fortinet.fortimanager.fmgr_pkg_firewall_proxypolicy – Configure proxy policies.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.4).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_pkg_firewall_proxypolicy.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Each entry below gives the parameter name, its type, its choices or default (← marks the default), and a description.
adom
string / required
The ADOM (administrative domain) name used in the requested URL.
bypass_validation
boolean
    Choices:
  • no ←
  • yes
Set to True only when the module schema differs from the FortiManager API structure; the module then continues without validating parameters against its schema.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
pkg
string / required
The policy package name used in the requested URL.
pkg_firewall_proxypolicy
dictionary
The proxy policy object; all keys listed below are nested under this parameter.
access-proxy
string
Access Proxy.
action
string
    Choices:
  • accept
  • deny
  • redirect
Action for traffic matching the policy parameters: accept, deny, or redirect (see redirect-url).
application-list
string
Name of an existing Application list.
av-profile
string
Name of an existing Antivirus profile.
cifs-profile
string
Name of an existing CIFS profile.
comments
string
Optional comments.
decrypted-traffic-mirror
string
Decrypted traffic mirror.
device-ownership
string
    Choices:
  • disable
  • enable
When enabled, the ownership enforcement will be done at policy level.
disclaimer
string
    Choices:
  • disable
  • domain
  • policy
  • user
Web proxy disclaimer setting: by domain, policy, or user.
dlp-sensor
string
Name of an existing DLP sensor.
dstaddr
string
Destination address objects.
dstaddr-negate
string
    Choices:
  • disable
  • enable
When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
dstaddr6
string
IPv6 destination address objects.
dstintf
string
Destination interface names.
emailfilter-profile
string
Name of an existing email filter profile.
file-filter-profile
string
Name of an existing file-filter profile.
global-label
string
Global web-based manager visible label.
groups
string
Names of group objects.
http-tunnel-auth
string
    Choices:
  • disable
  • enable
Enable/disable HTTP tunnel authentication.
icap-profile
string
Name of an existing ICAP profile.
internet-service
string
    Choices:
  • disable
  • enable
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
internet-service-custom
string
Custom Internet Service name.
internet-service-custom-group
string
Custom Internet Service group name.
internet-service-group
string
Internet Service group name.
internet-service-id
string
Internet Service ID.
internet-service-name
string
Internet Service name.
internet-service-negate
string
    Choices:
  • disable
  • enable
When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
ips-sensor
string
Name of an existing IPS sensor.
label
string
VDOM-specific GUI visible label.
logtraffic
string
    Choices:
  • disable
  • all
  • utm
Logging of traffic through the policy: disable, all sessions, or utm (security events only).
logtraffic-start
string
    Choices:
  • disable
  • enable
Enable/disable policy log traffic start.
mms-profile
string
Name of an existing MMS profile.
name
string
Policy name.
policyid
integer
Policy ID.
poolname
string
Name of IP pool object.
profile-group
string
Name of profile group.
profile-protocol-options
string
Name of an existing Protocol options profile.
profile-type
string
    Choices:
  • single
  • group
Determine whether the firewall policy allows security profile groups or single profiles only.
proxy
string
    Choices:
  • explicit-web
  • transparent-web
  • ftp
  • wanopt
  • ssh
  • ssh-tunnel
  • access-proxy
Type of explicit proxy.
redirect-url
string
Redirect URL for further explicit web proxy processing.
replacemsg-override-group
string
Authentication replacement message override group.
scan-botnet-connections
string
    Choices:
  • disable
  • block
  • monitor
Enable/disable scanning of connections to Botnet servers.
schedule
string
Name of schedule object.
service
string
Name of service objects.
service-negate
string
    Choices:
  • disable
  • enable
When enabled, services match against any service EXCEPT the specified destination services.
session-ttl
integer
TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
spamfilter-profile
string
Name of an existing Spam filter profile.
srcaddr
string
Source address objects (must be set when using Web proxy).
srcaddr-negate
string
    Choices:
  • disable
  • enable
When enabled, source addresses match against any address EXCEPT the specified source addresses.
srcaddr6
string
IPv6 source address objects.
srcintf
string
Source interface names.
ssh-filter-profile
string
Name of an existing SSH filter profile.
ssh-policy-redirect
string
    Choices:
  • disable
  • enable
Redirect SSH traffic to matching transparent proxy policy.
ssl-ssh-profile
string
Name of an existing SSL SSH profile.
status
string
    Choices:
  • disable
  • enable
Enable/disable the active status of the policy.
tags
string
Names of object-tags applied to address. Tags need to be preconfigured in config system object-tag. Separate multiple tags wit...
transparent
string
    Choices:
  • disable
  • enable
Enable to use the IP address of the client to connect to the server.
users
string
Names of user objects.
utm-status
string
    Choices:
  • disable
  • enable
Enable the use of UTM profiles/sensors/lists.
uuid
string
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
videofilter-profile
string
Name of an existing VideoFilter profile.
voip-profile
string
Name of an existing VoIP profile.
waf-profile
string
Name of an existing Web application firewall profile.
webcache
string
    Choices:
  • disable
  • enable
Enable/disable web caching.
webcache-https
string
    Choices:
  • disable
  • enable
Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
webfilter-profile
string
Name of an existing Web filter profile.
webproxy-forward-server
string
Name of web proxy forward server.
webproxy-profile
string
Name of web proxy profile.
ztna-ems-tag
string
ZTNA EMS Tag names.
proposed_method
string
    Choices:
  • update
  • set
  • add
Overrides the JSON-RPC method used for the underlying request (update, set, or add).
rc_failed
list / elements=string
List of return codes that override the default failure condition: the task fails when the API returns one of them.
rc_succeeded
list / elements=string
List of return codes that override the default success condition: the task succeeds when the API returns one of them.
state
string / required
    Choices:
  • present
  • absent
Whether the object should exist: present creates or updates it, absent deletes it.
workspace_locking_adom
string
The ADOM to lock when FortiManager runs in workspace mode; the value can be global or any ADOM name, including root.
workspace_locking_timeout
integer
Default:
300
Maximum time in seconds to wait for another user to release the workspace lock.

Notes

Note

  • Workspace locking mode is supported by this module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control which ADOM is locked and how long to wait for the lock.

  • To create or update an object, use the state: present directive.

  • To delete an object, use the state: absent directive.

  • By default the task fails when the API returns a non-zero return code. The parameters rc_failed and rc_succeeded override which return codes count as failure or success.

Examples

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    # Disables TLS certificate validation of the FortiManager endpoint. Acceptable only
    # in a lab: the httpapi connection sends the login credentials over this session.
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: retrieve all the proxy policies
      fmgr_fact:
        facts:
          selector: 'pkg_firewall_proxypolicy'
          params:
            adom: 'ansible'
            proxy-policy: ''   # empty policy ID returns every proxy policy in the package
            pkg: 'ansible'     # package name
- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False   # lab only; see the note above
    ansible_httpapi_port: 443
  tasks:
    - name: Configure proxy policies.
      fmgr_pkg_firewall_proxypolicy:
        bypass_validation: False   # keep False so parameters are validated against the module schema
        adom: ansible
        pkg: ansible # package name
        state: present
        pkg_firewall_proxypolicy:
          action: accept #<value in [accept, deny, redirect]>
          comments: ansible-comment
          dstaddr: all
          dstintf: any
          policyid: 1
          schedule: always
          service: ALL
          srcaddr: all
          srcintf: any
          status: disable   # policy is created inactive; set to enable to put it in service
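The examples above create a disabled, uninspected policy. The playbook below is an added example, not part of the module documentation or the collection, showing the full lifecycle a practitioner would actually run: certificate validation left on, the ADOM locked for workspace mode, a policy created with UTM inspection and full logging, the object read back and asserted, and a tagged cleanup play that removes it with state: absent. The ADOM, package, policy ID, and the address, service and security-profile object names (corp-lan, webproxy, deep-inspection, corp-web, corp-av, corp-ips) are assumptions; they must already exist in the ADOM. The fact return path meta.response is assumed from fmgr_fact's return format.

```yaml
- name: Create and verify an explicit web proxy policy (added example; object names are assumed)
  hosts: fortimanager00
  gather_facts: false
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on outside the lab: the httpapi session carries
    # the FortiManager login credentials, so a spoofed endpoint would capture them.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
    fmg_adom: ansible          # assumed ADOM name
    fmg_pkg: ansible           # assumed policy package name
    proxy_policy_id: 10        # assumed unused policy ID in that package
  tasks:
    - name: Create or update the policy with inspection and full logging
      fmgr_pkg_firewall_proxypolicy:
        adom: "{{ fmg_adom }}"
        pkg: "{{ fmg_pkg }}"
        state: present
        # Lock the ADOM while editing when FortiManager runs in workspace mode.
        workspace_locking_adom: "{{ fmg_adom }}"
        workspace_locking_timeout: 300
        pkg_firewall_proxypolicy:
          policyid: "{{ proxy_policy_id }}"
          name: corp-explicit-web        # assumed policy name
          proxy: explicit-web
          srcintf: any
          dstintf: any
          srcaddr: corp-lan              # assumed address object; srcaddr is required for web proxy
          dstaddr: all
          service: webproxy              # assumed service object for the explicit proxy listener
          schedule: always
          action: accept
          status: enable
          # utm-status must be enabled for the profiles below to take effect.
          utm-status: enable
          profile-type: single
          ssl-ssh-profile: deep-inspection   # assumed; needed to inspect TLS content
          webfilter-profile: corp-web        # assumed
          av-profile: corp-av                # assumed
          ips-sensor: corp-ips               # assumed
          logtraffic: all
          logtraffic-start: enable
          comments: "managed by ansible; do not edit by hand"
      register: create_result

    - name: Read the policy back by ID
      fmgr_fact:
        facts:
          selector: pkg_firewall_proxypolicy
          params:
            adom: "{{ fmg_adom }}"
            pkg: "{{ fmg_pkg }}"
            proxy-policy: "{{ proxy_policy_id }}"
      register: policy_facts

    - name: Fail the run if the create did not succeed or the object is missing
      ansible.builtin.assert:
        that:
          - create_result.response_code == 0
          - policy_facts.meta.response.policyid | int == proxy_policy_id | int
        fail_msg: "proxy policy {{ proxy_policy_id }} was not created in package {{ fmg_pkg }}"

- name: Remove the policy again (only runs with --tags cleanup)
  hosts: fortimanager00
  gather_facts: false
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Delete the proxy policy by ID
      fmgr_pkg_firewall_proxypolicy:
        adom: ansible
        pkg: ansible
        state: absent
        workspace_locking_adom: ansible
        pkg_firewall_proxypolicy:
          policyid: 10
      tags: [cleanup, never]
```

Run the first play as-is; the cleanup play is tagged never so it executes only with `ansible-playbook ... --tags cleanup`. The assert on response_code relies on the module's documented return value; if the policy package or any referenced object does not exist, FortiManager returns a non-zero code and the task fails before the assert is reached.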

Return Values

Common return values are documented in the Ansible return value reference; the following fields are unique to this module:

Each entry below gives the key, when it is returned, and a description.
request_url
string
always
The full URL requested

Sample:
/sys/login/user
response_code
integer
always
The status code returned for the API request

response_message
string
always
The descriptive message of the API response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)