fortinet.fortimanager.fmgr_vpnsslweb_portal module – Portal.

Note

This module is part of the fortinet.fortimanager collection (version 2.1.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpnsslweb_portal.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter

Comments

adom

string / required

The parameter (adom) in the requested URL.

bypass_validation

boolean

Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • no ← (default)

  • yes

enable_log

boolean

Enable/Disable logging for task

Choices:

  • no ← (default)

  • yes

proposed_method

string

The overridden method for the underlying JSON-RPC request.

Choices:

  • update

  • set

  • add

rc_failed

list / elements=string

The list of rc codes that overrides the conditions for failure.

rc_succeeded

list / elements=string

The list of rc codes that overrides the conditions for success.

state

string / required

The directive to create, update or delete an object.

Choices:

  • present

  • absent

vpnsslweb_portal

dictionary

The top-level parameter set.

allow-user-access

list / elements=string

Allow user access to SSL-VPN applications.

Choices:

  • web

  • ftp

  • telnet

  • smb

  • vnc

  • rdp

  • ssh

  • ping

  • citrix

  • portforward

  • sftp

auto-connect

string

Enable/disable automatic connect by client when system is up.

Choices:

  • disable

  • enable

bookmark-group

list / elements=string

Bookmark-Group.

bookmarks

list / elements=string

Bookmarks.

additional-params

string

Additional parameters.

apptype

string

Application type.

Choices:

  • web

  • telnet

  • ssh

  • ftp

  • smb

  • vnc

  • rdp

  • citrix

  • rdpnative

  • portforward

  • sftp

description

string

Description.

domain

string

Login domain.

folder

string

Network shared file folder parameter.

form-data

list / elements=string

Form-Data.

name

string

Name.

value

string

Value.

host

string

Host name/IP parameter.

listening-port

integer

Listening port (0 - 65535).

load-balancing-info

string

The load balancing information or cookie which should be provided to the connection broker.

logon-password

string

Logon password.

logon-user

string

Logon user.

name

string

Bookmark name.

port

integer

Remote port.

preconnection-blob

string

An arbitrary string which identifies the RDP source.

preconnection-id

integer

The numeric ID of the RDP source (0-2147483648).

remote-port

integer

Remote port (0 - 65535).

security

string

Security mode for RDP connection.

Choices:

  • rdp

  • nla

  • tls

  • any

server-layout

string

Server side keyboard layout.

Choices:

  • en-us-qwerty

  • de-de-qwertz

  • fr-fr-azerty

  • it-it-qwerty

  • sv-se-qwerty

  • failsafe

  • en-gb-qwerty

  • es-es-qwerty

  • fr-ch-qwertz

  • ja-jp-qwerty

  • pt-br-qwerty

  • tr-tr-qwerty

  • fr-ca-qwerty

show-status-window

string

Enable/disable showing of status window.

Choices:

  • disable

  • enable

sso

string

Single Sign-On.

Choices:

  • disable

  • static

  • auto

sso-credential

string

Single sign-on credentials.

Choices:

  • sslvpn-login

  • alternative

sso-credential-sent-once

string

Single sign-on credentials are only sent once to remote server.

Choices:

  • disable

  • enable

sso-password

string

SSO password.

sso-username

string

SSO user name.

url

string

URL parameter.

name

string

Bookmark group name.

custom-lang

string

Change the web portal display language. Overrides config system global set language. You can use config system custom-language…

customize-forticlient-download-url

string

Enable support of customized download URL for FortiClient.

Choices:

  • disable

  • enable

display-bookmark

string

Enable to display the web portal bookmark widget.

Choices:

  • disable

  • enable

display-connection-tools

string

Enable to display the web portal connection tools widget.

Choices:

  • disable

  • enable

display-history

string

Enable to display the web portal user login history widget.

Choices:

  • disable

  • enable

display-status

string

Enable to display the web portal status widget.

Choices:

  • disable

  • enable

dns-server1

string

IPv4 DNS server 1.

dns-server2

string

IPv4 DNS server 2.

dns-suffix

string

DNS suffix.

exclusive-routing

string

Enable/disable sending all traffic through the tunnel only.

Choices:

  • disable

  • enable

forticlient-download

string

Enable/disable download option for FortiClient.

Choices:

  • disable

  • enable

forticlient-download-method

string

FortiClient download method.

Choices:

  • direct

  • ssl-vpn

heading

string

Web portal heading message.

hide-sso-credential

string

Enable to prevent SSO credential being sent to client.

Choices:

  • disable

  • enable

host-check

string

Type of host checking performed on endpoints.

Choices:

  • none

  • av

  • fw

  • av-fw

  • custom

host-check-interval

integer

Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.

host-check-policy

string

One or more policies to require the endpoint to have specific security software.

ip-mode

string

Method by which users of this SSL-VPN tunnel obtain IP addresses.

Choices:

  • range

  • user-group

ip-pools

string

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

ipv6-dns-server1

string

IPv6 DNS server 1.

ipv6-dns-server2

string

IPv6 DNS server 2.

ipv6-exclusive-routing

string

Enable/disable sending all IPv6 traffic through the tunnel only.

Choices:

  • disable

  • enable

ipv6-pools

string

IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.

ipv6-service-restriction

string

Enable/disable IPv6 tunnel service restriction.

Choices:

  • disable

  • enable

ipv6-split-tunneling

string

Enable/disable IPv6 split tunneling.

Choices:

  • disable

  • enable

ipv6-split-tunneling-routing-address

string

IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneli…

ipv6-split-tunneling-routing-negate

string

Enable to negate IPv6 split tunneling routing address.

Choices:

  • disable

  • enable

ipv6-tunnel-mode

string

Enable/disable IPv6 SSL-VPN tunnel mode.

Choices:

  • disable

  • enable

ipv6-wins-server1

string

IPv6 WINS server 1.

ipv6-wins-server2

string

IPv6 WINS server 2.

keep-alive

string

Enable/disable automatic reconnect for FortiClient connections.

Choices:

  • disable

  • enable

limit-user-logins

string

Enable to limit each user to one SSL-VPN session at a time.

Choices:

  • disable

  • enable

mac-addr-action

string

Client MAC address action.

Choices:

  • deny

  • allow

mac-addr-check

string

Enable/disable MAC address host checking.

Choices:

  • disable

  • enable

mac-addr-check-rule

list / elements=string

Mac-Addr-Check-Rule.

mac-addr-list

string

Client MAC address list.

mac-addr-mask

integer

Client MAC address mask.

name

string

Client MAC address check rule name.

macos-forticlient-download-url

string

Download URL for Mac FortiClient.

name

string

Portal name.

os-check

string

Enable to let the FortiGate decide action based on client OS.

Choices:

  • disable

  • enable

os-check-list

dictionary

no description

action

string

OS check options.

Choices:

  • allow

  • check-up-to-date

  • deny

latest-patch-level

string

Latest OS patch level.

name

string

Name.

tolerance

integer

OS patch level tolerance.

prefer-ipv6-dns

string

Prefer to query IPv6 DNS first if enabled.

Choices:

  • disable

  • enable

redir-url

string

Client login redirect URL.

rewrite-ip-uri-ui

string

Rewrite contents for URIs that contain an IP and “/ui/” (default = disable).

Choices:

  • disable

  • enable

save-password

string

Enable/disable FortiClient saving the user's password.

Choices:

  • disable

  • enable

service-restriction

string

Enable/disable tunnel service restriction.

Choices:

  • disable

  • enable

skip-check-for-browser

string

Enable to skip host check for browser support.

Choices:

  • disable

  • enable

skip-check-for-unsupported-browser

string

Enable to skip host check if browser does not support it.

Choices:

  • disable

  • enable

skip-check-for-unsupported-os

string

Enable to skip host check if client OS does not support it.

Choices:

  • disable

  • enable

smb-max-version

string

SMB maximum client protocol version.

Choices:

  • smbv1

  • smbv2

  • smbv3

smb-min-version

string

SMB minimum client protocol version.

Choices:

  • smbv1

  • smbv2

  • smbv3

smb-ntlmv1-auth

string

Enable support of NTLMv1 for Samba authentication.

Choices:

  • disable

  • enable

smbv1

string

Enable/disable support of SMBv1 for Samba.

Choices:

  • disable

  • enable

split-dns

list / elements=string

Split-Dns.

dns-server1

string

DNS server 1.

dns-server2

string

DNS server 2.

domains

string

Split DNS domains used for SSL-VPN clients separated by comma(,).

id

integer

ID.

ipv6-dns-server1

string

IPv6 DNS server 1.

ipv6-dns-server2

string

IPv6 DNS server 2.

split-tunneling

string

Enable/disable IPv4 split tunneling.

Choices:

  • disable

  • enable

split-tunneling-routing-address

string

IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneli…

split-tunneling-routing-negate

string

Enable to negate split tunneling routing address.

Choices:

  • disable

  • enable

theme

string

Web portal color scheme.

Choices:

  • gray

  • blue

  • orange

  • crimson

  • steelblue

  • darkgrey

  • green

  • melongene

  • red

  • mariner

  • neutrino

  • jade

  • graphite

  • dark-matter

  • onyx

  • eclipse

transform-backward-slashes

string

Transform backward slashes to forward slashes in URLs.

Choices:

  • disable

  • enable

tunnel-mode

string

Enable/disable IPv4 SSL-VPN tunnel mode.

Choices:

  • disable

  • enable

use-sdwan

string

Use SD-WAN rules to get output interface.

Choices:

  • disable

  • enable

user-bookmark

string

Enable to allow web portal users to create their own bookmarks.

Choices:

  • disable

  • enable

user-group-bookmark

string

Enable to allow web portal users to create bookmarks for all users in the same user group.

Choices:

  • disable

  • enable

web-mode

string

Enable/disable SSL VPN web mode.

Choices:

  • disable

  • enable

windows-forticlient-download-url

string

Download URL for Windows FortiClient.

wins-server1

string

IPv4 WINS server 1.

wins-server2

string

IPv4 WINS server 1.

workspace_locking_adom

string

The ADOM to lock when FortiManager is running in workspace mode. The value can be global or any other ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • This FortiManager module supports running in workspace locking mode, which is controlled by the top-level parameters workspace_locking_adom and workspace_locking_timeout.

  • To create or update an object, use state present directive.

  • To delete an object, use state absent directive.

  • Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Portal.
     fmgr_vpnsslweb_portal:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        vpnsslweb_portal:
           allow-user-access:
             - web
             - ftp
             - telnet
             - smb
             - vnc
             - rdp
             - ssh
             - ping
             - citrix
             - portforward
             - sftp
           auto-connect: <value in [disable, enable]>
           bookmark-group:
             -
                 bookmarks:
                   -
                       additional-params: <value of string>
                       apptype: <value in [web, telnet, ssh, ...]>
                       description: <value of string>
                       folder: <value of string>
                       form-data:
                         -
                             name: <value of string>
                             value: <value of string>
                       host: <value of string>
                       listening-port: <value of integer>
                       load-balancing-info: <value of string>
                       logon-password: <value of string>
                       logon-user: <value of string>
                       name: <value of string>
                       port: <value of integer>
                       preconnection-blob: <value of string>
                       preconnection-id: <value of integer>
                       remote-port: <value of integer>
                       security: <value in [rdp, nla, tls, ...]>
                       server-layout: <value in [en-us-qwerty, de-de-qwertz, fr-fr-azerty, ...]>
                       show-status-window: <value in [disable, enable]>
                       sso: <value in [disable, static, auto]>
                       sso-credential: <value in [sslvpn-login, alternative]>
                       sso-credential-sent-once: <value in [disable, enable]>
                       sso-password: <value of string>
                       sso-username: <value of string>
                       url: <value of string>
                       domain: <value of string>
                 name: <value of string>
           custom-lang: <value of string>
           customize-forticlient-download-url: <value in [disable, enable]>
           display-bookmark: <value in [disable, enable]>
           display-connection-tools: <value in [disable, enable]>
           display-history: <value in [disable, enable]>
           display-status: <value in [disable, enable]>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           exclusive-routing: <value in [disable, enable]>
           forticlient-download: <value in [disable, enable]>
           forticlient-download-method: <value in [direct, ssl-vpn]>
           heading: <value of string>
           hide-sso-credential: <value in [disable, enable]>
           host-check: <value in [none, av, fw, ...]>
           host-check-interval: <value of integer>
           host-check-policy: <value of string>
           ip-mode: <value in [range, user-group]>
           ip-pools: <value of string>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-exclusive-routing: <value in [disable, enable]>
           ipv6-pools: <value of string>
           ipv6-service-restriction: <value in [disable, enable]>
           ipv6-split-tunneling: <value in [disable, enable]>
           ipv6-split-tunneling-routing-address: <value of string>
           ipv6-tunnel-mode: <value in [disable, enable]>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           keep-alive: <value in [disable, enable]>
           limit-user-logins: <value in [disable, enable]>
           mac-addr-action: <value in [deny, allow]>
           mac-addr-check: <value in [disable, enable]>
           mac-addr-check-rule:
             -
                 mac-addr-list: <value of string>
                 mac-addr-mask: <value of integer>
                 name: <value of string>
           macos-forticlient-download-url: <value of string>
           name: <value of string>
           os-check: <value in [disable, enable]>
           redir-url: <value of string>
           save-password: <value in [disable, enable]>
           service-restriction: <value in [disable, enable]>
           skip-check-for-unsupported-browser: <value in [disable, enable]>
           skip-check-for-unsupported-os: <value in [disable, enable]>
           smb-ntlmv1-auth: <value in [disable, enable]>
           smbv1: <value in [disable, enable]>
           split-dns:
             -
                 dns-server1: <value of string>
                 dns-server2: <value of string>
                 domains: <value of string>
                 id: <value of integer>
                 ipv6-dns-server1: <value of string>
                 ipv6-dns-server2: <value of string>
           split-tunneling: <value in [disable, enable]>
           split-tunneling-routing-address: <value of string>
           theme: <value in [gray, blue, orange, ...]>
           tunnel-mode: <value in [disable, enable]>
           user-bookmark: <value in [disable, enable]>
           user-group-bookmark: <value in [disable, enable]>
           web-mode: <value in [disable, enable]>
           windows-forticlient-download-url: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           skip-check-for-browser: <value in [disable, enable]>
           smb-max-version: <value in [smbv1, smbv2, smbv3]>
           smb-min-version: <value in [smbv1, smbv2, smbv3]>
           transform-backward-slashes: <value in [disable, enable]>
           ipv6-split-tunneling-routing-negate: <value in [disable, enable]>
           split-tunneling-routing-negate: <value in [disable, enable]>
           os-check-list:
              action: <value in [allow, check-up-to-date, deny]>
              latest-patch-level: <value of string>
              name: <value of string>
              tolerance: <value of integer>
           use-sdwan: <value in [disable, enable]>
           prefer-ipv6-dns: <value in [disable, enable]>
           rewrite-ip-uri-ui: <value in [disable, enable]>
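
A concrete counterpart to the template above, added here as an illustration and not taken from the collection's own documentation: a tunnel-only portal with host checking enforced, followed by removal of an old portal. The ADOM, portal names, address object name, interval value and the meaning attached to rc -3 are assumptions made for this example.

```yaml
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update a tunnel-only portal with host checking
      fmgr_vpnsslweb_portal:
        bypass_validation: false           # keep schema validation of the parameters
        workspace_locking_adom: root       # assumed: FortiManager runs in workspace mode
        workspace_locking_timeout: 300
        adom: root                         # constructed value
        state: present
        vpnsslweb_portal:
          name: corp-tunnel-restricted     # constructed portal name
          tunnel-mode: enable
          web-mode: disable                # no web portal, so no bookmark access
          ipv6-tunnel-mode: disable
          ip-mode: range
          ip-pools: SSLVPN_TUNNEL_ADDR1    # constructed address object, assumed to exist
          split-tunneling: disable
          exclusive-routing: enable        # all traffic goes through the tunnel only
          limit-user-logins: enable        # one SSL-VPN session per user at a time
          save-password: disable           # FortiClient does not store the password
          auto-connect: disable
          forticlient-download: disable
          host-check: av-fw
          host-check-interval: 600         # constructed; 0 would check only at connect
          skip-check-for-unsupported-os: disable
          skip-check-for-unsupported-browser: disable

    - name: Remove a legacy portal
      fmgr_vpnsslweb_portal:
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        state: absent
        # Assumption: rc -3 is what FortiManager returns when the object does
        # not exist, so a repeated run of this task still succeeds.
        rc_succeeded: [0, -3]
        vpnsslweb_portal:
          name: legacy-full-access         # constructed portal name
```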

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

request_url

string

The full URL requested.

Returned: always

Sample: “/sys/login/user”

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_message

string

The descriptive message of the API response.

Returned: always

Sample: “OK.”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)