fortinet.fortios.fortios_firewall_proxy_policy module – Configure proxy policies in Fortinet’s FortiOS and FortiGate.

Note

This module is part of the fortinet.fortios collection (version 2.3.8).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_proxy_policy.

New in fortinet.fortios 2.0.0

Synopsis

• This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and proxy_policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

• ansible>=2.15

Parameters

Parameter	Comments
access_token string	Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean	Enable/Disable logging for task. Choices: false ← (default) true
firewall_proxy_policy dictionary	Configure proxy policies.
access_proxy list / elements=dictionary	IPv4 access proxy.
name string / required	Access Proxy name. Source firewall.access-proxy.name.
access_proxy6 list / elements=dictionary	IPv6 access proxy.
name string / required	Access proxy name. Source firewall.access-proxy6.name.
action string	Accept or deny traffic matching the policy parameters. Choices: "accept" "deny" "redirect"
application_list string	Name of an existing Application list. Source application.list.name.
av_profile string	Name of an existing Antivirus profile. Source antivirus.profile.name.
block_notification string	Enable/disable block notification. Choices: "enable" "disable"
casb_profile string	Name of an existing CASB profile. Source casb.profile.name.
cifs_profile string	Name of an existing CIFS profile. Source cifs.profile.name.
comments string	Optional comments.
decrypted_traffic_mirror string	Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name.
detect_https_in_http_request string	Enable/disable detection of HTTPS in HTTP request. Choices: "enable" "disable"
device_ownership string	When enabled, the ownership enforcement will be done at policy level. Choices: "enable" "disable"
diameter_filter_profile string	Name of an existing Diameter filter profile. Source diameter-filter.profile.name.
disclaimer string	Web proxy disclaimer setting: by domain, policy, or user. Choices: "disable" "domain" "policy" "user"
dlp_profile string	Name of an existing DLP profile. Source dlp.profile.name.
dlp_sensor string	Name of an existing DLP sensor. Source dlp.sensor.name.
dnsfilter_profile string	Name of an existing DNS filter profile. Source dnsfilter.profile.name.
dstaddr list / elements=dictionary	Destination address objects.
name string / required	Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name system.external-resource.name.
dstaddr6 list / elements=dictionary	IPv6 destination address objects.
name string / required	Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system .external-resource.name.
dstaddr_negate string	When enabled, destination addresses match against any address EXCEPT the specified destination addresses. Choices: "enable" "disable"
dstintf list / elements=dictionary	Destination interface names.
name string / required	Interface name. Source system.interface.name system.zone.name system.sdwan.zone.name.
emailfilter_profile string	Name of an existing email filter profile. Source emailfilter.profile.name.
file_filter_profile string	Name of an existing file-filter profile. Source file-filter.profile.name.
global_label string	Global web-based manager visible label.
groups list / elements=dictionary	Names of group objects.
name string / required	Group name. Source user.group.name.
http_tunnel_auth string	Enable/disable HTTP tunnel authentication. Choices: "enable" "disable"
icap_profile string	Name of an existing ICAP profile. Source icap.profile.name.
internet_service string	Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Choices: "enable" "disable"
internet_service6 string	Enable/disable use of Internet Services IPv6 for this policy. If enabled, destination IPv6 address and service are not used. Choices: "enable" "disable"
internet_service6_custom list / elements=dictionary	Custom Internet Service IPv6 name.
name string / required	Custom Internet Service IPv6 name. Source firewall.internet-service-custom.name.
internet_service6_custom_group list / elements=dictionary	Custom Internet Service IPv6 group name.
name string / required	Custom Internet Service IPv6 group name. Source firewall.internet-service-custom-group.name.
internet_service6_group list / elements=dictionary	Internet Service IPv6 group name.
name string / required	Internet Service IPv6 group name. Source firewall.internet-service-group.name.
internet_service6_name list / elements=dictionary	Internet Service IPv6 name.
name string / required	Internet Service IPv6 name. Source firewall.internet-service-name.name.
internet_service6_negate string	When enabled, Internet Services match against any internet service IPv6 EXCEPT the selected Internet Service IPv6. Choices: "enable" "disable"
internet_service_custom list / elements=dictionary	Custom Internet Service name.
name string / required	Custom Internet Service name. Source firewall.internet-service-custom.name.
internet_service_custom_group list / elements=dictionary	Custom Internet Service group name.
name string / required	Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
internet_service_group list / elements=dictionary	Internet Service group name.
name string / required	Internet Service group name. Source firewall.internet-service-group.name.
internet_service_id list / elements=dictionary	Internet Service ID.
id integer / required	Internet Service ID. see <a href=’#notes’>Notes</a>. Source firewall.internet-service.id.
internet_service_name list / elements=dictionary	Internet Service name.
name string / required	Internet Service name. Source firewall.internet-service-name.name.
internet_service_negate string	When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. Choices: "enable" "disable"
ips_sensor string	Name of an existing IPS sensor. Source ips.sensor.name.
ips_voip_filter string	Name of an existing VoIP (ips) profile. Source voip.profile.name.
label string	VDOM-specific GUI visible label.
log_http_transaction string	Enable/disable HTTP transaction log. Choices: "enable" "disable"
logtraffic string	Enable/disable logging traffic through the policy. Choices: "all" "utm" "disable"
logtraffic_start string	Enable/disable policy log traffic start. Choices: "enable" "disable"
mms_profile string	Name of an existing MMS profile. Source firewall.mms-profile.name.
name string	Policy name.
policyid integer / required	Policy ID. see <a href=’#notes’>Notes</a>.
poolname list / elements=dictionary	Name of IP pool object.
name string / required	IP pool name. Source firewall.ippool.name.
profile_group string	Name of profile group. Source firewall.profile-group.name.
profile_protocol_options string	Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
profile_type string	Determine whether the firewall policy allows security profile groups or single profiles only. Choices: "single" "group"
proxy string	Type of explicit proxy. Choices: "explicit-web" "transparent-web" "ftp" "ssh" "ssh-tunnel" "access-proxy" "ztna-proxy" "wanopt"
redirect_url string	Redirect URL for further explicit web proxy processing.
replacemsg_override_group string	Authentication replacement message override group. Source system.replacemsg-group.name.
scan_botnet_connections string	Enable/disable scanning of connections to Botnet servers. Choices: "disable" "block" "monitor"
schedule string	Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
sctp_filter_profile string	Name of an existing SCTP filter profile. Source sctp-filter.profile.name.
service list / elements=dictionary	Name of service objects.
name string / required	Service name. Source firewall.service.custom.name firewall.service.group.name.
service_negate string	When enabled, services match against any service EXCEPT the specified destination services. Choices: "enable" "disable"
session_ttl integer	TTL in seconds for sessions accepted by this policy (0 means use the system ).
spamfilter_profile string	Name of an existing Spam filter profile. Source spamfilter.profile.name.
srcaddr list / elements=dictionary	Source address objects.
name string / required	Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name.
srcaddr6 list / elements=dictionary	IPv6 source address objects.
name string / required	Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
srcaddr_negate string	When enabled, source addresses match against any address EXCEPT the specified source addresses. Choices: "enable" "disable"
srcintf list / elements=dictionary	Source interface names.
name string / required	Interface name. Source system.interface.name system.zone.name system.sdwan.zone.name.
ssh_filter_profile string	Name of an existing SSH filter profile. Source ssh-filter.profile.name.
ssh_policy_redirect string	Redirect SSH traffic to matching transparent proxy policy. Choices: "enable" "disable"
ssl_ssh_profile string	Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
status string	Enable/disable the active status of the policy. Choices: "enable" "disable"
transparent string	Enable to use the IP address of the client to connect to the server. Choices: "enable" "disable"
users list / elements=dictionary	Names of user objects.
name string / required	Group name. Source user.local.name user.certificate.name.
utm_status string	Enable the use of UTM profiles/sensors/lists. Choices: "enable" "disable"
uuid string	Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
videofilter_profile string	Name of an existing VideoFilter profile. Source videofilter.profile.name.
virtual_patch_profile string	Name of an existing virtual-patch profile. Source virtual-patch.profile.name.
voip_profile string	Name of an existing VoIP profile. Source voip.profile.name.
waf_profile string	Name of an existing Web application firewall profile. Source waf.profile.name.
webcache string	Enable/disable web caching. Choices: "enable" "disable"
webcache_https string	Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile). Choices: "disable" "enable"
webfilter_profile string	Name of an existing Web filter profile. Source webfilter.profile.name.
webproxy_forward_server string	Web proxy forward server name. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
webproxy_profile string	Name of web proxy profile. Source web-proxy.profile.name.
ztna_ems_tag list / elements=dictionary	ZTNA EMS Tag names.
name string / required	EMS Tag name. Source firewall.address.name firewall.addrgrp.name.
ztna_proxy list / elements=dictionary	IPv4 ZTNA traffic forward proxy.
name string / required	ZTNA Traffic Forward Proxy name. Source ztna.traffic-forward-proxy.name.
ztna_tags_match_logic string	ZTNA tag matching logic. Choices: "or" "and"
member_path string	Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation.
member_state string	Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices: "present" "absent"
state string / required	Indicates whether to create or remove the object. Choices: "present" "absent"
vdom string	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: "root"

Notes

Note

• We highly recommend using your own value as the policyid instead of 0, while ‘0’ is a special placeholder that allows the backend to assign the latest available number for the object, it does have limitations. Please find more details in Q&A.

• Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

• The module supports check_mode.

Examples

- name: Configure proxy policies.
  fortinet.fortios.fortios_firewall_proxy_policy:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_proxy_policy:
          access_proxy:
              -
                  name: "default_name_4 (source firewall.access-proxy.name)"
          access_proxy6:
              -
                  name: "default_name_6 (source firewall.access-proxy6.name)"
          action: "accept"
          application_list: "<your_own_value> (source application.list.name)"
          av_profile: "<your_own_value> (source antivirus.profile.name)"
          block_notification: "enable"
          casb_profile: "<your_own_value> (source casb.profile.name)"
          cifs_profile: "<your_own_value> (source cifs.profile.name)"
          comments: "<your_own_value>"
          decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
          detect_https_in_http_request: "enable"
          device_ownership: "enable"
          diameter_filter_profile: "<your_own_value> (source diameter-filter.profile.name)"
          disclaimer: "disable"
          dlp_profile: "<your_own_value> (source dlp.profile.name)"
          dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
          dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
          dstaddr:
              -
                  name: "default_name_23 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall
                    .vip.name firewall.vipgrp.name system.external-resource.name)"
          dstaddr_negate: "enable"
          dstaddr6:
              -
                  name: "default_name_26 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system
                    .external-resource.name)"
          dstintf:
              -
                  name: "default_name_28 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
          file_filter_profile: "<your_own_value> (source file-filter.profile.name)"
          global_label: "<your_own_value>"
          groups:
              -
                  name: "default_name_33 (source user.group.name)"
          http_tunnel_auth: "enable"
          icap_profile: "<your_own_value> (source icap.profile.name)"
          internet_service: "enable"
          internet_service_custom:
              -
                  name: "default_name_38 (source firewall.internet-service-custom.name)"
          internet_service_custom_group:
              -
                  name: "default_name_40 (source firewall.internet-service-custom-group.name)"
          internet_service_group:
              -
                  name: "default_name_42 (source firewall.internet-service-group.name)"
          internet_service_id:
              -
                  id: "44 (source firewall.internet-service.id)"
          internet_service_name:
              -
                  name: "default_name_46 (source firewall.internet-service-name.name)"
          internet_service_negate: "enable"
          internet_service6: "enable"
          internet_service6_custom:
              -
                  name: "default_name_50 (source firewall.internet-service-custom.name)"
          internet_service6_custom_group:
              -
                  name: "default_name_52 (source firewall.internet-service-custom-group.name)"
          internet_service6_group:
              -
                  name: "default_name_54 (source firewall.internet-service-group.name)"
          internet_service6_name:
              -
                  name: "default_name_56 (source firewall.internet-service-name.name)"
          internet_service6_negate: "enable"
          ips_sensor: "<your_own_value> (source ips.sensor.name)"
          ips_voip_filter: "<your_own_value> (source voip.profile.name)"
          label: "<your_own_value>"
          log_http_transaction: "enable"
          logtraffic: "all"
          logtraffic_start: "enable"
          mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
          name: "default_name_65"
          policyid: "<you_own_value>"
          poolname:
              -
                  name: "default_name_68 (source firewall.ippool.name)"
          profile_group: "<your_own_value> (source firewall.profile-group.name)"
          profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
          profile_type: "single"
          proxy: "explicit-web"
          redirect_url: "<your_own_value>"
          replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          scan_botnet_connections: "disable"
          schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
          sctp_filter_profile: "<your_own_value> (source sctp-filter.profile.name)"
          service:
              -
                  name: "default_name_79 (source firewall.service.custom.name firewall.service.group.name)"
          service_negate: "enable"
          session_ttl: "0"
          spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
          srcaddr:
              -
                  name: "default_name_84 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system
                    .external-resource.name)"
          srcaddr_negate: "enable"
          srcaddr6:
              -
                  name: "default_name_87 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          srcintf:
              -
                  name: "default_name_89 (source system.interface.name system.zone.name system.sdwan.zone.name)"
          ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
          ssh_policy_redirect: "enable"
          ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
          status: "enable"
          transparent: "enable"
          users:
              -
                  name: "default_name_96 (source user.local.name user.certificate.name)"
          utm_status: "enable"
          uuid: "<your_own_value>"
          videofilter_profile: "<your_own_value> (source videofilter.profile.name)"
          virtual_patch_profile: "<your_own_value> (source virtual-patch.profile.name)"
          voip_profile: "<your_own_value> (source voip.profile.name)"
          waf_profile: "<your_own_value> (source waf.profile.name)"
          webcache: "enable"
          webcache_https: "disable"
          webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
          webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
          webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
          ztna_ems_tag:
              -
                  name: "default_name_109 (source firewall.address.name firewall.addrgrp.name)"
          ztna_proxy:
              -
                  name: "default_name_111 (source ztna.traffic-forward-proxy.name)"
          ztna_tags_match_logic: "or"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
build string	Build number of the fortigate image Returned: always Sample: "1547"
http_method string	Last method used to provision the content into FortiGate Returned: always Sample: "PUT"
http_status string	Last result given by FortiGate on last operation applied Returned: always Sample: "200"
mkey string	Master key (id) used in the last call to FortiGate Returned: success Sample: "id"
name string	Name of the table used to fulfill the request Returned: always Sample: "urlfilter"
path string	Path of the table used to fulfill the request Returned: always Sample: "webfilter"
revision string	Internal revision number Returned: always Sample: "17.0.2.10658"
serial string	Serial number of the unit Returned: always Sample: "FGVMEVYYQT3AB5352"
status string	Indication of the operation’s result Returned: always Sample: "success"
vdom string	Virtual domain used Returned: always Sample: "root"
version string	Version of the FortiGate Returned: always Sample: "v5.6.3"

Authors

• Link Zheng (@chillancezen)

• Jie Xue (@JieX19)

• Hongbin Lu (@fgtdev-hblu)

• Frank Shen (@frankshen01)

• Miguel Angel Munoz (@mamunozgonzalez)

• Nicolas Thomas (@thomnico)

Collection links

• Issue Tracker
• Homepage
• Repository (Sources)