fortinet.fortios.fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.3).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings.
New in version 2.10: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
|
Configure SSL VPN. |
|
Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Choices:
|
|
Enable/disable checking of source IP for authentication session. Choices:
|
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). |
|
Authentication rule for SSL VPN. |
|
SSL VPN authentication method restriction. Choices:
|
|
SSL VPN cipher strength. Choices:
|
|
Enable/disable SSL VPN client certificate restrictive. Choices:
|
|
User groups. |
|
Group name. Source user.group.name. |
|
ID (0 - 4294967295). |
|
SSL VPN portal. Source vpn.ssl.web.portal.name. |
|
SSL VPN realm. Source vpn.ssl.web.realm.url-path. |
|
Source address of incoming traffic. |
|
Address name. Source firewall.address.name firewall.addrgrp.name. |
|
IPv6 source address of incoming traffic. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
Enable/disable negated source IPv6 address match. Choices:
|
|
Enable/disable negated source address match. Choices:
|
|
SSL VPN source interface of incoming traffic. |
|
Interface name. Source system.interface.name system.zone.name. |
|
Name of user peer. Source user.peer.name. |
|
User name. |
|
User name. Source user.local.name. |
|
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. Choices:
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Choices:
|
|
Enable/disable verification of referer field in HTTP request header. Choices:
|
|
Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Choices:
|
|
Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Choices:
|
|
Default SSL VPN portal. Source vpn.ssl.web.portal.name. |
|
Compression level (0~9). |
|
Minimum amount of data that triggers compression (200 - 65535 bytes). |
|
DNS server 1. |
|
DNS server 2. |
|
DNS suffix used for SSL-VPN clients. |
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec). |
|
DTLS maximum protocol version. Choices:
|
|
DTLS minimum protocol version. Choices:
|
|
Enable DTLS to prevent eavesdropping, tampering, or message forgery. Choices:
|
|
Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Choices:
|
|
Encode 2F sequence to forward slash in URLs. Choices:
|
|
Encrypt and store user passwords for SSL VPN web sessions. Choices:
|
|
Enable to force two-factor authentication for all SSL-VPNs. Choices:
|
|
Forward the same, add, or remove HTTP header. Choices:
|
|
Add HSTS includeSubDomains response header. Choices:
|
|
Enable to allow HTTP compression over SSL-VPN tunnels. Choices:
|
|
Enable/disable SSL-VPN support for HttpOnly cookies. Choices:
|
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). |
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). |
|
Enable/disable redirect of port 80 to SSL-VPN port. Choices:
|
|
SSL VPN disconnects if idle for specified time in seconds. |
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 WINS server 1. |
|
IPv6 WINS server 2. |
|
SSL VPN maximum login attempt times before block (0 - 10). |
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). |
|
SSLVPN maximum login timeout (10 - 180 sec). |
|
SSL-VPN access port (1 - 65535). |
|
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. Choices:
|
|
Enable to require client certificates for all SSL-VPN users. Choices:
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Choices:
|
|
SAML local redirect port in the machine running FCT (0 - 65535). 0 is to disable redirection on FGT side. |
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. |
|
Source address of incoming traffic. |
|
Address name. Source firewall.address.name firewall.addrgrp.name. |
|
IPv6 source address of incoming traffic. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
Enable/disable negated source IPv6 address match. Choices:
|
|
Enable/disable negated source address match. Choices:
|
|
SSL VPN source interface of incoming traffic. |
|
Interface name. Source system.interface.name system.zone.name. |
|
Enable to allow client renegotiation by the server if the tunnel goes down. Choices:
|
|
Enable/disable insertion of empty fragment. Choices:
|
|
SSL maximum protocol version. Choices:
|
|
SSL minimum protocol version. Choices:
|
|
Enable/disable SSL-VPN. Choices:
|
|
Enable/disable TLSv1.0. Choices:
|
|
Enable/disable TLSv1.1. Choices:
|
|
Enable/disable TLSv1.2. Choices:
|
|
tlsv1-3 Choices:
|
|
Transform backward slashes to forward slashes in URLs. Choices:
|
|
Method used for assigning address for tunnel. Choices:
|
|
Enable/disable tunnel connection without re-authorization if previous connection dropped. Choices:
|
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. |
|
Address name. Source firewall.address.name firewall.addrgrp.name. |
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. |
|
Address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec). |
|
Enable/disable unsafe legacy re-negotiation. Choices:
|
|
Enable to obscure the host name of the URL of the web browser display. Choices:
|
|
Name of user peer. Source user.peer.name. |
|
WINS server 1. |
|
WINS server 2. |
|
Add HTTP X-Content-Type-Options header. Choices:
|
Examples
- collections:
- fortinet.fortios
connection: httpapi
hosts: fortigate01
vars:
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
vdom: root
tasks:
- name: fortios_vpn_ssl_settings
fortios_vpn_ssl_settings:
vdom: root
vpn_ssl_settings:
algorithm: high
auth_session_check_source_ip: enable
auth_timeout: 28800
auto_tunnel_static_route: enable
check_referer: disable
deflate_compression_level: 6
deflate_min_data_size: 300
dns_server1: 0.0.0.0
dns_server2: 0.0.0.0
dtls_hello_timeout: 10
dtls_max_proto_ver: dtls1-2
dtls_min_proto_ver: dtls1-0
dtls_tunnel: enable
encode_2f_sequence: disable
encrypt_and_store_password: disable
force_two_factor_auth: disable
header_x_forwarded_for: add
hsts_include_subdomains: disable
http_compression: disable
http_only_cookie: enable
http_request_body_timeout: 30
http_request_header_timeout: 20
https_redirect: disable
idle_timeout: 300
ipv6_dns_server1: '::'
ipv6_dns_server2: '::'
ipv6_wins_server1: '::'
ipv6_wins_server2: '::'
login_attempt_limit: 2
login_block_time: 60
login_timeout: 30
port: 443
port_precedence: enable
reqclientcert: disable
servercert: Fortinet_Factory
source_address6_negate: disable
source_address_negate: disable
ssl_client_renegotiation: disable
ssl_insert_empty_fragment: enable
ssl_max_proto_ver: tls1-3
ssl_min_proto_ver: tls1-2
transform_backward_slashes: disable
tunnel_connect_without_reauth: disable
tunnel_user_session_timeout: 30
unsafe_legacy_renegotiation: disable
url_obscuration: disable
wins_server1: 0.0.0.0
wins_server2: 0.0.0.0
x_content_type_options: enable
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)