fortinet.fortios.fortios_firewall_access_proxy module – Configure IPv4 access proxy in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.8).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_access_proxy
.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and access_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Configure IPv4 access proxy. |
|
Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel. Choices:
|
|
Set IPv4 API Gateway. |
|
SaaS application controlled by this Access Proxy. |
|
SaaS application name. |
|
HTTP2 support, default=Enable. Choices:
|
|
HTTP3/QUIC support, default=Disable. Choices:
|
|
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. |
|
Domain that HTTP cookie persistence should apply to. |
|
Enable/disable use of HTTP cookie domain from host field in HTTP. Choices:
|
|
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
|
Limit HTTP cookie persistence to the specified path. |
|
Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Choices:
|
|
Enable/disable verification that inserted HTTPS cookies are secure. Choices:
|
|
API Gateway ID. see <a href=’#notes’>Notes</a>. |
|
Method used to distribute sessions to real servers. Choices:
|
|
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Choices:
|
|
QUIC setting. |
|
ACK delay exponent (1 - 20). |
|
Active connection ID limit (1 - 8). |
|
Enable/disable active migration . Choices:
|
|
Enable/disable grease QUIC bit . Choices:
|
|
Maximum ACK delay in milliseconds (1 - 16383). |
|
Maximum datagram frame size in bytes (1 - 1500). |
|
Maximum idle timeout milliseconds (1 - 60000). |
|
Maximum UDP payload size in bytes (1200 - 1500). |
|
Select the real servers that this Access Proxy will distribute traffic to. |
|
Type of address. Choices:
|
|
Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name. |
|
Wildcard domain name of the real server. |
|
Enable/disable use of external browser as user-agent for SAML user authentication. Choices:
|
|
Enable to check the responsiveness of the real server before forwarding traffic. Choices:
|
|
Protocol of the health check monitor to use when polling to determine server”s connectivity status. Choices:
|
|
Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). Choices:
|
|
HTTP server domain name in HTTP header. |
|
Real server ID. see <a href=’#notes’>Notes</a>. |
|
IP address of the real server. |
|
Port for communicating with the real server. |
|
Port for communicating with the real server. |
|
Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name. |
|
One or more server host key. |
|
Server host key name. Source firewall.ssh.host-key.name. |
|
Enable/disable SSH real server host key validation. Choices:
|
|
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. Choices:
|
|
Enable/disable translation of hostname/IP from virtual server to real server. Choices:
|
|
Tunnel encryption. Choices:
|
|
TCP forwarding server type. Choices:
|
|
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
|
Enable/disable SAML redirection after successful authentication. Choices:
|
|
SAML service provider configuration for VIP authentication. Source user.saml.name. |
|
Service. Choices:
|
|
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Choices:
|
|
SSL/TLS cipher suites to offer to a server, ordered by priority. |
|
Cipher suite name. Choices:
|
|
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Choices:
|
|
Highest SSL/TLS version acceptable from a server. Choices:
|
|
Lowest SSL/TLS version acceptable from a server. Choices:
|
|
Enable/disable secure renegotiation to comply with RFC 5746. Choices:
|
|
SSL-VPN web portal. Source vpn.ssl.web.portal.name. |
|
URL pattern to match. |
|
Type of url-map. Choices:
|
|
Virtual host. Source firewall.access-proxy-virtual-host.name. |
|
Set IPv6 API Gateway. |
|
SaaS application controlled by this Access Proxy. |
|
SaaS application name. |
|
HTTP2 support, default=Enable. Choices:
|
|
HTTP3/QUIC support, default=Disable. Choices:
|
|
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. |
|
Domain that HTTP cookie persistence should apply to. |
|
Enable/disable use of HTTP cookie domain from host field in HTTP. Choices:
|
|
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
|
Limit HTTP cookie persistence to the specified path. |
|
Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. Choices:
|
|
Enable/disable verification that inserted HTTPS cookies are secure. Choices:
|
|
API Gateway ID. see <a href=’#notes’>Notes</a>. |
|
Method used to distribute sessions to real servers. Choices:
|
|
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. Choices:
|
|
QUIC setting. |
|
ACK delay exponent (1 - 20). |
|
Active connection ID limit (1 - 8). |
|
Enable/disable active migration . Choices:
|
|
Enable/disable grease QUIC bit . Choices:
|
|
Maximum ACK delay in milliseconds (1 - 16383). |
|
Maximum datagram frame size in bytes (1 - 1500). |
|
Maximum idle timeout milliseconds (1 - 60000). |
|
Maximum UDP payload size in bytes (1200 - 1500). |
|
Select the real servers that this Access Proxy will distribute traffic to. |
|
Type of address. Choices:
|
|
Address or address group of the real server. Source firewall.address6.name firewall.addrgrp6.name. |
|
Wildcard domain name of the real server. |
|
Enable/disable use of external browser as user-agent for SAML user authentication. Choices:
|
|
Enable to check the responsiveness of the real server before forwarding traffic. Choices:
|
|
Protocol of the health check monitor to use when polling to determine server”s connectivity status. Choices:
|
|
Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). Choices:
|
|
HTTP server domain name in HTTP header. |
|
Real server ID. see <a href=’#notes’>Notes</a>. |
|
IPv6 address of the real server. |
|
Port for communicating with the real server. |
|
Port for communicating with the real server. |
|
Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name. |
|
One or more server host key. |
|
Server host key name. Source firewall.ssh.host-key.name. |
|
Enable/disable SSH real server host key validation. Choices:
|
|
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. Choices:
|
|
Enable/disable translation of hostname/IP from virtual server to real server. Choices:
|
|
Tunnel encryption. Choices:
|
|
TCP forwarding server type. Choices:
|
|
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
|
Enable/disable SAML redirection after successful authentication. Choices:
|
|
SAML service provider configuration for VIP authentication. Source user.saml.name. |
|
Service. Choices:
|
|
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. Choices:
|
|
SSL/TLS cipher suites to offer to a server, ordered by priority. |
|
Cipher suite name. Choices:
|
|
SSL/TLS cipher suites priority. see <a href=’#notes’>Notes</a>. |
|
SSL/TLS versions that the cipher suite can be used with. Choices:
|
|
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. Choices:
|
|
Highest SSL/TLS version acceptable from a server. Choices:
|
|
Lowest SSL/TLS version acceptable from a server. Choices:
|
|
Enable/disable secure renegotiation to comply with RFC 5746. Choices:
|
|
SSL-VPN web portal. Source vpn.ssl.web.portal.name. |
|
URL pattern to match. |
|
Type of url-map. Choices:
|
|
Virtual host. Source firewall.access-proxy-virtual-host.name. |
|
Enable/disable authentication portal. Choices:
|
|
Virtual host for authentication portal. Source firewall.access-proxy-virtual-host.name. |
|
Enable/disable to request client certificate. Choices:
|
|
Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name. |
|
Action of an empty client certificate. Choices:
|
|
Maximum supported HTTP versions. default = HTTP2 Choices:
|
|
Method used to distribute sessions to SSL real servers. Choices:
|
|
Enable/disable logging of blocked traffic. Choices:
|
|
Access Proxy name. |
|
Select the SSL real servers that this Access Proxy will distribute traffic to. |
|
Real server ID. see <a href=’#notes’>Notes</a>. |
|
IP address of the real server. |
|
Port for communicating with the real server. |
|
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. Choices:
|
|
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
|
Enable/disable SSH real server public key authentication. Choices:
|
|
Server SSH public key authentication settings. |
|
Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name. |
|
Configure certificate extension for user certificate. |
|
Critical option. Choices:
|
|
Name of certificate extension. |
|
Name of certificate extension. |
|
Type of certificate extension. Choices:
|
|
Enable/disable appending permit-agent-forwarding certificate extension. Choices:
|
|
Enable/disable appending permit-port-forwarding certificate extension. Choices:
|
|
Enable/disable appending permit-pty certificate extension. Choices:
|
|
Enable/disable appending permit-user-rc certificate extension. Choices:
|
|
Enable/disable appending permit-x11-forwarding certificate extension. Choices:
|
|
Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address. Choices:
|
|
Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway. Choices:
|
|
Maximum number of concurrent requests that servers in server pool could handle . |
|
Maximum number of requests that servers in server pool handle before disconnecting . |
|
Time-to-live in the server pool for idle connections to servers. |
|
Enable/disable to detect device type by HTTP user-agent if no client certificate provided. Choices:
|
|
Virtual IP name. Source firewall.vip.name. |
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- name: Configure IPv4 access proxy.
fortinet.fortios.fortios_firewall_access_proxy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_access_proxy:
add_vhost_domain_to_dnsdb: "enable"
api_gateway:
-
application:
-
name: "default_name_6"
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "16"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
domain: "<your_own_value>"
external_auth: "enable"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "37"
ip: "<your_own_value>"
mappedport: "<your_own_value>"
port: "443"
ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
ssh_host_key:
-
name: "default_name_43 (source firewall.ssh.host-key.name)"
ssh_host_key_validation: "disable"
status: "active"
translate_host: "enable"
tunnel_encryption: "enable"
type: "tcp-forwarding"
weight: "1"
saml_redirect: "disable"
saml_server: "<your_own_value> (source user.saml.name)"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
url_map: "<your_own_value>"
url_map_type: "sub-string"
virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
api_gateway6:
-
application:
-
name: "default_name_68"
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "78"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
domain: "<your_own_value>"
external_auth: "enable"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "99"
ip: "<your_own_value>"
mappedport: "<your_own_value>"
port: "443"
ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
ssh_host_key:
-
name: "default_name_105 (source firewall.ssh.host-key.name)"
ssh_host_key_validation: "disable"
status: "active"
translate_host: "enable"
tunnel_encryption: "enable"
type: "tcp-forwarding"
weight: "1"
saml_redirect: "disable"
saml_server: "<your_own_value> (source user.saml.name)"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
url_map: "<your_own_value>"
url_map_type: "sub-string"
virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
auth_portal: "disable"
auth_virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
client_cert: "disable"
decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
empty_cert_action: "accept"
http_supported_max_version: "http1"
ldb_method: "static"
log_blocked_traffic: "enable"
name: "default_name_136"
realservers:
-
id: "138"
ip: "<your_own_value>"
port: "0"
status: "active"
weight: "1"
server_pubkey_auth: "disable"
server_pubkey_auth_settings:
auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
cert_extension:
-
critical: "no"
data: "<your_own_value>"
name: "default_name_149"
type: "fixed"
permit_agent_forwarding: "enable"
permit_port_forwarding: "enable"
permit_pty: "enable"
permit_user_rc: "enable"
permit_x11_forwarding: "enable"
source_address: "enable"
svr_pool_multiplex: "enable"
svr_pool_server_max_concurrent_request: "0"
svr_pool_server_max_request: "0"
svr_pool_ttl: "15"
user_agent_detect: "disable"
vip: "<your_own_value> (source firewall.vip.name)"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |