fortinet.fortios.fortios_firewall_ssl_ssh_profile module – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.8).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_ssl_ssh_profile
.
New in fortinet.fortios 2.0.0
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and ssl_ssh_profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Configure SSL/SSH protocol options. |
|
Enable/disable exempting servers by FortiGuard allowlist. Choices:
|
|
Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. Choices:
|
|
Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist. Choices:
|
|
CA certificate used by SSL Inspection. Source vpn.certificate.local.name. |
|
Optional comments. |
|
Configure DNS over TLS options. |
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
QUIC inspection status . Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
ClientHelloOuter SNIs to be blocked. |
|
ClientHelloOuter SNI name. |
|
ClientHelloOuter SNI to be blocked. |
|
Configure FTPS options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Minimum SSL version to be allowed. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Configure HTTPS options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate probe failure. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Block/allow session based on existence of encrypted-client-hello. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Minimum SSL version to be allowed. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
QUIC inspection status . Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Configure IMAPS options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Enable/disable inspection of MAPI over HTTPS. Choices:
|
|
Name. |
|
Configure POP3S options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Enable/disable inspection of RPC over HTTPS. Choices:
|
|
Certificate used by SSL Inspection to replace server certificate. Source vpn.certificate.local.name. |
|
Certificate list. Source vpn.certificate.local.name. |
|
Re-sign or replace the server”s certificate. Choices:
|
|
Configure SMTPS options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Configure SSH options. |
|
Level of SSL inspection. Choices:
|
|
Ports to use for scanning (1 - 65535). |
|
Proxy traffic after the TCP 3-way handshake has been established (not before). Choices:
|
|
Relative strength of encryption algorithms accepted during negotiation. Choices:
|
|
Enable/disable SSH policy check. Choices:
|
|
Enable/disable SSH tunnel policy check. Choices:
|
|
Configure protocol inspection status. Choices:
|
|
Action based on SSH version being unsupported. Choices:
|
|
Configure SSL options. |
|
When enabled, allows SSL sessions whose server certificate validation failed. Choices:
|
|
Action based on certificate probe failure. Choices:
|
|
Action based on certificate validation failure. Choices:
|
|
Action based on certificate validation timeout. Choices:
|
|
Action based on client certificate request. Choices:
|
|
Action based on received client certificate. Choices:
|
|
Block/allow session based on existence of encrypted-client-hello. Choices:
|
|
Action based on server certificate is expired. Choices:
|
|
Level of SSL inspection. Choices:
|
|
Allow or block the invalid SSL session server certificate. Choices:
|
|
Minimum SSL version to be allowed. Choices:
|
|
Action based on server certificate is revoked. Choices:
|
|
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. Choices:
|
|
Action based on the SSL encryption used being unsupported. Choices:
|
|
Action based on the SSL cipher used being unsupported. Choices:
|
|
Action based on the SSL negotiation used being unsupported. Choices:
|
|
Action based on the SSL version used being unsupported. Choices:
|
|
Allow, ignore, or block the untrusted SSL session server certificate. Choices:
|
|
Action based on server certificate is not issued by a trusted CA. Choices:
|
|
Enable/disable logging SSL anomalies. Choices:
|
|
Enable/disable logging of SSL anomalies. Choices:
|
|
Servers to exempt from SSL inspection. |
|
IPv4 address object. Source firewall.address.name firewall.addrgrp.name. |
|
IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name. |
|
FortiGuard category ID. |
|
ID number. see <a href=’#notes’>Notes</a>. |
|
Exempt servers by regular expression. |
|
Type of address object (IPv4 or IPv6) or FortiGuard category. Choices:
|
|
Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name. |
|
Enable/disable IP based URL rating. Choices:
|
|
Enable/disable logging of SSL exemptions. Choices:
|
|
Enable/disable logging SSL exemptions. Choices:
|
|
Enable/disable logging of TLS handshakes. Choices:
|
|
Enable/disable logging of SSL negotiation events. Choices:
|
|
SSL server settings used for client certificate request. |
|
Action based on client certificate request during the FTPS handshake. Choices:
|
|
Action based on received client certificate during the FTPS handshake. Choices:
|
|
Action based on client certificate request during the HTTPS handshake. Choices:
|
|
Action based on received client certificate during the HTTPS handshake. Choices:
|
|
SSL server ID. see <a href=’#notes’>Notes</a>. |
|
Action based on client certificate request during the IMAPS handshake. Choices:
|
|
Action based on received client certificate during the IMAPS handshake. Choices:
|
|
IPv4 address of the SSL server. |
|
Action based on client certificate request during the POP3S handshake. Choices:
|
|
Action based on received client certificate during the POP3S handshake. Choices:
|
|
Action based on client certificate request during the SMTPS handshake. Choices:
|
|
Action based on received client certificate during the SMTPS handshake. Choices:
|
|
Action based on client certificate request during an SSL protocol handshake. Choices:
|
|
Action based on received client certificate during an SSL protocol handshake. Choices:
|
|
Enable/disable logging of server certificate information. Choices:
|
|
Configure ALPN option. Choices:
|
|
Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name. |
|
Enable/disable the use of SSL server table for SSL offloading. Choices:
|
|
Enable/disable exempting servers by FortiGuard whitelist. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
The module supports check_mode.
Examples
- name: Configure SSL/SSH protocol options.
fortinet.fortios.fortios_firewall_ssl_ssh_profile:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_ssl_ssh_profile:
allowlist: "enable"
block_blacklisted_certificates: "disable"
block_blocklisted_certificates: "disable"
caname: "<your_own_value> (source vpn.certificate.local.name)"
comment: "Optional comments."
dot:
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_certificate: "bypass"
expired_server_cert: "allow"
proxy_after_tcp_handshake: "enable"
quic: "inspect"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_server_cert: "allow"
ech_outer_sni:
-
name: "default_name_23"
sni: "<your_own_value>"
ftps:
allow_invalid_server_cert: "enable"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
expired_server_cert: "allow"
invalid_server_cert: "allow"
min_allowed_ssl_version: "ssl-3.0"
ports: "<your_own_value>"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
https:
allow_invalid_server_cert: "enable"
cert_probe_failure: "allow"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
encrypted_client_hello: "allow"
expired_server_cert: "allow"
invalid_server_cert: "allow"
min_allowed_ssl_version: "ssl-3.0"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
quic: "inspect"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
imaps:
allow_invalid_server_cert: "enable"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
expired_server_cert: "allow"
invalid_server_cert: "allow"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
mapi_over_https: "enable"
name: "default_name_87"
pop3s:
allow_invalid_server_cert: "enable"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
expired_server_cert: "allow"
invalid_server_cert: "allow"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
rpc_over_https: "enable"
server_cert:
-
name: "default_name_109 (source vpn.certificate.local.name)"
server_cert_mode: "re-sign"
smtps:
allow_invalid_server_cert: "enable"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
expired_server_cert: "allow"
invalid_server_cert: "allow"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
status: "disable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
ssh:
inspect_all: "disable"
ports: "<your_own_value>"
proxy_after_tcp_handshake: "enable"
ssh_algorithm: "compatible"
ssh_policy_check: "disable"
ssh_tun_policy_check: "disable"
status: "disable"
unsupported_version: "bypass"
ssl:
allow_invalid_server_cert: "enable"
cert_probe_failure: "allow"
cert_validation_failure: "allow"
cert_validation_timeout: "allow"
client_cert_request: "bypass"
client_certificate: "bypass"
encrypted_client_hello: "allow"
expired_server_cert: "allow"
inspect_all: "disable"
invalid_server_cert: "allow"
min_allowed_ssl_version: "ssl-3.0"
revoked_server_cert: "allow"
sni_server_cert_check: "enable"
unsupported_ssl: "bypass"
unsupported_ssl_cipher: "allow"
unsupported_ssl_negotiation: "allow"
unsupported_ssl_version: "allow"
untrusted_cert: "allow"
untrusted_server_cert: "allow"
ssl_anomalies_log: "disable"
ssl_anomaly_log: "disable"
ssl_exempt:
-
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
fortiguard_category: "0"
id: "165"
regex: "<your_own_value>"
type: "fortiguard-category"
wildcard_fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
ssl_exemption_ip_rating: "enable"
ssl_exemption_log: "disable"
ssl_exemptions_log: "disable"
ssl_handshake_log: "disable"
ssl_negotiation_log: "disable"
ssl_server:
-
ftps_client_cert_request: "bypass"
ftps_client_certificate: "bypass"
https_client_cert_request: "bypass"
https_client_certificate: "bypass"
id: "179"
imaps_client_cert_request: "bypass"
imaps_client_certificate: "bypass"
ip: "<your_own_value>"
pop3s_client_cert_request: "bypass"
pop3s_client_certificate: "bypass"
smtps_client_cert_request: "bypass"
smtps_client_certificate: "bypass"
ssl_other_client_cert_request: "bypass"
ssl_other_client_certificate: "bypass"
ssl_server_cert_log: "disable"
supported_alpn: "http1-1"
untrusted_caname: "<your_own_value> (source vpn.certificate.local.name)"
use_ssl_server: "disable"
whitelist: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: |
|
Last method used to provision the content into FortiGate Returned: always Sample: |
|
Last result given by FortiGate on last operation applied Returned: always Sample: |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: |
|
Name of the table used to fulfill the request Returned: always Sample: |
|
Path of the table used to fulfill the request Returned: always Sample: |
|
Internal revision number Returned: always Sample: |
|
Serial number of the unit Returned: always Sample: |
|
Indication of the operation’s result Returned: always Sample: |
|
Virtual domain used Returned: always Sample: |
|
Version of the FortiGate Returned: always Sample: |