fortinet.fortios.fortios_firewall_ssl_ssh_profile – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.3).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_ssl_ssh_profile.
New in version 2.10 of fortinet.fortios
Synopsis
This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the ssl_ssh_profile category of the firewall feature. The examples include all parameters; values need to be adjusted to your datasources before use. Tested with FOS v6.0.0.
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
- Token-based authentication. Generated from the GUI of the FortiGate.
- Enable/disable logging for the task. Choices:
- Configure SSL/SSH protocol options.
  - Enable/disable exempting servers by FortiGuard allowlist. Choices:
  - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. Choices:
  - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist. Choices:
  - CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
  - Optional comments.
  - Configure DNS over TLS options.
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Action when the server certificate is not issued by a trusted CA. Choices:
  - Configure FTPS options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Ports to use for scanning (1 - 65535).
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Configure HTTPS options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate probe failure. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Ports to use for scanning (1 - 65535).
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Configure IMAPS options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Ports to use for scanning (1 - 65535).
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Enable/disable inspection of MAPI over HTTPS. Choices:
  - Name.
  - Configure POP3S options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Ports to use for scanning (1 - 65535).
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Enable/disable inspection of RPC over HTTPS. Choices:
  - Certificate used by SSL Inspection to replace the server certificate. Source vpn.certificate.local.name.
  - Re-sign or replace the server's certificate. Choices:
  - Configure SMTPS options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Ports to use for scanning (1 - 65535).
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Configure SSH options.
    - Level of SSL inspection. Choices:
    - Ports to use for scanning (1 - 65535).
    - Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
    - Relative strength of encryption algorithms accepted during negotiation. Choices:
    - Enable/disable SSH policy check. Choices:
    - Enable/disable SSH tunnel policy check. Choices:
    - Configure protocol inspection status. Choices:
    - Action when the SSH version used is unsupported. Choices:
  - Configure SSL options.
    - When enabled, allows SSL sessions whose server certificate validation failed. Choices:
    - Action based on certificate probe failure. Choices:
    - Action based on certificate validation failure. Choices:
    - Action based on certificate validation timeout. Choices:
    - Action based on client certificate request. Choices:
    - Action based on received client certificate. Choices:
    - Action when the server certificate is expired. Choices:
    - Level of SSL inspection. Choices:
    - Allow or block the invalid SSL session server certificate. Choices:
    - Action when the server certificate is revoked. Choices:
    - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. Choices:
    - Action when the SSL encryption used is unsupported. Choices:
    - Action when the SSL cipher used is unsupported. Choices:
    - Action when the SSL negotiation used is unsupported. Choices:
    - Action when the SSL version used is unsupported. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
    - Allow, ignore, or block the untrusted SSL session server certificate. Choices:
  - Enable/disable logging SSL anomalies. Choices:
  - Servers to exempt from SSL inspection.
    - IPv4 address object. Source firewall.address.name firewall.addrgrp.name.
    - IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name.
    - FortiGuard category ID.
    - ID number.
    - Exempt servers by regular expression.
    - Type of address object (IPv4 or IPv6) or FortiGuard category. Choices:
    - Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name.
  - Enable/disable logging SSL exemptions. Choices:
  - Enable/disable logging of TLS handshakes. Choices:
  - Enable/disable logging SSL negotiation. Choices:
  - SSL servers.
    - Action based on client certificate request during the FTPS handshake. Choices:
    - Action based on received client certificate during the FTPS handshake. Choices:
    - Action based on client certificate request during the HTTPS handshake. Choices:
    - Action based on received client certificate during the HTTPS handshake. Choices:
    - SSL server ID.
    - Action based on client certificate request during the IMAPS handshake. Choices:
    - Action based on received client certificate during the IMAPS handshake. Choices:
    - IPv4 address of the SSL server.
    - Action based on client certificate request during the POP3S handshake. Choices:
    - Action based on received client certificate during the POP3S handshake. Choices:
    - Action based on client certificate request during the SMTPS handshake. Choices:
    - Action based on received client certificate during the SMTPS handshake. Choices:
    - Action based on client certificate request during an SSL protocol handshake. Choices:
    - Action based on received client certificate during an SSL protocol handshake. Choices:
  - Enable/disable logging of server certificate information. Choices:
  - Configure ALPN option. Choices:
  - Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
  - Enable/disable the use of the SSL server table for SSL offloading. Choices:
  - Enable/disable exempting servers by FortiGuard whitelist. Choices:
- Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. Only parameters marked with member_path are valid for a member operation.
- Add or delete a member under the specified attribute path. When member_state is specified, the state option is ignored. Choices:
- Indicates whether to create or remove the object. Choices:
- Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit. Default: “root”
Examples
```yaml
- collections:
    - fortinet.fortios
  connection: httpapi
  hosts: fortigate01
  vars:
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false  # lab value; validate the FortiGate certificate in production
    vdom: root
  tasks:
    - name: fortios_firewall_ssl_ssh_profile
      fortios_firewall_ssl_ssh_profile:
        vdom: root
        state: present
        firewall_ssl_ssh_profile:
          block_blacklisted_certificates: enable
          caname: Fortinet_CA_SSL
          # Per-protocol sections are mappings, not lists
          ftps:
            client_cert_request: bypass
            invalid_server_cert: block
            ports: 990
            sni_server_cert_check: enable
            status: deep-inspection
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          https:
            client_cert_request: bypass
            invalid_server_cert: block
            ports: 443
            sni_server_cert_check: enable
            status: deep-inspection
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          imaps:
            client_cert_request: inspect
            invalid_server_cert: block
            ports: 993
            sni_server_cert_check: enable
            status: deep-inspection
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          mapi_over_https: disable
          name: terr-test-sslsshprf
          pop3s:
            client_cert_request: inspect
            invalid_server_cert: block
            ports: 995
            sni_server_cert_check: enable
            status: deep-inspection
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          rpc_over_https: disable
          server_cert_mode: re-sign
          smtps:
            client_cert_request: inspect
            invalid_server_cert: block
            ports: 465
            sni_server_cert_check: enable
            status: deep-inspection
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          ssh:
            inspect_all: disable
            ports: 22
            ssh_algorithm: compatible
            ssh_tun_policy_check: disable
            status: disable
            unsupported_version: bypass
          ssl:
            client_cert_request: bypass
            inspect_all: disable
            invalid_server_cert: block
            sni_server_cert_check: enable
            unsupported_ssl: bypass
            untrusted_server_cert: allow
          ssl_anomalies_log: enable
          # ssl_exempt is a list of entries, each with its own id
          ssl_exempt:
            - fortiguard_category: 31
              id: 1
              type: fortiguard-category
            - fortiguard_category: 33
              id: 2
              type: fortiguard-category
            - fortiguard_category: 87
              id: 3
              type: fortiguard-category
          ssl_exemptions_log: disable
          untrusted_caname: Fortinet_CA_SSL
          use_ssl_server: disable
          whitelist: disable
```
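As an added example that is not part of the fortinet.fortios collection, the following Python audit walks a firewall_ssl_ssh_profile mapping and reports the permissive values described by the options above (untrusted_server_cert: allow, invalid_server_cert: allow, unsupported_ssl: bypass, and so on); the SAMPLE_PROFILE it carries is constructed from the https and ssh sections of the playbook above, which it flags.

```python
"""Audit a fortios_firewall_ssl_ssh_profile body for permissive settings.
Added example, not part of the fortinet.fortios collection."""

TLS_PROTOCOLS = ("ftps", "https", "imaps", "pop3s", "smtps", "ssl")

# (option, permissive value, reason); values come from the option
# descriptions ("Allow, ignore, or block ...", "Allow or block ...",
# "Enable/disable ...") and the bypass/block actions in the playbook.
PERMISSIVE = (
    ("untrusted_server_cert", "allow", "certs not issued by a trusted CA accepted"),
    ("invalid_server_cert", "allow", "certs that failed validation accepted"),
    ("allow_invalid_server_cert", "enable", "certs that failed validation accepted"),
    ("sni_server_cert_check", "disable", "SNI not matched against CN/SAN"),
    ("unsupported_ssl", "bypass", "unsupported SSL versions/ciphers pass uninspected"),
)


def audit_profile(profile):
    """Return 'path: reason' strings for every permissive setting found."""
    findings = []
    for proto in TLS_PROTOCOLS:
        opts = profile.get(proto)
        if opts is None:
            continue
        if not isinstance(opts, dict):  # a leading "- " in YAML makes it a list
            findings.append(f"{proto}: expected a mapping, got {type(opts).__name__}")
            continue
        for option, bad, reason in PERMISSIVE:
            if opts.get(option) == bad:
                findings.append(f"{proto}.{option}={bad}: {reason}")
    ssh = profile.get("ssh")
    # "compatible" is the looser of the two FortiOS ssh-algorithm settings.
    if isinstance(ssh, dict) and ssh.get("ssh_algorithm") == "compatible":
        findings.append("ssh.ssh_algorithm=compatible: weaker SSH algorithms accepted")
    if profile.get("ssl_anomalies_log") != "enable":
        findings.append("ssl_anomalies_log: SSL anomalies are not logged")
    return findings


# Constructed sample mirroring the https and ssh settings of the playbook above.
SAMPLE_PROFILE = {
    "name": "terr-test-sslsshprf",
    "https": {"status": "deep-inspection", "invalid_server_cert": "block",
              "sni_server_cert_check": "enable", "unsupported_ssl": "bypass",
              "untrusted_server_cert": "allow"},
    "ssh": {"status": "disable", "ssh_algorithm": "compatible"},
    "ssl_anomalies_log": "enable",
}
```

Feed it the firewall_ssl_ssh_profile dictionary from a loaded playbook (or from the module's return data) and treat any non-empty result as a review item before applying the profile to a policy.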
Return Values
Common return values are documented here; the following are the fields unique to this module:
- Build number of the FortiGate image. Returned: always. Sample: “1547”
- Last method used to provision the content into FortiGate. Returned: always. Sample: “PUT”
- Last result given by FortiGate on the last operation applied. Returned: always. Sample: “200”
- Master key (id) used in the last call to FortiGate. Returned: success. Sample: “id”
- Name of the table used to fulfill the request. Returned: always. Sample: “urlfilter”
- Path of the table used to fulfill the request. Returned: always. Sample: “webfilter”
- Internal revision number. Returned: always. Sample: “17.0.2.10658”
- Serial number of the unit. Returned: always. Sample: “FGVMEVYYQT3AB5352”
- Indication of the operation’s result. Returned: always. Sample: “success”
- Virtual domain used. Returned: always. Sample: “root”
- Version of the FortiGate. Returned: always. Sample: “v5.6.3”
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)