fortinet.fortios.fortios_vpn_ssl_settings module – Configure SSL-VPN in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings
.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
|
Configure SSL-VPN. |
|
Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. Choices:
|
|
Enable/disable checking of source IP for authentication session. Choices:
|
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). |
|
Authentication rule for SSL-VPN. |
|
SSL-VPN authentication method restriction. Choices:
|
|
SSL-VPN cipher strength. Choices:
|
|
Enable/disable SSL-VPN client certificate restrictive. Choices:
|
|
User groups. |
|
Group name. Source user.group.name. |
|
ID (0 - 4294967295). |
|
SSL-VPN portal. Source vpn.ssl.web.portal.name. |
|
SSL-VPN realm. Source vpn.ssl.web.realm.url-path. |
|
Source address of incoming traffic. |
|
Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name. |
|
IPv6 source address of incoming traffic. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. |
|
Enable/disable negated source IPv6 address match. Choices:
|
|
Enable/disable negated source address match. Choices:
|
|
SSL-VPN source interface of incoming traffic. |
|
Interface name. Source system.interface.name system.zone.name. |
|
Name of user peer. Source user.peer.name. |
|
User name. |
|
User name. Source user.local.name. |
|
Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses. Choices:
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below. Choices:
|
|
Enable/disable overriding the configured system language based on the preferred language of the browser. Choices:
|
|
Enable/disable verification of referer field in HTTP request header. Choices:
|
|
Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. Choices:
|
|
Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. Choices:
|
|
Default SSL-VPN portal. Source vpn.ssl.web.portal.name. |
|
Compression level (0~9). |
|
Minimum amount of data that triggers compression (200 - 65535 bytes). |
|
DNS server 1. |
|
DNS server 2. |
|
DNS suffix used for SSL-VPN clients. |
|
Number of missing heartbeats before the connection is considered dropped. |
|
Idle timeout before DTLS heartbeat is sent. |
|
Interval between DTLS heartbeat. |
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec). |
|
DTLS maximum protocol version. Choices:
|
|
DTLS minimum protocol version. Choices:
|
|
Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. Choices:
|
|
Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. Choices:
|
|
Encode 2F sequence to forward slash in URLs. Choices:
|
|
Encrypt and store user passwords for SSL-VPN web sessions. Choices:
|
|
Enable/disable only PKI users with two-factor authentication for SSL-VPNs. Choices:
|
|
Forward the same, add, or remove HTTP header. Choices:
|
|
Add HSTS includeSubDomains response header. Choices:
|
|
Enable/disable to allow HTTP compression over SSL-VPN tunnels. Choices:
|
|
Enable/disable SSL-VPN support for HttpOnly cookies. Choices:
|
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). |
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). |
|
Enable/disable redirect of port 80 to SSL-VPN port. Choices:
|
|
SSL-VPN disconnects if idle for specified time in seconds. |
|
IPv6 DNS server 1. |
|
IPv6 DNS server 2. |
|
IPv6 WINS server 1. |
|
IPv6 WINS server 2. |
|
SSL-VPN maximum login attempt times before block (0 - 10). |
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). |
|
SSLVPN maximum login timeout (10 - 180 sec). |
|
SSL-VPN access port (1 - 65535). |
|
Enable/disable, Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. Choices:
|
|
Enable/disable to require client certificates for all SSL-VPN users. Choices:
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. Choices:
|
|
SAML local redirect port in the machine running FortiClient (0 - 65535). 0 is to disable redirection on FGT side. |
|
Server hostname for HTTPS. When set, will be used for SSL VPN web proxy host header for any redirection. |
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. |
|
Source address of incoming traffic. |
|
Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name. |
|
IPv6 source address of incoming traffic. |
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. |
|
Enable/disable negated source IPv6 address match. Choices:
|
|
Enable/disable negated source address match. Choices:
|
|
SSL-VPN source interface of incoming traffic. |
|
Interface name. Source system.interface.name system.zone.name. |
|
Enable/disable to allow client renegotiation by the server if the tunnel goes down. Choices:
|
|
Enable/disable insertion of empty fragment. Choices:
|
|
SSL maximum protocol version. Choices:
|
|
SSL minimum protocol version. Choices:
|
|
Enable/disable SSL-VPN. Choices:
|
|
tlsv1-0 Choices:
|
|
tlsv1-1 Choices:
|
|
tlsv1-2 Choices:
|
|
tlsv1-3 Choices:
|
|
Transform backward slashes to forward slashes in URLs. Choices:
|
|
Method used for assigning address for tunnel. Choices:
|
|
Enable/disable tunnel connection without re-authorization if previous connection dropped. Choices:
|
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. |
|
Address name. Source firewall.address.name firewall.addrgrp.name. |
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. |
|
Address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec). |
|
Enable/disable unsafe legacy re-negotiation. Choices:
|
|
Enable/disable to obscure the host name of the URL of the web browser display. Choices:
|
|
Name of user peer. Source user.peer.name. |
|
Enable/disable use of IP pools defined in firewall policy while using web-mode. Choices:
|
|
WINS server 1. |
|
WINS server 2. |
|
Add HTTP X-Content-Type-Options header. Choices:
|
|
Enable/disable verification of device certificate for SSLVPN ZTNA session. Choices:
|
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure SSL-VPN.
fortios_vpn_ssl_settings:
vdom: "{{ vdom }}"
vpn_ssl_settings:
algorithm: "high"
auth_session_check_source_ip: "enable"
auth_timeout: "28800"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_11 (source user.group.name)"
id: "12"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_16 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_22 (source system.interface.name system.zone.name)"
user_peer: "<your_own_value> (source user.peer.name)"
users:
-
name: "default_name_25 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
browser_language_detection: "enable"
check_referer: "enable"
ciphersuite: "TLS-AES-128-GCM-SHA256"
client_sigalgs: "no-rsa-pss"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "6"
deflate_min_data_size: "300"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_heartbeat_fail_count: "3"
dtls_heartbeat_idle_timeout: "3"
dtls_heartbeat_interval: "3"
dtls_hello_timeout: "10"
dtls_max_proto_ver: "dtls1-0"
dtls_min_proto_ver: "dtls1-0"
dtls_tunnel: "enable"
dual_stack_mode: "enable"
encode_2f_sequence: "enable"
encrypt_and_store_password: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
hsts_include_subdomains: "enable"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "30"
http_request_header_timeout: "20"
https_redirect: "enable"
idle_timeout: "300"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "2"
login_block_time: "60"
login_timeout: "30"
port: "10443"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
saml_redirect_port: "8020"
server_hostname: "myhostname"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_72 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_75 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_78 (source system.interface.name system.zone.name)"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
ssl_max_proto_ver: "tls1-0"
ssl_min_proto_ver: "tls1-0"
status: "enable"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tlsv1_3: "enable"
transform_backward_slashes: "enable"
tunnel_addr_assigned_method: "first-available"
tunnel_connect_without_reauth: "enable"
tunnel_ip_pools:
-
name: "default_name_92 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_94 (source firewall.address6.name firewall.addrgrp6.name)"
tunnel_user_session_timeout: "30"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
user_peer: "<your_own_value> (source user.peer.name)"
web_mode_snat: "enable"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
ztna_trusted_client: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |