fortinet.fortios.fortios_firewall_profile_protocol_options module – Configure protocol options in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.1.6).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_profile_protocol_options.
New in version 2.0.0: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and profile_protocol_options category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Configure protocol options. |
|
Configure CIFS protocol options. |
|
Domain for which to decrypt CIFS traffic. Source user.domain-controller.name credential-store.domain-controller.server-name. |
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
CIFS server credential type. Choices:
|
|
Server keytab. |
|
Base64 encoded keytab file containing credential of the server. |
|
Service principal. For example, host/cifsserver.example.com@example.com. |
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum dynamic TCP window size. |
|
Minimum dynamic TCP window size. |
|
Set TCP static window size. |
|
TCP window type to use for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Optional comments. |
|
Configure DNS protocol options. |
|
Ports to scan for content (1 - 65535). |
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Configure FTP protocol options. |
|
Amount of data to send in a transmission for client comforting (1 - 65535 bytes). |
|
Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). |
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0). |
|
Maximum dynamic TCP window size. |
|
Minimum dynamic TCP window size. |
|
Set TCP static window size. |
|
TCP window type to use for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Configure HTTP protocol options. |
|
Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599). |
|
Amount of data to send in a transmission for client comforting (1 - 65535 bytes). |
|
Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). |
|
Enable/disable Fortinet bar on HTML content. Choices:
|
|
Port for use by Fortinet Bar (1 - 65535). |
|
Enable/disable HTTP policy check. Choices:
|
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets). Choices:
|
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Enable/disable blocking of partial downloads. Choices:
|
|
Number of attempts to retry HTTP connection (0 - 100). |
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0). |
|
Enable/disable bypassing of streaming content from buffering. Choices:
|
|
Enable/disable stripping of HTTP X-Forwarded-For header. Choices:
|
|
Bypass from scanning, or block a connection that attempts to switch protocol. Choices:
|
|
Maximum dynamic TCP window size. |
|
Minimum dynamic TCP window size. |
|
Set TCP static window size. |
|
TCP window type to use for this protocol. Choices:
|
|
Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1. Choices:
|
|
Configure IMAP protocol options. |
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Configure Mail signature. |
|
Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks). |
|
Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate. Choices:
|
|
Configure MAPI protocol options. |
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Name. |
|
Configure NNTP protocol options. |
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Enable/disable logging for antivirus oversize file blocking. Choices:
|
|
Configure POP3 protocol options. |
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Name of the replacement message group to be used. Source system.replacemsg-group.name. |
|
Enable/disable inspection of RPC over HTTP. Choices:
|
|
Configure SMTP protocol options. |
|
Enable/disable the inspection of all ports for the protocol. Choices:
|
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Ports to scan for content (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
Enable/disable SMTP server busy when server not available. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Enable/disable the active status of scanning for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Configure SFTP and SCP protocol options. |
|
Amount of data to send in a transmission for client comforting (1 - 65535 bytes). |
|
Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). |
|
One or more options that can be applied to the session. Choices:
|
|
Maximum in-memory file size that can be scanned (1 - 383 MB). |
|
Enable/disable scanning of BZip2 compressed files. Choices:
|
|
SSL decryption and encryption performed by an external device. Choices:
|
|
Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions (unlimited = 0). |
|
Maximum dynamic TCP window size. |
|
Minimum dynamic TCP window size. |
|
Set TCP static window size. |
|
TCP window type to use for this protocol. Choices:
|
|
Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). |
|
Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). |
|
Enable/disable logging for HTTP/HTTPS switching protocols. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure protocol options.
fortios_firewall_profile_protocol_options:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_profile_protocol_options:
cifs:
domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
options: "oversize"
oversize_limit: "6"
ports: "7"
scan_bzip2: "enable"
server_credential_type: "none"
server_keytab:
-
keytab: "<your_own_value>"
principal: "<your_own_value>"
status: "enable"
tcp_window_maximum: "14"
tcp_window_minimum: "15"
tcp_window_size: "16"
tcp_window_type: "system"
uncompressed_nest_limit: "18"
uncompressed_oversize_limit: "19"
comment: "Optional comments."
dns:
ports: "22"
status: "enable"
ftp:
comfort_amount: "25"
comfort_interval: "26"
inspect_all: "enable"
options: "clientcomfort"
oversize_limit: "29"
ports: "30"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
stream_based_uncompressed_limit: "34"
tcp_window_maximum: "35"
tcp_window_minimum: "36"
tcp_window_size: "37"
tcp_window_type: "system"
uncompressed_nest_limit: "39"
uncompressed_oversize_limit: "40"
http:
block_page_status_code: "42"
comfort_amount: "43"
comfort_interval: "44"
fortinet_bar: "enable"
fortinet_bar_port: "46"
http_policy: "disable"
inspect_all: "enable"
options: "clientcomfort"
oversize_limit: "50"
ports: "51"
post_lang: "jisx0201"
proxy_after_tcp_handshake: "enable"
range_block: "disable"
retry_count: "55"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
stream_based_uncompressed_limit: "59"
streaming_content_bypass: "enable"
strip_x_forwarded_for: "disable"
switching_protocols: "bypass"
tcp_window_maximum: "63"
tcp_window_minimum: "64"
tcp_window_size: "65"
tcp_window_type: "system"
tunnel_non_http: "enable"
uncompressed_nest_limit: "68"
uncompressed_oversize_limit: "69"
unknown_http_version: "reject"
imap:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "74"
ports: "75"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "80"
uncompressed_oversize_limit: "81"
mail_signature:
signature: "<your_own_value>"
status: "disable"
mapi:
options: "fragmail"
oversize_limit: "87"
ports: "88"
scan_bzip2: "enable"
status: "enable"
uncompressed_nest_limit: "91"
uncompressed_oversize_limit: "92"
name: "default_name_93"
nntp:
inspect_all: "enable"
options: "oversize"
oversize_limit: "97"
ports: "98"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
status: "enable"
uncompressed_nest_limit: "102"
uncompressed_oversize_limit: "103"
oversize_log: "disable"
pop3:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "108"
ports: "109"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "114"
uncompressed_oversize_limit: "115"
replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
rpc_over_http: "enable"
smtp:
inspect_all: "enable"
options: "fragmail"
oversize_limit: "121"
ports: "122"
proxy_after_tcp_handshake: "enable"
scan_bzip2: "enable"
server_busy: "enable"
ssl_offloaded: "no"
status: "enable"
uncompressed_nest_limit: "128"
uncompressed_oversize_limit: "129"
ssh:
comfort_amount: "131"
comfort_interval: "132"
options: "oversize"
oversize_limit: "134"
scan_bzip2: "enable"
ssl_offloaded: "no"
stream_based_uncompressed_limit: "137"
tcp_window_maximum: "138"
tcp_window_minimum: "139"
tcp_window_size: "140"
tcp_window_type: "system"
uncompressed_nest_limit: "142"
uncompressed_oversize_limit: "143"
switching_protocols_log: "disable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)