fortinet.fortios.fortios_application_list – Configure application control lists in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

To install it use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_application_list.

New in version 2.10 of fortinet.fortios

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the application feature and list category. The example below includes all parameters; the values must be adjusted to your own datasources before use. Tested with FOS v6.0.0.

Requirements

The following requirements must be met on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter Choices/Defaults Comments
access_token
string
Token-based authentication. The token is generated from the FortiGate GUI (REST API admin); treat it as a credential and keep it out of version control (for example in Ansible Vault).
application_list
dictionary
Configure application control lists.
app_replacemsg
string
    Choices:
  • disable
  • enable
Enable/disable replacement messages for blocked applications.
comment
string
comments
control_default_network_services
string
    Choices:
  • disable
  • enable
Enable/disable enforcement of protocols over selected ports.
deep_app_inspection
string
    Choices:
  • disable
  • enable
Enable/disable deep application inspection.
default_network_services
list / elements=string
Default network service entries.
id
integer / required
Entry ID.
port
integer
Port number.
services
string
    Choices:
  • http
  • ssh
  • telnet
  • ftp
  • dns
  • smtp
  • pop3
  • imap
  • snmp
  • nntp
  • https
Network protocols.
violation_action
string
    Choices:
  • pass
  • monitor
  • block
Action for protocols not whitelisted on the selected port.
enforce_default_app_port
string
    Choices:
  • disable
  • enable
Enable/disable default application port enforcement for allowed applications.
entries
list / elements=string
Application list entries.
action
string
    Choices:
  • pass
  • block
  • reset
Pass or block traffic from this application, or reset the connection.
application
list / elements=string
ID of allowed applications.
id
integer / required
Application IDs.
behavior
string
Application behavior filter.
category
list / elements=string
Category ID list.
id
integer / required
Application category ID.
exclusion
list / elements=string
ID of excluded applications.
id
integer / required
Excluded application IDs.
id
integer / required
Entry ID.
log
string
    Choices:
  • disable
  • enable
Enable/disable logging for this application list.
log_packet
string
    Choices:
  • disable
  • enable
Enable/disable packet logging.
parameters
list / elements=string
Application parameters.
id
integer / required
Parameter ID.
members
list / elements=string
Parameter tuple members.
id
integer / required
Parameter.
name
string
Parameter name.
value
string
Parameter value.
value
string
Parameter value.
per_ip_shaper
string
Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
popularity
list / elements=string
    Choices:
  • 1
  • 2
  • 3
  • 4
  • 5
Application popularity filter (1 - 5, from least to most popular).
protocols
string
Application protocol filter.
quarantine
string
    Choices:
  • none
  • attacker
Quarantine method.
quarantine_expiry
string
Duration of quarantine. (Format
quarantine_log
string
    Choices:
  • disable
  • enable
Enable/disable quarantine logging.
rate_count
integer
Number of matches within rate_duration that triggers the rate-based action.
rate_duration
integer
Window (in seconds) over which rate_count matches are counted.
rate_mode
string
    Choices:
  • periodical
  • continuous
Rate limit mode.
rate_track
string
    Choices:
  • none
  • src-ip
  • dest-ip
  • dhcp-client-mac
  • dns-domain
Packet field used to track the rate: none, source IP, destination IP, DHCP client MAC, or DNS domain.
risk
list / elements=string
Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
level
integer / required
Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
session_ttl
integer
Session TTL (0 = default).
shaper
string
Traffic shaper. Source firewall.shaper.traffic-shaper.name.
shaper_reverse
string
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
sub_category
list / elements=string
Application Sub-category ID list.
id
integer / required
Application sub-category ID.
technology
string
Application technology filter.
vendor
string
Application vendor filter.
extended_log
string
    Choices:
  • enable
  • disable
Enable/disable extended logging.
force_inclusion_ssl_di_sigs
string
    Choices:
  • disable
  • enable
Enable/disable forced inclusion of SSL deep inspection signatures.
name
string / required
List name.
options
list / elements=string
    Choices:
  • allow-dns
  • allow-icmp
  • allow-http
  • allow-ssl
  • allow-quic
Basic application protocol signatures allowed by default.
other_application_action
string
    Choices:
  • pass
  • block
Action for other applications.
other_application_log
string
    Choices:
  • disable
  • enable
Enable/disable logging for other applications.
p2p_black_list
list / elements=string
    Choices:
  • skype
  • edonkey
  • bittorrent
P2P applications to be black listed.
p2p_block_list
list / elements=string
    Choices:
  • skype
  • edonkey
  • bittorrent
P2P applications to be blocklisted.
replacemsg_group
string
Replacement message group. Source system.replacemsg-group.name.
unknown_application_action
string
    Choices:
  • pass
  • block
Pass or block traffic from unknown applications.
unknown_application_log
string
    Choices:
  • disable
  • enable
Enable/disable logging for unknown applications.
enable_log
boolean
    Choices:
  • no (default)
  • yes
Enable/disable logging for the task.
state
string / required
    Choices:
  • present
  • absent
Indicates whether to create or remove the object.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • The legacy fortiosapi connection has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" disables TLS certificate validation, so any certificate presented on the
    # management interface is accepted; use "yes" outside of lab setups.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure application control lists.
      fortios_application_list:
        vdom: "{{ vdom }}"
        state: "present"
        # The API token is a credential; store it in Ansible Vault rather than inline.
        access_token: "<your_own_value>"
        application_list:
          app_replacemsg: "disable"
          comment: "comments"
          control_default_network_services: "disable"
          deep_app_inspection: "disable"
          default_network_services:
            - id: "8"
              port: "9"
              services: "http"
              violation_action: "pass"
          enforce_default_app_port: "disable"
          entries:
            - action: "pass"
              application:
                - id: "16"
              behavior: "<your_own_value>"
              category:
                - id: "19"
              exclusion:
                - id: "21"
              id: "22"
              log: "disable"
              log_packet: "disable"
              parameters:
                - id: "26"
                  members:
                    - id: "28"
                      name: "default_name_29"
                      value: "<your_own_value>"
                  value: "<your_own_value>"
              per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
              popularity: "1"
              protocols: "<your_own_value>"
              quarantine: "none"
              quarantine_expiry: "<your_own_value>"
              quarantine_log: "disable"
              rate_count: "38"
              rate_duration: "39"
              rate_mode: "periodical"
              rate_track: "none"
              risk:
                - level: "43"
              session_ttl: "44"
              shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
              shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
              sub_category:
                - id: "48"
              technology: "<your_own_value>"
              vendor: "<your_own_value>"
          extended_log: "enable"
          force_inclusion_ssl_di_sigs: "disable"
          name: "default_name_53"
          options: "allow-dns"
          other_application_action: "pass"
          other_application_log: "disable"
          p2p_black_list: "skype"
          p2p_block_list: "skype"
          replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
          unknown_application_action: "pass"
          unknown_application_log: "disable"
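The generated example above exercises every parameter with placeholder values. The playbook below is an added example, not part of the collection's documentation, showing how a practitioner would combine the parameters into a restrictive list: explicitly approved applications are passed and logged, selected categories and high-risk applications are blocked, unknown applications are blocked, default ports are enforced, and the result is checked through the module's return values before the list is removed again. The list name, the variable fortios_access_token (assumed to come from Ansible Vault), the ansible_network_os setting (normally supplied by the inventory), and every category, application and risk ID are assumptions; replace the IDs with values from the signature database on your own FortiGate. The quarantine_expiry value assumes the duration format accepted by your FortiOS version.

```yaml
- hosts: fortigates
  gather_facts: no
  connection: httpapi
  vars:
    vdom: "root"
    ansible_network_os: fortinet.fortios.fortios   # usually set in inventory; assumed here
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes            # keep certificate validation on
    ansible_httpapi_port: 443
    # Placeholder IDs (assumptions): look these up on your device before use.
    blocked_category_ids: [10, 11]
    approved_application_ids: [12345]
  tasks:
    - name: Create a restrictive application control list
      fortinet.fortios.fortios_application_list:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "{{ fortios_access_token }}"  # assumed to be stored in Ansible Vault
        application_list:
          name: "restricted-apps"
          comment: "Allow approved apps, block risky categories, block unknown"
          deep_app_inspection: "enable"
          enforce_default_app_port: "enable"       # approved apps may only use their default ports
          force_inclusion_ssl_di_sigs: "enable"
          extended_log: "enable"
          options:                                  # only DNS and ICMP are allowed implicitly
            - "allow-dns"
            - "allow-icmp"
          control_default_network_services: "enable"
          default_network_services:
            - id: 1
              port: 443
              services: "https"
              violation_action: "block"             # anything but HTTPS on 443 is blocked
          p2p_block_list:
            - "bittorrent"
            - "edonkey"
          entries:
            # Entry 1: approved applications pass, every session is logged.
            - id: 1
              action: "pass"
              log: "enable"
              application: "{{ approved_application_ids | map('community.general.dict_kv', 'id') | list }}"
            # Entry 2: the selected categories are blocked with a replacement message.
            - id: 2
              action: "block"
              log: "enable"
              category: "{{ blocked_category_ids | map('community.general.dict_kv', 'id') | list }}"
            # Entry 3: anything rated High or Critical risk is blocked and the
            # source is quarantined; the expiry format is an assumption.
            - id: 3
              action: "block"
              log: "enable"
              risk:
                - level: 4
                - level: 5
              quarantine: "attacker"
              quarantine_expiry: "1h"
              quarantine_log: "enable"
          other_application_action: "pass"
          other_application_log: "enable"
          unknown_application_action: "block"
          unknown_application_log: "enable"
          app_replacemsg: "enable"
      register: result

    - name: Verify the device accepted the change (return values of the module)
      ansible.builtin.assert:
        that:
          - result.status == "success"
          - result.http_status == "200"
        fail_msg: "FortiGate returned {{ result.http_status }} ({{ result.status }})"

    - name: Remove the list again (state=absent only needs the name)
      fortinet.fortios.fortios_application_list:
        vdom: "{{ vdom }}"
        state: "absent"
        access_token: "{{ fortios_access_token }}"
        application_list:
          name: "restricted-apps"
```

The two list-building expressions use the dict_kv filter from the community.general collection to turn a flat list of IDs into the `{id: ...}` dictionaries the application and category parameters expect; if that collection is not installed, write the dictionaries out by hand as in the generated example. Entries are evaluated in order of their id, so the pass entry for approved applications is placed first; filters inside one entry (category, risk, popularity and so on) narrow each other, which is why the category and risk conditions sit in separate entries.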

Return Values

Common return values are documented here; the following fields are unique to this module:

Key Returned Description
build
string
always
Build number of the FortiGate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
HTTP status code returned by the FortiGate for the last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)