fortinet.fortimanager.fmgr_vpn_ssl_settings module – Configure SSL VPN.

Note

This module is part of the fortinet.fortimanager collection (version 2.4.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpn_ssl_settings.

New in fortinet.fortimanager 2.1.0

Synopsis

  • This module is able to configure a FortiManager device.

  • The examples include all parameters and values; adjust them to your own data sources before use.

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

bypass_validation

boolean

Set to true only when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

device

string / required

The parameter (device) in the requested URL.

enable_log

boolean

Enable/disable logging for the task.

Choices:

  • false ← (default)

  • true

forticloud_access_token

string

Authenticate the Ansible client with a FortiCloud API access token.

proposed_method

string

The method that overrides the default for the underlying JSON RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The list of rc codes that overrides the conditions under which the task fails.

rc_succeeded

list / elements=integer

The list of rc codes that overrides the conditions under which the task succeeds.

vdom

string / required

The parameter (vdom) in the requested URL.

vpn_ssl_settings

dictionary

The top-level parameter set.

algorithm

string

Force the SSL VPN security level.

Choices:

  • "default"

  • "high"

  • "low"

  • "medium"

auth-session-check-source-ip

string

Deprecated, please rename it to auth_session_check_source_ip. Enable/disable checking of source IP for authentication session.

Choices:

  • "disable"

  • "enable"

auth-timeout

integer

Deprecated, please rename it to auth_timeout. SSL VPN authentication timeout.

authentication-rule

list / elements=dictionary

Deprecated, please rename it to authentication_rule.

auth

string

SSL VPN authentication method restriction.

Choices:

  • "any"

  • "local"

  • "radius"

  • "ldap"

  • "tacacs+"

  • "peer"

cipher

string

SSL VPN cipher strength.

Choices:

  • "any"

  • "high"

  • "medium"

client-cert

string

Deprecated, please rename it to client_cert. Enable/disable the SSL VPN client certificate restriction.

Choices:

  • "disable"

  • "enable"

groups

any

(list or str) User groups.

id

integer

ID

portal

string

SSL VPN portal.

realm

string

SSL VPN realm.

source-address

any

(list or str) Deprecated, please rename it to source_address. Source address of incoming traffic.

source-address-negate

string

Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source-address6

any

(list or str) Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.

source-address6-negate

string

Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source-interface

any

(list or str) Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.

user-peer

string

Deprecated, please rename it to user_peer. Name of user peer.

users

any

(list or str) User name.

auto-tunnel-static-route

string

Deprecated, please rename it to auto_tunnel_static_route. Enable/disable to auto-create static routes for the SSL VPN tunn…

Choices:

  • "disable"

  • "enable"

banned-cipher

list / elements=string

Deprecated, please rename it to banned_cipher.

Choices:

  • "RSA"

  • "DH"

  • "DHE"

  • "ECDH"

  • "ECDHE"

  • "DSS"

  • "ECDSA"

  • "AES"

  • "AESGCM"

  • "CAMELLIA"

  • "3DES"

  • "SHA1"

  • "SHA256"

  • "SHA384"

  • "STATIC"

  • "CHACHA20"

  • "ARIA"

  • "AESCCM"

browser-language-detection

string

Deprecated, please rename it to browser_language_detection. Enable/disable overriding the configured system language based…

Choices:

  • "disable"

  • "enable"

check-referer

string

Deprecated, please rename it to check_referer. Enable/disable verification of referer field in HTTP request header.

Choices:

  • "disable"

  • "enable"

ciphersuite

list / elements=string

No description.

Choices:

  • "TLS-AES-128-GCM-SHA256"

  • "TLS-AES-256-GCM-SHA384"

  • "TLS-CHACHA20-POLY1305-SHA256"

  • "TLS-AES-128-CCM-SHA256"

  • "TLS-AES-128-CCM-8-SHA256"

client-sigalgs

string

Deprecated, please rename it to client_sigalgs. Set signature algorithms related to client authentication.

Choices:

  • "no-rsa-pss"

  • "all"

default-portal

string

Deprecated, please rename it to default_portal. Default SSL VPN portal.

deflate-compression-level

integer

Deprecated, please rename it to deflate_compression_level. Compression level.

deflate-min-data-size

integer

Deprecated, please rename it to deflate_min_data_size. Minimum amount of data that triggers compression.

dns-server1

string

Deprecated, please rename it to dns_server1. DNS server 1.

dns-server2

string

Deprecated, please rename it to dns_server2. DNS server 2.

dns-suffix

string

Deprecated, please rename it to dns_suffix. DNS suffix used for SSL VPN clients.

dtls-heartbeat-fail-count

integer

Deprecated, please rename it to dtls_heartbeat_fail_count. Number of missing heartbeats before the connection is considere…

dtls-heartbeat-idle-timeout

integer

Deprecated, please rename it to dtls_heartbeat_idle_timeout. Idle timeout before DTLS heartbeat is sent.

dtls-heartbeat-interval

integer

Deprecated, please rename it to dtls_heartbeat_interval. Interval between DTLS heartbeat.

dtls-hello-timeout

integer

Deprecated, please rename it to dtls_hello_timeout. SSL VPN maximum DTLS hello timeout.

dtls-max-proto-ver

string

Deprecated, please rename it to dtls_max_proto_ver. DTLS maximum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls-min-proto-ver

string

Deprecated, please rename it to dtls_min_proto_ver. DTLS minimum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls-tunnel

string

Deprecated, please rename it to dtls_tunnel. Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

Choices:

  • "disable"

  • "enable"

dual-stack-mode

string

Deprecated, please rename it to dual_stack_mode. Tunnel mode.

Choices:

  • "disable"

  • "enable"

encode-2f-sequence

string

Deprecated, please rename it to encode_2f_sequence. Encode 2F sequence to forward slash in URLs.

Choices:

  • "disable"

  • "enable"

encrypt-and-store-password

string

Deprecated, please rename it to encrypt_and_store_password. Encrypt and store user passwords for SSL VPN web sessions.

Choices:

  • "disable"

  • "enable"

force-two-factor-auth

string

Deprecated, please rename it to force_two_factor_auth. Enable/disable only PKI users with two-factor authentication for SS…

Choices:

  • "disable"

  • "enable"

header-x-forwarded-for

string

Deprecated, please rename it to header_x_forwarded_for. Forward the same, add, or remove HTTP header.

Choices:

  • "pass"

  • "add"

  • "remove"

hsts-include-subdomains

string

Deprecated, please rename it to hsts_include_subdomains. Add HSTS includeSubDomains response header.

Choices:

  • "disable"

  • "enable"

http-compression

string

Deprecated, please rename it to http_compression. Enable/disable to allow HTTP compression over SSL VPN tunnels.

Choices:

  • "disable"

  • "enable"

http-only-cookie

string

Deprecated, please rename it to http_only_cookie. Enable/disable SSL VPN support for HttpOnly cookies.

Choices:

  • "disable"

  • "enable"

http-request-body-timeout

integer

Deprecated, please rename it to http_request_body_timeout. SSL VPN session is disconnected if an HTTP request body is not …

http-request-header-timeout

integer

Deprecated, please rename it to http_request_header_timeout. SSL VPN session is disconnected if an HTTP request header is …

https-redirect

string

Deprecated, please rename it to https_redirect. Enable/disable redirect of port 80 to SSL VPN port.

Choices:

  • "disable"

  • "enable"

idle-timeout

integer

Deprecated, please rename it to idle_timeout. SSL VPN disconnects if idle for specified time in seconds.

ipv6-dns-server1

string

Deprecated, please rename it to ipv6_dns_server1. IPv6 DNS server 1.

ipv6-dns-server2

string

Deprecated, please rename it to ipv6_dns_server2. IPv6 DNS server 2.

ipv6-wins-server1

string

Deprecated, please rename it to ipv6_wins_server1. IPv6 WINS server 1.

ipv6-wins-server2

string

Deprecated, please rename it to ipv6_wins_server2. IPv6 WINS server 2.

login-attempt-limit

integer

Deprecated, please rename it to login_attempt_limit. Maximum number of SSL VPN login attempts before the user is blocked.

login-block-time

integer

Deprecated, please rename it to login_block_time. Time for which a user is blocked from logging in after too many failed l…

login-timeout

integer

Deprecated, please rename it to login_timeout. SSL VPN maximum login timeout.

port

integer

SSL VPN access port.

port-precedence

string

Deprecated, please rename it to port_precedence. Enable/disable, Enable means that if SSL VPN connections are allowed on a…

Choices:

  • "disable"

  • "enable"

reqclientcert

string

Enable/disable to require client certificates for all SSL VPN users.

Choices:

  • "disable"

  • "enable"

route-source-interface

string

Deprecated, please rename it to route_source_interface. Enable/disable to allow SSL VPN sessions to bypass routing and bin…

Choices:

  • "disable"

  • "enable"

saml-redirect-port

integer

Deprecated, please rename it to saml_redirect_port. SAML local redirect port on the machine running FortiClient.

server-hostname

string

Deprecated, please rename it to server_hostname. Server hostname for HTTPS.

servercert

string

Name of the server certificate to be used for SSL VPNs.

source-address

any

(list or str) Deprecated, please rename it to source_address. Source address of incoming traffic.

source-address-negate

string

Deprecated, please rename it to source_address_negate. Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source-address6

any

(list or str) Deprecated, please rename it to source_address6. IPv6 source address of incoming traffic.

source-address6-negate

string

Deprecated, please rename it to source_address6_negate. Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source-interface

any

(list or str) Deprecated, please rename it to source_interface. SSL VPN source interface of incoming traffic.

ssl-big-buffer

string

Deprecated, please rename it to ssl_big_buffer. Disable using the big SSLv3 buffer feature to save memory and force higher…

Choices:

  • "disable"

  • "enable"

ssl-client-renegotiation

string

Deprecated, please rename it to ssl_client_renegotiation. Enable/disable to allow client renegotiation by the server if th…

Choices:

  • "disable"

  • "enable"

ssl-insert-empty-fragment

string

Deprecated, please rename it to ssl_insert_empty_fragment. Enable/disable insertion of empty fragment.

Choices:

  • "disable"

  • "enable"

ssl-max-proto-ver

string

Deprecated, please rename it to ssl_max_proto_ver. SSL maximum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

ssl-min-proto-ver

string

Deprecated, please rename it to ssl_min_proto_ver. SSL minimum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

sslv3

string

No description.

Choices:

  • "disable"

  • "enable"

status

string

Enable/disable SSL-VPN.

Choices:

  • "disable"

  • "enable"

tlsv1-0

string

Deprecated, please rename it to tlsv1_0. Enable/disable TLSv1.0.

Choices:

  • "disable"

  • "enable"

tlsv1-1

string

Deprecated, please rename it to tlsv1_1. Enable/disable TLSv1.1.

Choices:

  • "disable"

  • "enable"

tlsv1-2

string

Deprecated, please rename it to tlsv1_2. Enable/disable TLSv1.2.

Choices:

  • "disable"

  • "enable"

tlsv1-3

string

Deprecated, please rename it to tlsv1_3. Enable/disable TLSv1.3.

Choices:

  • "disable"

  • "enable"

transform-backward-slashes

string

Deprecated, please rename it to transform_backward_slashes. Transform backward slashes to forward slashes in URLs.

Choices:

  • "disable"

  • "enable"

tunnel-addr-assigned-method

string

Deprecated, please rename it to tunnel_addr_assigned_method. Method used for assigning address for tunnel.

Choices:

  • "first-available"

  • "round-robin"

tunnel-connect-without-reauth

string

Deprecated, please rename it to tunnel_connect_without_reauth. Enable/disable tunnel connection without re-authorization i…

Choices:

  • "disable"

  • "enable"

tunnel-ip-pools

any

(list or str) Deprecated, please rename it to tunnel_ip_pools. Names of the IPv4 IP Pool firewall objects that define the …

tunnel-ipv6-pools

any

(list or str) Deprecated, please rename it to tunnel_ipv6_pools. Names of the IPv6 IP Pool firewall objects that define th…

tunnel-user-session-timeout

integer

Deprecated, please rename it to tunnel_user_session_timeout. Time out value to clean up user session after tunnel connecti…

unsafe-legacy-renegotiation

string

Deprecated, please rename it to unsafe_legacy_renegotiation. Enable/disable unsafe legacy re-negotiation.

Choices:

  • "disable"

  • "enable"

url-obscuration

string

Deprecated, please rename it to url_obscuration. Enable/disable to obscure the host name of the URL of the web browser dis…

Choices:

  • "disable"

  • "enable"

user-peer

string

Deprecated, please rename it to user_peer. Name of user peer.

web-mode-snat

string

Deprecated, please rename it to web_mode_snat. Enable/disable use of IP pools defined in firewall policy while using web-mode.

Choices:

  • "disable"

  • "enable"

wins-server1

string

Deprecated, please rename it to wins_server1. WINS server 1.

wins-server2

string

Deprecated, please rename it to wins_server2. WINS server 2.

x-content-type-options

string

Deprecated, please rename it to x_content_type_options. Add HTTP X-Content-Type-Options header.

Choices:

  • "disable"

  • "enable"

ztna-trusted-client

string

Deprecated, please rename it to ztna_trusted_client. Enable/disable verification of device certificate for SSLVPN ZTNA ses…

Choices:

  • "disable"

  • "enable"

workspace_locking_adom

string

The ADOM to lock when FortiManager runs in workspace mode; the value can be global or any other ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

  • Running in workspace locking mode is supported by this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control the lock.

  • Normally, running a module fails when a non-zero rc is returned. You can override the conditions for failure or success with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          auth_session_check_source_ip: <value in [disable, enable]>
          auth_timeout: <integer>
          authentication_rule:
            -
              auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client_cert: <value in [disable, enable]>
              groups: <list or string>
              id: <integer>
              portal: <string>
              realm: <string>
              source_address: <list or string>
              source_address_negate: <value in [disable, enable]>
              source_address6: <list or string>
              source_address6_negate: <value in [disable, enable]>
              source_interface: <list or string>
              user_peer: <string>
              users: <list or string>
          auto_tunnel_static_route: <value in [disable, enable]>
          banned_cipher:
            - RSA
            - DH
            - DHE
            - ECDH
            - ECDHE
            - DSS
            - ECDSA
            - AES
            - AESGCM
            - CAMELLIA
            - 3DES
            - SHA1
            - SHA256
            - SHA384
            - STATIC
            - CHACHA20
            - ARIA
            - AESCCM
          check_referer: <value in [disable, enable]>
          default_portal: <string>
          deflate_compression_level: <integer>
          deflate_min_data_size: <integer>
          dns_server1: <string>
          dns_server2: <string>
          dns_suffix: <string>
          dtls_hello_timeout: <integer>
          dtls_max_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_min_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_tunnel: <value in [disable, enable]>
          encode_2f_sequence: <value in [disable, enable]>
          encrypt_and_store_password: <value in [disable, enable]>
          force_two_factor_auth: <value in [disable, enable]>
          header_x_forwarded_for: <value in [pass, add, remove]>
          hsts_include_subdomains: <value in [disable, enable]>
          http_compression: <value in [disable, enable]>
          http_only_cookie: <value in [disable, enable]>
          http_request_body_timeout: <integer>
          http_request_header_timeout: <integer>
          https_redirect: <value in [disable, enable]>
          idle_timeout: <integer>
          ipv6_dns_server1: <string>
          ipv6_dns_server2: <string>
          ipv6_wins_server1: <string>
          ipv6_wins_server2: <string>
          login_attempt_limit: <integer>
          login_block_time: <integer>
          login_timeout: <integer>
          port: <integer>
          port_precedence: <value in [disable, enable]>
          reqclientcert: <value in [disable, enable]>
          route_source_interface: <value in [disable, enable]>
          servercert: <string>
          source_address: <list or string>
          source_address_negate: <value in [disable, enable]>
          source_address6: <list or string>
          source_address6_negate: <value in [disable, enable]>
          source_interface: <list or string>
          ssl_client_renegotiation: <value in [disable, enable]>
          ssl_insert_empty_fragment: <value in [disable, enable]>
          ssl_max_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl_min_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          tlsv1_0: <value in [disable, enable]>
          tlsv1_1: <value in [disable, enable]>
          tlsv1_2: <value in [disable, enable]>
          tlsv1_3: <value in [disable, enable]>
          transform_backward_slashes: <value in [disable, enable]>
          tunnel_connect_without_reauth: <value in [disable, enable]>
          tunnel_ip_pools: <list or string>
          tunnel_ipv6_pools: <list or string>
          tunnel_user_session_timeout: <integer>
          unsafe_legacy_renegotiation: <value in [disable, enable]>
          url_obscuration: <value in [disable, enable]>
          user_peer: <string>
          wins_server1: <string>
          wins_server2: <string>
          x_content_type_options: <value in [disable, enable]>
          sslv3: <value in [disable, enable]>
          ssl_big_buffer: <value in [disable, enable]>
          client_sigalgs: <value in [no-rsa-pss, all]>
          ciphersuite:
            - TLS-AES-128-GCM-SHA256
            - TLS-AES-256-GCM-SHA384
            - TLS-CHACHA20-POLY1305-SHA256
            - TLS-AES-128-CCM-SHA256
            - TLS-AES-128-CCM-8-SHA256
          dual_stack_mode: <value in [disable, enable]>
          tunnel_addr_assigned_method: <value in [first-available, round-robin]>
          browser_language_detection: <value in [disable, enable]>
          saml_redirect_port: <integer>
          status: <value in [disable, enable]>
          web_mode_snat: <value in [disable, enable]>
          ztna_trusted_client: <value in [disable, enable]>
          dtls_heartbeat_fail_count: <integer>
          dtls_heartbeat_idle_timeout: <integer>
          dtls_heartbeat_interval: <integer>
          server_hostname: <string>
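A concrete hardening playbook, added here as an illustration and not one of the collection's generated examples: it uses the module's snake_case parameters to enforce a TLS 1.2+ floor, AEAD cipher suites, renegotiation and compression off, brute-force limits and browser-facing security headers, then fails the play if FortiManager reports a non-zero rc. The inventory group, ADOM, device name, certificate object name, port and timeout values are assumptions chosen for this example.

```yaml
- name: Harden SSL VPN settings on a managed FortiGate (constructed example)
  hosts: fortimanagers                     # assumed inventory group
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify the FortiManager certificate instead of skipping it
    ansible_httpapi_port: 443
  tasks:
    - name: Enforce TLS 1.2+ and disable legacy protocol options
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        workspace_locking_adom: root       # assumed ADOM
        workspace_locking_timeout: 300
        device: fgt-branch-01              # assumed managed device name
        vdom: root
        vpn_ssl_settings:
          status: enable
          port: 10443
          servercert: sslvpn-cert          # assumed certificate object name on the device
          # Protocol floor: refuse SSLv3, TLS 1.0 and TLS 1.1 for both TLS and DTLS.
          sslv3: disable
          tlsv1_0: disable
          tlsv1_1: disable
          tlsv1_2: enable
          tlsv1_3: enable
          ssl_min_proto_ver: tls1-2
          ssl_max_proto_ver: tls1-3
          dtls_min_proto_ver: dtls1-2
          dtls_max_proto_ver: dtls1-2
          # Keep only AEAD TLS 1.3 suites; drop 3DES and SHA1 from the older suites.
          algorithm: high
          ciphersuite:
            - TLS-AES-256-GCM-SHA384
            - TLS-AES-128-GCM-SHA256
            - TLS-CHACHA20-POLY1305-SHA256
          banned_cipher:
            - 3DES
            - SHA1
          # Renegotiation and compression are long-standing downgrade and side-channel surfaces.
          unsafe_legacy_renegotiation: disable
          ssl_client_renegotiation: disable
          http_compression: disable
          # Brute-force and session limits (values are assumptions).
          login_attempt_limit: 3
          login_block_time: 300
          idle_timeout: 900
          # Browser-facing protections for web mode.
          hsts_include_subdomains: enable
          x_content_type_options: enable
          http_only_cookie: enable
          check_referer: enable
      register: sslvpn_result

    - name: Stop the play if FortiManager did not accept the change
      ansible.builtin.assert:
        that:
          - sslvpn_result.rc == 0
        fail_msg: "FortiManager returned rc={{ sslvpn_result.rc }}: {{ sslvpn_result.meta.response_message | default('no message') }}"
```

The assertion reads the rc and meta.response_message return values documented below, so a rejected change surfaces the FortiManager message rather than being masked by rc_succeeded.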

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full URL requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_data

list / elements=string

The API response.

Returned: always

response_message

string

The descriptive message of the API response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status of the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)