie_path

string

Limit HTTP cookie persistence to the specified path.

http_cookie_share

string

Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

Choices:

  • disable

  • same-ip

https_cookie_secure

string

Enable/disable verification that inserted HTTPS cookies are secure.

Choices:

  • disable

  • enable

id

integer / required

API Gateway ID.

ldb_method

string

Method used to distribute sessions to real servers.

Choices:

  • static

  • round-robin

  • weighted

  • least-session

  • least-rtt

  • first-alive

  • http-host

persistence

string

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

Choices:

  • none

  • http-cookie

realservers

list / elements=string

Select the real servers that this Access Proxy will distribute traffic to.

address

string

Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name.

health_check

string

Enable to check the responsiveness of the real server before forwarding traffic.

Choices:

  • disable

  • enable

health_check_proto

string

Protocol of the health check monitor to use when polling to determine the server's connectivity status.

Choices:

  • ping

  • http

  • tcp-connect

holddown_interval

string

Enable/disable the holddown timer. The server will be considered active and reachable once the holddown period has expired (30 seconds).

Choices:

  • enable

  • disable

http_host

string

HTTP server domain name in HTTP header.

id

integer / required

Real server ID.

ip

string

IP address of the real server.

mappedport

string

Port for communicating with the real server.

port

integer

Port for communicating with the real server.

ssh_client_cert

string

Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.

ssh_host_key

list / elements=string

One or more server host keys.

name

string / required

Server host key name. Source firewall.ssh.host-key.name.

ssh_host_key_validation

string

Enable/disable SSH real server host key validation.

Choices:

  • disable

  • enable

status

string

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

Choices:

  • active

  • standby

  • disable

type

string

TCP forwarding server type.

Choices:

  • tcp-forwarding

  • ssh

weight

integer

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

saml_server

string

SAML service provider configuration for VIP authentication. Source user.saml.name.

service

string

Service.

Choices:

  • http

  • https

  • tcp-forwarding

  • samlsp

ssl_algorithm

string

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

Choices:

  • high

  • medium

  • low

  • custom

ssl_cipher_suites

list / elements=string

SSL/TLS cipher suites to offer to a server, ordered by priority.

cipher

string

Cipher suite name.

Choices:

  • TLS-AES-128-GCM-SHA256

  • TLS-AES-256-GCM-SHA384

  • TLS-CHACHA20-POLY1305-SHA256

  • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA

  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA

  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA

  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA

  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

  • TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

  • TLS-RSA-WITH-AES-128-CBC-SHA

  • TLS-RSA-WITH-AES-256-CBC-SHA

  • TLS-RSA-WITH-AES-128-CBC-SHA256

  • TLS-RSA-WITH-AES-128-GCM-SHA256

  • TLS-RSA-WITH-AES-256-CBC-SHA256

  • TLS-RSA-WITH-AES-256-GCM-SHA384

  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-SEED-CBC-SHA

  • TLS-DHE-DSS-WITH-SEED-CBC-SHA

  • TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

  • TLS-RSA-WITH-SEED-CBC-SHA

  • TLS-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

  • TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-RC4-128-SHA

  • TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

  • TLS-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-RSA-WITH-RC4-128-MD5

  • TLS-RSA-WITH-RC4-128-SHA

  • TLS-DHE-RSA-WITH-DES-CBC-SHA

  • TLS-DHE-DSS-WITH-DES-CBC-SHA

  • TLS-RSA-WITH-DES-CBC-SHA

  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

priority

integer / required

SSL/TLS cipher suites priority.

versions

string

SSL/TLS versions that the cipher suite can be used with.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

ssl_dh_bits

string

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

Choices:

  • 768

  • 1024

  • 1536

  • 2048

  • 3072

  • 4096

ssl_max_version

string

Highest SSL/TLS version acceptable from a server.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

ssl_min_version

string

Lowest SSL/TLS version acceptable from a server.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

url_map

string

URL pattern to match.

url_map_type

string

Type of url-map.

Choices:

  • sub-string

  • wildcard

  • regex

virtual_host

string

Virtual host. Source firewall.access-proxy-virtual-host.name.

api_gateway6

list / elements=string

Set IPv6 API Gateway.

http_cookie_age

integer

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

http_cookie_domain

string

Domain that HTTP cookie persistence should apply to.

http_cookie_domain_from_host

string

Enable/disable use of HTTP cookie domain from host field in HTTP.

Choices:

  • disable

  • enable

http_cookie_generation

integer

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

http_cookie_path

string

Limit HTTP cookie persistence to the specified path.

http_cookie_share

string

Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

Choices:

  • disable

  • same-ip

https_cookie_secure

string

Enable/disable verification that inserted HTTPS cookies are secure.

Choices:

  • disable

  • enable

id

integer / required

API Gateway ID.

ldb_method

string

Method used to distribute sessions to real servers.

Choices:

  • static

  • round-robin

  • weighted

  • first-alive

  • http-host

persistence

string

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

Choices:

  • none

  • http-cookie

realservers

list / elements=string

Select the real servers that this Access Proxy will distribute traffic to.

address

string

Address or address group of the real server. Source firewall.address6.name firewall.addrgrp6.name.

health_check

string

Enable to check the responsiveness of the real server before forwarding traffic.

Choices:

  • disable

  • enable

health_check_proto

string

Protocol of the health check monitor to use when polling to determine the server's connectivity status.

Choices:

  • ping

  • http

  • tcp-connect

holddown_interval

string

Enable/disable the holddown timer. The server will be considered active and reachable once the holddown period has expired (30 seconds).

Choices:

  • enable

  • disable

http_host

string

HTTP server domain name in HTTP header.

id

integer / required

Real server ID.

ip

string

IPv6 address of the real server.

mappedport

string

Port for communicating with the real server.

port

integer

Port for communicating with the real server.

ssh_client_cert

string

Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name.

ssh_host_key

list / elements=string

One or more server host keys.

name

string / required

Server host key name. Source firewall.ssh.host-key.name.

ssh_host_key_validation

string

Enable/disable SSH real server host key validation.

Choices:

  • disable

  • enable

status

string

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

Choices:

  • active

  • standby

  • disable

type

string

TCP forwarding server type.

Choices:

  • tcp-forwarding

  • ssh

weight

integer

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

saml_server

string

SAML service provider configuration for VIP authentication. Source user.saml.name.

service

string

Service.

Choices:

  • http

  • https

  • tcp-forwarding

  • samlsp

ssl_algorithm

string

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

Choices:

  • high

  • medium

  • low

ssl_cipher_suites

list / elements=string

SSL/TLS cipher suites to offer to a server, ordered by priority.

cipher

string

Cipher suite name.

Choices:

  • TLS-AES-128-GCM-SHA256

  • TLS-AES-256-GCM-SHA384

  • TLS-CHACHA20-POLY1305-SHA256

  • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA

  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA

  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA

  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA

  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

  • TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

  • TLS-RSA-WITH-AES-128-CBC-SHA

  • TLS-RSA-WITH-AES-256-CBC-SHA

  • TLS-RSA-WITH-AES-128-CBC-SHA256

  • TLS-RSA-WITH-AES-128-GCM-SHA256

  • TLS-RSA-WITH-AES-256-CBC-SHA256

  • TLS-RSA-WITH-AES-256-GCM-SHA384

  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

  • TLS-DHE-RSA-WITH-SEED-CBC-SHA

  • TLS-DHE-DSS-WITH-SEED-CBC-SHA

  • TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

  • TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

  • TLS-RSA-WITH-SEED-CBC-SHA

  • TLS-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

  • TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

  • TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

  • TLS-ECDHE-RSA-WITH-RC4-128-SHA

  • TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

  • TLS-RSA-WITH-3DES-EDE-CBC-SHA

  • TLS-RSA-WITH-RC4-128-MD5

  • TLS-RSA-WITH-RC4-128-SHA

  • TLS-DHE-RSA-WITH-DES-CBC-SHA

  • TLS-DHE-DSS-WITH-DES-CBC-SHA

  • TLS-RSA-WITH-DES-CBC-SHA

priority

integer / required

SSL/TLS cipher suites priority.

versions

string

SSL/TLS versions that the cipher suite can be used with.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

ssl_dh_bits

string

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

Choices:

  • 768

  • 1024

  • 1536

  • 2048

  • 3072

  • 4096

ssl_max_version

string

Highest SSL/TLS version acceptable from a server.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

ssl_min_version

string

Lowest SSL/TLS version acceptable from a server.

Choices:

  • tls-1.0

  • tls-1.1

  • tls-1.2

  • tls-1.3

url_map

string

URL pattern to match.

url_map_type

string

Type of url-map.

Choices:

  • sub-string

  • wildcard

  • regex

virtual_host

string

Virtual host. Source firewall.access-proxy-virtual-host.name.

client_cert

string

Enable/disable to request client certificate.

Choices:

  • disable

  • enable

empty_cert_action

string

Action of an empty client certificate.

Choices:

  • accept

  • block

ldb_method

string

Method used to distribute sessions to SSL real servers.

Choices:

  • static

  • round-robin

  • weighted

  • least-session

  • least-rtt

  • first-alive

name

string / required

Access Proxy name.

realservers

list / elements=string

Select the SSL real servers that this Access Proxy will distribute traffic to.

id

integer / required

Real server ID.

ip

string

IP address of the real server.

port

integer

Port for communicating with the real server.

status

string

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

Choices:

  • active

  • standby

  • disable

weight

integer

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

server_pubkey_auth

string

Enable/disable SSH real server public key authentication.

Choices:

  • disable

  • enable

server_pubkey_auth_settings

dictionary

Server SSH public key authentication settings.

auth_ca

string

Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name.

cert_extension

list / elements=string

Configure certificate extension for user certificate.

critical

string

Critical option.

Choices:

  • False

  • True

data

string

Name of certificate extension.

name

string / required

Name of certificate extension.

type

string

Type of certificate extension.

Choices:

  • fixed

  • user

permit_agent_forwarding

string

Enable/disable appending permit-agent-forwarding certificate extension.

Choices:

  • enable

  • disable

permit_port_forwarding

string

Enable/disable appending permit-port-forwarding certificate extension.

Choices:

  • enable

  • disable

permit_pty

string

Enable/disable appending permit-pty certificate extension.

Choices:

  • enable

  • disable

permit_user_rc

string

Enable/disable appending permit-user-rc certificate extension.

Choices:

  • enable

  • disable

permit_x11_forwarding

string

Enable/disable appending permit-x11-forwarding certificate extension.

Choices:

  • enable

  • disable

source_address

string

Enable/disable appending the source-address certificate critical option. This option ensures the certificate is only accepted from the FortiGate source address.

Choices:

  • enable

  • disable

vip

string

Virtual IP name. Source firewall.vip.name.

member_path

string

Member attribute path to operate on.

Delimited by a slash character if there is more than one attribute.

Parameters marked with member_path support member operations.

member_state

string

Add or delete a member under specified attribute path.

When member_state is specified, the state option is ignored.

Choices:

  • present

  • absent

state

string / required

Indicates whether to create or remove the object.

Choices:

  • present

  • absent

vdom

string

Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Default: “root”

Notes

Note

  • The legacy fortiosapi connection has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Access Proxy.
    fortios_firewall_access_proxy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_access_proxy:
        api_gateway:
         -
            http_cookie_age: "4"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "7"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "11"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                health_check: "disable"
                health_check_proto: "ping"
                holddown_interval: "enable"
                http_host: "myhostname"
                id:  "20"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "23"
                ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                ssh_host_key:
                 -
                    name: "default_name_26 (source firewall.ssh.host-key.name)"
                ssh_host_key_validation: "disable"
                status: "active"
                type: "tcp-forwarding"
                weight: "30"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "36"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        api_gateway6:
         -
            http_cookie_age: "45"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "48"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "52"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
                health_check: "disable"
                health_check_proto: "ping"
                holddown_interval: "enable"
                http_host: "myhostname"
                id:  "61"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "64"
                ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
                ssh_host_key:
                 -
                    name: "default_name_67 (source firewall.ssh.host-key.name)"
                ssh_host_key_validation: "disable"
                status: "active"
                type: "tcp-forwarding"
                weight: "71"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "77"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        client_cert: "disable"
        empty_cert_action: "accept"
        ldb_method: "static"
        name: "default_name_88"
        realservers:
         -
            id:  "90"
            ip: "<your_own_value>"
            port: "92"
            status: "active"
            weight: "94"
        server_pubkey_auth: "disable"
        server_pubkey_auth_settings:
            auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
            cert_extension:
             -
                critical: "no"
                data: "<your_own_value>"
                name: "default_name_101"
                type: "fixed"
            permit_agent_forwarding: "enable"
            permit_port_forwarding: "enable"
            permit_pty: "enable"
            permit_user_rc: "enable"
            permit_x11_forwarding: "enable"
            source_address: "enable"
        vip: "<your_own_value> (source firewall.vip.name)"
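The example playbook above carries placeholder values that a practitioner should not copy into production: ssl_min_version, ssl_max_version and the cipher suite versions are all tls-1.0, ssl_dh_bits is 768, https_cookie_secure and ssh_host_key_validation are disable. The following pre-flight check, an added example that is not part of the fortinet.fortios collection, audits a firewall_access_proxy dictionary (shaped like the module's task parameters) against a baseline before the task runs; the TLS floor, DH size and legacy cipher markers are this example's own assumptions, and both fixtures are constructed.

```python
# Added example, not part of the fortinet.fortios collection: audit a
# firewall_access_proxy dict before it is pushed. Thresholds are assumptions.

TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]
TLS_FLOOR = "tls-1.2"                                    # assumed lowest acceptable version
DH_FLOOR = 2048                                          # assumed smallest acceptable ssl_dh_bits
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "3DES", "MD5")  # legacy entries from the cipher list

def tls_rank(version):
    # Position of a tls-1.x string in TLS_ORDER; unknown strings rank lowest.
    return TLS_ORDER.index(version) if version in TLS_ORDER else -1

def audit_gateway(gw, where):
    """Findings for one api_gateway / api_gateway6 entry."""
    findings = []
    for key in ("ssl_min_version", "ssl_max_version"):
        ver = gw.get(key)
        if ver is not None and tls_rank(ver) < tls_rank(TLS_FLOOR):
            findings.append(f"{where}: {key}={ver} permits TLS below {TLS_FLOOR}")
    dh = gw.get("ssl_dh_bits")
    if dh is not None and int(dh) < DH_FLOOR:
        findings.append(f"{where}: ssl_dh_bits={dh} is below {DH_FLOOR}")
    for suite in gw.get("ssl_cipher_suites", []):
        name = suite.get("cipher", "")
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{where}: legacy cipher suite {name}")
        if tls_rank(suite.get("versions", TLS_FLOOR)) < tls_rank(TLS_FLOOR):
            findings.append(f"{where}: {name} offered for {suite['versions']}")
    if gw.get("persistence") == "http-cookie" and gw.get("https_cookie_secure") != "enable":
        findings.append(f"{where}: http-cookie persistence without https_cookie_secure")
    for rs in gw.get("realservers", []):
        if rs.get("type") == "ssh" and rs.get("ssh_host_key_validation") != "enable":
            findings.append(f"{where}: SSH real server {rs.get('id')} skips host key validation")
    return findings

def audit_access_proxy(proxy):
    """All findings for a firewall_access_proxy dict, in a stable order."""
    findings = []
    if proxy.get("client_cert") == "enable" and proxy.get("empty_cert_action") == "accept":
        findings.append("client_cert requested but empty_cert_action=accept")
    pk = proxy.get("server_pubkey_auth_settings", {})
    if proxy.get("server_pubkey_auth") == "enable" and pk.get("source_address") != "enable":
        findings.append("server_pubkey_auth without the source_address critical option")
    for list_key in ("api_gateway", "api_gateway6"):
        for gw in proxy.get(list_key, []):
            findings.extend(audit_gateway(gw, f"{list_key}[{gw.get('id')}]"))
    return findings

# Constructed fixture: the TLS, DH and cookie values of the example playbook
# above, plus an SSH real server and cookie persistence to exercise those checks.
WEAK_PROXY = {
    "name": "ap-weak", "client_cert": "enable", "empty_cert_action": "accept",
    "server_pubkey_auth": "enable", "server_pubkey_auth_settings": {"source_address": "disable"},
    "api_gateway": [{"id": 11, "service": "https", "persistence": "http-cookie",
                     "https_cookie_secure": "disable", "ssl_dh_bits": "768",
                     "ssl_min_version": "tls-1.0", "ssl_max_version": "tls-1.0",
                     "ssl_cipher_suites": [{"cipher": "TLS-RSA-WITH-RC4-128-MD5",
                                            "priority": 36, "versions": "tls-1.0"}],
                     "realservers": [{"id": 20, "type": "ssh",
                                      "ssh_host_key_validation": "disable"}]}],
}

# Constructed fixture: the same proxy with each weak setting corrected.
HARDENED_PROXY = {
    "name": "ap-hardened", "client_cert": "enable", "empty_cert_action": "block",
    "server_pubkey_auth": "enable", "server_pubkey_auth_settings": {"source_address": "enable"},
    "api_gateway": [{"id": 11, "service": "https", "persistence": "http-cookie",
                     "https_cookie_secure": "enable", "ssl_dh_bits": "2048",
                     "ssl_min_version": "tls-1.2", "ssl_max_version": "tls-1.3",
                     "ssl_cipher_suites": [{"cipher": "TLS-AES-256-GCM-SHA384",
                                            "priority": 1, "versions": "tls-1.3"}],
                     "realservers": [{"id": 20, "type": "ssh",
                                      "ssh_host_key_validation": "enable"}]}],
}
```

Run audit_access_proxy on the dictionary you are about to pass as firewall_access_proxy (for instance in a pre_tasks step that fails the play when the list is non-empty); WEAK_PROXY yields nine findings and HARDENED_PROXY none.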

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

build

string

Build number of the FortiGate image

Returned: always

Sample: “1547”

http_method

string

Last method used to provision the content into FortiGate

Returned: always

Sample: “PUT”

http_status

string

Last result given by FortiGate on last operation applied

Returned: always

Sample: “200”

mkey

string

Master key (id) used in the last call to FortiGate

Returned: success

Sample: “id”

name

string

Name of the table used to fulfill the request

Returned: always

Sample: “urlfilter”

path

string

Path of the table used to fulfill the request

Returned: always

Sample: “webfilter”

revision

string

Internal revision number

Returned: always

Sample: “17.0.2.10658”

serial

string

Serial number of the unit

Returned: always

Sample: “FGVMEVYYQT3AB5352”

status

string

Indication of the operation’s result

Returned: always

Sample: “success”

vdom

string

Virtual domain used

Returned: always

Sample: “root”

version

string

Version of the FortiGate

Returned: always

Sample: “v5.6.3”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)