fortinet.fortimanager.fmgr_pkg_footer_policy module – Configure IPv4/IPv6 policies.

Note

This module is part of the fortinet.fortimanager collection (version 2.8.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_pkg_footer_policy.

New in fortinet.fortimanager 2.0.0

Synopsis

• This module is able to configure a FortiManager device.

• Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter	Comments
access_token string	The token to access FortiManager without using username and password.
bypass_validation boolean	Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. Choices: false ← (default) true
enable_log boolean	Enable/Disable logging for task. Choices: false ← (default) true
forticloud_access_token string	Authenticate Ansible client with forticloud API access token.
pkg string / required	The parameter (pkg) in requested url.
pkg_footer_policy dictionary	The top level parameters set.
_policy_block integer	Assigned policy block.
access_proxy any	(list) Access proxy.
action string	Action. Choices: "deny" "accept" "ipsec" "ssl-vpn" "redirect" "isolate"
active_auth_method string	Active auth method. Choices: "ntlm" "basic" "digest" "form"
anti_replay string	Anti replay. Choices: "disable" "enable"
app_category any	(list or str) App category.
app_group any	(list or str) App group.
application any	(list) Application.
application_charts list / elements=string	Application charts. Choices: "top10-app" "top10-p2p-user" "top10-media-user"
application_list string	Application list.
auth_cert string	Auth cert.
auth_method string	Auth method. Choices: "basic" "digest" "ntlm" "fsae" "form" "fsso" "rsso"
auth_path string	Auth path. Choices: "disable" "enable"
auth_portal string	Auth portal. Choices: "disable" "enable"
auth_redirect_addr string	Auth redirect addr.
auto_asic_offload string	Auto asic offload. Choices: "disable" "enable"
av_profile string	Av profile.
bandwidth string	Bandwidth. Choices: "disable" "enable"
best_route string	Best route. Choices: "disable" "enable"
block_notification string	Block notification. Choices: "disable" "enable"
captive_portal_exempt string	Captive portal exempt. Choices: "disable" "enable"
capture_packet string	Capture packet. Choices: "disable" "enable"
casb_profile string	Name of an existing CASB profile.
casi_profile any	(list or str) Casi profile.
central_nat string	Central nat. Choices: "disable" "enable"
cgn_eif string	Enable/Disable CGN endpoint independent filtering. Choices: "disable" "enable"
cgn_eim string	Enable/Disable CGN endpoint independent mapping Choices: "disable" "enable"
cgn_log_server_grp any	(list or str) NP log server group name
cgn_resource_quota integer	Resource quota
cgn_session_quota integer	Session quota
cgn_sw_eif_ctrl string	Enable/disable software endpoint independent filtering control. Choices: "disable" "enable"
cifs_profile string	Cifs profile.
client_reputation string	Client reputation. Choices: "disable" "enable"
client_reputation_mode string	Client reputation mode. Choices: "learning" "monitoring"
comments any	(dict or str) Comments.
custom_log_fields any	(list or str) Custom log fields.
decrypted_traffic_mirror string	Decrypted traffic mirror.
deep_inspection_options any	(list or str) Deep inspection options.
delay_tcp_npu_session string	Delay tcp npu session. Choices: "disable" "enable"
delay_tcp_npu_sessoin string	Delay tcp npu sessoin. Choices: "disable" "enable"
detect_https_in_http_request string	Detect https in http request. Choices: "disable" "enable"
device_detection_portal string	Device detection portal. Choices: "disable" "enable"
device_ownership string	Device ownership. Choices: "disable" "enable"
devices any	(list or str) Devices.
diameter_filter_profile string	Name of an existing Diameter filter profile.
diffserv_copy string	Enable to copy packets DiffServ values from sessions original direction to its reply direction. Choices: "disable" "enable"
diffserv_forward string	Diffserv forward. Choices: "disable" "enable"
diffserv_reverse string	Diffserv reverse. Choices: "disable" "enable"
diffservcode_forward string	Diffservcode forward.
diffservcode_rev string	Diffservcode rev.
disclaimer string	Disclaimer. Choices: "disable" "enable" "user" "domain" "policy"
dlp_profile string	Name of an existing DLP profile.
dlp_sensor any	(list or str) Dlp sensor.
dnsfilter_profile string	Dnsfilter profile.
dponly string	Dponly. Choices: "disable" "enable"
dscp_match string	Dscp match. Choices: "disable" "enable"
dscp_negate string	Dscp negate. Choices: "disable" "enable"
dscp_value string	Dscp value.
dsri string	Dsri. Choices: "disable" "enable"
dstaddr any	(list or str) Dstaddr.
dstaddr6 any	(list or str) Dstaddr6.
dstaddr6_negate string	When enabled dstaddr6 specifies what the destination address must NOT be. Choices: "disable" "enable"
dstaddr_negate string	Dstaddr negate. Choices: "disable" "enable"
dstintf any	(list or str) Dstintf.
dynamic_bypass string	Dynamic bypass. Choices: "disable" "enable"
dynamic_profile string	Dynamic profile. Choices: "disable" "enable"
dynamic_profile_access list / elements=string	Dynamic profile access. Choices: "imap" "smtp" "pop3" "http" "ftp" "im" "nntp" "imaps" "smtps" "pop3s" "https" "ftps" "ssh"
dynamic_profile_fallthrough string	Dynamic profile fallthrough. Choices: "disable" "enable"
dynamic_profile_group any	(list or str) Dynamic profile group.
dynamic_shaping string	Enable/disable dynamic RADIUS defined traffic shaping. Choices: "disable" "enable"
eif_check string	Enable/Disable check endpoint-independent-filtering pinhole. Choices: "disable" "enable"
eif_learn string	Enable/Disable learning of end-point-independent filtering pinhole. Choices: "disable" "enable"
email_collect string	Email collect. Choices: "disable" "enable"
email_collection_portal string	Email collection portal. Choices: "disable" "enable"
emailfilter_profile string	Emailfilter profile.
endpoint_check string	Endpoint check. Choices: "disable" "enable"
endpoint_compliance string	Endpoint compliance. Choices: "disable" "enable"
endpoint_keepalive_interface any	(list or str) Endpoint keepalive interface.
endpoint_profile any	(list or str) Endpoint profile.
extended_log string	Extended log. Choices: "disable" "enable"
failed_connection string	Failed connection. Choices: "disable" "enable"
fall_through_unauthenticated string	Fall through unauthenticated. Choices: "disable" "enable"
fec string	Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Choices: "disable" "enable"
file_filter_profile string	File filter profile.
firewall_session_dirty string	Firewall session dirty. Choices: "check-all" "check-new"
fixedport string	Fixedport. Choices: "disable" "enable"
force_proxy string	Force proxy. Choices: "disable" "enable"
forticlient_compliance_devices list / elements=string	Forticlient compliance devices. Choices: "windows-pc" "mac" "iphone-ipad" "android"
forticlient_compliance_enforcement_portal string	Forticlient compliance enforcement portal. Choices: "disable" "enable"
fsae string	Fsae. Choices: "disable" "enable"
fsae_server_for_ntlm any	(list or str) Fsae server for ntlm.
fsso string	Fsso. Choices: "disable" "enable"
fsso_agent_for_ntlm string	Fsso agent for ntlm.
fsso_groups any	(list or str) Fsso groups.
geo_location string	Geo location. Choices: "disable" "enable"
geoip_anycast string	Geoip anycast. Choices: "disable" "enable"
geoip_match string	Geoip match. Choices: "physical-location" "registered-location"
global_label string	Global label.
groups any	(list or str) Groups.
gtp_profile string	Gtp profile.
http_policy_redirect string	Http policy redirect. Choices: "disable" "enable"
http_tunnel_auth string	Http tunnel auth. Choices: "disable" "enable"
ia_profile any	(list) Ia profile.
icap_profile string	Icap profile.
identity_based string	Identity based. Choices: "disable" "enable"
identity_based_policy list / elements=dictionary	Identity based policy.
action string	Action. Choices: "deny" "accept"
application_charts list / elements=string	Application charts. Choices: "top10-app" "top10-p2p-user" "top10-media-user"
application_list string	Application list.
av_profile string	Av profile.
capture_packet string	Capture packet. Choices: "disable" "enable"
deep_inspection_options string	Deep inspection options.
devices string	Devices.
dlp_sensor string	Dlp sensor.
dstaddr string	Dstaddr.
dstaddr_negate string	Dstaddr negate. Choices: "disable" "enable"
endpoint_compliance string	Endpoint compliance. Choices: "disable" "enable"
groups string	Groups.
icap_profile string	Icap profile.
id integer	Id.
ips_sensor string	Ips sensor.
logtraffic string	Logtraffic. Choices: "disable" "enable" "all" "utm"
logtraffic_app string	Logtraffic app. Choices: "disable" "enable"
logtraffic_start string	Logtraffic start. Choices: "disable" "enable"
mms_profile string	Mms profile.
per_ip_shaper string	Per ip shaper.
profile_group string	Profile group.
profile_protocol_options string	Profile protocol options.
profile_type string	Profile type. Choices: "single" "group"
replacemsg_group string	Replacemsg group.
schedule string	Schedule.
send_deny_packet string	Send deny packet. Choices: "disable" "enable"
service string	Service.
service_negate string	Service negate. Choices: "disable" "enable"
spamfilter_profile string	Spamfilter profile.
sslvpn_portal string	Sslvpn portal.
sslvpn_realm string	Sslvpn realm.
traffic_shaper string	Traffic shaper.
traffic_shaper_reverse string	Traffic shaper reverse.
users string	Users.
utm_status string	Utm status. Choices: "disable" "enable"
voip_profile string	Voip profile.
webfilter_profile string	Webfilter profile.
identity_based_route string	Identity based route.
identity_from string	Identity from. Choices: "auth" "device"
implicit_proxy_detection string	Implicit proxy detection. Choices: "disable" "enable"
inbound string	Inbound. Choices: "disable" "enable"
inspection_mode string	Inspection mode. Choices: "proxy" "flow"
internet_service string	Internet service. Choices: "disable" "enable"
internet_service6 string	Enable/disable use of IPv6 Internet Services for this policy. Choices: "disable" "enable"
internet_service6_custom any	(list) Custom IPv6 Internet Service name.
internet_service6_custom_group any	(list) Custom Internet Service6 group name.
internet_service6_group any	(list) Internet Service group name.
internet_service6_name any	(list) IPv6 Internet Service name.
internet_service6_negate string	When enabled internet-service6 specifies what the service must NOT be. Choices: "disable" "enable"
internet_service6_src string	Enable/disable use of IPv6 Internet Services in source for this policy. Choices: "disable" "enable"
internet_service6_src_custom any	(list) Custom IPv6 Internet Service source name.
internet_service6_src_custom_group any	(list) Custom Internet Service6 source group name.
internet_service6_src_group any	(list) Internet Service6 source group name.
internet_service6_src_name any	(list) IPv6 Internet Service source name.
internet_service6_src_negate string	When enabled internet-service6-src specifies what the service must NOT be. Choices: "disable" "enable"
internet_service_custom any	(list or str) Internet service custom.
internet_service_custom_group any	(list or str) Internet service custom group.
internet_service_group any	(list or str) Internet service group.
internet_service_id any	(list or str) Internet service id.
internet_service_name any	(list or str) Internet service name.
internet_service_negate string	Internet service negate. Choices: "disable" "enable"
internet_service_src string	Internet service src. Choices: "disable" "enable"
internet_service_src_custom any	(list or str) Internet service src custom.
internet_service_src_custom_group any	(list or str) Internet service src custom group.
internet_service_src_group any	(list or str) Internet service src group.
internet_service_src_id any	(list or str) Internet service src id.
internet_service_src_name any	(list or str) Internet service src name.
internet_service_src_negate string	Internet service src negate. Choices: "disable" "enable"
ip_based string	Ip based. Choices: "disable" "enable"
ip_version_type string	IP version of the policy.
ippool string	Ippool. Choices: "disable" "enable"
ips_sensor string	Ips sensor.
ips_voip_filter string	Name of an existing VoIP
isolator_profile any	(list) Isolator profile.
isolator_server any	(list) Isolator server.
label string	Label.
learning_mode string	Learning mode. Choices: "disable" "enable"
log_http_transaction string	Log http transaction. Choices: "disable" "enable" "all" "utm"
log_unmatched_traffic string	Log unmatched traffic. Choices: "disable" "enable"
logtraffic string	Logtraffic. Choices: "disable" "enable" "all" "utm"
logtraffic_app string	Logtraffic app. Choices: "disable" "enable"
logtraffic_start string	Logtraffic start. Choices: "disable" "enable"
match_vip string	Match vip. Choices: "disable" "enable"
match_vip_only string	Match vip only. Choices: "disable" "enable"
max_session_per_user integer	Max session per user.
mms_profile any	(list or str) Mms profile.
name string	Name.
nat string	Nat. Choices: "disable" "enable"
nat46 string	Enable/disable NAT46. Choices: "disable" "enable"
nat64 string	Enable/disable NAT64. Choices: "disable" "enable"
natinbound string	Natinbound. Choices: "disable" "enable"
natip string	Natip.
natoutbound string	Natoutbound. Choices: "disable" "enable"
network_service_dynamic any	(list) Dynamic Network Service name.
network_service_src_dynamic any	(list) Dynamic Network Service source name.
np_accelation string	Np accelation. Choices: "disable" "enable"
np_acceleration string	Np acceleration. Choices: "disable" "enable"
ntlm string	Ntlm. Choices: "disable" "enable"
ntlm_enabled_browsers any	(list) Ntlm enabled browsers.
ntlm_guest string	Ntlm guest. Choices: "disable" "enable"
outbound string	Outbound. Choices: "disable" "enable"
pass_through string	Pass through. Choices: "disable" "enable"
passive_wan_health_measurement string	Enable/disable passive WAN health measurement. Choices: "disable" "enable"
pcp_inbound string	Enable/disable PCP inbound DNAT. Choices: "disable" "enable"
pcp_outbound string	Enable/disable PCP outbound SNAT. Choices: "disable" "enable"
pcp_poolname any	(list) PCP pool names.
per_ip_shaper string	Per ip shaper.
permit_any_host string	Permit any host. Choices: "disable" "enable"
permit_stun_host string	Permit stun host. Choices: "disable" "enable"
pfcp_profile string	PFCP profile.
policy_behaviour_type string	Behaviour of the policy.
policy_expiry string	Enable/disable policy expiry. Choices: "disable" "enable"
policy_expiry_date string	Policy expiry date
policy_expiry_date_utc string	Policy expiry date and time, in epoch format.
policy_offload string	Enable/Disable hardware session setup for CGNAT. Choices: "disable" "enable"
policyid integer / required	Policyid.
poolname any	(list or str) Poolname.
poolname6 any	(list or str) Poolname6.
port_preserve string	Enable/disable preservation of the original source port from source NAT if it has not been used. Choices: "disable" "enable"
profile_group string	Profile group.
profile_protocol_options string	Profile protocol options.
profile_type string	Profile type. Choices: "single" "group"
radius_ip_auth_bypass string	Enable IP authentication bypass. Choices: "disable" "enable"
radius_mac_auth_bypass string	Radius mac auth bypass. Choices: "disable" "enable"
redirect_profile any	(list) Redirect profile.
redirect_url string	Redirect url.
replacemsg_group any	(list or str) Replacemsg group.
replacemsg_override_group string	Replacemsg override group.
reputation_direction string	Reputation direction. Choices: "source" "destination"
reputation_direction6 string	Direction of the initial traffic for IPv6 reputation to take effect. Choices: "source" "destination"
reputation_minimum integer	Reputation minimum.
reputation_minimum6 integer	IPv6 Minimum Reputation to take action.
require_tfa string	Require tfa. Choices: "disable" "enable"
reverse_cache string	Reverse cache. Choices: "disable" "enable"
rsso string	Rsso. Choices: "disable" "enable"
rtp_addr any	(list or str) Rtp addr.
rtp_nat string	Rtp nat. Choices: "disable" "enable"
scan_botnet_connections string	Scan botnet connections. Choices: "disable" "block" "monitor"
schedule string	Schedule.
schedule_timeout string	Schedule timeout. Choices: "disable" "enable"
sctp_filter_profile string	Name of an existing SCTP filter profile.
send_deny_packet string	Send deny packet. Choices: "disable" "enable"
service any	(list or str) Service.
service_negate string	Service negate. Choices: "disable" "enable"
session_ttl any	(int or str) Session ttl.
sessions string	Sessions. Choices: "disable" "enable"
sgt any	(list) Security group tags.
sgt_check string	Enable/disable security group tags Choices: "disable" "enable"
spamfilter_profile any	(list or str) Spamfilter profile.
src_vendor_mac any	(list or str) Src vendor mac.
srcaddr any	(list or str) Srcaddr.
srcaddr6 any	(list or str) Srcaddr6.
srcaddr6_negate string	When enabled srcaddr6 specifies what the source address must NOT be. Choices: "disable" "enable"
srcaddr_negate string	Srcaddr negate. Choices: "disable" "enable"
srcintf any	(list or str) Srcintf.
ssh_filter_profile string	Ssh filter profile.
ssh_policy_check string	Ssh policy check. Choices: "disable" "enable"
ssh_policy_redirect string	Ssh policy redirect. Choices: "disable" "enable"
ssl_mirror string	Ssl mirror. Choices: "disable" "enable"
ssl_mirror_intf any	(list or str) Ssl mirror intf.
ssl_ssh_profile string	Ssl ssh profile.
sslvpn_auth string	Sslvpn auth. Choices: "any" "local" "radius" "ldap" "tacacs+"
sslvpn_ccert string	Sslvpn ccert. Choices: "disable" "enable"
sslvpn_cipher string	Sslvpn cipher. Choices: "any" "high" "medium"
sso_auth_method string	Sso auth method. Choices: "fsso" "rsso"
status string	Status. Choices: "disable" "enable"
tags any	(list or str) Tags.
tcp_mss_receiver integer	Tcp mss receiver.
tcp_mss_sender integer	Tcp mss sender.
tcp_reset string	Tcp reset. Choices: "disable" "enable"
tcp_session_without_syn string	Tcp session without syn. Choices: "all" "data-only" "disable"
tcp_timeout_pid any	(list) TCP timeout profile ID
timeout_send_rst string	Timeout send rst. Choices: "disable" "enable"
tos string	Tos.
tos_mask string	Tos mask.
tos_negate string	Tos negate. Choices: "disable" "enable"
traffic_shaper string	Traffic shaper.
traffic_shaper_reverse string	Traffic shaper reverse.
transaction_based string	Transaction based. Choices: "disable" "enable"
transparent string	Transparent. Choices: "disable" "enable"
type string	Type. Choices: "explicit-web" "transparent" "explicit-ftp" "ssh-tunnel" "ssh" "wanopt" "access-proxy"
udp_timeout_pid any	(list) UDP timeout profile ID
url_category any	(list or str) Url category.
url_risk any	(list) Url risk.
users any	(list or str) Users.
utm_inspection_mode string	Utm inspection mode. Choices: "proxy" "flow"
utm_status string	Utm status. Choices: "disable" "enable"
uuid string	Uuid.
uuid_idx integer	Uuid idx.
vendor_mac any	(list or str) Vendor mac.
videofilter_profile string	Name of an existing VideoFilter profile.
virtual_patch_profile string	Name of an existing virtual-patch profile.
vlan_cos_fwd integer	Vlan cos fwd.
vlan_cos_rev integer	Vlan cos rev.
vlan_filter string	Vlan filter.
voip_profile string	Voip profile.
vpntunnel string	Vpntunnel.
waf_profile string	Waf profile.
wanopt string	Wanopt. Choices: "disable" "enable"
wanopt_detection string	Wanopt detection. Choices: "active" "passive" "off"
wanopt_passive_opt string	Wanopt passive opt. Choices: "default" "transparent" "non-transparent"
wanopt_peer string	Wanopt peer.
wanopt_profile string	Wanopt profile.
wccp string	Wccp. Choices: "disable" "enable"
web_auth_cookie string	Web auth cookie. Choices: "disable" "enable"
webcache string	Webcache. Choices: "disable" "enable"
webcache_https string	Webcache https. Choices: "disable" "ssl-server" "any" "enable"
webfilter_profile string	Webfilter profile.
webproxy_forward_server string	Webproxy forward server.
webproxy_profile string	Webproxy profile.
wsso string	Wsso. Choices: "disable" "enable"
ztna_device_ownership string	Enable/disable zero trust device ownership. Choices: "disable" "enable"
ztna_ems_tag any	(list or str) Source ztna-ems-tag names.
ztna_ems_tag_secondary any	(list) Source ztna-ems-tag-secondary names.
ztna_geo_tag any	(list or str) Source ztna-geo-tag names.
ztna_policy_redirect string	Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Choices: "disable" "enable"
ztna_status string	Enable/disable zero trust access. Choices: "disable" "enable"
ztna_tags_match_logic string	Ztna tags match logic. Choices: "or" "and"
proposed_method string	The overridden method for the underlying Json RPC request. Choices: "update" "set" "add"
rc_failed list / elements=integer	The rc codes list with which the conditions to fail will be overriden.
rc_succeeded list / elements=integer	The rc codes list with which the conditions to succeed will be overriden.
state string / required	The directive to create, update or delete an object. Choices: "present" "absent"
workspace_locking_adom string	The adom to lock for FortiManager running in workspace mode, the value can be global and others including root.
workspace_locking_timeout integer	The maximum time in seconds to wait for other user to release the workspace lock. Default: 300

Notes

Note

• Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

• Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

• To create or update an object, use state present directive.

• To delete an object, use state absent directive.

• Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure IPv4 footer policies.
      fortinet.fortimanager.fmgr_pkg_footer_policy:
        bypass_validation: false
        pkg: ansible
        state: present
        pkg_footer_policy:
          action: accept # <value in [deny, accept, ipsec, ...]>
          dstaddr: gall
          dstintf: any
          name: ansible-test-footer
          policyid: 1074741836 # must larger than 2^30(1074741824), since header/footer policy is a special policy
          schedule: galways
          service: gALL
          srcaddr: gall
          srcintf: any
          status: enable

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the IPv4 footer policies
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "pkg_footer_policy"
          params:
            pkg: "ansible"
            policy: "your_value"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
meta dictionary	The result of the request. Returned: always
request_url string	The full url requested. Returned: always Sample: "/sys/login/user"
response_code integer	The status of api request. Returned: always Sample: 0
response_data list / elements=string	The api response. Returned: always
response_message string	The descriptive message of the api response. Returned: always Sample: "OK."
system_information dictionary	The information of the target system. Returned: always
rc integer	The status the request. Returned: always Sample: 0
version_check_warning list / elements=string	Warning if the parameters used in the playbook are not supported by the current FortiManager version. Returned: complex

Authors

• Xinwei Du (@dux-fortinet)

• Xing Li (@lix-fortinet)

• Jie Xue (@JieX19)

• Link Zheng (@chillancezen)

• Frank Shen (@fshen01)

• Hongbin Lu (@fgtdev-hblu)

Collection links

• Issue Tracker
• Homepage
• Repository (Sources)