fortinet.fortimanager.fmgr_pkg_header_policy – Configure IPv4/IPv6 policies.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.4).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_pkg_header_policy.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
bypass_validation
boolean
    Choices:
  • no ←
  • yes
Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
pkg
string / required
the parameter (pkg) in requested url
pkg_header_policy
dictionary
the top level parameters set
action
string
    Choices:
  • deny
  • accept
  • ipsec
  • ssl-vpn
no description
active-auth-method
string
    Choices:
  • ntlm
  • basic
  • digest
  • form
no description
anti-replay
string
    Choices:
  • disable
  • enable
no description
app-category
string
no description
app-group
string
no description
application
integer
no description
application-charts
list / elements=string
    Choices:
  • top10-app
  • top10-p2p-user
  • top10-media-user
no description
application-list
string
no description
auth-cert
string
no description
auth-method
string
    Choices:
  • basic
  • digest
  • ntlm
  • fsae
  • form
  • fsso
  • rsso
no description
auth-path
string
    Choices:
  • disable
  • enable
no description
auth-portal
string
    Choices:
  • disable
  • enable
no description
auth-redirect-addr
string
no description
auto-asic-offload
string
    Choices:
  • disable
  • enable
no description
av-profile
string
no description
bandwidth
string
    Choices:
  • disable
  • enable
no description
best-route
string
    Choices:
  • disable
  • enable
no description
block-notification
string
    Choices:
  • disable
  • enable
no description
captive-portal-exempt
string
    Choices:
  • disable
  • enable
no description
capture-packet
string
    Choices:
  • disable
  • enable
no description
casi-profile
string
no description
central-nat
string
    Choices:
  • disable
  • enable
no description
cgn-eif
string
    Choices:
  • disable
  • enable
no description
cgn-eim
string
    Choices:
  • disable
  • enable
no description
cgn-log-server-grp
string
no description
cgn-resource-quota
integer
no description
cgn-session-quota
integer
no description
cifs-profile
string
no description
client-reputation
string
    Choices:
  • disable
  • enable
no description
client-reputation-mode
string
    Choices:
  • learning
  • monitoring
no description
comments
string
no description
custom-log-fields
string
no description
decrypted-traffic-mirror
string
no description
deep-inspection-options
string
no description
delay-tcp-npu-session
string
    Choices:
  • disable
  • enable
no description
delay-tcp-npu-sessoin
string
    Choices:
  • disable
  • enable
no description
device-detection-portal
string
    Choices:
  • disable
  • enable
no description
devices
string
no description
diffserv-forward
string
    Choices:
  • disable
  • enable
no description
diffserv-reverse
string
    Choices:
  • disable
  • enable
no description
diffservcode-forward
string
no description
diffservcode-rev
string
no description
disclaimer
string
    Choices:
  • disable
  • enable
no description
dlp-sensor
string
no description
dnsfilter-profile
string
no description
dponly
string
    Choices:
  • disable
  • enable
no description
dscp-match
string
    Choices:
  • disable
  • enable
no description
dscp-negate
string
    Choices:
  • disable
  • enable
no description
dscp-value
string
no description
dsri
string
    Choices:
  • disable
  • enable
no description
dstaddr
string
no description
dstaddr-negate
string
    Choices:
  • disable
  • enable
no description
dstaddr6
string
no description
dstintf
string
no description
dynamic-profile
string
    Choices:
  • disable
  • enable
no description
dynamic-profile-access
list / elements=string
    Choices:
  • imap
  • smtp
  • pop3
  • http
  • ftp
  • im
  • nntp
  • imaps
  • smtps
  • pop3s
  • https
  • ftps
  • ssh
no description
dynamic-profile-fallthrough
string
    Choices:
  • disable
  • enable
no description
dynamic-profile-group
string
no description
dynamic-shaping
string
    Choices:
  • disable
  • enable
Enable/disable dynamic RADIUS defined traffic shaping.
email-collect
string
    Choices:
  • disable
  • enable
no description
email-collection-portal
string
    Choices:
  • disable
  • enable
no description
emailfilter-profile
string
no description
endpoint-check
string
    Choices:
  • disable
  • enable
no description
endpoint-compliance
string
    Choices:
  • disable
  • enable
no description
endpoint-keepalive-interface
string
no description
endpoint-profile
string
no description
failed-connection
string
    Choices:
  • disable
  • enable
no description
fall-through-unauthenticated
string
    Choices:
  • disable
  • enable
no description
file-filter-profile
string
no description
firewall-session-dirty
string
    Choices:
  • check-all
  • check-new
no description
fixedport
string
    Choices:
  • disable
  • enable
no description
forticlient-compliance-devices
list / elements=string
    Choices:
  • windows-pc
  • mac
  • iphone-ipad
  • android
no description
forticlient-compliance-enforcement-portal
string
    Choices:
  • disable
  • enable
no description
fsae
string
    Choices:
  • disable
  • enable
no description
fsae-server-for-ntlm
string
no description
fsso
string
    Choices:
  • disable
  • enable
no description
fsso-agent-for-ntlm
string
no description
fsso-groups
string
no description
geo-location
string
    Choices:
  • disable
  • enable
no description
geoip-anycast
string
    Choices:
  • disable
  • enable
no description
geoip-match
string
    Choices:
  • physical-location
  • registered-location
no description
global-label
string
no description
groups
string
no description
gtp-profile
string
no description
http-policy-redirect
string
    Choices:
  • disable
  • enable
no description
icap-profile
string
no description
identity-based
string
    Choices:
  • disable
  • enable
no description
identity-based-policy
list / elements=string
no description
action
string
    Choices:
  • deny
  • accept
no description
application-charts
list / elements=string
    Choices:
  • top10-app
  • top10-p2p-user
  • top10-media-user
no description
application-list
string
no description
av-profile
string
no description
capture-packet
string
    Choices:
  • disable
  • enable
no description
deep-inspection-options
string
no description
devices
string
no description
dlp-sensor
string
no description
dstaddr
string
no description
dstaddr-negate
string
    Choices:
  • disable
  • enable
no description
endpoint-compliance
string
    Choices:
  • disable
  • enable
no description
groups
string
no description
icap-profile
string
no description
id
integer
no description
ips-sensor
string
no description
logtraffic
string
    Choices:
  • disable
  • enable
  • all
  • utm
no description
logtraffic-app
string
    Choices:
  • disable
  • enable
no description
logtraffic-start
string
    Choices:
  • disable
  • enable
no description
mms-profile
string
no description
per-ip-shaper
string
no description
profile-group
string
no description
profile-protocol-options
string
no description
profile-type
string
    Choices:
  • single
  • group
no description
replacemsg-group
string
no description
schedule
string
no description
send-deny-packet
string
    Choices:
  • disable
  • enable
no description
service
string
no description
service-negate
string
    Choices:
  • disable
  • enable
no description
spamfilter-profile
string
no description
sslvpn-portal
string
no description
sslvpn-realm
string
no description
traffic-shaper
string
no description
traffic-shaper-reverse
string
no description
users
string
no description
utm-status
string
    Choices:
  • disable
  • enable
no description
voip-profile
string
no description
webfilter-profile
string
no description
identity-based-route
string
no description
identity-from
string
    Choices:
  • auth
  • device
no description
inbound
string
    Choices:
  • disable
  • enable
no description
inspection-mode
string
    Choices:
  • proxy
  • flow
no description
internet-service
string
    Choices:
  • disable
  • enable
no description
internet-service-custom
string
no description
internet-service-custom-group
string
no description
internet-service-group
string
no description
internet-service-id
string
no description
internet-service-name
string
no description
internet-service-negate
string
    Choices:
  • disable
  • enable
no description
internet-service-src
string
    Choices:
  • disable
  • enable
no description
internet-service-src-custom
string
no description
internet-service-src-custom-group
string
no description
internet-service-src-group
string
no description
internet-service-src-id
string
no description
internet-service-src-name
string
no description
internet-service-src-negate
string
    Choices:
  • disable
  • enable
no description
ip-based
string
    Choices:
  • disable
  • enable
no description
ippool
string
    Choices:
  • disable
  • enable
no description
ips-sensor
string
no description
label
string
no description
learning-mode
string
    Choices:
  • disable
  • enable
no description
log-unmatched-traffic
string
    Choices:
  • disable
  • enable
no description
logtraffic
string
    Choices:
  • disable
  • enable
  • all
  • utm
no description
logtraffic-app
string
    Choices:
  • disable
  • enable
no description
logtraffic-start
string
    Choices:
  • disable
  • enable
no description
match-vip
string
    Choices:
  • disable
  • enable
no description
match-vip-only
string
    Choices:
  • disable
  • enable
no description
mms-profile
string
no description
name
string
no description
nat
string
    Choices:
  • disable
  • enable
no description
natinbound
string
    Choices:
  • disable
  • enable
no description
natip
string
no description
natoutbound
string
    Choices:
  • disable
  • enable
no description
np-acceleration
string
    Choices:
  • disable
  • enable
no description
ntlm
string
    Choices:
  • disable
  • enable
no description
ntlm-enabled-browsers
string
no description
ntlm-guest
string
    Choices:
  • disable
  • enable
no description
outbound
string
    Choices:
  • disable
  • enable
no description
passive-wan-health-measurement
string
    Choices:
  • disable
  • enable
Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
per-ip-shaper
string
no description
permit-any-host
string
    Choices:
  • disable
  • enable
no description
permit-stun-host
string
    Choices:
  • disable
  • enable
no description
policy-offload
string
    Choices:
  • disable
  • enable
no description
policyid
integer
no description
poolname
string
no description
poolname6
string
no description
profile-group
string
no description
profile-protocol-options
string
no description
profile-type
string
    Choices:
  • single
  • group
no description
radius-mac-auth-bypass
string
    Choices:
  • disable
  • enable
no description
redirect-url
string
no description
replacemsg-group
string
no description
replacemsg-override-group
string
no description
reputation-direction
string
    Choices:
  • source
  • destination
no description
reputation-minimum
integer
no description
require-tfa
string
    Choices:
  • disable
  • enable
no description
rsso
string
    Choices:
  • disable
  • enable
no description
rtp-addr
string
no description
rtp-nat
string
    Choices:
  • disable
  • enable
no description
scan-botnet-connections
string
    Choices:
  • disable
  • block
  • monitor
no description
schedule
string
no description
schedule-timeout
string
    Choices:
  • disable
  • enable
no description
send-deny-packet
string
    Choices:
  • disable
  • enable
no description
service
string
no description
service-negate
string
    Choices:
  • disable
  • enable
no description
session-ttl
integer
no description
sessions
string
    Choices:
  • disable
  • enable
no description
spamfilter-profile
string
no description
src-vendor-mac
string
no description
srcaddr
string
no description
srcaddr-negate
string
    Choices:
  • disable
  • enable
no description
srcaddr6
string
no description
srcintf
string
no description
ssh-filter-profile
string
no description
ssh-policy-redirect
string
    Choices:
  • disable
  • enable
no description
ssl-mirror
string
    Choices:
  • disable
  • enable
no description
ssl-mirror-intf
string
no description
ssl-ssh-profile
string
no description
sslvpn-auth
string
    Choices:
  • any
  • local
  • radius
  • ldap
  • tacacs+
no description
sslvpn-ccert
string
    Choices:
  • disable
  • enable
no description
sslvpn-cipher
string
    Choices:
  • any
  • high
  • medium
no description
sso-auth-method
string
    Choices:
  • fsso
  • rsso
no description
status
string
    Choices:
  • disable
  • enable
no description
tags
string
no description
tcp-mss-receiver
integer
no description
tcp-mss-sender
integer
no description
tcp-reset
string
    Choices:
  • disable
  • enable
no description
tcp-session-without-syn
string
    Choices:
  • all
  • data-only
  • disable
no description
timeout-send-rst
string
    Choices:
  • disable
  • enable
no description
tos
string
no description
tos-mask
string
no description
tos-negate
string
    Choices:
  • disable
  • enable
no description
traffic-shaper
string
no description
traffic-shaper-reverse
string
no description
transaction-based
string
    Choices:
  • disable
  • enable
no description
url-category
string
no description
users
string
no description
utm-inspection-mode
string
    Choices:
  • proxy
  • flow
no description
utm-status
string
    Choices:
  • disable
  • enable
no description
uuid
string
no description
vendor-mac
string
no description
videofilter-profile
string
Name of an existing VideoFilter profile.
vlan-cos-fwd
integer
no description
vlan-cos-rev
integer
no description
vlan-filter
string
no description
voip-profile
string
no description
vpntunnel
string
no description
waf-profile
string
no description
wanopt
string
    Choices:
  • disable
  • enable
no description
wanopt-detection
string
    Choices:
  • active
  • passive
  • off
no description
wanopt-passive-opt
string
    Choices:
  • default
  • transparent
  • non-transparent
no description
wanopt-peer
string
no description
wanopt-profile
string
no description
wccp
string
    Choices:
  • disable
  • enable
no description
web-auth-cookie
string
    Choices:
  • disable
  • enable
no description
webcache
string
    Choices:
  • disable
  • enable
no description
webcache-https
string
    Choices:
  • disable
  • ssl-server
  • any
  • enable
no description
webfilter-profile
string
no description
webproxy-forward-server
string
no description
webproxy-profile
string
no description
wsso
string
    Choices:
  • disable
  • enable
no description
ztna-ems-tag
string
Source ztna-ems-tag names.
ztna-geo-tag
string
Source ztna-geo-tag names.
ztna-status
string
    Choices:
  • disable
  • enable
Enable/disable zero trust access.
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying Json RPC request
rc_failed
list / elements=string
the list of rc codes that override the conditions under which the module fails
rc_succeeded
list / elements=string
the list of rc codes that override the conditions under which the module succeeds
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
workspace_locking_adom
string
the ADOM to lock when FortiManager is running in workspace mode; the value can be global or another ADOM, including root
workspace_locking_timeout
integer
Default:
300
the maximum time in seconds to wait for another user to release the workspace lock

Notes

  • This FortiManager module supports running in workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use state present directive.

  • To delete an object, use state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions for failure or success with the parameters rc_failed and rc_succeeded.

Examples

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
   - name: retrieve all the IPv4 header policies
     fmgr_fact:
       facts:
           selector: 'pkg_header_policy'
           params:
               pkg: 'ansible'
               policy: ''
- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure IPv4 header policies.
     fmgr_pkg_header_policy:
        bypass_validation: False
        pkg: ansible
        state: present
        pkg_header_policy:
           action: accept #<value in [deny, accept, ipsec, ...]>
           comments: 'ansible-comment'
           dstaddr: gall
           dstintf: any
           name: ansible-test-header
           policyid: 1073741826 # must be larger than 2^30 (1073741824), since a header/footer policy is a special policy
           schedule: galways
           service: gALL
           srcaddr: gall
           srcintf: any
           status: disable
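
A hardened variant of the play above, added here as an illustration and not part of the module's own documentation: it verifies the FortiManager certificate, checks the 2^30 policyid floor before any API call, and uses the workspace_locking_* and rc_succeeded parameters described in the Notes. The variable names, locking the global ADOM, and treating rc -3 as "object does not exist" are assumptions to confirm against your FortiManager.

```yaml
- name: Manage a header policy with TLS verification and workspace locking
  hosts: fortimanager00                    # inventory name reused from the page's example
  gather_facts: false
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate
    ansible_httpapi_port: 443
    header_policy_id: 1073741826           # hypothetical variable; value from the page's example
    header_policy_floor: 1073741824        # hypothetical variable; 2^30
  tasks:
    - name: Stop before any API call if the id is not in the header/footer range
      ansible.builtin.assert:
        that:
          - header_policy_id | int > header_policy_floor | int
        fail_msg: "policyid {{ header_policy_id }} must be larger than 2^30"

    - name: Create or update the header policy (kept disabled, all traffic logged)
      fmgr_pkg_header_policy:
        workspace_locking_adom: global     # assumption: header policies are edited in the global ADOM
        workspace_locking_timeout: 300     # module default, in seconds
        pkg: ansible
        state: present
        pkg_header_policy:
          policyid: "{{ header_policy_id | int }}"
          name: ansible-test-header
          action: deny
          logtraffic: all
          status: disable
          srcintf: any
          dstintf: any
          srcaddr: gall                    # object names below are taken from the page's example
          dstaddr: gall
          service: gALL
          schedule: galways

    - name: Remove the header policy; an already-absent object is not a failure
      fmgr_pkg_header_policy:
        workspace_locking_adom: global
        pkg: ansible
        state: absent
        rc_succeeded: [0, -3]              # assumption: -3 means "object does not exist"
        pkg_header_policy:
          policyid: "{{ header_policy_id | int }}"
      tags: [never, cleanup]               # runs only when --tags cleanup is given
```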

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
request_url
string
always
The full url requested

Sample:
/sys/login/user
response_code
integer
always
The status of api request

response_message
string
always
The descriptive message of the api response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)