fortinet.fortimanager.fmgr_application_list module – Configure application control lists.

Note

This module is part of the fortinet.fortimanager collection (version 2.4.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_application_list.

New in fortinet.fortimanager 1.0.0

Synopsis

• This module is able to configure a FortiManager device.

• Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter	Comments
access_token string	The token to access FortiManager without using username and password.
adom string / required	The parameter (adom) in requested url.
application_list dictionary	The top level parameters set.
app-replacemsg string	Deprecated, please rename it to app_replacemsg. Enable/disable replacement messages for blocked applications. Choices: "disable" "enable"
comment string	Comments
control-default-network-services string	Deprecated, please rename it to control_default_network_services. Enable/disable enforcement of protocols over selected ports. Choices: "disable" "enable"
deep-app-inspection string	Deprecated, please rename it to deep_app_inspection. Enable/disable deep application inspection. Choices: "disable" "enable"
default-network-services list / elements=dictionary	Deprecated, please rename it to default_network_services. Default-Network-Services.
id integer	Entry ID.
port integer	Port number.
services list / elements=string	Network protocols. Choices: "http" "ssh" "telnet" "ftp" "dns" "smtp" "pop3" "imap" "snmp" "nntp" "https"
violation-action string	Deprecated, please rename it to violation_action. Action for protocols not white listed under selected port. Choices: "block" "monitor" "pass"
enforce-default-app-port string	Deprecated, please rename it to enforce_default_app_port. Enable/disable default application port enforcement for allowed … Choices: "disable" "enable"
entries list / elements=dictionary	Entries.
action string	Pass or block traffic, or reset connection for traffic from this application. Choices: "pass" "block" "reset"
application any	(list) ID of allowed applications.
behavior any	(list) Application behavior filter.
category any	(list or str) Category ID list.
exclusion any	(list) ID of excluded applications.
id integer	Entry ID.
log string	Enable/disable logging for this application list. Choices: "disable" "enable"
log-packet string	Deprecated, please rename it to log_packet. Enable/disable packet logging. Choices: "disable" "enable"
parameters list / elements=dictionary	Parameters.
id integer	Parameter ID.
members list / elements=dictionary	Members.
id integer	Parameter.
name string	Parameter name.
value string	Parameter value.
value string	Parameter value.
per-ip-shaper string	Deprecated, please rename it to per_ip_shaper. Per-IP traffic shaper.
popularity list / elements=string	Application popularity filter Choices: "1" "2" "3" "4" "5"
protocols any	(list) Application protocol filter.
quarantine string	Quarantine method. Choices: "none" "attacker"
quarantine-expiry string	Deprecated, please rename it to quarantine_expiry. Duration of quarantine.
quarantine-log string	Deprecated, please rename it to quarantine_log. Enable/disable quarantine logging. Choices: "disable" "enable"
rate-count integer	Deprecated, please rename it to rate_count. Count of the rate.
rate-duration integer	Deprecated, please rename it to rate_duration. Duration
rate-mode string	Deprecated, please rename it to rate_mode. Rate limit mode. Choices: "periodical" "continuous"
rate-track string	Deprecated, please rename it to rate_track. Track the packet protocol field. Choices: "none" "src-ip" "dest-ip" "dhcp-client-mac" "dns-domain"
risk any	(list) Risk, or impact, of allowing traffic from this application to occur
session-ttl integer	Deprecated, please rename it to session_ttl. Session TTL
shaper string	Traffic shaper.
shaper-reverse string	Deprecated, please rename it to shaper_reverse. Reverse traffic shaper.
sub-category any	(list) Deprecated, please rename it to sub_category. Application Sub-category ID list.
tags string	Tag filter.
technology any	(list) Application technology filter.
vendor any	(list) Application vendor filter.
extended-log string	Deprecated, please rename it to extended_log. Enable/disable extended logging. Choices: "disable" "enable"
force-inclusion-ssl-di-sigs string	Deprecated, please rename it to force_inclusion_ssl_di_sigs. Enable/disable forced inclusion of SSL deep inspection signat… Choices: "disable" "enable"
name string / required	List name.
options list / elements=string	Basic application protocol signatures allowed by default. Choices: "allow-dns" "allow-icmp" "allow-http" "allow-ssl" "allow-quic"
other-application-action string	Deprecated, please rename it to other_application_action. Action for other applications. Choices: "pass" "block"
other-application-log string	Deprecated, please rename it to other_application_log. Enable/disable logging for other applications. Choices: "disable" "enable"
p2p-black-list list / elements=string	Deprecated, please rename it to p2p_black_list. P2P applications to be black listed. Choices: "skype" "edonkey" "bittorrent"
p2p-block-list list / elements=string	Deprecated, please rename it to p2p_block_list. P2P applications to be blocklisted. Choices: "skype" "edonkey" "bittorrent"
replacemsg-group string	Deprecated, please rename it to replacemsg_group. Replacement message group.
unknown-application-action string	Deprecated, please rename it to unknown_application_action. Pass or block traffic from unknown applications. Choices: "pass" "block"
unknown-application-log string	Deprecated, please rename it to unknown_application_log. Enable/disable logging for unknown applications. Choices: "disable" "enable"
bypass_validation boolean	Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. Choices: false ← (default) true
enable_log boolean	Enable/Disable logging for task. Choices: false ← (default) true
forticloud_access_token string	Authenticate Ansible client with forticloud API access token.
proposed_method string	The overridden method for the underlying Json RPC request. Choices: "update" "set" "add"
rc_failed list / elements=integer	The rc codes list with which the conditions to fail will be overriden.
rc_succeeded list / elements=integer	The rc codes list with which the conditions to succeed will be overriden.
state string / required	The directive to create, update or delete an object. Choices: "present" "absent"
workspace_locking_adom string	The adom to lock for FortiManager running in workspace mode, the value can be global and others including root.
workspace_locking_timeout integer	The maximum time in seconds to wait for other user to release the workspace lock. Default: 300

Notes

Note

• Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

• Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

• To create or update an object, use state present directive.

• To delete an object, use state absent directive.

• Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure application control lists.
      fortinet.fortimanager.fmgr_application_list:
        adom: ansible
        state: present
        application_list:
          app-replacemsg: enable
          comment: "ansible-test-comment"
          deep-app-inspection: enable
          extended-log: disable
          name: "ansible-test"
          other-application-action: pass
          other-application-log: disable
          unknown-application-action: pass
          unknown-application-log: disable

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the application list
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "application_list"
          params:
            adom: "ansible"
            list: "your_value"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
meta dictionary	The result of the request. Returned: always
request_url string	The full url requested. Returned: always Sample: "/sys/login/user"
response_code integer	The status of api request. Returned: always Sample: 0
response_data list / elements=string	The api response. Returned: always
response_message string	The descriptive message of the api response. Returned: always Sample: "OK."
system_information dictionary	The information of the target system. Returned: always
rc integer	The status the request. Returned: always Sample: 0
version_check_warning list / elements=string	Warning if the parameters used in the playbook are not supported by the current FortiManager version. Returned: complex

Authors

• Xinwei Du (@dux-fortinet)

• Xing Li (@lix-fortinet)

• Jie Xue (@JieX19)

• Link Zheng (@chillancezen)

• Frank Shen (@fshen01)

• Hongbin Lu (@fgtdev-hblu)

Collection links

• Issue Tracker
• Homepage
• Repository (Sources)