fortinet.fortios.fortios_system_global module – Configure global attributes in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.3.9).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: fortinet.fortios.fortios_system_global.
New in fortinet.fortios 2.0.0
Synopsis
This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the system feature, global category. The examples include all parameters; the values need to be adjusted to your datasources before use. Tested with FOS v6.0.0.
Requirements
The requirements below are needed on the host that executes this module.
ansible>=2.15
Parameters
| Parameter | Comments |
|---|---|
| | Token-based authentication. Generated from the FortiGate GUI. |
| | Enable/disable logging for the task. Choices: |
| member_path | Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. A parameter marked with member_path is legitimate for a member operation. |
| member_state | Add or delete a member under the specified attribute path. When member_state is specified, the state option is ignored. Choices: |
| system_global | Configure global attributes. |
| admin_concurrent | Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users. Choices: |
| admin_console_timeout | Console login timeout that overrides the admin timeout value (15 - 300 seconds). |
| admin_forticloud_sso_default_profile | Override access profile. Source system.accprofile.name. |
| admin_forticloud_sso_login | Enable/disable FortiCloud admin login via SSO. Choices: |
| admin_host | Administrative host for HTTP and HTTPS. When set, it is used in lieu of the client's Host header for any redirection. |
| admin_hsts_max_age | HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0. |
| admin_https_pki_required | Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Choices: |
| admin_https_redirect | Enable/disable redirection of HTTP administration access to HTTPS. Choices: |
| admin_https_ssl_banned_ciphers | Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Choices: |
| admin_https_ssl_ciphersuites | Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Choices: |
| admin_https_ssl_versions | Allowed TLS versions for web administration. Choices: |
| admin_lockout_duration | Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. |
| admin_lockout_threshold | Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. |
| admin_login_max | Maximum number of administrators who can be logged in at the same time (1 - 100). |
| admin_maintainer | Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Choices: |
| admin_port | Administrative access port for HTTP (1 - 65535). |
| admin_restrict_local | Enable/disable local admin authentication restriction when a remote authenticator is up and running. Choices: |
| admin_scp | Enable/disable SCP support for system configuration backup, restore, and firmware file upload. Choices: |
| admin_server_cert | Server certificate that the FortiGate uses for HTTPS administrative connections. Source certificate.local.name. |
| admin_sport | Administrative access port for HTTPS (1 - 65535). |
| admin_ssh_grace_time | Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour)). |
| admin_ssh_password | Enable/disable password authentication for SSH admin access. Choices: |
| admin_ssh_port | Administrative access port for SSH (1 - 65535). |
| admin_ssh_v1 | Enable/disable SSH v1 compatibility. Choices: |
| admin_telnet | Enable/disable TELNET service. Choices: |
| admin_telnet_port | Administrative access port for TELNET (1 - 65535). |
| admintimeout | Number of minutes before an idle administrator session times out (1 - 480 minutes (8 hours)). A shorter idle timeout is more secure. |
| alias | Alias for your FortiGate unit. |
| allow_traffic_redirect | Disable to prevent traffic with the same local ingress and egress interface from being forwarded without a policy check. Choices: |
| anti_replay | Level of checking for packet replay and TCP sequence checking. Choices: |
| arp_max_entry | Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647). |
| asymroute | Enable/disable asymmetric route. Choices: |
| auth_cert | Server certificate that the FortiGate uses for HTTPS firewall authentication connections. Source certificate.local.name. |
| auth_http_port | User authentication HTTP port (1 - 65535). |
| auth_https_port | User authentication HTTPS port (1 - 65535). |
| auth_ike_saml_port | User IKE SAML authentication port (0 - 65535). |
| auth_keepalive | Enable to prevent user authentication sessions from timing out when idle. Choices: |
| auth_session_auto_backup | Enable/disable automatic and periodic backup of authentication sessions. Sessions are restored upon bootup. Choices: |
| auth_session_auto_backup_interval | Configure the automatic authentication session backup interval in minutes. Choices: |
| auth_session_limit | Action to take when the number of allowed user authenticated sessions is reached. Choices: |
| auto_auth_extension_device | Enable/disable automatic authorization of dedicated Fortinet extension devices. Choices: |
| autorun_log_fsck | Enable/disable automatic log partition check after an ungraceful shutdown. Choices: |
| av_affinity | Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| av_failopen | Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Choices: |
| av_failopen_session | When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Choices: |
| batch_cmdb | Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Choices: |
| bfd_affinity | Affinity setting for the BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| block_session_timer | Duration in seconds for blocked sessions (1 - 300 sec (5 minutes)). |
| br_fdb_max_entry | Maximum number of bridge forwarding database (FDB) entries. |
| cert_chain_max | Maximum number of certificates that can be traversed in a certificate chain. |
| cfg_revert_timeout | Time-out for reverting to the last saved configuration (10 - 4294967295 seconds). |
| cfg_save | Configuration file save mode for CLI changes. Choices: |
| check_protocol_header | Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is OK in most cases. Choices: |
| check_reset_range | Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Choices: |
| cli_audit_log | Enable/disable CLI audit log. Choices: |
| cloud_communication | Enable/disable all cloud communication. Choices: |
| clt_cert_req | Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Choices: |
| cmdbsvr_affinity | Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| compliance_check | Enable/disable global PCI DSS compliance check. Choices: |
| compliance_check_time | Time of day to run scheduled PCI DSS compliance checks. |
| cpu_use_threshold | Threshold at which CPU usage is reported (% of total CPU). |
| csr_ca_attribute | Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Choices: |
| daily_restart | Enable/disable daily restart of the FortiGate unit. Use the restart-time option to set the time of day for the restart. Choices: |
| default_service_source_port | Default service source port range. |
| delay_tcp_npu_session | Enable TCP NPU session delay to guarantee packet order of the 3-way handshake. Choices: |
| device_identification_active_scan_delay | Number of seconds to passively scan a device before performing an active scan (20 - 3600 sec (20 sec to 1 hour)). |
| device_idle_timeout | Time in seconds that a device must be idle to automatically log the device user out (30 - 31536000 sec (30 sec to 1 year)). |
| dh_params | Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Choices: |
| dhcp_lease_backup_interval | DHCP leases backup interval in seconds (10 - 3600). |
| dnsproxy_worker_count | DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs. |
| dst | Enable/disable daylight saving time. Choices: |
| early_tcp_npu_session | Enable/disable early TCP NPU session. Choices: |
| edit_vdom_prompt | Enable/disable edit new VDOM prompt. Choices: |
| endpoint_control_fds_access | Enable/disable access to the FortiGuard network for non-compliant endpoints. Choices: |
| endpoint_control_portal_port | Endpoint control portal port (1 - 65535). |
| extender_controller_reserved_network | Configure the reserved network subnet for managed LAN extension FortiExtender units. This is available when the FortiExtender daemon is running. |
| failtime | Fail-time for server lost. |
| faz_disk_buffer_size | Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable. |
| fds_statistics | Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services, is not shared with external parties, and is protected by Fortinet's privacy policy. Choices: |
| fds_statistics_period | FortiGuard statistics collection period in minutes (1 - 1440 min (1 min to 24 hours)). |
| fec_port | Local UDP port for Forward Error Correction (49152 - 65535). |
| fgd_alert_subscription | Type of alert to retrieve from FortiGuard. Choices: |
| forticarrier_bypass | Enable/disable forticarrier-bypass. Choices: |
| forticonverter_config_upload | Enable/disable config upload to FortiConverter. Choices: |
| forticonverter_integration | Enable/disable FortiConverter integration service. Choices: |
| fortiextender | Enable/disable FortiExtender. Choices: |
| fortiextender_data_port | FortiExtender data port (1024 - 49150). |
| fortiextender_discovery_lockdown | Enable/disable FortiExtender CAPWAP lockdown. Choices: |
| fortiextender_provision_on_authorization | Enable/disable automatic provisioning of the latest FortiExtender firmware on authorization. Choices: |
| fortiextender_vlan_mode | Enable/disable FortiExtender VLAN mode. Choices: |
| fortigslb_integration | Enable/disable integration with the FortiGSLB cloud service. Choices: |
| fortiipam_integration | Enable/disable integration with the FortiIPAM cloud service. Choices: |
| fortiservice_port | FortiService port (1 - 65535). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. |
| fortitoken_cloud | Enable/disable FortiToken Cloud service. Choices: |
| fortitoken_cloud_push_status | Enable/disable FTM push service of FortiToken Cloud. Choices: |
| fortitoken_cloud_sync_interval | Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days)). |
| gui_allow_default_hostname | Enable/disable the factory default hostname warning on the GUI setup wizard. Choices: |
| gui_allow_incompatible_fabric_fgt | Enable/disable allowing a FortiGate with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Choices: |
| gui_app_detection_sdwan | Enable/disable app-detection based SD-WAN. Choices: |
| gui_auto_upgrade_setup_warning | Enable/disable the automatic patch upgrade setup prompt on the GUI. Choices: |
| gui_cdn_domain_override | Domain of the CDN server. |
| gui_cdn_usage | Enable/disable loading GUI static files from a CDN. Choices: |
| gui_certificates | Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Choices: |
| gui_custom_language | Enable/disable custom languages in the GUI. Choices: |
| gui_date_format | Default date format used throughout the GUI. Choices: |
| gui_date_time_source | Source from which the FortiGate GUI displays date and time entries. Choices: |
| gui_device_latitude | Add the latitude of the location of this FortiGate to position it on the Threat Map. |
| gui_device_longitude | Add the longitude of the location of this FortiGate to position it on the Threat Map. |
| gui_display_hostname | Enable/disable displaying the FortiGate's hostname on the GUI login page. Choices: |
| gui_firmware_upgrade_warning | Enable/disable the firmware upgrade warning on the GUI. Choices: |
| gui_forticare_registration_setup_warning | Enable/disable the FortiCare registration setup warning on the GUI. Choices: |
| gui_fortigate_cloud_sandbox | Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Choices: |
| gui_fortiguard_resource_fetch | Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Choices: |
| gui_fortisandbox_cloud | Enable/disable displaying FortiSandbox Cloud on the GUI. Choices: |
| gui_ipv6 | Enable/disable IPv6 settings on the GUI. Choices: |
| gui_lines_per_page | Number of lines to display per page for web administration. |
| gui_local_out | Enable/disable Local-out traffic on the GUI. Choices: |
| gui_replacement_message_groups | Enable/disable replacement message groups on the GUI. Choices: |
| gui_rest_api_cache | Enable/disable REST API result caching on the FortiGate. Choices: |
| gui_theme | Color scheme for the administration GUI. Choices: |
| gui_wireless_opensecurity | Enable/disable the wireless open security option on the GUI. Choices: |
| gui_workflow_management | Enable/disable Workflow management features on the GUI. Choices: |
| ha_affinity | Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| honor_df | Enable/disable honoring of the Don't-Fragment (DF) flag. Choices: |
| hostname | FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. |
| httpd_max_worker_count | Maximum number of simultaneous HTTP requests that will be served. This number may affect GUI and REST API performance (0 - 128). |
| igmp_state_limit | Maximum number of IGMP memberships (96 - 64000). |
| interface_subnet_usage | Enable/disable allowing use of the interface-subnet setting in firewall addresses. Choices: |
| internet_service_database | Configure which Internet Service database size to download from FortiGuard and use. Choices: |
| internet_service_download_list | Configure which on-demand Internet Service IDs are to be downloaded. |
| internet_service_download_list / id | Internet Service ID. See Notes. Source firewall.internet-service.id. |
| interval | Dead gateway detection interval. |
| ip_conflict_detection | Enable/disable logging of IPv4 address conflict detection. Choices: |
| ip_fragment_mem_thresholds | Maximum memory (MB) used to reassemble IPv4/IPv6 fragments. |
| ip_fragment_timeout | Timeout value in seconds for any fragment not being reassembled. |
| ip_src_port_range | IP source port range used for traffic originating from the FortiGate unit. |
| ips_affinity | Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than the total number of IPS engine daemons). |
| ipsec_asic_offload | Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Choices: |
| ipsec_ha_seqjump_rate | ESP jump ahead rate (1G - 10G pps equivalent). |
| ipsec_hmac_offload | Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Choices: |
| ipsec_qat_offload | Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption. Choices: |
| ipsec_round_robin | Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Choices: |
| ipsec_soft_dec_async | Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Choices: |
| ipv6_accept_dad | Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). |
| ipv6_allow_anycast_probe | Enable/disable IPv6 address probe through Anycast. Choices: |
| ipv6_allow_local_in_silent_drop | Enable/disable silent drop of IPv6 local-in traffic. Choices: |
| ipv6_allow_local_in_slient_drop | Enable/disable silent drop of IPv6 local-in traffic. Choices: |
| ipv6_allow_multicast_probe | Enable/disable IPv6 address probe through Multicast. Choices: |
| ipv6_allow_traffic_redirect | Disable to prevent IPv6 traffic with the same local ingress and egress interface from being forwarded without a policy check. Choices: |
| ipv6_fragment_timeout | Timeout value in seconds for any IPv6 fragment not being reassembled. |
| irq_time_accounting | Configure CPU IRQ time accounting mode. Choices: |
| language | GUI display language. Choices: |
| ldapconntimeout | Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000). |
| lldp_reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception. Choices: |
| lldp_transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Choices: |
| log_single_cpu_high | Enable/disable logging the event of a single CPU core reaching the CPU usage threshold. Choices: |
| log_ssl_connection | Enable/disable logging of SSL connection events. Choices: |
| log_uuid | Whether UUIDs are added to traffic logs. You can disable UUIDs, add firewall policy UUIDs to traffic logs, or add all UUIDs to traffic logs. Choices: |
| log_uuid_address | Enable/disable insertion of address UUIDs into traffic logs. Choices: |
| log_uuid_policy | Enable/disable insertion of policy UUIDs into traffic logs. Choices: |
| login_timestamp | Enable/disable login time recording. Choices: |
| long_vdom_name | Enable/disable long VDOM name support. Choices: |
| management_ip | Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric. |
| management_port | Overriding port for the management connection (overrides admin port). |
| management_port_use_admin_sport | Enable/disable use of the admin-sport setting for the management port. If disabled, the FortiGate allows the user to specify management-port. Choices: |
| management_vdom | Management virtual domain name. Source system.vdom.name. |
| max_dlpstat_memory | Maximum DLP stat memory (0 - 4294967295). |
| max_route_cache_size | Maximum number of IP route cache entries (0 - 2147483647). |
| mc_ttl_notchange | Enable/disable no modification of multicast TTL. Choices: |
| memory_use_threshold_extreme | Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM). |
| memory_use_threshold_green | Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM). |
| memory_use_threshold_red | Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM). |
| miglog_affinity | Affinity setting for logging (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| miglogd_children | Number of logging (miglogd) processes allowed to run. A higher number can reduce performance; a lower number can slow log processing time. |
| multi_factor_authentication | Enforce all login methods to require an additional authentication factor. Choices: |
| multicast_forward | Enable/disable multicast forwarding. Choices: |
| ndp_max_entry | Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, the kernel holds 65,536 entries). |
| npu_neighbor_update | Enable/disable sending of ARP/ICMP6 probing packets to update neighbors for offloaded sessions. Choices: |
| per_user_bal | Enable/disable per-user block/allow list filter. Choices: |
| per_user_bwl | Enable/disable per-user black/white list filter. Choices: |
| pmtu_discovery | Enable/disable path MTU discovery. Choices: |
| policy_auth_concurrent | Number of concurrent firewall user logins from the same user (1 - 100). |
| post_login_banner | Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Choices: |
| pre_login_banner | Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Choices: |
| private_data_encryption | Enable/disable private data encryption using an AES 128-bit key or passphrase. Choices: |
| proxy_auth_lifetime | Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for, after which re-authentication will take place. Choices: |
| proxy_auth_lifetime_timeout | Lifetime timeout in minutes for authenticated users (5 - 65535 min). |
| proxy_auth_timeout | Authentication timeout in minutes for authenticated users (1 - 300 min). |
| proxy_cert_use_mgmt_vdom | Enable/disable using the management VDOM to send requests. Choices: |
| | Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Choices: |
| | Enable/disable email proxy hardware acceleration. Choices: |
| | Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Choices: |
| | Enable/disable using the content processor to accelerate KXP traffic. Choices: |
| | Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Choices: |
| | Time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default 30 s). |
| | Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Choices: |
| | Proxy worker count. |
| | Purdue Level of this FortiGate. Choices: |
| | Maximum number of unacknowledged packets before sending an ACK (2 - 5). |
| | QUIC congestion control algorithm. Choices: |
| | Maximum transmit datagram size (1200 - 1500). |
| | Enable/disable path MTU discovery. Choices: |
| | Time-to-live (TTL) for the TLS handshake in seconds (1 - 60). |
| | Enable/disable UDP payload size shaping per connection ID. Choices: |
| | RADIUS service port number. |
| | Enable/disable reboot of the system upon restoring configuration. Choices: |
| | Statistics refresh interval in seconds in the GUI. |
| | Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers (1 - 300 sec). |
| | Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Choices: |
| | Daily restart time (hh:mm). |
| | Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Choices: |
| | Enable/disable back-up of the latest image revision after the firmware is upgraded. Choices: |
| | Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. |
| | SCIM HTTP port (0 - 65535). |
| | SCIM port (0 - 65535). |
| | Server certificate that the FortiGate uses for SCIM connections. Source certificate.local.name. |
| | Enable/disable the submission of Security Rating results to FortiGuard. Choices: |
| | Enable/disable scheduled runs of Security Rating. Choices: |
| | Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, to support the PMTUD protocol on your network and reduce fragmentation of packets. Choices: |
| | Maximum number of sflowd child processes allowed to run. |
| | Enable/disable the ability to change the source NAT route. Choices: |
| | Enable/disable detection of special format files when using Data Loss Prevention. Choices: |
| | Enable/disable speed test server. Choices: |
| | Speedtest server controller port number. |
| | Speedtest server port number. |
| | Split port(s) into multiple 10Gbps ports. |
| | Configure split port mode of ports. |
| | Split port interface. |
| | The configuration mode for the split port interface. Choices: |
| | Date within a month to run SSD Trim. |
| | How often to run SSD Trim. SSD Trim prevents SSD drive data loss by finding and isolating errors. Choices: |
| | Hour of the day on which to run SSD Trim (0 - 23). |
| | Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). |
| | Day of week on which to run SSD Trim. Choices: |
| | Enable/disable CBC cipher for SSH access. Choices: |
| | Select one or more SSH ciphers. Choices: |
| | Enable/disable HMAC-MD5 for SSH access. Choices: |
| | Config SSH host key. |
| | Select one or more SSH hostkey algorithms. Choices: |
| | Enable/disable SSH host key override in the SSH daemon. Choices: |
| | Password for ssh-hostkey. |
| | Select one or more SSH kex algorithms. Choices: |
| | Enable/disable SHA1 key exchange for SSH access. Choices: |
| | Select one or more SSH MAC algorithms. Choices: |
| | Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Choices: |
| | Minimum supported protocol version for SSL/TLS connections. Choices: |
| | Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Choices: |
| sslvpn-cipher-hardware-acceleration | Choices: |
| | Enable/disable verification of EMS serial number in SSL-VPN connection. Choices: |
| sslvpn-kxp-hardware-acceleration | Choices: |
| | Maximum number of SSL-VPN processes. The upper limit for this value is the number of CPUs and depends on the model. The default value of zero means the SSLVPN daemon decides the number of worker processes. |
| sslvpn-plugin-version-check | Choices: |
| | Enable/disable SSL-VPN web mode. Choices: |
| | Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Choices: |
| | Enable to use strong encryption and only allow strong ciphers and digests for HTTPS/SSH/TLS/SSL functions. Choices: |
| | Enable/disable switch controller feature. The switch controller allows you to manage FortiSwitch from the FortiGate itself. Choices: |
| | Configure the reserved network subnet for managed switches. This is available when the switch controller is enabled. |
| | Time in minutes between updates of performance statistics logging (1 - 15 min). |
| | Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| | Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day)). |
| | Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day)). |
| | Enable SACK, timestamp and MSS TCP options. Choices: |
| | Length of the TCP CLOSE state in seconds (5 - 300 sec). |
| | Length of the TCP TIME-WAIT state in seconds (1 - 300 sec). |
| | Enable/disable TFTP. Choices: |
| | Timezone database name. Enter ? to view the list of timezones. Source system.timezone.name. |
| | Enable/disable skipping the policy check and allowing multicast through. Choices: |
| | Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Choices: |
| | Default system-wide level of priority for traffic prioritization. Choices: |
| | Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes)). |
| | FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour)). |
| | FortiToken authentication session timeout (60 - 600 sec (10 minutes)). |
| | FortiToken Mobile session timeout (1 - 168 hours (7 days)). |
| | SMS-based two-factor authentication session timeout (30 - 300 sec). |
| | UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day)). |
| | URL filter CPU affinity. |
| | URL filter daemon count. |
| | Maximum number of devices allowed in the user device store. |
| | Maximum unified memory allowed in the user device store. |
| | Maximum number of users allowed in the user device store. |
| | Maximum number of previous passwords saved per admin/user (3 - 15). |
| | Certificate to use for HTTPS user authentication. Source certificate.local.name. |
| vdom-admin | Choices: |
| | Enable/disable support for multiple virtual domains (VDOMs). Choices: |
| | Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Choices: |
| | Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs. |
| | Enable/disable virtual server hardware acceleration. Choices: |
| | Enable/disable virtual switch VLAN. Choices: |
| | Enable/disable verification of EMS serial number in SSL-VPN connection. Choices: |
| | Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). |
| | Number of concurrent WAD-cache-service object-cache processes. |
| | Number of concurrent WAD-cache-service byte-cache processes. |
| | Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting the TCP window size for any active connection. |
| | WAD workers daily restart end time (hh:mm). |
| | WAD worker restart mode. Choices: |
| | WAD workers daily restart time (hh:mm). |
| | Enable/disable dispatching traffic to WAD workers based on source affinity. Choices: |
| | Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching are handled by all of the CPU cores in a FortiGate unit. |
| | CA certificate that verifies the WiFi certificate. Source certificate.ca.name. |
| | Certificate to use for WiFi authentication. Source certificate.local.name. |
| | Enable/disable compatibility with WiMAX 4G USB devices. Choices: |
| | Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Choices: |
| | Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150). |
| vdom | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: |
Notes
Note
Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.
The module supports check_mode.
Examples
- name: Configure global attributes.
fortinet.fortios.fortios_system_global:
vdom: "{{ vdom }}"
system_global:
admin_concurrent: "enable"
admin_console_timeout: "0"
admin_forticloud_sso_default_profile: "<your_own_value> (source system.accprofile.name)"
admin_forticloud_sso_login: "enable"
admin_host: "myhostname"
admin_hsts_max_age: "63072000"
admin_https_pki_required: "enable"
admin_https_redirect: "enable"
admin_https_ssl_banned_ciphers: "RSA"
admin_https_ssl_ciphersuites: "TLS-AES-128-GCM-SHA256"
admin_https_ssl_versions: "tlsv1-1"
admin_lockout_duration: "60"
admin_lockout_threshold: "3"
admin_login_max: "100"
admin_maintainer: "enable"
admin_port: "80"
admin_restrict_local: "all"
admin_scp: "enable"
admin_server_cert: "<your_own_value> (source certificate.local.name)"
admin_sport: "443"
admin_ssh_grace_time: "120"
admin_ssh_password: "enable"
admin_ssh_port: "22"
admin_ssh_v1: "enable"
admin_telnet: "enable"
admin_telnet_port: "23"
admintimeout: "5"
alias: "<your_own_value>"
allow_traffic_redirect: "enable"
anti_replay: "disable"
arp_max_entry: "131072"
asymroute: "enable"
auth_cert: "<your_own_value> (source certificate.local.name)"
auth_http_port: "1000"
auth_https_port: "1003"
auth_ike_saml_port: "1001"
auth_keepalive: "enable"
auth_session_auto_backup: "enable"
auth_session_auto_backup_interval: "1min"
auth_session_limit: "block-new"
auto_auth_extension_device: "enable"
autorun_log_fsck: "enable"
av_affinity: "<your_own_value>"
av_failopen: "pass"
av_failopen_session: "enable"
batch_cmdb: "enable"
bfd_affinity: "<your_own_value>"
block_session_timer: "30"
br_fdb_max_entry: "8192"
cert_chain_max: "8"
cfg_revert_timeout: "600"
cfg_save: "automatic"
check_protocol_header: "loose"
check_reset_range: "strict"
cli_audit_log: "enable"
cloud_communication: "enable"
clt_cert_req: "enable"
cmdbsvr_affinity: "<your_own_value>"
compliance_check: "enable"
compliance_check_time: "<your_own_value>"
cpu_use_threshold: "90"
csr_ca_attribute: "enable"
daily_restart: "enable"
default_service_source_port: "<your_own_value>"
delay_tcp_npu_session: "enable"
device_identification_active_scan_delay: "1800"
device_idle_timeout: "300"
dh_params: "1024"
dhcp_lease_backup_interval: "60"
dnsproxy_worker_count: "1"
dst: "enable"
early_tcp_npu_session: "enable"
edit_vdom_prompt: "enable"
endpoint_control_fds_access: "enable"
endpoint_control_portal_port: "32767"
extender_controller_reserved_network: "<your_own_value>"
failtime: "5"
faz_disk_buffer_size: "0"
fds_statistics: "enable"
fds_statistics_period: "60"
fec_port: "50000"
fgd_alert_subscription: "advisory"
forticarrier_bypass: "enable"
forticonverter_config_upload: "once"
forticonverter_integration: "enable"
fortiextender: "disable"
fortiextender_data_port: "25246"
fortiextender_discovery_lockdown: "disable"
fortiextender_provision_on_authorization: "enable"
fortiextender_vlan_mode: "enable"
fortigslb_integration: "disable"
fortiipam_integration: "enable"
fortiservice_port: "8013"
fortitoken_cloud: "enable"
fortitoken_cloud_push_status: "enable"
fortitoken_cloud_sync_interval: "24"
gui_allow_default_hostname: "enable"
gui_allow_incompatible_fabric_fgt: "enable"
gui_app_detection_sdwan: "enable"
gui_auto_upgrade_setup_warning: "enable"
gui_cdn_domain_override: "<your_own_value>"
gui_cdn_usage: "enable"
gui_certificates: "enable"
gui_custom_language: "enable"
gui_date_format: "yyyy/MM/dd"
gui_date_time_source: "system"
gui_device_latitude: "<your_own_value>"
gui_device_longitude: "<your_own_value>"
gui_display_hostname: "enable"
gui_firmware_upgrade_warning: "enable"
gui_forticare_registration_setup_warning: "enable"
gui_fortigate_cloud_sandbox: "enable"
gui_fortiguard_resource_fetch: "enable"
gui_fortisandbox_cloud: "enable"
gui_ipv6: "enable"
gui_lines_per_page: "500"
gui_local_out: "enable"
gui_replacement_message_groups: "enable"
gui_rest_api_cache: "enable"
gui_theme: "jade"
gui_wireless_opensecurity: "enable"
gui_workflow_management: "enable"
ha_affinity: "<your_own_value>"
honor_df: "enable"
hostname: "myhostname"
httpd_max_worker_count: "0"
igmp_state_limit: "3200"
interface_subnet_usage: "disable"
internet_service_database: "mini"
internet_service_download_list:
  - id: "133 (source firewall.internet-service.id)"
interval: "5"
ip_conflict_detection: "enable"
ip_fragment_mem_thresholds: "32"
ip_fragment_timeout: "30"
ip_src_port_range: "<your_own_value>"
ips_affinity: "<your_own_value>"
ipsec_asic_offload: "enable"
ipsec_ha_seqjump_rate: "10"
ipsec_hmac_offload: "enable"
ipsec_qat_offload: "enable"
ipsec_round_robin: "enable"
ipsec_soft_dec_async: "enable"
ipv6_accept_dad: "1"
ipv6_allow_anycast_probe: "enable"
ipv6_allow_local_in_silent_drop: "enable"
ipv6_allow_local_in_slient_drop: "enable"
ipv6_allow_multicast_probe: "enable"
ipv6_allow_traffic_redirect: "enable"
ipv6_fragment_timeout: "60"
irq_time_accounting: "auto"
language: "english"
ldapconntimeout: "500"
lldp_reception: "enable"
lldp_transmission: "enable"
log_single_cpu_high: "enable"
log_ssl_connection: "enable"
log_uuid: "disable"
log_uuid_address: "enable"
log_uuid_policy: "enable"
login_timestamp: "enable"
long_vdom_name: "enable"
management_ip: "<your_own_value>"
management_port: "443"
management_port_use_admin_sport: "enable"
management_vdom: "<your_own_value> (source system.vdom.name)"
max_dlpstat_memory: "169"
max_route_cache_size: "0"
mc_ttl_notchange: "enable"
memory_use_threshold_extreme: "95"
memory_use_threshold_green: "82"
memory_use_threshold_red: "88"
miglog_affinity: "<your_own_value>"
miglogd_children: "0"
multi_factor_authentication: "optional"
multicast_forward: "enable"
ndp_max_entry: "0"
npu_neighbor_update: "enable"
per_user_bal: "enable"
per_user_bwl: "enable"
pmtu_discovery: "enable"
policy_auth_concurrent: "0"
post_login_banner: "disable"
pre_login_banner: "enable"
private_data_encryption: "disable"
proxy_auth_lifetime: "enable"
proxy_auth_lifetime_timeout: "480"
proxy_auth_timeout: "10"
proxy_cert_use_mgmt_vdom: "enable"
proxy_cipher_hardware_acceleration: "disable"
proxy_hardware_acceleration: "disable"
proxy_keep_alive_mode: "session"
proxy_kxp_hardware_acceleration: "disable"
proxy_re_authentication_mode: "session"
proxy_re_authentication_time: "30"
proxy_resource_mode: "enable"
proxy_worker_count: "0"
purdue_level: "1"
quic_ack_thresold: "3"
quic_congestion_control_algo: "cubic"
quic_max_datagram_size: "1500"
quic_pmtud: "enable"
quic_tls_handshake_timeout: "5"
quic_udp_payload_size_shaping_per_cid: "enable"
radius_port: "1812"
reboot_upon_config_restore: "enable"
refresh: "0"
remoteauthtimeout: "5"
reset_sessionless_tcp: "enable"
restart_time: "<your_own_value>"
revision_backup_on_logout: "enable"
revision_image_auto_backup: "enable"
scanunit_count: "0"
scim_http_port: "44558"
scim_https_port: "44559"
scim_server_cert: "<your_own_value> (source certificate.local.name)"
security_rating_result_submission: "enable"
security_rating_run_on_schedule: "enable"
send_pmtu_icmp: "enable"
sflowd_max_children_num: "6"
snat_route_change: "enable"
special_file_23_support: "disable"
speedtest_server: "enable"
speedtestd_ctrl_port: "5200"
speedtestd_server_port: "5201"
split_port: "<your_own_value>"
split_port_mode:
  - interface: "<your_own_value>"
    split_mode: "disable"
ssd_trim_date: "1"
ssd_trim_freq: "never"
ssd_trim_hour: "1"
ssd_trim_min: "60"
ssd_trim_weekday: "sunday"
ssh_cbc_cipher: "enable"
ssh_enc_algo: "chacha20-poly1305@openssh.com"
ssh_hmac_md5: "enable"
ssh_hostkey: "myhostname"
ssh_hostkey_algo: "ssh-rsa"
ssh_hostkey_override: "disable"
ssh_hostkey_password: "myhostname"
ssh_kex_algo: "diffie-hellman-group1-sha1"
ssh_kex_sha1: "enable"
ssh_mac_algo: "hmac-md5"
ssh_mac_weak: "enable"
ssl_min_proto_version: "SSLv3"
ssl_static_key_ciphers: "enable"
sslvpn_cipher_hardware_acceleration: "enable"
sslvpn_ems_sn_check: "enable"
sslvpn_kxp_hardware_acceleration: "enable"
sslvpn_max_worker_count: "0"
sslvpn_plugin_version_check: "enable"
sslvpn_web_mode: "enable"
strict_dirty_session_check: "enable"
strong_crypto: "enable"
switch_controller: "disable"
switch_controller_reserved_network: "<your_own_value>"
sys_perf_log_interval: "5"
syslog_affinity: "<your_own_value>"
tcp_halfclose_timer: "120"
tcp_halfopen_timer: "10"
tcp_option: "enable"
tcp_rst_timer: "5"
tcp_timewait_timer: "1"
tftp: "enable"
timezone: "<your_own_value> (source system.timezone.name)"
tp_mc_skip_policy: "enable"
traffic_priority: "tos"
traffic_priority_level: "low"
two_factor_email_expiry: "60"
two_factor_fac_expiry: "60"
two_factor_ftk_expiry: "60"
two_factor_ftm_expiry: "72"
two_factor_sms_expiry: "60"
udp_idle_timer: "180"
url_filter_affinity: "<your_own_value>"
url_filter_count: "1"
user_device_store_max_devices: "20920"
user_device_store_max_unified_mem: "104604672"
user_device_store_max_users: "20920"
user_history_password_threshold: "3"
user_server_cert: "<your_own_value> (source certificate.local.name)"
vdom_admin: "enable"
vdom_mode: "no-vdom"
vip_arp_range: "unlimited"
virtual_server_count: "20"
virtual_server_hardware_acceleration: "disable"
virtual_switch_vlan: "enable"
vpn_ems_sn_check: "enable"
wad_affinity: "<your_own_value>"
wad_csvc_cs_count: "1"
wad_csvc_db_count: "0"
wad_memory_change_granularity: "10"
wad_restart_end_time: "<your_own_value>"
wad_restart_mode: "none"
wad_restart_start_time: "<your_own_value>"
wad_source_affinity: "disable"
wad_worker_count: "0"
wifi_ca_certificate: "<your_own_value> (source certificate.ca.name)"
wifi_certificate: "<your_own_value> (source certificate.local.name)"
wimax_4g_usb: "enable"
wireless_controller: "enable"
wireless_controller_port: "5246"
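The example above fills every option with its first documented choice, which for the SSH and TLS knobs is the legacy setting. Added example, not from the collection's documentation: a play that sets only those knobs to the values a hardening baseline would use; the inventory group `fortigates` and the `vdom` variable are placeholders for your own inventory.

```yaml
# Added example (not part of the fortinet.fortios documentation).
# Inventory group name and vdom value are placeholders.
- hosts: fortigates
  connection: httpapi
  vars:
    vdom: "root"
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # keep certificate checks on for the management API
    ansible_httpapi_port: 443
  tasks:
    - name: Disable legacy SSH and TLS options for administrative access
      fortinet.fortios.fortios_system_global:
        vdom: "{{ vdom }}"
        system_global:
          strong_crypto: "enable"            # restrict admin services to the strong cipher set
          ssl_min_proto_version: "TLSv1-2"   # documentation placeholder above is SSLv3
          ssl_static_key_ciphers: "disable"  # no static RSA key exchange for admin HTTPS
          ssh_cbc_cipher: "disable"          # no CBC-mode SSH ciphers
          ssh_hmac_md5: "disable"            # no MD5-based SSH MACs
          ssh_kex_sha1: "disable"            # no SHA-1 key exchange
          ssh_mac_weak: "disable"            # no weak SSH MACs
          pre_login_banner: "enable"
```

Run with `--check --diff` first; the module reports which of these attributes differ from the device's current configuration before anything is changed.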
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Description | Returned |
|---|---|---|
| | Build number of the FortiGate image | always |
| | Last method used to provision the content into FortiGate | always |
| | Last result given by FortiGate on the last operation applied | always |
| | Master key (id) used in the last call to FortiGate | success |
| | Name of the table used to fulfill the request | always |
| | Path of the table used to fulfill the request | always |
| | Internal revision number | always |
| | Serial number of the unit | always |
| | Indication of the operation's result | always |
| | Virtual domain used | always |
| | Version of the FortiGate | always |