community.network.fmgr_secprof_appctrl – Manage application control security profiles

Note

This plugin is part of the community.network collection.

To install it use: ansible-galaxy collection install community.network.

To use it in a playbook, specify: community.network.fmgr_secprof_appctrl.

Synopsis

  • Manage application control security profiles within FortiManager

Parameters

Parameter Choices/Defaults Comments
adom
string
Default:
"root"
The ADOM the configuration should belong to.
app_replacemsg
string
    Choices:
  • disable
  • enable
Enable/disable replacement messages for blocked applications.
choice | disable | Disable replacement messages for blocked applications.
choice | enable | Enable replacement messages for blocked applications.
comment
string
comments
deep_app_inspection
string
    Choices:
  • disable
  • enable
Enable/disable deep application inspection.
choice | disable | Disable deep application inspection.
choice | enable | Enable deep application inspection.
entries
string
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, OMIT THE USE OF THIS PARAMETER
AND USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
entries_action
string
    Choices:
  • pass
  • block
  • reset
Pass or block traffic, or reset connection for traffic from this application.
choice | pass | Pass or allow matching traffic.
choice | block | Block or drop matching traffic.
choice | reset | Reset sessions for matching traffic.
entries_application
string
ID of allowed applications.
entries_behavior
string
Application behavior filter.
entries_category
string
Category ID list.
entries_log
string
    Choices:
  • disable
  • enable
Enable/disable logging for this application list.
choice | disable | Disable logging.
choice | enable | Enable logging.
entries_log_packet
string
    Choices:
  • disable
  • enable
Enable/disable packet logging.
choice | disable | Disable packet logging.
choice | enable | Enable packet logging.
entries_parameters_value
string
Parameter value.
entries_per_ip_shaper
string
Per-IP traffic shaper.
entries_popularity
string
    Choices:
  • 1
  • 2
  • 3
  • 4
  • 5
Application popularity filter (1 - 5, from least to most popular).
FLAG Based Options. Specify multiple in list form.
flag | 1 | Popularity level 1.
flag | 2 | Popularity level 2.
flag | 3 | Popularity level 3.
flag | 4 | Popularity level 4.
flag | 5 | Popularity level 5.
entries_protocols
string
Application protocol filter.
entries_quarantine
string
    Choices:
  • none
  • attacker
Quarantine method.
choice | none | Quarantine is disabled.
choice | attacker | Block all traffic sent from attacker's IP address.
The attacker's IP address is also added to the banned user list. The target's address is not affected.
entries_quarantine_expiry
string
Duration of quarantine. (Format
Requires quarantine set to attacker.
entries_quarantine_log
string
    Choices:
  • disable
  • enable
Enable/disable quarantine logging.
choice | disable | Disable quarantine logging.
choice | enable | Enable quarantine logging.
entries_rate_count
string
Count of the rate.
entries_rate_duration
string
Duration (sec) of the rate.
entries_rate_mode
string
    Choices:
  • periodical
  • continuous
Rate limit mode.
choice | periodical | Allow configured number of packets every rate-duration.
choice | continuous | Block packets once the rate is reached.
entries_rate_track
string
    Choices:
  • none
  • src-ip
  • dest-ip
  • dhcp-client-mac
  • dns-domain
Track the packet protocol field.
choice | none |
choice | src-ip | Source IP.
choice | dest-ip | Destination IP.
choice | dhcp-client-mac | DHCP client.
choice | dns-domain | DNS domain.
entries_risk
string
Risk, or impact, of allowing traffic from this application to occur 1 - 5;
(Low, Elevated, Medium, High, and Critical).
entries_session_ttl
string
Session TTL (0 = default).
entries_shaper
string
Traffic shaper.
entries_shaper_reverse
string
Reverse traffic shaper.
entries_sub_category
string
Application Sub-category ID list.
entries_technology
string
Application technology filter.
entries_vendor
string
Application vendor filter.
extended_log
string
    Choices:
  • disable
  • enable
Enable/disable extended logging.
choice | disable | Disable setting.
choice | enable | Enable setting.
mode
string
    Choices:
  • add ←
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
string
List name.
options
string
    Choices:
  • allow-dns
  • allow-icmp
  • allow-http
  • allow-ssl
  • allow-quic
NO DESCRIPTION PARSED ENTER MANUALLY
FLAG Based Options. Specify multiple in list form.
flag | allow-dns | Allow DNS.
flag | allow-icmp | Allow ICMP.
flag | allow-http | Allow generic HTTP web browsing.
flag | allow-ssl | Allow generic SSL communication.
flag | allow-quic | Allow QUIC.
other_application_action
string
    Choices:
  • pass
  • block
Action for other applications.
choice | pass | Allow sessions matching an application in this application list.
choice | block | Block sessions matching an application in this application list.
other_application_log
string
    Choices:
  • disable
  • enable
Enable/disable logging for other applications.
choice | disable | Disable logging for other applications.
choice | enable | Enable logging for other applications.
p2p_black_list
string
    Choices:
  • skype
  • edonkey
  • bittorrent
NO DESCRIPTION PARSED ENTER MANUALLY
FLAG Based Options. Specify multiple in list form.
flag | skype | Skype.
flag | edonkey | Edonkey.
flag | bittorrent | Bit torrent.
replacemsg_group
string
Replacement message group.
unknown_application_action
string
    Choices:
  • pass
  • block
Pass or block traffic from unknown applications.
choice | pass | Pass or allow unknown applications.
choice | block | Drop or block unknown applications.
unknown_application_log
string
    Choices:
  • disable
  • enable
Enable/disable logging for unknown applications.
choice | disable | Disable logging for unknown applications.
choice | enable | Enable logging for unknown applications.

Examples

- name: DELETE Profile
  community.network.fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "delete"

- name: CREATE Profile
  community.network.fmgr_secprof_appctrl:
    name: "Ansible_Application_Control_Profile"
    comment: "Created by Ansible Module TEST"
    mode: "set"
    entries: [{
              action: "block",
              log: "enable",
              log-packet: "enable",
              protocols: ["1"],
              quarantine: "attacker",
              quarantine-log: "enable",
              },
              {action: "pass",
              category: ["2","3","4"]},
            ]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Authors

  • Luke Weighall (@lweighall)

  • Andrew Welsh (@Ghilli3)

  • Jim Huber (@p4r4n0y1ng)