fortinet.fortios.fortios_system_settings module – Configure VDOM settings in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.1.6).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_system_settings.
New in version 2.0.0: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Configure VDOM settings. |
|
Enable/disable link down path. Choices:
|
|
Enable/disable allowing interface subnets to use overlapping IP addresses. Choices:
|
|
Enable/disable application bandwidth tracking. Choices:
|
|
Enable/disable IPv4 asymmetric routing. Choices:
|
|
Enable/disable asymmetric IPv6 routing. Choices:
|
|
Enable/disable asymmetric ICMPv6 routing. Choices:
|
|
Enable/disable ICMP asymmetric routing. Choices:
|
|
Enable/disable auxiliary session. Choices:
|
|
Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. Choices:
|
|
BFD desired minimal transmit interval (1 - 100000 ms). |
|
BFD detection multiplier (1 - 50). |
|
Enable to not enforce verifying the source port of BFD Packets. Choices:
|
|
BFD required minimal receive interval (1 - 100000 ms). |
|
Enable/disable blocking of land attacks. Choices:
|
|
Enable/disable central NAT. Choices:
|
|
VDOM comments. |
|
Enable/disable PCI DSS compliance checking. Choices:
|
|
Consolidated firewall mode. Choices:
|
|
Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn”t include a VoIP profile. Choices:
|
|
Enable/disable denying TCP by sending an ICMP communication prohibited packet. Choices:
|
|
Interface to use for management access for NAT mode. Source system.interface.name. |
|
DHCPv6 server IPv6 address. |
|
Enable/disable the DHCP Proxy. Choices:
|
|
Specify outgoing interface to reach server. Source system.interface.name. |
|
Specify how to select outgoing interface to reach server. Choices:
|
|
DHCP Server IPv4 address. |
|
Timeout for discovered devices (1 - 365 days). |
|
Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255). |
|
Enable/disable using DNS to validate email addresses collected by a captive portal. Choices:
|
|
Select how to manage sessions affected by firewall policy configuration changes. Choices:
|
|
Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. Choices:
|
|
Transparent mode IPv4 default gateway IP address. |
|
Transparent mode IPv4 default gateway IP address. |
|
Enable/disable GTP asymmetric traffic handling on FGSP. Choices:
|
|
Enable/disable GTP monitor mode (VDOM level). Choices:
|
|
Enable/disable advanced policy configuration on the GUI. Choices:
|
|
Enable/disable the requirement for policy naming on the GUI. Choices:
|
|
Enable/disable AntiVirus on the GUI. Choices:
|
|
Enable/disable FortiAP profiles on the GUI. Choices:
|
|
Enable/disable application control on the GUI. Choices:
|
|
Default columns to display for policy lists on GUI. |
|
Select column name. |
|
Enable/disable advanced DHCP options on the GUI. Choices:
|
|
Enable/disable DLP on the GUI. Choices:
|
|
Enable/disable DNS database settings on the GUI. Choices:
|
|
Enable/disable DNS Filtering on the GUI. Choices:
|
|
Enable/disable Domain and IP Reputation on the GUI. Choices:
|
|
Enable/disable DoS policies on the GUI. Choices:
|
|
Enable/disable RADIUS Single Sign On (RSSO) on the GUI. Choices:
|
|
Enable/disable dynamic routing on the GUI. Choices:
|
|
Enable/disable email collection on the GUI. Choices:
|
|
Enable/disable endpoint control on the GUI. Choices:
|
|
Enable/disable advanced endpoint control options on the GUI. Choices:
|
|
Enable/disable the explicit proxy on the GUI. Choices:
|
|
Enable/disable File-filter on the GUI. Choices:
|
|
Enable/disable FortiAP split tunneling on the GUI. Choices:
|
|
Enable/disable FortiExtender on the GUI. Choices:
|
|
Enable/disable ICAP on the GUI. Choices:
|
|
Enable/disable implicit firewall policies on the GUI. Choices:
|
|
Enable/disable IPS on the GUI. Choices:
|
|
Enable/disable server load balancing on the GUI. Choices:
|
|
Enable/disable Local-In policies on the GUI. Choices:
|
|
Enable/disable local reports on the GUI. Choices:
|
|
Enable/disable multicast firewall policies on the GUI. Choices:
|
|
Enable/disable adding multiple interfaces to a policy on the GUI. Choices:
|
|
Enable/disable multiple UTM profiles on the GUI. Choices:
|
|
Enable/disable NAT46 and NAT64 settings on the GUI. Choices:
|
|
Enable/disable object colors on the GUI. Choices:
|
|
Enable/disable policy disclaimer on the GUI. Choices:
|
|
Enable/disable policy-based IPsec VPN on the GUI. Choices:
|
|
Enable/disable policy disclaimer on the GUI. Choices:
|
|
Enable/disable firewall policy learning mode on the GUI. Choices:
|
|
Enable/disable replacement message groups on the GUI. Choices:
|
|
Enable/disable Security Profile Groups on the GUI. Choices:
|
|
Enable/disable Antispam on the GUI. Choices:
|
|
Enable/disable SSL-VPN personal bookmark management on the GUI. Choices:
|
|
Enable/disable SSL-VPN realms on the GUI. Choices:
|
|
Enable/disable the switch controller on the GUI. Choices:
|
|
Enable/disable threat weight on the GUI. Choices:
|
|
Enable/disable traffic shaping on the GUI. Choices:
|
|
Enable/disable Video filtering on the GUI. Choices:
|
|
Enable/disable VoIP profiles on the GUI. Choices:
|
|
Enable/disable VPN tunnels on the GUI. Choices:
|
|
Enable/disable Web Application Firewall on the GUI. Choices:
|
|
Enable/disable SD-WAN on the GUI. Choices:
|
|
Enable/disable WAN Optimization and Web Caching on the GUI. Choices:
|
|
Enable/disable Web filtering on the GUI. Choices:
|
|
Enable/disable advanced web filtering on the GUI. Choices:
|
|
Enable/disable the wireless controller on the GUI. Choices:
|
|
Enable/disable Zero Trust Network Access features on the GUI. Choices:
|
|
Enable/disable H323 direct model. Choices:
|
|
Offload HTTP traffic to FortiWeb or FortiCache. Choices:
|
|
Configure IKE ASN.1 Distinguished Name format conventions. Choices:
|
|
Enable/disable IKE Policy Based Routing (PBR). Choices:
|
|
UDP port for IKE/IPsec traffic . |
|
Enable/disable IKE quick crash detection (RFC 6290). Choices:
|
|
Enable/disable IKEv2 session resumption (RFC 5723). Choices:
|
|
Enable/disable implicitly allowing DNS traffic. Choices:
|
|
Inspection mode (proxy-based or flow-based). Choices:
|
|
IP address and netmask. |
|
IPv6 address prefix for NAT mode. |
|
Enable/disable link down access traffic. Choices:
|
|
Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. Choices:
|
|
Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. Choices:
|
|
Local location ID in the form of an IPv4 address. |
|
Duration of MAC addresses in Transparent mode (300 - 8640000 sec). |
|
Transparent mode IPv4 management IP address and netmask. |
|
Transparent mode IPv6 management IP address and netmask. |
|
Enable/disable multicast forwarding. Choices:
|
|
Enable/disable allowing multicast traffic through the FortiGate without a policy check. Choices:
|
|
Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. Choices:
|
|
Next Generation Firewall (NGFW) mode. Choices:
|
|
Firewall operation mode (NAT or Transparent). Choices:
|
|
Enable/disable PFCP monitor mode (VDOM level). Choices:
|
|
Enable/disable action to take on PRP trailer. Choices:
|
|
TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535). |
|
Enable/disable SCTP session creation without SCTP INIT. Choices:
|
|
Enable/disable including denied session in the session table. Choices:
|
|
Enable/disable the SIP kernel session helper to create an expectation for port 5060. Choices:
|
|
Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG). Choices:
|
|
Enable/disable recording the original SIP source IP address when NAT is used. Choices:
|
|
TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535). |
|
TCP port the SIP proxy monitors for SIP traffic (0 - 65535). |
|
UDP port the SIP proxy monitors for SIP traffic (0 - 65535). |
|
Enable/disable source NAT (SNAT) for hairpin traffic. Choices:
|
|
Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. |
|
Enable/disable this VDOM. Choices:
|
|
Enable/disable strict source verification. Choices:
|
|
Enable/disable allowing TCP session without SYN flags. Choices:
|
|
Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. Choices:
|
|
IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. Choices:
|
|
Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. Choices:
|
|
Period to send VPN log statistics (0 or 60 - 86400 sec). |
|
Enable/disable WCCP cache engine. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure VDOM settings.
fortios_system_settings:
vdom: "{{ vdom }}"
system_settings:
allow_linkdown_path: "enable"
allow_subnet_overlap: "enable"
application_bandwidth_tracking: "disable"
asymroute: "enable"
asymroute_icmp: "enable"
asymroute6: "enable"
asymroute6_icmp: "enable"
auxiliary_session: "enable"
bfd: "enable"
bfd_desired_min_tx: "12"
bfd_detect_mult: "13"
bfd_dont_enforce_src_port: "enable"
bfd_required_min_rx: "15"
block_land_attack: "disable"
central_nat: "enable"
comments: "<your_own_value>"
compliance_check: "enable"
consolidated_firewall_mode: "enable"
default_voip_alg_mode: "proxy-based"
deny_tcp_with_icmp: "enable"
device: "<your_own_value> (source system.interface.name)"
dhcp_proxy: "enable"
dhcp_proxy_interface: "<your_own_value> (source system.interface.name)"
dhcp_proxy_interface_select_method: "auto"
dhcp_server_ip: "<your_own_value>"
dhcp6_server_ip: "<your_own_value>"
discovered_device_timeout: "29"
ecmp_max_paths: "30"
email_portal_check_dns: "disable"
firewall_session_dirty: "check-all"
fw_session_hairpin: "enable"
gateway: "<your_own_value>"
gateway6: "<your_own_value>"
gtp_asym_fgsp: "disable"
gtp_monitor_mode: "enable"
gui_advanced_policy: "enable"
gui_allow_unnamed_policy: "enable"
gui_antivirus: "enable"
gui_ap_profile: "enable"
gui_application_control: "enable"
gui_default_policy_columns:
-
name: "default_name_44"
gui_dhcp_advanced: "enable"
gui_dlp: "enable"
gui_dns_database: "enable"
gui_dnsfilter: "enable"
gui_domain_ip_reputation: "enable"
gui_dos_policy: "enable"
gui_dynamic_profile_display: "enable"
gui_dynamic_routing: "enable"
gui_email_collection: "enable"
gui_endpoint_control: "enable"
gui_endpoint_control_advanced: "enable"
gui_explicit_proxy: "enable"
gui_file_filter: "enable"
gui_fortiap_split_tunneling: "enable"
gui_fortiextender_controller: "enable"
gui_icap: "enable"
gui_implicit_policy: "enable"
gui_ips: "enable"
gui_load_balance: "enable"
gui_local_in_policy: "enable"
gui_local_reports: "enable"
gui_multicast_policy: "enable"
gui_multiple_interface_policy: "enable"
gui_multiple_utm_profiles: "enable"
gui_nat46_64: "enable"
gui_object_colors: "enable"
gui_per_policy_disclaimer: "enable"
gui_policy_based_ipsec: "enable"
gui_policy_disclaimer: "enable"
gui_policy_learning: "enable"
gui_replacement_message_groups: "enable"
gui_security_profile_group: "enable"
gui_spamfilter: "enable"
gui_sslvpn_personal_bookmarks: "enable"
gui_sslvpn_realms: "enable"
gui_switch_controller: "enable"
gui_threat_weight: "enable"
gui_traffic_shaping: "enable"
gui_videofilter: "enable"
gui_voip_profile: "enable"
gui_vpn: "enable"
gui_waf_profile: "enable"
gui_wan_load_balancing: "enable"
gui_wanopt_cache: "enable"
gui_webfilter: "enable"
gui_webfilter_advanced: "enable"
gui_wireless_controller: "enable"
gui_ztna: "enable"
h323_direct_model: "disable"
http_external_dest: "fortiweb"
ike_dn_format: "with-space"
ike_policy_route: "enable"
ike_port: "97"
ike_quick_crash_detect: "enable"
ike_session_resume: "enable"
implicit_allow_dns: "enable"
inspection_mode: "proxy"
ip: "<your_own_value>"
ip6: "<your_own_value>"
link_down_access: "enable"
lldp_reception: "enable"
lldp_transmission: "enable"
location_id: "<your_own_value>"
mac_ttl: "108"
manageip: "<your_own_value>"
manageip6: "<your_own_value>"
multicast_forward: "enable"
multicast_skip_policy: "enable"
multicast_ttl_notchange: "enable"
ngfw_mode: "profile-based"
opmode: "nat"
pfcp_monitor_mode: "enable"
prp_trailer_action: "enable"
sccp_port: "118"
sctp_session_without_init: "enable"
ses_denied_traffic: "enable"
sip_expectation: "enable"
sip_helper: "enable"
sip_nat_trace: "enable"
sip_ssl_port: "124"
sip_tcp_port: "125"
sip_udp_port: "126"
snat_hairpin_traffic: "enable"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
strict_src_check: "enable"
tcp_session_without_syn: "enable"
utf8_spam_tagging: "enable"
v4_ecmp_mode: "source-ip-based"
vpn_stats_log: "ipsec"
vpn_stats_period: "135"
wccp_cache_engine: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)