community.fortios.fmgr_secprof_appctrl module – Manage application control security profiles
Note
This module is part of the community.fortios collection (version 1.0.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.fortios
.
To use it in a playbook, specify: community.fortios.fmgr_secprof_appctrl
.
Parameters
Parameter |
Comments |
---|---|
The ADOM the configuration should belong to. Default: “root” |
|
Enable/disable replacement messages for blocked applications. choice | disable | Disable replacement messages for blocked applications. choice | enable | Enable replacement messages for blocked applications. Choices:
|
|
comments |
|
Enable/disable deep application inspection. choice | disable | Disable deep application inspection. choice | enable | Enable deep application inspection. Choices:
|
|
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, OMIT THE USE OF THIS PARAMETER AND USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS |
|
Pass or block traffic, or reset connection for traffic from this application. choice | pass | Pass or allow matching traffic. choice | block | Block or drop matching traffic. choice | reset | Reset sessions for matching traffic. Choices:
|
|
ID of allowed applications. |
|
Application behavior filter. |
|
Category ID list. |
|
Enable/disable logging for this application list. choice | disable | Disable logging. choice | enable | Enable logging. Choices:
|
|
Enable/disable packet logging. choice | disable | Disable packet logging. choice | enable | Enable packet logging. Choices:
|
|
Parameter value. |
|
Per-IP traffic shaper. |
|
Application popularity filter (1 - 5, from least to most popular). FLAG Based Options. Specify multiple in list form. flag | 1 | Popularity level 1. flag | 2 | Popularity level 2. flag | 3 | Popularity level 3. flag | 4 | Popularity level 4. flag | 5 | Popularity level 5. Choices:
|
|
Application protocol filter. |
|
Quarantine method. choice | none | Quarantine is disabled. choice | attacker | Block all traffic sent from attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected. Choices:
|
|
Duration of quarantine. (Format Requires quarantine set to attacker. |
|
Enable/disable quarantine logging. choice | disable | Disable quarantine logging. choice | enable | Enable quarantine logging. Choices:
|
|
Count of the rate. |
|
Duration (sec) of the rate. |
|
Rate limit mode. choice | periodical | Allow configured number of packets every rate-duration. choice | continuous | Block packets once the rate is reached. Choices:
|
|
Track the packet protocol field. choice | none | choice | src-ip | Source IP. choice | dest-ip | Destination IP. choice | dhcp-client-mac | DHCP client. choice | dns-domain | DNS domain. Choices:
|
|
Risk, or impact, of allowing traffic from this application to occur 1 - 5; (Low, Elevated, Medium, High, and Critical). |
|
Session TTL (0 = default). |
|
Traffic shaper. |
|
Reverse traffic shaper. |
|
Application Sub-category ID list. |
|
Application technology filter. |
|
Application vendor filter. |
|
Enable/disable extended logging. choice | disable | Disable setting. choice | enable | Enable setting. Choices:
|
|
Sets one of three modes for managing the object. Allows use of soft-adds instead of overwriting existing values Choices:
|
|
List name. |
|
NO DESCRIPTION PARSED ENTER MANUALLY FLAG Based Options. Specify multiple in list form. flag | allow-dns | Allow DNS. flag | allow-icmp | Allow ICMP. flag | allow-http | Allow generic HTTP web browsing. flag | allow-ssl | Allow generic SSL communication. flag | allow-quic | Allow QUIC. Choices:
|
|
Action for other applications. choice | pass | Allow sessions matching an application in this application list. choice | block | Block sessions matching an application in this application list. Choices:
|
|
Enable/disable logging for other applications. choice | disable | Disable logging for other applications. choice | enable | Enable logging for other applications. Choices:
|
|
NO DESCRIPTION PARSED ENTER MANUALLY FLAG Based Options. Specify multiple in list form. flag | skype | Skype. flag | edonkey | Edonkey. flag | bittorrent | Bit torrent. Choices:
|
|
Replacement message group. |
|
Pass or block traffic from unknown applications. choice | pass | Pass or allow unknown applications. choice | block | Drop or block unknown applications. Choices:
|
|
Enable/disable logging for unknown applications. choice | disable | Disable logging for unknown applications. choice | enable | Enable logging for unknown applications. Choices:
|
Notes
Note
Full Documentation at https://ftnt-ansible-docs.readthedocs.io/en/latest/.
Examples
- name: DELETE Profile
community.fortios.fmgr_secprof_appctrl:
name: "Ansible_Application_Control_Profile"
comment: "Created by Ansible Module TEST"
mode: "delete"
- name: CREATE Profile
community.fortios.fmgr_secprof_appctrl:
name: "Ansible_Application_Control_Profile"
comment: "Created by Ansible Module TEST"
mode: "set"
entries: [{
action: "block",
log: "enable",
log-packet: "enable",
protocols: ["1"],
quarantine: "attacker",
quarantine-log: "enable",
},
{action: "pass",
category: ["2","3","4"]},
]
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
full API response, includes status code and message Returned: always |
Authors
Luke Weighall (@lweighall)
Andrew Welsh (@Ghilli3)
Jim Huber (@p4r4n0y1ng)