fortinet.fortimanager.fmgr_vpn_ssl_settings – Configure SSL VPN.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.3).

To install it use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vpn_ssl_settings.

New in version 2.10: of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
bypass_validation
boolean
    Choices:
  • no ←
  • yes
only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters
device
string / required
the parameter (device) in requested url
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying Json RPC request
rc_failed
list / elements=string
the rc codes list with which the conditions to fail will be overriden
rc_succeeded
list / elements=string
the rc codes list with which the conditions to succeed will be overriden
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
vdom
string / required
the parameter (vdom) in requested url
vpn_ssl_settings
dictionary
the top level parameters set
algorithm
string
    Choices:
  • default
  • high
  • low
  • medium
Force the SSL VPN security level. High allows only high. Medium allows medium and high. Low allows any.
auth-session-check-source-ip
string
    Choices:
  • disable
  • enable
Enable/disable checking of source IP for authentication session.
auth-timeout
integer
SSL VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication-rule
list / elements=string
no description
auth
string
    Choices:
  • any
  • local
  • radius
  • ldap
  • tacacs+
SSL VPN authentication method restriction.
cipher
string
    Choices:
  • any
  • high
  • medium
SSL VPN cipher strength.
client-cert
string
    Choices:
  • disable
  • enable
Enable/disable SSL VPN client certificate restrictive.
groups
string
User groups.
id
integer
ID (0 - 4294967295).
portal
string
SSL VPN portal.
realm
string
SSL VPN realm.
source-address
string
Source address of incoming traffic.
source-address-negate
string
    Choices:
  • disable
  • enable
Enable/disable negated source address match.
source-address6
string
IPv6 source address of incoming traffic.
source-address6-negate
string
    Choices:
  • disable
  • enable
Enable/disable negated source IPv6 address match.
source-interface
string
SSL VPN source interface of incoming traffic.
user-peer
string
Name of user peer.
users
string
User name.
auto-tunnel-static-route
string
    Choices:
  • disable
  • enable
Enable/disable to auto-create static routes for the SSL VPN tunnel IP addresses.
banned-cipher
list / elements=string
    Choices:
  • RSA
  • DH
  • DHE
  • ECDH
  • ECDHE
  • DSS
  • ECDSA
  • AES
  • AESGCM
  • CAMELLIA
  • 3DES
  • SHA1
  • SHA256
  • SHA384
  • STATIC
no description
check-referer
string
    Choices:
  • disable
  • enable
Enable/disable verification of referer field in HTTP request header.
default-portal
string
Default SSL VPN portal.
deflate-compression-level
integer
Compression level (0~9).
deflate-min-data-size
integer
Minimum amount of data that triggers compression (200 - 65535 bytes).
dns-server1
string
DNS server 1.
dns-server2
string
DNS server 2.
dns-suffix
string
DNS suffix used for SSL VPN clients.
dtls-hello-timeout
integer
SSLVPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-max-proto-ver
string
    Choices:
  • dtls1-0
  • dtls1-2
DTLS maximum protocol version.
dtls-min-proto-ver
string
    Choices:
  • dtls1-0
  • dtls1-2
DTLS minimum protocol version.
dtls-tunnel
string
    Choices:
  • disable
  • enable
Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery.
encode-2f-sequence
string
    Choices:
  • disable
  • enable
Encode 2F sequence to forward slash in URLs.
encrypt-and-store-password
string
    Choices:
  • disable
  • enable
Encrypt and store user passwords for SSL VPN web sessions.
force-two-factor-auth
string
    Choices:
  • disable
  • enable
Enable/disable only PKI users with two-factor authentication for SSL VPNs.
header-x-forwarded-for
string
    Choices:
  • pass
  • add
  • remove
Forward the same, add, or remove HTTP header.
hsts-include-subdomains
string
    Choices:
  • disable
  • enable
Add HSTS includeSubDomains response header.
http-compression
string
    Choices:
  • disable
  • enable
Enable/disable to allow HTTP compression over SSL VPN tunnels.
http-only-cookie
string
    Choices:
  • disable
  • enable
Enable/disable SSL VPN support for HttpOnly cookies.
http-request-body-timeout
integer
SSL VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
http-request-header-timeout
integer
SSL VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
https-redirect
string
    Choices:
  • disable
  • enable
Enable/disable redirect of port 80 to SSL VPN port.
idle-timeout
integer
SSL VPN disconnects if idle for specified time in seconds.
ipv6-dns-server1
string
IPv6 DNS server 1.
ipv6-dns-server2
string
IPv6 DNS server 2.
ipv6-wins-server1
string
IPv6 WINS server 1.
ipv6-wins-server2
string
IPv6 WINS server 2.
login-attempt-limit
integer
SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit).
login-block-time
integer
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
login-timeout
integer
SSLVPN maximum login timeout (10 - 180 sec, default = 30).
port
integer
SSL VPN access port (1 - 65535).
port-precedence
string
    Choices:
  • disable
  • enable
Enable/disable, Enable means that if SSL VPN connections are allowed on an interface admin GUI connections are blocked on that...
reqclientcert
string
    Choices:
  • disable
  • enable
Enable/disable to require client certificates for all SSL VPN users.
route-source-interface
string
    Choices:
  • disable
  • enable
Enable/disable to allow SSL VPN sessions to bypass routing and bind to the incoming interface.
servercert
string
Name of the server certificate to be used for SSL VPNs.
source-address
string
Source address of incoming traffic.
source-address-negate
string
    Choices:
  • disable
  • enable
Enable/disable negated source address match.
source-address6
string
IPv6 source address of incoming traffic.
source-address6-negate
string
    Choices:
  • disable
  • enable
Enable/disable negated source IPv6 address match.
source-interface
string
SSL VPN source interface of incoming traffic.
ssl-client-renegotiation
string
    Choices:
  • disable
  • enable
Enable/disable to allow client renegotiation by the server if the tunnel goes down.
ssl-insert-empty-fragment
string
    Choices:
  • disable
  • enable
Enable/disable insertion of empty fragment.
ssl-max-proto-ver
string
    Choices:
  • tls1-0
  • tls1-1
  • tls1-2
  • tls1-3
SSL maximum protocol version.
ssl-min-proto-ver
string
    Choices:
  • tls1-0
  • tls1-1
  • tls1-2
  • tls1-3
SSL minimum protocol version.
tlsv1-0
string
    Choices:
  • disable
  • enable
no description
tlsv1-1
string
    Choices:
  • disable
  • enable
no description
tlsv1-2
string
    Choices:
  • disable
  • enable
no description
tlsv1-3
string
    Choices:
  • disable
  • enable
no description
transform-backward-slashes
string
    Choices:
  • disable
  • enable
Transform backward slashes to forward slashes in URLs.
tunnel-connect-without-reauth
string
    Choices:
  • disable
  • enable
Enable/disable tunnel connection without re-authorization if previous connection dropped.
tunnel-ip-pools
string
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
tunnel-ipv6-pools
string
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
tunnel-user-session-timeout
integer
Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec, default=30).
unsafe-legacy-renegotiation
string
    Choices:
  • disable
  • enable
Enable/disable unsafe legacy re-negotiation.
url-obscuration
string
    Choices:
  • disable
  • enable
Enable/disable to obscure the host name of the URL of the web browser display.
user-peer
string
Name of user peer.
wins-server1
string
WINS server 1.
wins-server2
string
WINS server 2.
x-content-type-options
string
    Choices:
  • disable
  • enable
Add HTTP X-Content-Type-Options header.
workspace_locking_adom
string
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout
integer
Default:
300
the maximum time in seconds to wait for other user to release the workspace lock

Notes

Note

  • Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.

  • To create or update an object, use state present directive.

  • To delete an object, use state absent directive.

  • Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure SSL VPN.
     fmgr_vpn_ssl_settings:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        device: <your own value>
        vdom: <your own value>
        vpn_ssl_settings:
           algorithm: <value in [default, high, low, ...]>
           auth-session-check-source-ip: <value in [disable, enable]>
           auth-timeout: <value of integer>
           authentication-rule:
             -
                 auth: <value in [any, local, radius, ...]>
                 cipher: <value in [any, high, medium]>
                 client-cert: <value in [disable, enable]>
                 groups: <value of string>
                 id: <value of integer>
                 portal: <value of string>
                 realm: <value of string>
                 source-address: <value of string>
                 source-address-negate: <value in [disable, enable]>
                 source-address6: <value of string>
                 source-address6-negate: <value in [disable, enable]>
                 source-interface: <value of string>
                 user-peer: <value of string>
                 users: <value of string>
           auto-tunnel-static-route: <value in [disable, enable]>
           banned-cipher:
             - RSA
             - DH
             - DHE
             - ECDH
             - ECDHE
             - DSS
             - ECDSA
             - AES
             - AESGCM
             - CAMELLIA
             - 3DES
             - SHA1
             - SHA256
             - SHA384
             - STATIC
           check-referer: <value in [disable, enable]>
           default-portal: <value of string>
           deflate-compression-level: <value of integer>
           deflate-min-data-size: <value of integer>
           dns-server1: <value of string>
           dns-server2: <value of string>
           dns-suffix: <value of string>
           dtls-hello-timeout: <value of integer>
           dtls-max-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-min-proto-ver: <value in [dtls1-0, dtls1-2]>
           dtls-tunnel: <value in [disable, enable]>
           encode-2f-sequence: <value in [disable, enable]>
           encrypt-and-store-password: <value in [disable, enable]>
           force-two-factor-auth: <value in [disable, enable]>
           header-x-forwarded-for: <value in [pass, add, remove]>
           hsts-include-subdomains: <value in [disable, enable]>
           http-compression: <value in [disable, enable]>
           http-only-cookie: <value in [disable, enable]>
           http-request-body-timeout: <value of integer>
           http-request-header-timeout: <value of integer>
           https-redirect: <value in [disable, enable]>
           idle-timeout: <value of integer>
           ipv6-dns-server1: <value of string>
           ipv6-dns-server2: <value of string>
           ipv6-wins-server1: <value of string>
           ipv6-wins-server2: <value of string>
           login-attempt-limit: <value of integer>
           login-block-time: <value of integer>
           login-timeout: <value of integer>
           port: <value of integer>
           port-precedence: <value in [disable, enable]>
           reqclientcert: <value in [disable, enable]>
           route-source-interface: <value in [disable, enable]>
           servercert: <value of string>
           source-address: <value of string>
           source-address-negate: <value in [disable, enable]>
           source-address6: <value of string>
           source-address6-negate: <value in [disable, enable]>
           source-interface: <value of string>
           ssl-client-renegotiation: <value in [disable, enable]>
           ssl-insert-empty-fragment: <value in [disable, enable]>
           ssl-max-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           ssl-min-proto-ver: <value in [tls1-0, tls1-1, tls1-2, ...]>
           tlsv1-0: <value in [disable, enable]>
           tlsv1-1: <value in [disable, enable]>
           tlsv1-2: <value in [disable, enable]>
           tlsv1-3: <value in [disable, enable]>
           transform-backward-slashes: <value in [disable, enable]>
           tunnel-connect-without-reauth: <value in [disable, enable]>
           tunnel-ip-pools: <value of string>
           tunnel-ipv6-pools: <value of string>
           tunnel-user-session-timeout: <value of integer>
           unsafe-legacy-renegotiation: <value in [disable, enable]>
           url-obscuration: <value in [disable, enable]>
           user-peer: <value of string>
           wins-server1: <value of string>
           wins-server2: <value of string>
           x-content-type-options: <value in [disable, enable]>

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
request_url
string
always
The full url requested

Sample:
/sys/login/user
response_code
integer
always
The status of api request

response_message
string
always
The descriptive message of the api response

Sample:
OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)