fortinet.fortios.fortios_system_interface – Configure interfaces in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

To install it use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_system_interface.

New in version 2.10 of fortinet.fortios

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the system feature and interface category. The examples include all parameters, and their values need to be adjusted to datasources before usage. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter Choices/Defaults Comments
access_token
string
Token-based authentication. Generated from GUI of Fortigate.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task.
state
string / required
    Choices:
  • present
  • absent
Indicates whether to create or remove the object.
system_interface
dictionary
Configure interfaces.
ac_name
string
PPPoE server name.
aggregate
string
Aggregate interface.
algorithm
string
    Choices:
  • L2
  • L3
  • L4
Frame distribution algorithm.
alias
string
Alias will be displayed with the interface name to make it easier to distinguish.
allowaccess
list / elements=string
    Choices:
  • ping
  • https
  • ssh
  • snmp
  • http
  • telnet
  • fgfm
  • radius-acct
  • probe-response
  • capwap
  • ftm
  • fabric
Permitted types of management access to this interface.
ap_discover
string
    Choices:
  • enable
  • disable
Enable/disable automatic registration of unknown FortiAP devices.
arpforward
string
    Choices:
  • enable
  • disable
Enable/disable ARP forwarding.
auth_type
string
    Choices:
  • auto
  • pap
  • chap
  • mschapv1
  • mschapv2
PPP authentication type to use.
auto_auth_extension_device
string
    Choices:
  • enable
  • disable
Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
bandwidth_measure_time
integer
Bandwidth measure time
bfd
string
    Choices:
  • global
  • enable
  • disable
Bidirectional Forwarding Detection (BFD) settings.
bfd_desired_min_tx
integer
BFD desired minimal transmit interval.
bfd_detect_mult
integer
BFD detection multiplier.
bfd_required_min_rx
integer
BFD required minimal receive interval.
broadcast_forticlient_discovery
string
    Choices:
  • enable
  • disable
Enable/disable broadcasting FortiClient discovery messages.
broadcast_forward
string
    Choices:
  • enable
  • disable
Enable/disable broadcast forwarding.
captive_portal
integer
Enable/disable captive portal.
cli_conn_status
integer
CLI connection status.
client_options
list / elements=string
DHCP client options.
code
integer
DHCP client option code.
id
integer / required
ID.
ip
string
DHCP option IPs.
type
string
    Choices:
  • hex
  • string
  • ip
  • fqdn
DHCP client option type.
value
string
DHCP client option value.
color
integer
Color of icon on the GUI.
dedicated_to
string
    Choices:
  • none
  • management
Configure interface for single purpose.
defaultgw
string
    Choices:
  • enable
  • disable
Enable to get the gateway IP from the DHCP or PPPoE server.
description
string
Description.
detected_peer_mtu
integer
MTU of detected peer (0 - 4294967295).
detectprotocol
list / elements=string
    Choices:
  • ping
  • tcp-echo
  • udp-echo
Protocols used to detect the server.
detectserver
string
Gateway's ping server for this IP.
device_access_list
string
Device access list.
device_identification
string
    Choices:
  • enable
  • disable
Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.
device_identification_active_scan
string
    Choices:
  • enable
  • disable
Enable/disable active gathering of device identity information about the devices on the network connected to this interface.
device_netscan
string
    Choices:
  • disable
  • enable
Enable/disable inclusion of devices detected on this interface in network vulnerability scans.
device_user_identification
string
    Choices:
  • enable
  • disable
Enable/disable passive gathering of user identity information about users on this interface.
devindex
integer
Device Index.
dhcp_client_identifier
string
DHCP client identifier.
dhcp_relay_agent_option
string
    Choices:
  • enable
  • disable
Enable/disable DHCP relay agent option.
dhcp_relay_interface
string
Specify outgoing interface to reach server. Source system.interface.name.
dhcp_relay_interface_select_method
string
    Choices:
  • auto
  • sdwan
  • specify
Specify how to select outgoing interface to reach server.
dhcp_relay_ip
string
DHCP relay IP address.
dhcp_relay_request_all_server
string
    Choices:
  • disable
  • enable
Enable/disable sending of DHCP requests to all servers.
dhcp_relay_service
string
    Choices:
  • disable
  • enable
Enable/disable allowing this interface to act as a DHCP relay.
dhcp_relay_type
string
    Choices:
  • regular
  • ipsec
DHCP relay type (regular or IPsec).
dhcp_renew_time
integer
DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
disc_retry_timeout
integer
Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.
disconnect_threshold
integer
Time in milliseconds to wait before sending a notification that this interface is down or disconnected.
distance
integer
Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.
dns_server_override
string
    Choices:
  • enable
  • disable
Enable/disable use DNS acquired by DHCP or PPPoE.
drop_fragment
string
    Choices:
  • enable
  • disable
Enable/disable drop fragment packets.
drop_overlapped_fragment
string
    Choices:
  • enable
  • disable
Enable/disable drop overlapped fragment packets.
egress_cos
string
    Choices:
  • disable
  • cos0
  • cos1
  • cos2
  • cos3
  • cos4
  • cos5
  • cos6
  • cos7
Override outgoing CoS in user VLAN tag.
egress_queues
dictionary
Configure queues of NP port on egress path.
cos0
string
CoS profile name for CoS 0. Source system.isf-queue-profile.name.
cos1
string
CoS profile name for CoS 1. Source system.isf-queue-profile.name.
cos2
string
CoS profile name for CoS 2. Source system.isf-queue-profile.name.
cos3
string
CoS profile name for CoS 3. Source system.isf-queue-profile.name.
cos4
string
CoS profile name for CoS 4. Source system.isf-queue-profile.name.
cos5
string
CoS profile name for CoS 5. Source system.isf-queue-profile.name.
cos6
string
CoS profile name for CoS 6. Source system.isf-queue-profile.name.
cos7
string
CoS profile name for CoS 7. Source system.isf-queue-profile.name.
egress_shaping_profile
string
Outgoing traffic shaping profile. Source firewall.shaping-profile.profile-name.
endpoint_compliance
string
    Choices:
  • enable
  • disable
Enable/disable endpoint compliance enforcement.
estimated_downstream_bandwidth
integer
Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
estimated_upstream_bandwidth
integer
Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
explicit_ftp_proxy
string
    Choices:
  • enable
  • disable
Enable/disable the explicit FTP proxy on this interface.
explicit_web_proxy
string
    Choices:
  • enable
  • disable
Enable/disable the explicit web proxy on this interface.
external
string
    Choices:
  • enable
  • disable
Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
fail_action_on_extender
string
    Choices:
  • soft-restart
  • hard-restart
  • reboot
Action on extender when interface fails.
fail_alert_interfaces
list / elements=string
Names of the FortiGate interfaces from which the link failure alert is sent for this interface.
name
string / required
Names of the physical interfaces belonging to the aggregate or redundant interface. Source system.interface.name.
fail_alert_method
string
    Choices:
  • link-failed-signal
  • link-down
Select link-failed-signal or link-down method to alert about a failed link.
fail_detect
string
    Choices:
  • enable
  • disable
Enable/disable fail detection features for this interface.
fail_detect_option
list / elements=string
    Choices:
  • detectserver
  • link-down
Options for detecting that this interface has failed.
fortiheartbeat
string
    Choices:
  • enable
  • disable
Enable/disable FortiHeartBeat (FortiTelemetry on GUI).
fortilink
string
    Choices:
  • enable
  • disable
Enable FortiLink to dedicate this interface to manage other Fortinet devices.
fortilink_backup_link
integer
FortiLink split interface backup link.
fortilink_neighbor_detect
string
    Choices:
  • lldp
  • fortilink
Protocol for FortiGate neighbor discovery.
fortilink_split_interface
string
    Choices:
  • enable
  • disable
Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy (maximum 2 interfaces in the "members" command).
fortilink_stacking
string
    Choices:
  • enable
  • disable
Enable/disable FortiLink switch-stacking on this interface.
forward_domain
integer
Transparent mode forward domain.
gi_gk
string
    Choices:
  • enable
  • disable
Enable/disable Gi Gatekeeper.
gwdetect
string
    Choices:
  • enable
  • disable
Enable/disable detect gateway alive for first.
ha_priority
integer
HA election priority for the PING server.
icmp_accept_redirect
string
    Choices:
  • enable
  • disable
Enable/disable ICMP accept redirect.
icmp_send_redirect
string
    Choices:
  • enable
  • disable
Enable/disable ICMP send redirect.
ident_accept
string
    Choices:
  • enable
  • disable
Enable/disable authentication for this interface.
idle_timeout
integer
PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.
inbandwidth
integer
Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited.
ingress_cos
string
    Choices:
  • disable
  • cos0
  • cos1
  • cos2
  • cos3
  • cos4
  • cos5
  • cos6
  • cos7
Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.
ingress_shaping_profile
string
Incoming traffic shaping profile. Source firewall.shaping-profile.profile-name.
ingress_spillover_threshold
integer
Ingress Spillover threshold (0 - 16776000 kbps).
interface
string
Interface name. Source system.interface.name.
internal
integer
Implicitly created.
ip
string
Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
ip_managed_by_fortiipam
string
    Choices:
  • enable
  • disable
Enable/disable automatic IP address assignment of this interface by FortiIPAM.
ipmac
string
    Choices:
  • enable
  • disable
Enable/disable IP/MAC binding.
ips_sniffer_mode
string
    Choices:
  • enable
  • disable
Enable/disable the use of this interface as a one-armed sniffer.
ipunnumbered
string
Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.
ipv6
dictionary
IPv6 of interface.
autoconf
string
    Choices:
  • enable
  • disable
Enable/disable address auto config.
cli_conn6_status
integer
CLI IPv6 connection status.
dhcp6_client_options
list / elements=string
    Choices:
  • rapid
  • iapd
  • iana
DHCPv6 client options.
dhcp6_information_request
string
    Choices:
  • enable
  • disable
Enable/disable DHCPv6 information request.
dhcp6_prefix_delegation
string
    Choices:
  • enable
  • disable
Enable/disable DHCPv6 prefix delegation.
dhcp6_prefix_hint
string
DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.
dhcp6_prefix_hint_plt
integer
DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.
dhcp6_prefix_hint_vlt
integer
DHCPv6 prefix hint valid life time (sec).
dhcp6_relay_ip
string
DHCPv6 relay IP address.
dhcp6_relay_service
string
    Choices:
  • disable
  • enable
Enable/disable DHCPv6 relay.
dhcp6_relay_type
string
    Choices:
  • regular
DHCPv6 relay type.
icmp6_send_redirect
string
    Choices:
  • enable
  • disable
Enable/disable sending of ICMPv6 redirects.
interface_identifier
string
IPv6 interface identifier.
ip6_address
string
Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
ip6_allowaccess
list / elements=string
    Choices:
  • ping
  • https
  • ssh
  • snmp
  • http
  • telnet
  • fgfm
  • capwap
  • fabric
Allow management access to the interface.
ip6_default_life
integer
Default life (sec).
ip6_delegated_prefix_list
list / elements=string
Advertised IPv6 delegated prefix list.
autonomous_flag
string
    Choices:
  • enable
  • disable
Enable/disable the autonomous flag.
onlink_flag
string
    Choices:
  • enable
  • disable
Enable/disable the onlink flag.
prefix_id
integer
Prefix ID.
rdnss
string
Recursive DNS server option.
rdnss_service
string
    Choices:
  • delegated
  • default
  • specify
Recursive DNS service option.
subnet
string
Add subnet ID to routing prefix.
upstream_interface
string
Name of the interface that provides delegated information. Source system.interface.name.
ip6_dns_server_override
string
    Choices:
  • enable
  • disable
Enable/disable using the DNS server acquired by DHCP.
ip6_extra_addr
list / elements=string
Extra IPv6 address prefixes of interface.
prefix
string / required
IPv6 address prefix.
ip6_hop_limit
integer
Hop limit (0 means unspecified).
ip6_link_mtu
integer
IPv6 link MTU.
ip6_manage_flag
string
    Choices:
  • enable
  • disable
Enable/disable the managed flag.
ip6_max_interval
integer
IPv6 maximum interval (4 to 1800 sec).
ip6_min_interval
integer
IPv6 minimum interval (3 to 1350 sec).
ip6_mode
string
    Choices:
  • static
  • dhcp
  • pppoe
  • delegated
Addressing mode (static, DHCP, delegated).
ip6_other_flag
string
    Choices:
  • enable
  • disable
Enable/disable the other IPv6 flag.
ip6_prefix_list
list / elements=string
Advertised prefix list.
autonomous_flag
string
    Choices:
  • enable
  • disable
Enable/disable the autonomous flag.
dnssl
list / elements=string
DNS search list option.
domain
string / required
Domain name.
onlink_flag
string
    Choices:
  • enable
  • disable
Enable/disable the onlink flag.
preferred_life_time
integer
Preferred life time (sec).
prefix
string / required
IPv6 prefix.
rdnss
string
Recursive DNS server option.
valid_life_time
integer
Valid life time (sec).
ip6_prefix_mode
string
    Choices:
  • dhcp6
  • ra
Assigning a prefix from DHCP or RA.
ip6_reachable_time
integer
IPv6 reachable time (milliseconds; 0 means unspecified).
ip6_retrans_time
integer
IPv6 retransmit time (milliseconds; 0 means unspecified).
ip6_send_adv
string
    Choices:
  • enable
  • disable
Enable/disable sending advertisements about the interface.
ip6_subnet
string
Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
ip6_upstream_interface
string
Interface name providing delegated information. Source system.interface.name.
nd_cert
string
Neighbor discovery certificate. Source certificate.local.name.
nd_cga_modifier
string
Neighbor discovery CGA modifier.
nd_mode
string
    Choices:
  • basic
  • SEND-compatible
Neighbor discovery mode.
nd_security_level
integer
Neighbor discovery security level (0 - 7; 0 = least secure).
nd_timestamp_delta
integer
Neighbor discovery timestamp delta value (1 - 3600 sec; ).
nd_timestamp_fuzz
integer
Neighbor discovery timestamp fuzz factor (1 - 60 sec; ).
ra_send_mtu
string
    Choices:
  • enable
  • disable
Enable/disable sending link MTU in RA packet.
unique_autoconf_addr
string
    Choices:
  • enable
  • disable
Enable/disable unique auto config address.
vrip6_link_local
string
Link-local IPv6 address of virtual router.
vrrp6
list / elements=string
IPv6 VRRP configuration.
accept_mode
string
    Choices:
  • enable
  • disable
Enable/disable accept mode.
adv_interval
integer
Advertisement interval (1 - 255 seconds).
preempt
string
    Choices:
  • enable
  • disable
Enable/disable preempt mode.
priority
integer
Priority of the virtual router (1 - 255).
start_time
integer
Startup time (1 - 255 seconds).
status
string
    Choices:
  • enable
  • disable
Enable/disable VRRP.
vrdst6
string
Monitor the route to this destination.
vrgrp
integer
VRRP group ID (1 - 65535).
vrid
integer / required
Virtual router identifier (1 - 255).
vrip6
string
IPv6 address of the virtual router.
vrrp_virtual_mac6
string
    Choices:
  • enable
  • disable
Enable/disable virtual MAC for VRRP.
l2forward
string
    Choices:
  • enable
  • disable
Enable/disable l2 forwarding.
lacp_ha_slave
string
    Choices:
  • enable
  • disable
LACP HA slave.
lacp_mode
string
    Choices:
  • static
  • passive
  • active
LACP mode.
lacp_speed
string
    Choices:
  • slow
  • fast
How often the interface sends LACP messages.
lcp_echo_interval
integer
Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.
lcp_max_echo_fails
integer
Maximum missed LCP echo messages before disconnect.
link_up_delay
integer
Number of milliseconds to wait before considering a link is up.
lldp_network_policy
string
LLDP-MED network policy profile. Source system.lldp.network-policy.name.
lldp_reception
string
    Choices:
  • enable
  • disable
  • vdom
Enable/disable Link Layer Discovery Protocol (LLDP) reception.
lldp_transmission
string
    Choices:
  • enable
  • disable
  • vdom
Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
macaddr
string
Change the interface's MAC address.
managed_device
list / elements=string
Available when FortiLink is enabled, used for managed devices through FortiLink interface.
name
string / required
Managed dev identifier.
managed_subnetwork_size
string
    Choices:
  • 256
  • 512
  • 1024
  • 2048
  • 4096
  • 8192
  • 16384
  • 32768
  • 65536
Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.
management_ip
string
High Availability in-band management IP address of this interface.
measured_downstream_bandwidth
integer
Measured downstream bandwidth (kbps).
measured_upstream_bandwidth
integer
Measured upstream bandwidth (kbps).
mediatype
string
    Choices:
  • cfp2-sr10
  • cfp2-lr4
Select SFP media interface type
member
list / elements=string
Physical interfaces that belong to the aggregate or redundant interface.
interface_name
string
Physical interface name. Source system.interface.name.
min_links
integer
Minimum number of aggregated ports that must be up.
min_links_down
string
    Choices:
  • operational
  • administrative
Action to take when less than the configured minimum number of links are active.
mode
string
    Choices:
  • static
  • dhcp
  • pppoe
Addressing mode (static, DHCP, PPPoE).
monitor_bandwidth
string
    Choices:
  • enable
  • disable
Enable monitoring bandwidth on this interface.
mtu
integer
MTU value for this interface.
mtu_override
string
    Choices:
  • enable
  • disable
Enable to set a custom MTU for this interface.
name
string / required
Name.
ndiscforward
string
    Choices:
  • enable
  • disable
Enable/disable NDISC forwarding.
netbios_forward
string
    Choices:
  • disable
  • enable
Enable/disable NETBIOS forwarding.
netflow_sampler
string
    Choices:
  • disable
  • tx
  • rx
  • both
Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
outbandwidth
integer
Bandwidth limit for outgoing traffic (0 - 16776000 kbps).
padt_retry_timeout
integer
PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.
password
string
PPPoE account's password.
ping_serv_status
integer
PING server status.
polling_interval
integer
sFlow polling interval (1 - 255 sec).
pppoe_unnumbered_negotiate
string
    Choices:
  • enable
  • disable
Enable/disable PPPoE unnumbered negotiation.
pptp_auth_type
string
    Choices:
  • auto
  • pap
  • chap
  • mschapv1
  • mschapv2
PPTP authentication type.
pptp_client
string
    Choices:
  • enable
  • disable
Enable/disable PPTP client.
pptp_password
string
PPTP password.
pptp_server_ip
string
PPTP server IP address.
pptp_timeout
integer
Idle timer in minutes (0 for disabled).
pptp_user
string
PPTP user name.
preserve_session_route
string
    Choices:
  • enable
  • disable
Enable/disable preservation of session route when dirty.
priority
integer
Priority of learned routes.
priority_override
string
    Choices:
  • enable
  • disable
Enable/disable fail back to higher priority port once recovered.
proxy_captive_portal
string
    Choices:
  • enable
  • disable
Enable/disable proxy captive portal on this interface.
redundant_interface
string
Redundant interface.
remote_ip
string
Remote IP address of tunnel.
replacemsg_override_group
string
Replacement message override group.
ring_rx
integer
RX ring size.
ring_tx
integer
TX ring size.
role
string
    Choices:
  • lan
  • wan
  • dmz
  • undefined
Interface role.
sample_direction
string
    Choices:
  • tx
  • rx
  • both
Data that NetFlow collects (rx, tx, or both).
sample_rate
integer
sFlow sample rate (10 - 99999).
scan_botnet_connections
string
    Choices:
  • disable
  • block
  • monitor
Enable monitoring or blocking connections to Botnet servers through this interface.
secondary_IP
string
    Choices:
  • enable
  • disable
Enable/disable adding a secondary IP to this interface.
secondaryip
list / elements=string
Second IP address of interface.
allowaccess
list / elements=string
    Choices:
  • ping
  • https
  • ssh
  • snmp
  • http
  • telnet
  • fgfm
  • radius-acct
  • probe-response
  • capwap
  • ftm
  • fabric
Management access settings for the secondary IP address.
detectprotocol
list / elements=string
    Choices:
  • ping
  • tcp-echo
  • udp-echo
Protocols used to detect the server.
detectserver
string
Gateway's ping server for this IP.
gwdetect
string
    Choices:
  • enable
  • disable
Enable/disable detect gateway alive for first.
ha_priority
integer
HA election priority for the PING server.
id
integer / required
ID.
ip
string
Secondary IP address of the interface.
ping_serv_status
integer
PING server status.
security_exempt_list
string
Name of security-exempt-list.
security_external_logout
string
URL of external authentication logout server.
security_external_web
string
URL of external authentication web server.
security_groups
list / elements=string
User groups that can authenticate with the captive portal.
name
string / required
Names of user groups that can authenticate with the captive portal. Source user.group.name.
security_mac_auth_bypass
string
    Choices:
  • enable
  • disable
  • mac-auth-only
Enable/disable MAC authentication bypass.
security_mode
string
    Choices:
  • none
  • captive-portal
  • 802.1X
Turn on captive portal authentication for this interface.
security_redirect_url
string
URL redirection after disclaimer/authentication.
service_name
string
PPPoE service name.
sflow_sampler
string
    Choices:
  • enable
  • disable
Enable/disable sFlow on this interface.
snmp_index
integer
Permanent SNMP Index of the interface.
speed
string
    Choices:
  • auto
  • 10full
  • 10half
  • 100full
  • 100half
  • 1000full
  • 1000half
  • 1000auto
  • 10000full
  • 10000auto
  • 40000full
  • 100Gfull
Interface speed. The default setting and the options available depend on the interface hardware.
spillover_threshold
integer
Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.
src_check
string
    Choices:
  • enable
  • disable
Enable/disable source IP check.
status
string
    Choices:
  • up
  • down
Bring the interface up or shut the interface down.
stp
string
    Choices:
  • disable
  • enable
Enable/disable STP.
stp_ha_secondary
string
    Choices:
  • disable
  • enable
  • priority-adjust
Control STP behaviour on HA secondary.
stp_ha_slave
string
    Choices:
  • disable
  • enable
  • priority-adjust
Control STP behaviour on HA slave.
stpforward
string
    Choices:
  • enable
  • disable
Enable/disable STP forwarding.
stpforward_mode
string
    Choices:
  • rpl-all-ext-id
  • rpl-bridge-ext-id
  • rpl-nothing
Configure STP forwarding mode.
subst
string
    Choices:
  • enable
  • disable
Enable to always send packets from this interface to a destination MAC address.
substitute_dst_mac
string
Destination MAC address that all packets are sent to from this interface.
swc_first_create
integer
Initial create for switch-controller VLANs.
swc_vlan
integer
Creation status for switch-controller VLANs.
switch
string
Contained in switch.
switch_controller_access_vlan
string
    Choices:
  • enable
  • disable
Block FortiSwitch port-to-port traffic.
switch_controller_arp_inspection
string
    Choices:
  • enable
  • disable
Enable/disable FortiSwitch ARP inspection.
switch_controller_dhcp_snooping
string
    Choices:
  • enable
  • disable
Switch controller DHCP snooping.
switch_controller_dhcp_snooping_option82
string
    Choices:
  • enable
  • disable
Switch controller DHCP snooping option82.
switch_controller_dhcp_snooping_verify_mac
string
    Choices:
  • enable
  • disable
Switch controller DHCP snooping verify MAC.
switch_controller_dynamic
string
Integrated FortiLink settings for managed FortiSwitch. Source switch-controller.fortilink-settings.name.
switch_controller_feature
string
    Choices:
  • none
  • default-vlan
  • quarantine
  • rspan
  • voice
  • video
  • nac
Interface's purpose when assigning traffic (read only).
switch_controller_igmp_snooping
string
    Choices:
  • enable
  • disable
Switch controller IGMP snooping.
switch_controller_igmp_snooping_fast_leave
string
    Choices:
  • enable
  • disable
Switch controller IGMP snooping fast-leave.
switch_controller_igmp_snooping_proxy
string
    Choices:
  • enable
  • disable
Switch controller IGMP snooping proxy.
switch_controller_iot_scanning
string
    Choices:
  • enable
  • disable
Enable/disable managed FortiSwitch IoT scanning.
switch_controller_learning_limit
integer
Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default).
switch_controller_mgmt_vlan
integer
VLAN to use for FortiLink management purposes.
switch_controller_nac
string
Integrated NAC settings for managed FortiSwitch. Source switch-controller.nac-settings.name.
switch_controller_rspan_mode
string
    Choices:
  • disable
  • enable
Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.
switch_controller_source_ip
string
    Choices:
  • outbound
  • fixed
Source IP address used in FortiLink over L3 connections.
switch_controller_traffic_policy
string
Switch controller traffic policy for the VLAN. Source switch-controller.traffic-policy.name.
tagging
list / elements=string
Config object tagging.
category
string
Tag category. Source system.object-tagging.category.
name
string / required
Tagging entry name.
tags
list / elements=string
Tags.
name
string / required
Tag name. Source system.object-tagging.tags.name.
tcp_mss
integer
TCP maximum segment size. 0 means do not change segment size.
trust_ip6_1
string
Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
trust_ip6_2
string
Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
trust_ip6_3
string
Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
trust_ip_1
string
Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
trust_ip_2
string
Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
trust_ip_3
string
Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
type
string
    Choices:
  • physical
  • vlan
  • aggregate
  • redundant
  • tunnel
  • vdom-link
  • loopback
  • switch
  • hard-switch
  • vap-switch
  • wl-mesh
  • fext-wan
  • vxlan
  • hdlc
  • switch-vlan
  • emac-vlan
  • geneve
  • ssl
Interface type.
username
string
Username of the PPPoE account, provided by your ISP.
vdom
string
Interface is in this virtual domain (VDOM). Source system.vdom.name.
vindex
integer
Switch control interface VLAN ID.
vlan_protocol
string
    Choices:
  • 8021q
  • 8021ad
Ethernet protocol of VLAN.
vlanforward
string
    Choices:
  • enable
  • disable
Enable/disable traffic forwarding between VLANs on this interface.
vlanid
integer
VLAN ID (1 - 4094).
vrf
integer
Virtual Routing Forwarding ID.
vrrp
list / elements=string
VRRP configuration.
accept_mode
string
    Choices:
  • enable
  • disable
Enable/disable accept mode.
adv_interval
integer
Advertisement interval (1 - 255 seconds).
ignore_default_route
string
    Choices:
  • enable
  • disable
Enable/disable ignoring of default route when checking destination.
preempt
string
    Choices:
  • enable
  • disable
Enable/disable preempt mode.
priority
integer
Priority of the virtual router (1 - 255).
proxy_arp
list / elements=string
VRRP Proxy ARP configuration.
id
integer / required
ID.
ip
string
Set IP addresses of proxy ARP.
start_time
integer
Startup time (1 - 255 seconds).
status
string
    Choices:
  • enable
  • disable
Enable/disable this VRRP configuration.
version
string
    Choices:
  • 2
  • 3
VRRP version.
vrdst
string
Monitor the route to this destination.
vrdst_priority
integer
Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254).
vrgrp
integer
VRRP group ID (1 - 65535).
vrid
integer / required
Virtual router identifier (1 - 255).
vrip
string
IP address of the virtual router.
vrrp_virtual_mac
string
    Choices:
  • enable
  • disable
Enable/disable use of virtual MAC for VRRP.
wccp
string
    Choices:
  • enable
  • disable
Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
weight
integer
Default weight for static routes (if route has no weight configured).
wins_ip
string
WINS server IP.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
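
An added example, not part of the module's own documentation: a playbook over httpapi that checks each interface definition against the allowaccess choices listed above before applying it, so cleartext management (http, telnet) is never pushed and WAN-role interfaces expose no administrative service. The interface names, addresses, the `interfaces`, `cleartext_access` and `admin_access` variables and the vaulted `vault_fortigate_token` variable are assumptions; the inventory is assumed to be set up as for the module's standard example.

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # verify the device certificate
    ansible_httpapi_port: 443

    # Hypothetical policy variables built from the allowaccess choices.
    cleartext_access: ["http", "telnet"]
    admin_access: ["https", "ssh", "snmp", "http", "telnet"]

    # Constructed sample interface definitions (documentation addresses).
    interfaces:
      - name: "wan1"
        role: "wan"
        ip: "192.0.2.10/24"
        allowaccess: ["ping"]
      - name: "mgmt"
        role: "lan"
        ip: "198.51.100.1/24"
        allowaccess: ["ping", "https", "ssh"]

  tasks:
    # Fail before touching the device if a definition violates the policy.
    - name: Validate management access per interface
      ansible.builtin.assert:
        that:
          # No cleartext management protocol on any interface.
          - item.allowaccess | intersect(cleartext_access) | length == 0
          # No administrative service at all on WAN-role interfaces.
          - item.role != 'wan' or
            (item.allowaccess | intersect(admin_access) | length == 0)
        fail_msg: "{{ item.name }}: allowaccess {{ item.allowaccess }} violates policy"
      loop: "{{ interfaces }}"

    - name: Configure interfaces.
      fortios_system_interface:
        vdom: "{{ vdom }}"
        state: "present"
        # Token comes from an Ansible Vault variable, not from the playbook.
        access_token: "{{ vault_fortigate_token }}"
        system_interface:
          name: "{{ item.name }}"
          vdom: "{{ vdom }}"
          type: "physical"
          role: "{{ item.role }}"
          mode: "static"
          ip: "{{ item.ip }}"
          allowaccess: "{{ item.allowaccess }}"
          icmp_accept_redirect: "disable"
          icmp_send_redirect: "disable"
          drop_overlapped_fragment: "enable"
          src_check: "enable"
      loop: "{{ interfaces }}"
      no_log: true   # keep the access token out of task output and logs
```
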

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure interfaces.
    fortios_system_interface:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      system_interface:
        ac_name: "<your_own_value>"
        aggregate: "<your_own_value>"
        algorithm: "L2"
        alias: "<your_own_value>"
        allowaccess: "ping"
        ap_discover: "enable"
        arpforward: "enable"
        auth_type: "auto"
        auto_auth_extension_device: "enable"
        bandwidth_measure_time: "12"
        bfd: "global"
        bfd_desired_min_tx: "14"
        bfd_detect_mult: "15"
        bfd_required_min_rx: "16"
        broadcast_forticlient_discovery: "enable"
        broadcast_forward: "enable"
        captive_portal: "19"
        cli_conn_status: "20"
        client_options:
         -
            code: "22"
            id:  "23"
            ip: "<your_own_value>"
            type: "hex"
            value: "<your_own_value>"
        color: "27"
        dedicated_to: "none"
        defaultgw: "enable"
        description: "<your_own_value>"
        detected_peer_mtu: "31"
        detectprotocol: "ping"
        detectserver: "<your_own_value>"
        device_access_list: "<your_own_value>"
        device_identification: "enable"
        device_identification_active_scan: "enable"
        device_netscan: "disable"
        device_user_identification: "enable"
        devindex: "39"
        dhcp_client_identifier:  "myId_40"
        dhcp_relay_agent_option: "enable"
        dhcp_relay_interface: "<your_own_value> (source system.interface.name)"
        dhcp_relay_interface_select_method: "auto"
        dhcp_relay_ip: "<your_own_value>"
        dhcp_relay_request_all_server: "disable"
        dhcp_relay_service: "disable"
        dhcp_relay_type: "regular"
        dhcp_renew_time: "48"
        disc_retry_timeout: "49"
        disconnect_threshold: "50"
        distance: "51"
        dns_server_override: "enable"
        drop_fragment: "enable"
        drop_overlapped_fragment: "enable"
        egress_cos: "disable"
        egress_queues:
            cos0: "<your_own_value> (source system.isf-queue-profile.name)"
            cos1: "<your_own_value> (source system.isf-queue-profile.name)"
            cos2: "<your_own_value> (source system.isf-queue-profile.name)"
            cos3: "<your_own_value> (source system.isf-queue-profile.name)"
            cos4: "<your_own_value> (source system.isf-queue-profile.name)"
            cos5: "<your_own_value> (source system.isf-queue-profile.name)"
            cos6: "<your_own_value> (source system.isf-queue-profile.name)"
            cos7: "<your_own_value> (source system.isf-queue-profile.name)"
        egress_shaping_profile: "<your_own_value> (source firewall.shaping-profile.profile-name)"
        endpoint_compliance: "enable"
        estimated_downstream_bandwidth: "67"
        estimated_upstream_bandwidth: "68"
        explicit_ftp_proxy: "enable"
        explicit_web_proxy: "enable"
        external: "enable"
        fail_action_on_extender: "soft-restart"
        fail_alert_interfaces:
         -
            name: "default_name_74 (source system.interface.name)"
        fail_alert_method: "link-failed-signal"
        fail_detect: "enable"
        fail_detect_option: "detectserver"
        fortiheartbeat: "enable"
        fortilink: "enable"
        fortilink_backup_link: "80"
        fortilink_neighbor_detect: "lldp"
        fortilink_split_interface: "enable"
        fortilink_stacking: "enable"
        forward_domain: "84"
        gi_gk: "enable"
        gwdetect: "enable"
        ha_priority: "87"
        icmp_accept_redirect: "enable"
        icmp_send_redirect: "enable"
        ident_accept: "enable"
        idle_timeout: "91"
        inbandwidth: "92"
        ingress_cos: "disable"
        ingress_shaping_profile: "<your_own_value> (source firewall.shaping-profile.profile-name)"
        ingress_spillover_threshold: "95"
        interface: "<your_own_value> (source system.interface.name)"
        internal: "97"
        ip: "<your_own_value>"
        ip_managed_by_fortiipam: "enable"
        ipmac: "enable"
        ips_sniffer_mode: "enable"
        ipunnumbered: "<your_own_value>"
        ipv6:
            autoconf: "enable"
            cli_conn6_status: "105"
            dhcp6_client_options: "rapid"
            dhcp6_information_request: "enable"
            dhcp6_prefix_delegation: "enable"
            dhcp6_prefix_hint: "<your_own_value>"
            dhcp6_prefix_hint_plt: "110"
            dhcp6_prefix_hint_vlt: "111"
            dhcp6_relay_ip: "<your_own_value>"
            dhcp6_relay_service: "disable"
            dhcp6_relay_type: "regular"
            icmp6_send_redirect: "enable"
            interface_identifier: "<your_own_value>"
            ip6_address: "<your_own_value>"
            ip6_allowaccess: "ping"
            ip6_default_life: "119"
            ip6_delegated_prefix_list:
             -
                autonomous_flag: "enable"
                onlink_flag: "enable"
                prefix_id: "123"
                rdnss: "<your_own_value>"
                rdnss_service: "delegated"
                subnet: "<your_own_value>"
                upstream_interface: "<your_own_value> (source system.interface.name)"
            ip6_dns_server_override: "enable"
            ip6_extra_addr:
             -
                prefix: "<your_own_value>"
            ip6_hop_limit: "131"
            ip6_link_mtu: "132"
            ip6_manage_flag: "enable"
            ip6_max_interval: "134"
            ip6_min_interval: "135"
            ip6_mode: "static"
            ip6_other_flag: "enable"
            ip6_prefix_list:
             -
                autonomous_flag: "enable"
                dnssl:
                 -
                    domain: "<your_own_value>"
                onlink_flag: "enable"
                preferred_life_time: "143"
                prefix: "<your_own_value>"
                rdnss: "<your_own_value>"
                valid_life_time: "146"
            ip6_prefix_mode: "dhcp6"
            ip6_reachable_time: "148"
            ip6_retrans_time: "149"
            ip6_send_adv: "enable"
            ip6_subnet: "<your_own_value>"
            ip6_upstream_interface: "<your_own_value> (source system.interface.name)"
            nd_cert: "<your_own_value> (source certificate.local.name)"
            nd_cga_modifier: "<your_own_value>"
            nd_mode: "basic"
            nd_security_level: "156"
            nd_timestamp_delta: "157"
            nd_timestamp_fuzz: "158"
            ra_send_mtu: "enable"
            unique_autoconf_addr: "enable"
            vrip6_link_local: "<your_own_value>"
            vrrp_virtual_mac6: "enable"
            vrrp6:
             -
                accept_mode: "enable"
                adv_interval: "165"
                preempt: "enable"
                priority: "167"
                start_time: "168"
                status: "enable"
                vrdst6: "<your_own_value>"
                vrgrp: "171"
                vrid: "172"
                vrip6: "<your_own_value>"
        l2forward: "enable"
        lacp_ha_slave: "enable"
        lacp_mode: "static"
        lacp_speed: "slow"
        lcp_echo_interval: "178"
        lcp_max_echo_fails: "179"
        link_up_delay: "180"
        lldp_network_policy: "<your_own_value> (source system.lldp.network-policy.name)"
        lldp_reception: "enable"
        lldp_transmission: "enable"
        macaddr: "<your_own_value>"
        managed_device:
         -
            name: "default_name_186"
        managed_subnetwork_size: "256"
        management_ip: "<your_own_value>"
        measured_downstream_bandwidth: "189"
        measured_upstream_bandwidth: "190"
        mediatype: "cfp2-sr10"
        member:
         -
            interface_name: "<your_own_value> (source system.interface.name)"
        min_links: "194"
        min_links_down: "operational"
        mode: "static"
        monitor_bandwidth: "enable"
        mtu: "198"
        mtu_override: "enable"
        name: "default_name_200"
        ndiscforward: "enable"
        netbios_forward: "disable"
        netflow_sampler: "disable"
        outbandwidth: "204"
        padt_retry_timeout: "205"
        password: "<your_own_value>"
        ping_serv_status: "207"
        polling_interval: "208"
        pppoe_unnumbered_negotiate: "enable"
        pptp_auth_type: "auto"
        pptp_client: "enable"
        pptp_password: "<your_own_value>"
        pptp_server_ip: "<your_own_value>"
        pptp_timeout: "214"
        pptp_user: "<your_own_value>"
        preserve_session_route: "enable"
        priority: "217"
        priority_override: "enable"
        proxy_captive_portal: "enable"
        redundant_interface: "<your_own_value>"
        remote_ip: "<your_own_value>"
        replacemsg_override_group: "<your_own_value>"
        ring_rx: "223"
        ring_tx: "224"
        role: "lan"
        sample_direction: "tx"
        sample_rate: "227"
        scan_botnet_connections: "disable"
        secondary_IP: "enable"
        secondaryip:
         -
            allowaccess: "ping"
            detectprotocol: "ping"
            detectserver: "<your_own_value>"
            gwdetect: "enable"
            ha_priority: "235"
            id:  "236"
            ip: "<your_own_value>"
            ping_serv_status: "238"
        security_exempt_list: "<your_own_value>"
        security_external_logout: "<your_own_value>"
        security_external_web: "<your_own_value>"
        security_groups:
         -
            name: "default_name_243 (source user.group.name)"
        security_mac_auth_bypass: "enable"
        security_mode: "none"
        security_redirect_url: "<your_own_value>"
        service_name: "<your_own_value>"
        sflow_sampler: "enable"
        snmp_index: "249"
        speed: "auto"
        spillover_threshold: "251"
        src_check: "enable"
        status: "up"
        stp: "disable"
        stp_ha_secondary: "disable"
        stp_ha_slave: "disable"
        stpforward: "enable"
        stpforward_mode: "rpl-all-ext-id"
        subst: "enable"
        substitute_dst_mac: "<your_own_value>"
        swc_first_create: "261"
        swc_vlan: "262"
        switch: "<your_own_value>"
        switch_controller_access_vlan: "enable"
        switch_controller_arp_inspection: "enable"
        switch_controller_dhcp_snooping: "enable"
        switch_controller_dhcp_snooping_option82: "enable"
        switch_controller_dhcp_snooping_verify_mac: "enable"
        switch_controller_dynamic: "<your_own_value> (source switch-controller.fortilink-settings.name)"
        switch_controller_feature: "none"
        switch_controller_igmp_snooping: "enable"
        switch_controller_igmp_snooping_fast_leave: "enable"
        switch_controller_igmp_snooping_proxy: "enable"
        switch_controller_iot_scanning: "enable"
        switch_controller_learning_limit: "275"
        switch_controller_mgmt_vlan: "276"
        switch_controller_nac: "<your_own_value> (source switch-controller.nac-settings.name)"
        switch_controller_rspan_mode: "disable"
        switch_controller_source_ip: "outbound"
        switch_controller_traffic_policy: "<your_own_value> (source switch-controller.traffic-policy.name)"
        tagging:
         -
            category: "<your_own_value> (source system.object-tagging.category)"
            name: "default_name_283"
            tags:
             -
                name: "default_name_285 (source system.object-tagging.tags.name)"
        tcp_mss: "286"
        trust_ip_1: "<your_own_value>"
        trust_ip_2: "<your_own_value>"
        trust_ip_3: "<your_own_value>"
        trust_ip6_1: "<your_own_value>"
        trust_ip6_2: "<your_own_value>"
        trust_ip6_3: "<your_own_value>"
        type: "physical"
        username: "<your_own_value>"
        vdom: "<your_own_value> (source system.vdom.name)"
        vindex: "296"
        vlan_protocol: "8021q"
        vlanforward: "enable"
        vlanid: "299"
        vrf: "300"
        vrrp:
         -
            accept_mode: "enable"
            adv_interval: "303"
            ignore_default_route: "enable"
            preempt: "enable"
            priority: "306"
            proxy_arp:
             -
                id:  "308"
                ip: "<your_own_value>"
            start_time: "310"
            status: "enable"
            version: "2"
            vrdst: "<your_own_value>"
            vrdst_priority: "314"
            vrgrp: "315"
            vrid: "316"
            vrip: "<your_own_value>"
        vrrp_virtual_mac: "enable"
        wccp: "enable"
        weight: "320"
        wins_ip: "<your_own_value>"
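
The generated playbook above sets every parameter with placeholder values. The following is an added example, not part of the module documentation, that changes only the management-access fields of one interface, verifies the device certificate, and reads the token from a variable. The interface name `mgmt`, the alias and description, and the variable `vault_fortigate_api_token` are assumed placeholders.

```yaml
# Added example: limit management access on one interface.
# "mgmt", the alias/description text and vault_fortigate_api_token are
# constructed placeholders; adjust them to the target device.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Verify the FortiGate's TLS certificate so the token is only sent
    # to the intended device.
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
  tasks:
    - name: Allow only HTTPS and SSH management access on the mgmt interface
      fortios_system_interface:
        vdom: "{{ vdom }}"
        state: "present"
        # Keep the token out of the playbook, e.g. in an Ansible Vault file.
        access_token: "{{ vault_fortigate_api_token }}"
        system_interface:
          name: "mgmt"
          vdom: "{{ vdom }}"
          alias: "oob-mgmt"
          description: "Out-of-band management, HTTPS and SSH only"
          status: "up"
          # allowaccess is a list; the cleartext choices (http, telnet)
          # are deliberately left out.
          allowaccess:
            - https
            - ssh
      register: mgmt_iface

    - name: Stop the play if the device did not report success
      assert:
        that:
          - mgmt_iface.meta.status == "success"
        fail_msg: "FortiGate did not report success for the interface change"
```

The final task assumes the module's result exposes the device response under `meta`, which is how the fortinet.fortios modules return it; check the registered variable with a `debug` task if your collection version differs.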

Return Values

Common return values are documented here; the following fields are unique to this module:

| Key | Type | Returned | Description | Sample |
| --- | --- | --- | --- | --- |
| build | string | always | Build number of the fortigate image | 1547 |
| http_method | string | always | Last method used to provision the content into FortiGate | PUT |
| http_status | string | always | Last result given by FortiGate on last operation applied | 200 |
| mkey | string | success | Master key (id) used in the last call to FortiGate | id |
| name | string | always | Name of the table used to fulfill the request | urlfilter |
| path | string | always | Path of the table used to fulfill the request | webfilter |
| revision | string | always | Internal revision number | 17.0.2.10658 |
| serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352 |
| status | string | always | Indication of the operation's result | success |
| vdom | string | always | Virtual domain used | root |
| version | string | always | Version of the FortiGate | v5.6.3 |


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)