fortinet.fortimanager.fmgr_vpn_ssl_settings module – Configure SSL VPN.

Note

This module is part of the fortinet.fortimanager collection (version 2.8.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpn_ssl_settings.

New in fortinet.fortimanager 2.1.0

Synopsis

  • This module is able to configure a FortiManager device.

  • The examples include all parameters; the values need to be adjusted to your data sources before use.

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

bypass_validation

boolean

Set to true only when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

device

string / required

The parameter (device) in the requested URL.

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • false ← (default)

  • true

forticloud_access_token

string

Authenticate Ansible client with forticloud API access token.

proposed_method

string

The overridden method for the underlying JSON RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The list of rc codes with which the conditions to fail will be overridden.

rc_succeeded

list / elements=integer

The list of rc codes with which the conditions to succeed will be overridden.

vdom

string / required

The parameter (vdom) in the requested URL.

vpn_ssl_settings

dictionary

The top level parameters set.

algorithm

string

Force the SSL VPN security level.

Choices:

  • "default"

  • "high"

  • "low"

  • "medium"

auth_session_check_source_ip

aliases: auth-session-check-source-ip

string

Enable/disable checking of source IP for authentication session.

Choices:

  • "disable"

  • "enable"

auth_timeout

aliases: auth-timeout

integer

SSL VPN authentication timeout

authentication_rule

aliases: authentication-rule

list / elements=dictionary

Authentication rule.

auth

string

SSL VPN authentication method restriction.

Choices:

  • "any"

  • "local"

  • "radius"

  • "ldap"

  • "tacacs+"

  • "peer"

cipher

string

SSL VPN cipher strength.

Choices:

  • "any"

  • "high"

  • "medium"

client_cert

aliases: client-cert

string

Enable/disable the SSL VPN client certificate restriction.

Choices:

  • "disable"

  • "enable"

groups

any

(list or str) User groups.

id

integer

ID

portal

string

SSL VPN portal.

realm

string

SSL VPN realm.

source_address

aliases: source-address

any

(list or str) Source address of incoming traffic.

source_address6

aliases: source-address6

any

(list or str) IPv6 source address of incoming traffic.

source_address6_negate

aliases: source-address6-negate

string

Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source_address_negate

aliases: source-address-negate

string

Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source_interface

aliases: source-interface

any

(list or str) SSL VPN source interface of incoming traffic.

user_peer

aliases: user-peer

string

Name of user peer.

users

any

(list or str) User name.

auto_tunnel_static_route

aliases: auto-tunnel-static-route

string

Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses.

Choices:

  • "disable"

  • "enable"

banned_cipher

aliases: banned-cipher

list / elements=string

Select one or more cipher technologies that cannot be used in SSL VPN negotiations.

Choices:

  • "RSA"

  • "DH"

  • "DHE"

  • "ECDH"

  • "ECDHE"

  • "DSS"

  • "ECDSA"

  • "AES"

  • "AESGCM"

  • "CAMELLIA"

  • "3DES"

  • "SHA1"

  • "SHA256"

  • "SHA384"

  • "STATIC"

  • "CHACHA20"

  • "ARIA"

  • "AESCCM"

browser_language_detection

aliases: browser-language-detection

string

Enable/disable overriding the configured system language based on the preferred language of the browser.

Choices:

  • "disable"

  • "enable"

check_referer

aliases: check-referer

string

Enable/disable verification of referer field in HTTP request header.

Choices:

  • "disable"

  • "enable"

ciphersuite

list / elements=string

Select one or more TLS 1.3 cipher suites.

Choices:

  • "TLS-AES-128-GCM-SHA256"

  • "TLS-AES-256-GCM-SHA384"

  • "TLS-CHACHA20-POLY1305-SHA256"

  • "TLS-AES-128-CCM-SHA256"

  • "TLS-AES-128-CCM-8-SHA256"

client_sigalgs

aliases: client-sigalgs

string

Set signature algorithms related to client authentication.

Choices:

  • "no-rsa-pss"

  • "all"

default_portal

aliases: default-portal

string

Default SSL VPN portal.

deflate_compression_level

aliases: deflate-compression-level

integer

Compression level

deflate_min_data_size

aliases: deflate-min-data-size

integer

Minimum amount of data that triggers compression

dns_server1

aliases: dns-server1

string

DNS server 1.

dns_server2

aliases: dns-server2

string

DNS server 2.

dns_suffix

aliases: dns-suffix

string

DNS suffix used for SSL VPN clients.

dtls_heartbeat_fail_count

aliases: dtls-heartbeat-fail-count

integer

Number of missing heartbeats before the connection is considered dropped.

dtls_heartbeat_idle_timeout

aliases: dtls-heartbeat-idle-timeout

integer

Idle timeout before DTLS heartbeat is sent.

dtls_heartbeat_interval

aliases: dtls-heartbeat-interval

integer

Interval between DTLS heartbeat.

dtls_hello_timeout

aliases: dtls-hello-timeout

integer

SSLVPN maximum DTLS hello timeout

dtls_max_proto_ver

aliases: dtls-max-proto-ver

string

DTLS maximum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls_min_proto_ver

aliases: dtls-min-proto-ver

string

DTLS minimum protocol version.

Choices:

  • "dtls1-0"

  • "dtls1-2"

dtls_tunnel

aliases: dtls-tunnel

string

Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.

Choices:

  • "disable"

  • "enable"

dual_stack_mode

aliases: dual-stack-mode

string

Dual-stack tunnel mode (IPv4 and IPv6 tunnels in parallel).

Choices:

  • "disable"

  • "enable"

encode_2f_sequence

aliases: encode-2f-sequence

string

Encode 2F sequence to forward slash in URLs.

Choices:

  • "disable"

  • "enable"

encrypt_and_store_password

aliases: encrypt-and-store-password

string

Encrypt and store user passwords for SSL VPN web sessions.

Choices:

  • "disable"

  • "enable"

force_two_factor_auth

aliases: force-two-factor-auth

string

Enable/disable allowing only PKI users with two-factor authentication for SSL VPNs.

Choices:

  • "disable"

  • "enable"

header_x_forwarded_for

aliases: header-x-forwarded-for

string

Pass through, add, or remove the X-Forwarded-For HTTP header.

Choices:

  • "pass"

  • "add"

  • "remove"

hsts_include_subdomains

aliases: hsts-include-subdomains

string

Add HSTS includeSubDomains response header.

Choices:

  • "disable"

  • "enable"

http_compression

aliases: http-compression

string

Enable/disable to allow HTTP compression over SSL VPN tunnels.

Choices:

  • "disable"

  • "enable"

http_only_cookie

aliases: http-only-cookie

string

Enable/disable SSL VPN support for HttpOnly cookies.

Choices:

  • "disable"

  • "enable"

http_request_body_timeout

aliases: http-request-body-timeout

integer

SSL VPN session is disconnected if an HTTP request body is not received within this time

http_request_header_timeout

aliases: http-request-header-timeout

integer

SSL VPN session is disconnected if an HTTP request header is not received within this time

https_redirect

aliases: https-redirect

string

Enable/disable redirect of port 80 to SSL VPN port.

Choices:

  • "disable"

  • "enable"

idle_timeout

aliases: idle-timeout

integer

SSL VPN disconnects if idle for specified time in seconds.

ipv6_dns_server1

aliases: ipv6-dns-server1

string

IPv6 DNS server 1.

ipv6_dns_server2

aliases: ipv6-dns-server2

string

IPv6 DNS server 2.

ipv6_wins_server1

aliases: ipv6-wins-server1

string

IPv6 WINS server 1.

ipv6_wins_server2

aliases: ipv6-wins-server2

string

IPv6 WINS server 2.

login_attempt_limit

aliases: login-attempt-limit

integer

SSL VPN maximum login attempt times before block

login_block_time

aliases: login-block-time

integer

Time for which a user is blocked from logging in after too many failed login attempts

login_timeout

aliases: login-timeout

integer

SSLVPN maximum login timeout

port

integer

SSL VPN access port

port_precedence

aliases: port-precedence

string

Enable/disable. Enable means that if SSL VPN connections are allowed on an interface, admin GUI connections are blocked on …

Choices:

  • "disable"

  • "enable"

reqclientcert

string

Enable/disable to require client certificates for all SSL VPN users.

Choices:

  • "disable"

  • "enable"

route_source_interface

aliases: route-source-interface

string

Enable/disable to allow SSL VPN sessions to bypass routing and bind to the incoming interface.

Choices:

  • "disable"

  • "enable"

saml_redirect_port

aliases: saml-redirect-port

integer

SAML local redirect port in the machine running FortiClient

server_hostname

aliases: server-hostname

string

Server hostname for HTTPS.

servercert

string

Name of the server certificate to be used for SSL VPNs.

source_address

aliases: source-address

any

(list or str) Source address of incoming traffic.

source_address6

aliases: source-address6

any

(list or str) IPv6 source address of incoming traffic.

source_address6_negate

aliases: source-address6-negate

string

Enable/disable negated source IPv6 address match.

Choices:

  • "disable"

  • "enable"

source_address_negate

aliases: source-address-negate

string

Enable/disable negated source address match.

Choices:

  • "disable"

  • "enable"

source_interface

aliases: source-interface

any

(list or str) SSL VPN source interface of incoming traffic.

ssl_big_buffer

aliases: ssl-big-buffer

string

Disable using the big SSLv3 buffer feature to save memory and force higher security.

Choices:

  • "disable"

  • "enable"

ssl_client_renegotiation

aliases: ssl-client-renegotiation

string

Enable/disable to allow client renegotiation by the server if the tunnel goes down.

Choices:

  • "disable"

  • "enable"

ssl_insert_empty_fragment

aliases: ssl-insert-empty-fragment

string

Enable/disable insertion of empty fragment.

Choices:

  • "disable"

  • "enable"

ssl_max_proto_ver

aliases: ssl-max-proto-ver

string

SSL maximum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

ssl_min_proto_ver

aliases: ssl-min-proto-ver

string

SSL minimum protocol version.

Choices:

  • "tls1-0"

  • "tls1-1"

  • "tls1-2"

  • "tls1-3"

sslv3

string

Enable/disable SSLv3.

Choices:

  • "disable"

  • "enable"

status

string

Enable/disable SSL-VPN.

Choices:

  • "disable"

  • "enable"

tlsv1_0

aliases: tlsv1-0

string

Enable/disable TLSv1.0.

Choices:

  • "disable"

  • "enable"

tlsv1_1

aliases: tlsv1-1

string

Enable/disable TLSv1.1.

Choices:

  • "disable"

  • "enable"

tlsv1_2

aliases: tlsv1-2

string

Enable/disable TLSv1.2.

Choices:

  • "disable"

  • "enable"

tlsv1_3

aliases: tlsv1-3

string

Enable/disable TLSv1.3.

Choices:

  • "disable"

  • "enable"

transform_backward_slashes

aliases: transform-backward-slashes

string

Transform backward slashes to forward slashes in URLs.

Choices:

  • "disable"

  • "enable"

tunnel_addr_assigned_method

aliases: tunnel-addr-assigned-method

string

Method used for assigning address for tunnel.

Choices:

  • "first-available"

  • "round-robin"

tunnel_connect_without_reauth

aliases: tunnel-connect-without-reauth

string

Enable/disable tunnel connection without re-authorization if previous connection dropped.

Choices:

  • "disable"

  • "enable"

tunnel_ip_pools

aliases: tunnel-ip-pools

any

(list or str) Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.

tunnel_ipv6_pools

aliases: tunnel-ipv6-pools

any

(list or str) Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.

tunnel_user_session_timeout

aliases: tunnel-user-session-timeout

integer

Timeout value for cleaning up the user session after the tunnel connection is dropped

unsafe_legacy_renegotiation

aliases: unsafe-legacy-renegotiation

string

Enable/disable unsafe legacy re-negotiation.

Choices:

  • "disable"

  • "enable"

url_obscuration

aliases: url-obscuration

string

Enable/disable obscuring the host name in the URL shown in the web browser.

Choices:

  • "disable"

  • "enable"

user_peer

aliases: user-peer

string

Name of user peer.

web_mode_snat

aliases: web-mode-snat

string

Enable/disable use of IP pools defined in firewall policy while using web-mode.

Choices:

  • "disable"

  • "enable"

wins_server1

aliases: wins-server1

string

WINS server 1.

wins_server2

aliases: wins-server2

string

WINS server 2.

x_content_type_options

aliases: x-content-type-options

string

Add HTTP X-Content-Type-Options header.

Choices:

  • "disable"

  • "enable"

ztna_trusted_client

aliases: ztna-trusted-client

string

Enable/disable verification of device certificate for SSLVPN ZTNA session.

Choices:

  • "disable"

  • "enable"

workspace_locking_adom

string

The ADOM to lock when FortiManager runs in workspace mode; the value can be global or any other ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change arguments such as “var-name” to “var_name”. Old argument names are still accepted, but you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

  • Running in workspace locking mode is supported by this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • Normally, running a module fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook (generated based on argument schema)
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL VPN.
      fortinet.fortimanager.fmgr_vpn_ssl_settings:
        # bypass_validation: false
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        # rc_succeeded: [0, -2, -3, ...]
        # rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
          algorithm: <value in [default, high, low, ...]>
          auth_session_check_source_ip: <value in [disable, enable]>
          auth_timeout: <integer>
          authentication_rule:
            -
              auth: <value in [any, local, radius, ...]>
              cipher: <value in [any, high, medium]>
              client_cert: <value in [disable, enable]>
              groups: <list or string>
              id: <integer>
              portal: <string>
              realm: <string>
              source_address: <list or string>
              source_address_negate: <value in [disable, enable]>
              source_address6: <list or string>
              source_address6_negate: <value in [disable, enable]>
              source_interface: <list or string>
              user_peer: <string>
              users: <list or string>
          auto_tunnel_static_route: <value in [disable, enable]>
          banned_cipher:
            - "RSA"
            - "DH"
            - "DHE"
            - "ECDH"
            - "ECDHE"
            - "DSS"
            - "ECDSA"
            - "AES"
            - "AESGCM"
            - "CAMELLIA"
            - "3DES"
            - "SHA1"
            - "SHA256"
            - "SHA384"
            - "STATIC"
            - "CHACHA20"
            - "ARIA"
            - "AESCCM"
          check_referer: <value in [disable, enable]>
          default_portal: <string>
          deflate_compression_level: <integer>
          deflate_min_data_size: <integer>
          dns_server1: <string>
          dns_server2: <string>
          dns_suffix: <string>
          dtls_hello_timeout: <integer>
          dtls_max_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_min_proto_ver: <value in [dtls1-0, dtls1-2]>
          dtls_tunnel: <value in [disable, enable]>
          encode_2f_sequence: <value in [disable, enable]>
          encrypt_and_store_password: <value in [disable, enable]>
          force_two_factor_auth: <value in [disable, enable]>
          header_x_forwarded_for: <value in [pass, add, remove]>
          hsts_include_subdomains: <value in [disable, enable]>
          http_compression: <value in [disable, enable]>
          http_only_cookie: <value in [disable, enable]>
          http_request_body_timeout: <integer>
          http_request_header_timeout: <integer>
          https_redirect: <value in [disable, enable]>
          idle_timeout: <integer>
          ipv6_dns_server1: <string>
          ipv6_dns_server2: <string>
          ipv6_wins_server1: <string>
          ipv6_wins_server2: <string>
          login_attempt_limit: <integer>
          login_block_time: <integer>
          login_timeout: <integer>
          port: <integer>
          port_precedence: <value in [disable, enable]>
          reqclientcert: <value in [disable, enable]>
          route_source_interface: <value in [disable, enable]>
          servercert: <string>
          source_address: <list or string>
          source_address_negate: <value in [disable, enable]>
          source_address6: <list or string>
          source_address6_negate: <value in [disable, enable]>
          source_interface: <list or string>
          ssl_client_renegotiation: <value in [disable, enable]>
          ssl_insert_empty_fragment: <value in [disable, enable]>
          ssl_max_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          ssl_min_proto_ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
          tlsv1_0: <value in [disable, enable]>
          tlsv1_1: <value in [disable, enable]>
          tlsv1_2: <value in [disable, enable]>
          tlsv1_3: <value in [disable, enable]>
          transform_backward_slashes: <value in [disable, enable]>
          tunnel_connect_without_reauth: <value in [disable, enable]>
          tunnel_ip_pools: <list or string>
          tunnel_ipv6_pools: <list or string>
          tunnel_user_session_timeout: <integer>
          unsafe_legacy_renegotiation: <value in [disable, enable]>
          url_obscuration: <value in [disable, enable]>
          user_peer: <string>
          wins_server1: <string>
          wins_server2: <string>
          x_content_type_options: <value in [disable, enable]>
          sslv3: <value in [disable, enable]>
          ssl_big_buffer: <value in [disable, enable]>
          client_sigalgs: <value in [no-rsa-pss, all]>
          ciphersuite:
            - "TLS-AES-128-GCM-SHA256"
            - "TLS-AES-256-GCM-SHA384"
            - "TLS-CHACHA20-POLY1305-SHA256"
            - "TLS-AES-128-CCM-SHA256"
            - "TLS-AES-128-CCM-8-SHA256"
          dual_stack_mode: <value in [disable, enable]>
          tunnel_addr_assigned_method: <value in [first-available, round-robin]>
          browser_language_detection: <value in [disable, enable]>
          saml_redirect_port: <integer>
          status: <value in [disable, enable]>
          web_mode_snat: <value in [disable, enable]>
          ztna_trusted_client: <value in [disable, enable]>
          dtls_heartbeat_fail_count: <integer>
          dtls_heartbeat_idle_timeout: <integer>
          dtls_heartbeat_interval: <integer>
          server_hostname: <string>
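Before the generated playbook above is run against FortiManager, a practitioner usually wants to know whether the vpn_ssl_settings it carries are sound: no legacy protocol versions, a sane minimum/maximum TLS pairing, weak cipher families banned, web-mode header protections on, and a login lockout configured. The script below is an added example, not code from the fortinet.fortimanager collection or from Fortinet. It lints one vpn_ssl_settings mapping using only the parameter names and value choices documented on this page; the hardening thresholds (a tls1-2 floor, the families expected in banned_cipher, which switches are expected enabled, treating a missing or zero login_attempt_limit as no lockout) and the two sample mappings are this example's own assumptions.

```python
"""Lint the vpn_ssl_settings mapping of a fmgr_vpn_ssl_settings task before it runs.

Added example, not code from the fortinet.fortimanager collection. Parameter names
and value choices follow the module documentation; thresholds are assumptions."""

ON_OFF = {"disable", "enable"}
# Documented choices for the parameters this lint inspects.
CHOICES = {
    "algorithm": {"default", "high", "low", "medium"},
    "ssl_min_proto_ver": {"tls1-0", "tls1-1", "tls1-2", "tls1-3"},
    "ssl_max_proto_ver": {"tls1-0", "tls1-1", "tls1-2", "tls1-3"},
    "dtls_min_proto_ver": {"dtls1-0", "dtls1-2"},
    "dtls_max_proto_ver": {"dtls1-0", "dtls1-2"},
    **{k: ON_OFF for k in (
        "sslv3", "tlsv1_0", "tlsv1_1", "tlsv1_2", "tlsv1_3",
        "unsafe_legacy_renegotiation", "check_referer", "http_only_cookie",
        "x_content_type_options", "hsts_include_subdomains", "reqclientcert",
        "force_two_factor_auth", "auth_session_check_source_ip")},
}
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
DTLS_ORDER = ["dtls1-0", "dtls1-2"]
# Assumption: a hardened profile bans at least static key exchange, 3DES and SHA-1.
EXPECTED_BANNED = {"STATIC", "3DES", "SHA1"}
# Assumption: these web-mode and session hardening switches should be enabled.
EXPECTED_ENABLED = ("check_referer", "http_only_cookie", "x_content_type_options",
                    "hsts_include_subdomains", "auth_session_check_source_ip")


def _version_findings(settings, min_key, max_key, order, floor):
    """Flag a minimum protocol version below the floor, or a maximum below the minimum."""
    out, lo, hi = [], settings.get(min_key), settings.get(max_key)
    if lo in order and order.index(lo) < order.index(floor):
        out.append(f"{min_key}: {lo} is below {floor}")
    if lo in order and hi in order and order.index(hi) < order.index(lo):
        out.append(f"{max_key}: {hi} is lower than {min_key}={lo}")
    return out


def lint_vpn_ssl_settings(settings):
    """Return human-readable findings for one vpn_ssl_settings mapping; [] means clean."""
    findings = []
    for key, allowed in CHOICES.items():  # the schema check bypass_validation would skip
        if key in settings and settings[key] not in allowed:
            findings.append(f"{key}: {settings[key]!r} not in {sorted(allowed)}")
    for key in ("sslv3", "tlsv1_0", "tlsv1_1"):  # legacy protocol switches
        if settings.get(key) == "enable":
            findings.append(f"{key}: legacy protocol version enabled")
    findings += _version_findings(settings, "ssl_min_proto_ver", "ssl_max_proto_ver",
                                  TLS_ORDER, "tls1-2")
    findings += _version_findings(settings, "dtls_min_proto_ver", "dtls_max_proto_ver",
                                  DTLS_ORDER, "dtls1-2")
    if settings.get("unsafe_legacy_renegotiation") == "enable":
        findings.append("unsafe_legacy_renegotiation: enabled")
    if settings.get("algorithm") == "low":
        findings.append("algorithm: security level forced to low")
    missing = EXPECTED_BANNED - set(settings.get("banned_cipher") or [])
    if missing:
        findings.append(f"banned_cipher: missing {sorted(missing)}")
    for key in EXPECTED_ENABLED:
        if settings.get(key) != "enable":
            findings.append(f"{key}: not enabled")
    if not settings.get("login_attempt_limit"):  # assumption: 0/absent means no lockout
        findings.append("login_attempt_limit: no lockout configured")
    return findings


# Constructed sample: a permissive mapping as it might appear under the module.
WEAK_SETTINGS = {
    "sslv3": "disable", "tlsv1_0": "enable", "tlsv1_1": "enable",
    "ssl_min_proto_ver": "tls1-1", "ssl_max_proto_ver": "tls1-3",
    "algorithm": "low", "unsafe_legacy_renegotiation": "enable",
    "banned_cipher": ["RSA"], "check_referer": "disable",
    "http_only_cookie": "enable", "login_attempt_limit": 0,
}


def hardened_settings():
    """Constructed profile that passes the lint (assumed values, not Fortinet defaults)."""
    return {
        "algorithm": "high", "sslv3": "disable",
        "tlsv1_0": "disable", "tlsv1_1": "disable",
        "tlsv1_2": "enable", "tlsv1_3": "enable",
        "ssl_min_proto_ver": "tls1-2", "ssl_max_proto_ver": "tls1-3",
        "dtls_min_proto_ver": "dtls1-2", "dtls_max_proto_ver": "dtls1-2",
        "unsafe_legacy_renegotiation": "disable",
        "banned_cipher": ["STATIC", "3DES", "SHA1", "RSA"],
        "check_referer": "enable", "http_only_cookie": "enable",
        "x_content_type_options": "enable", "hsts_include_subdomains": "enable",
        "auth_session_check_source_ip": "enable",
        "reqclientcert": "enable", "force_two_factor_auth": "enable",
        "login_attempt_limit": 3,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", hardened_settings())):
        found = lint_vpn_ssl_settings(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

In a CI step the mapping would come from the playbook (loaded with a YAML parser) rather than from the constructed dicts; a clean result is the signal that the block can go under vpn_ssl_settings in the task. The first loop only re-checks documented choices, so leaving bypass_validation at its default of false still lets the module validate the full schema against the target FortiManager.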

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full URL requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_data

list / elements=string

The API response.

Returned: always

response_message

string

The descriptive message of the API response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status of the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)