fortinet.fortios.fortios_firewall_access_proxy – Configure Access Proxy in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

To install it use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_access_proxy.

New in version 2.10: of fortinet.fortios

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and access_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter Choices/Defaults Comments
access_token
string
Token-based authentication. Generated from GUI of Fortigate.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task.
firewall_access_proxy
dictionary
Configure Access Proxy.
api_gateway
list / elements=string
Set API Gateway.
http_cookie_age
integer
Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.
http_cookie_domain
string
Domain that HTTP cookie persistence should apply to.
http_cookie_domain_from_host
string
    Choices:
  • disable
  • enable
Enable/disable use of HTTP cookie domain from host field in HTTP.
http_cookie_generation
integer
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
http_cookie_path
string
Limit HTTP cookie persistence to the specified path.
http_cookie_share
string
    Choices:
  • disable
  • same-ip
Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
https_cookie_secure
string
    Choices:
  • disable
  • enable
Enable/disable verification that inserted HTTPS cookies are secure.
id
integer / required
API Gateway ID.
ldb_method
string
    Choices:
  • static
  • round-robin
  • weighted
  • least-session
  • least-rtt
  • first-alive
  • http-host
Method used to distribute sessions to real servers.
persistence
string
    Choices:
  • none
  • http-cookie
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
realservers
list / elements=string
Select the real servers that this Access Proxy will distribute traffic to.
address
string
Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name.
health_check
string
    Choices:
  • disable
  • enable
Enable to check the responsiveness of the real server before forwarding traffic.
health_check_proto
string
    Choices:
  • ping
  • http
  • tcp-connect
Protocol of the health check monitor to use when polling to determine server"s connectivity status.
http_host
string
HTTP server domain name in HTTP header.
id
integer / required
Real server ID.
ip
string
IP address of the real server.
mappedport
string
Port for communicating with the real server.
port
integer
Port for communicating with the real server.
status
string
    Choices:
  • active
  • standby
  • disable
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
weight
integer
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
saml_server
string
SAML service provider configuration for VIP authentication. Source user.saml.name.
service
string
    Choices:
  • http
  • https
  • tcp-forwarding
  • samlsp
Service.
ssl_algorithm
string
    Choices:
  • high
  • medium
  • low
  • custom
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
ssl_cipher_suites
list / elements=string
SSL/TLS cipher suites to offer to a server, ordered by priority.
cipher
string
    Choices:
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
  • TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA
  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA
  • TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
  • TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
  • TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
  • TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  • TLS-RSA-WITH-AES-128-CBC-SHA
  • TLS-RSA-WITH-AES-256-CBC-SHA
  • TLS-RSA-WITH-AES-128-CBC-SHA256
  • TLS-RSA-WITH-AES-128-GCM-SHA256
  • TLS-RSA-WITH-AES-256-CBC-SHA256
  • TLS-RSA-WITH-AES-256-GCM-SHA384
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-SEED-CBC-SHA
  • TLS-DHE-DSS-WITH-SEED-CBC-SHA
  • TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
  • TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
  • TLS-RSA-WITH-SEED-CBC-SHA
  • TLS-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
  • TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
  • TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
  • TLS-ECDHE-RSA-WITH-RC4-128-SHA
  • TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
  • TLS-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-RSA-WITH-RC4-128-MD5
  • TLS-RSA-WITH-RC4-128-SHA
  • TLS-DHE-RSA-WITH-DES-CBC-SHA
  • TLS-DHE-DSS-WITH-DES-CBC-SHA
  • TLS-RSA-WITH-DES-CBC-SHA
Cipher suite name.
priority
integer / required
SSL/TLS cipher suites priority.
versions
string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
SSL/TLS versions that the cipher suite can be used with.
ssl_dh_bits
string
    Choices:
  • 768
  • 1024
  • 1536
  • 2048
  • 3072
  • 4096
Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
ssl_max_version
string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
Highest SSL/TLS version acceptable from a server.
ssl_min_version
string
    Choices:
  • tls-1.0
  • tls-1.1
  • tls-1.2
  • tls-1.3
Lowest SSL/TLS version acceptable from a server.
url_map
string
URL pattern to match.
url_map_type
string
    Choices:
  • sub-string
  • wildcard
  • regex
Type of url-map.
virtual_host
string
Virtual host. Source firewall.access-proxy-virtual-host.name.
client_cert
string
    Choices:
  • disable
  • enable
Enable/disable to request client certificate.
empty_cert_action
string
    Choices:
  • accept
  • block
Action of an empty client certificate.
ldb_method
string
    Choices:
  • static
  • round-robin
  • weighted
  • least-session
  • least-rtt
  • first-alive
Method used to distribute sessions to SSL real servers.
name
string / required
Access Proxy name.
realservers
list / elements=string
Select the SSL real servers that this Access Proxy will distribute traffic to.
id
integer / required
Real server ID.
ip
string
IP address of the real server.
port
integer
Port for communicating with the real server.
status
string
    Choices:
  • active
  • standby
  • disable
Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
weight
integer
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
server_pubkey_auth
string
    Choices:
  • disable
  • enable
Enable/disable SSH real server public key authentication.
server_pubkey_auth_settings
dictionary
Server SSH public key authentication settings.
auth_ca
string
Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name.
cert_extension
list / elements=string
Configure certificate extension for user certificate.
critical
string
    Choices:
  • False
  • True
Critical option.
data
string
Name of certificate extension.
name
string / required
Name of certificate extension.
type
string
    Choices:
  • fixed
  • user
Type of certificate extension.
permit_agent_forwarding
string
    Choices:
  • enable
  • disable
Enable/disable appending permit-agent-forwarding certificate extension.
permit_port_forwarding
string
    Choices:
  • enable
  • disable
Enable/disable appending permit-port-forwarding certificate extension.
permit_pty
string
    Choices:
  • enable
  • disable
Enable/disable appending permit-pty certificate extension.
permit_user_rc
string
    Choices:
  • enable
  • disable
Enable/disable appending permit-user-rc certificate extension.
permit_x11_forwarding
string
    Choices:
  • enable
  • disable
Enable/disable appending permit-x11-forwarding certificate extension.
source_address
string
    Choices:
  • enable
  • disable
Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address.
vip
string
Virtual IP name. Source firewall.vip.name.
state
string / required
    Choices:
  • present
  • absent
Indicates whether to create or remove the object.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Access Proxy.
    fortios_firewall_access_proxy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_access_proxy:
        api_gateway:
         -
            http_cookie_age: "4"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "7"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "11"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                health_check: "disable"
                health_check_proto: "ping"
                http_host: "myhostname"
                id:  "19"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "22"
                status: "active"
                weight: "24"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "30"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        client_cert: "disable"
        empty_cert_action: "accept"
        ldb_method: "static"
        name: "default_name_41"
        realservers:
         -
            id:  "43"
            ip: "<your_own_value>"
            port: "45"
            status: "active"
            weight: "47"
        server_pubkey_auth: "disable"
        server_pubkey_auth_settings:
            auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
            cert_extension:
             -
                critical: "no"
                data: "<your_own_value>"
                name: "default_name_54"
                type: "fixed"
            permit_agent_forwarding: "enable"
            permit_port_forwarding: "enable"
            permit_pty: "enable"
            permit_user_rc: "enable"
            permit_x11_forwarding: "enable"
            source_address: "enable"
        vip: "<your_own_value> (source firewall.vip.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)