fortinet.fortios.fortios_firewall_profile_protocol_options – Configure protocol options in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_profile_protocol_options.

New in version 2.10: of fortinet.fortios

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and profile_protocol_options category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter

Comments

access_token

string

Token-based authentication. Generated from GUI of Fortigate.

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • no ← (default)

  • yes

firewall_profile_protocol_options

dictionary

Configure protocol options.

cifs

dictionary

Configure CIFS protocol options.

domain_controller

string

Domain for which to decrypt CIFS traffic. Source credential-store.domain-controller.server-name.

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • oversize

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

server_credential_type

string

CIFS server credential type.

Choices:

  • none

  • credential-replication

  • credential-keytab

server_keytab

string

Server keytab.

keytab

string

Base64 encoded keytab file containing credential of the server.

principal

string / required

Service principal. For example, “host/cifsserver.example.com@example.com”.

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

tcp_window_maximum

integer

Maximum dynamic TCP window size .

tcp_window_minimum

integer

Minimum dynamic TCP window size .

tcp_window_size

integer

Set TCP static window size .

tcp_window_type

string

Specify type of TCP window to use for this protocol.

Choices:

  • system

  • static

  • dynamic

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

comment

string

Optional comments.

dns

dictionary

Configure DNS protocol options.

ports

integer

Ports to scan for content (1 - 65535).

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

ftp

dictionary

Configure FTP protocol options.

comfort_amount

integer

Amount of data to send in a transmission for client comforting (1 - 10240 bytes).

comfort_interval

integer

Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • clientcomfort

  • oversize

  • splice

  • bypass-rest-command

  • bypass-mode-command

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

stream_based_uncompressed_limit

integer

Maximum stream-based uncompressed data size that will be scanned (MB, 0 = unlimited (default). Stream-based uncompression used only under certain conditions.).

tcp_window_maximum

integer

Maximum dynamic TCP window size.

tcp_window_minimum

integer

Minimum dynamic TCP window size.

tcp_window_size

integer

Set TCP static window size.

tcp_window_type

string

TCP window type to use for this protocol.

Choices:

  • system

  • static

  • dynamic

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

http

dictionary

Configure HTTP protocol options.

block_page_status_code

integer

Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599).

comfort_amount

integer

Amount of data to send in a transmission for client comforting (1 - 10240 bytes).

comfort_interval

integer

Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).

fortinet_bar

string

Enable/disable Fortinet bar on HTML content.

Choices:

  • enable

  • disable

fortinet_bar_port

integer

Port for use by Fortinet Bar (1 - 65535).

http_policy

string

Enable/disable HTTP policy check.

Choices:

  • disable

  • enable

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • clientcomfort

  • servercomfort

  • oversize

  • chunkedbypass

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

post_lang

list / elements=string

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

Choices:

  • jisx0201

  • jisx0208

  • jisx0212

  • gb2312

  • ksc5601-ex

  • euc-jp

  • sjis

  • iso2022-jp

  • iso2022-jp-1

  • iso2022-jp-2

  • euc-cn

  • ces-gbk

  • hz

  • ces-big5

  • euc-kr

  • iso2022-jp-3

  • iso8859-1

  • tis620

  • cp874

  • cp1252

  • cp1251

proxy_after_tcp_handshake

string

Proxy traffic after the TCP 3-way handshake has been established (not before).

Choices:

  • enable

  • disable

range_block

string

Enable/disable blocking of partial downloads.

Choices:

  • disable

  • enable

retry_count

integer

Number of attempts to retry HTTP connection (0 - 100).

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

stream_based_uncompressed_limit

integer

Maximum stream-based uncompressed data size that will be scanned (MB, 0 = unlimited (default). Stream-based uncompression used only under certain conditions.).

streaming_content_bypass

string

Enable/disable bypassing of streaming content from buffering.

Choices:

  • enable

  • disable

strip_x_forwarded_for

string

Enable/disable stripping of HTTP X-Forwarded-For header.

Choices:

  • disable

  • enable

switching_protocols

string

Bypass from scanning, or block a connection that attempts to switch protocol.

Choices:

  • bypass

  • block

tcp_window_maximum

integer

Maximum dynamic TCP window size .

tcp_window_minimum

integer

Minimum dynamic TCP window size .

tcp_window_size

integer

Set TCP static window size .

tcp_window_type

string

Specify type of TCP window to use for this protocol.

Choices:

  • system

  • static

  • dynamic

tunnel_non_http

string

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

unknown_http_version

string

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

Choices:

  • reject

  • tunnel

  • best-effort

imap

dictionary

Configure IMAP protocol options.

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • fragmail

  • oversize

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

proxy_after_tcp_handshake

string

Proxy traffic after the TCP 3-way handshake has been established (not before).

Choices:

  • enable

  • disable

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

mail_signature

dictionary

Configure Mail signature.

signature

string

Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).

status

string

Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.

Choices:

  • disable

  • enable

mapi

dictionary

Configure MAPI protocol options.

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • fragmail

  • oversize

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

name

string / required

Name.

nntp

dictionary

Configure NNTP protocol options.

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • oversize

  • splice

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

proxy_after_tcp_handshake

string

Proxy traffic after the TCP 3-way handshake has been established (not before).

Choices:

  • enable

  • disable

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

oversize_log

string

Enable/disable logging for antivirus oversize file blocking.

Choices:

  • disable

  • enable

pop3

dictionary

Configure POP3 protocol options.

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • fragmail

  • oversize

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

proxy_after_tcp_handshake

string

Proxy traffic after the TCP 3-way handshake has been established (not before).

Choices:

  • enable

  • disable

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

replacemsg_group

string

Name of the replacement message group to be used Source system.replacemsg-group.name.

rpc_over_http

string

Enable/disable inspection of RPC over HTTP.

Choices:

  • enable

  • disable

smtp

dictionary

Configure SMTP protocol options.

inspect_all

string

Enable/disable the inspection of all ports for the protocol.

Choices:

  • enable

  • disable

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • fragmail

  • oversize

  • splice

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

ports

integer

Ports to scan for content (1 - 65535).

proxy_after_tcp_handshake

string

Proxy traffic after the TCP 3-way handshake has been established (not before).

Choices:

  • enable

  • disable

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

server_busy

string

Enable/disable SMTP server busy when server not available.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

status

string

Enable/disable the active status of scanning for this protocol.

Choices:

  • enable

  • disable

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

ssh

dictionary

Configure SFTP and SCP protocol options.

comfort_amount

integer

Amount of data to send in a transmission for client comforting (1 - 65535 bytes).

comfort_interval

integer

Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec).

options

list / elements=string

One or more options that can be applied to the session.

Choices:

  • oversize

  • clientcomfort

  • servercomfort

oversize_limit

integer

Maximum in-memory file size that can be scanned (1 - 383 MB).

scan_bzip2

string

Enable/disable scanning of BZip2 compressed files.

Choices:

  • enable

  • disable

ssl_offloaded

string

SSL decryption and encryption performed by an external device.

Choices:

  • False

  • True

stream_based_uncompressed_limit

integer

Maximum stream-based uncompressed data size that will be scanned (MB, 0 = unlimited (default). Stream-based uncompression used only under certain conditions.).

tcp_window_maximum

integer

Maximum dynamic TCP window size.

tcp_window_minimum

integer

Minimum dynamic TCP window size.

tcp_window_size

integer

Set TCP static window size.

tcp_window_type

string

TCP window type to use for this protocol.

Choices:

  • system

  • static

  • dynamic

uncompressed_nest_limit

integer

Maximum nested levels of compression that can be uncompressed and scanned (2 - 100).

uncompressed_oversize_limit

integer

Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited).

switching_protocols_log

string

Enable/disable logging for HTTP/HTTPS switching protocols.

Choices:

  • disable

  • enable

member_path

string

Member attribute path to operate on.

Delimited by a slash character if there are more than one attribute.

Parameter marked with member_path is legitimate for doing member operation.

member_state

string

Add or delete a member under specified attribute path.

When member_state is specified, the state option is ignored.

Choices:

  • present

  • absent

state

string / required

Indicates whether to create or remove the object.

Choices:

  • present

  • absent

vdom

string

Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Default: “root”

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- collections:
  - fortinet.fortios
  connection: httpapi
  hosts: fortigate01
  vars:
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    vdom: root
  tasks:
  - name: fortios_firewall_profile_protocol_options
    fortios_firewall_profile_protocol_options:
      vdom: root
      state: present
      firewall_profile_protocol_options:
        comment: terraform
        dns:
        - ports: 53
          status: enable
        ftp:
        - comfort_amount: 1
          comfort_interval: 10
          inspect_all: disable
          options: splice
          oversize_limit: 10
          ports: 21
          scan_bzip2: enable
          status: enable
          stream_based_uncompressed_limit: 0
          tcp_window_maximum: 0
          tcp_window_minimum: 0
          tcp_window_size: 0
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        http:
        - block_page_status_code: 403
          comfort_amount: 1
          comfort_interval: 10
          fortinet_bar: disable
          fortinet_bar_port: 8011
          http_policy: disable
          inspect_all: disable
          oversize_limit: 10
          ports: 80
          range_block: disable
          retry_count: 0
          scan_bzip2: enable
          status: enable
          stream_based_uncompressed_limit: 0
          streaming_content_bypass: enable
          switching_protocols: bypass
          tcp_window_maximum: 0
          tcp_window_minimum: 0
          tcp_window_size: 0
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        imap:
        - inspect_all: disable
          options: fragmail
          oversize_limit: 10
          ports: 143
          scan_bzip2: enable
          status: enable
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        mail_signature:
        - status: disable
        mapi:
        - options: fragmail
          oversize_limit: 10
          ports: 135
          scan_bzip2: enable
          status: enable
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        name: firppo1
        nntp:
        - inspect_all: disable
          options: splice
          oversize_limit: 10
          ports: 119
          scan_bzip2: enable
          status: enable
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        oversize_log: disable
        pop3:
        - inspect_all: disable
          options: fragmail
          oversize_limit: 10
          ports: 110
          scan_bzip2: enable
          status: enable
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        rpc_over_http: disable
        smtp:
        - inspect_all: disable
          options: fragmail splice
          oversize_limit: 10
          ports: 25
          scan_bzip2: enable
          server_busy: disable
          status: enable
          uncompressed_nest_limit: 12
          uncompressed_oversize_limit: 10
        switching_protocols_log: disable

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

build

string

Build number of the fortigate image

Returned: always

Sample: “1547”

http_method

string

Last method used to provision the content into FortiGate

Returned: always

Sample: “PUT”

http_status

string

Last result given by FortiGate on last operation applied

Returned: always

Sample: “200”

mkey

string

Master key (id) used in the last call to FortiGate

Returned: success

Sample: “id”

name

string

Name of the table used to fulfill the request

Returned: always

Sample: “urlfilter”

path

string

Path of the table used to fulfill the request

Returned: always

Sample: “webfilter”

revision

string

Internal revision number

Returned: always

Sample: “17.0.2.10658”

serial

string

Serial number of the unit

Returned: always

Sample: “FGVMEVYYQT3AB5352”

status

string

Indication of the operation’s result

Returned: always

Sample: “success”

vdom

string

Virtual domain used

Returned: always

Sample: “root”

version

string

Version of the FortiGate

Returned: always

Sample: “v5.6.3”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)