fortinet.fortios.fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

To install it use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings.

New in version 2.10: of fortinet.fortios

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

Parameter Choices/Defaults Comments
access_token
string
Token-based authentication. Generated from GUI of Fortigate.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task.
vdom
string
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
vpn_ssl_settings
dictionary
Configure SSL VPN.
algorithm
string
    Choices:
  • high
  • medium
  • default
  • low
Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
auth_session_check_source_ip
string
    Choices:
  • enable
  • disable
Enable/disable checking of source IP for authentication session.
auth_timeout
integer
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication_rule
list / elements=string
Authentication rule for SSL VPN.
auth
string
    Choices:
  • any
  • local
  • radius
  • tacacs+
  • ldap
SSL VPN authentication method restriction.
cipher
string
    Choices:
  • any
  • high
  • medium
SSL VPN cipher strength.
client_cert
string
    Choices:
  • enable
  • disable
Enable/disable SSL VPN client certificate restrictive.
groups
list / elements=string
User groups.
name
string / required
Group name. Source user.group.name.
id
integer / required
ID (0 - 4294967295).
portal
string
SSL VPN portal. Source vpn.ssl.web.portal.name.
realm
string
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
source_address
list / elements=string
Source address of incoming traffic.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source_address6
list / elements=string
IPv6 source address of incoming traffic.
name
string / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source_address6_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source_address_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source_interface
list / elements=string
SSL VPN source interface of incoming traffic.
name
string / required
Interface name. Source system.interface.name system.zone.name.
user_peer
string
Name of user peer. Source user.peer.name.
users
list / elements=string
User name.
name
string / required
User name. Source user.local.name.
auto_tunnel_static_route
string
    Choices:
  • enable
  • disable
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
banned_cipher
list / elements=string
    Choices:
  • RSA
  • DH
  • DHE
  • ECDH
  • ECDHE
  • DSS
  • ECDSA
  • AES
  • AESGCM
  • CAMELLIA
  • 3DES
  • SHA1
  • SHA256
  • SHA384
  • STATIC
  • CHACHA20
  • ARIA
  • AESCCM
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
check_referer
string
    Choices:
  • enable
  • disable
Enable/disable verification of referer field in HTTP request header.
ciphersuite
list / elements=string
    Choices:
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
  • TLS-AES-128-CCM-SHA256
  • TLS-AES-128-CCM-8-SHA256
Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below.
client_sigalgs
string
    Choices:
  • no-rsa-pss
  • all
Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.
default_portal
string
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
deflate_compression_level
integer
Compression level (0~9).
deflate_min_data_size
integer
Minimum amount of data that triggers compression (200 - 65535 bytes).
dns_server1
string
DNS server 1.
dns_server2
string
DNS server 2.
dns_suffix
string
DNS suffix used for SSL-VPN clients.
dtls_hello_timeout
integer
SSLVPN maximum DTLS hello timeout (10 - 60 sec).
dtls_max_proto_ver
string
    Choices:
  • dtls1-0
  • dtls1-2
DTLS maximum protocol version.
dtls_min_proto_ver
string
    Choices:
  • dtls1-0
  • dtls1-2
DTLS minimum protocol version.
dtls_tunnel
string
    Choices:
  • enable
  • disable
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
dual_stack_mode
string
    Choices:
  • enable
  • disable
Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal.
encode_2f_sequence
string
    Choices:
  • enable
  • disable
Encode 2F sequence to forward slash in URLs.
encrypt_and_store_password
string
    Choices:
  • enable
  • disable
Encrypt and store user passwords for SSL VPN web sessions.
force_two_factor_auth
string
    Choices:
  • enable
  • disable
Enable to force two-factor authentication for all SSL-VPNs.
header_x_forwarded_for
string
    Choices:
  • pass
  • add
  • remove
Forward the same, add, or remove HTTP header.
hsts_include_subdomains
string
    Choices:
  • enable
  • disable
Add HSTS includeSubDomains response header.
http_compression
string
    Choices:
  • enable
  • disable
Enable to allow HTTP compression over SSL-VPN tunnels.
http_only_cookie
string
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN support for HttpOnly cookies.
http_request_body_timeout
integer
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
http_request_header_timeout
integer
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
https_redirect
string
    Choices:
  • enable
  • disable
Enable/disable redirect of port 80 to SSL-VPN port.
idle_timeout
integer
SSL VPN disconnects if idle for specified time in seconds.
ipv6_dns_server1
string
IPv6 DNS server 1.
ipv6_dns_server2
string
IPv6 DNS server 2.
ipv6_wins_server1
string
IPv6 WINS server 1.
ipv6_wins_server2
string
IPv6 WINS server 2.
login_attempt_limit
integer
SSL VPN maximum login attempt times before block (0 - 10).
login_block_time
integer
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
login_timeout
integer
SSLVPN maximum login timeout (10 - 180 sec).
port
integer
SSL-VPN access port (1 - 65535).
port_precedence
string
    Choices:
  • enable
  • disable
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
reqclientcert
string
    Choices:
  • enable
  • disable
Enable to require client certificates for all SSL-VPN users.
route_source_interface
string
    Choices:
  • enable
  • disable
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
servercert
string
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
source_address
list / elements=string
Source address of incoming traffic.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
source_address6
list / elements=string
IPv6 source address of incoming traffic.
name
string / required
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
source_address6_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source IPv6 address match.
source_address_negate
string
    Choices:
  • enable
  • disable
Enable/disable negated source address match.
source_interface
list / elements=string
SSL VPN source interface of incoming traffic.
name
string / required
Interface name. Source system.interface.name system.zone.name.
ssl_client_renegotiation
string
    Choices:
  • disable
  • enable
Enable to allow client renegotiation by the server if the tunnel goes down.
ssl_insert_empty_fragment
string
    Choices:
  • enable
  • disable
Enable/disable insertion of empty fragment.
ssl_max_proto_ver
string
    Choices:
  • tls1-0
  • tls1-1
  • tls1-2
  • tls1-3
SSL maximum protocol version.
ssl_min_proto_ver
string
    Choices:
  • tls1-0
  • tls1-1
  • tls1-2
  • tls1-3
SSL minimum protocol version.
tlsv1_0
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.0.
tlsv1_1
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.1.
tlsv1_2
string
    Choices:
  • enable
  • disable
Enable/disable TLSv1.2.
tlsv1_3
string
    Choices:
  • enable
  • disable
tlsv1-3
transform_backward_slashes
string
    Choices:
  • enable
  • disable
Transform backward slashes to forward slashes in URLs.
tunnel_addr_assigned_method
string
    Choices:
  • first-available
  • round-robin
Method used for assigning address for tunnel.
tunnel_connect_without_reauth
string
    Choices:
  • enable
  • disable
Enable/disable tunnel connection without re-authorization if previous connection dropped.
tunnel_ip_pools
list / elements=string
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
string / required
Address name. Source firewall.address.name firewall.addrgrp.name.
tunnel_ipv6_pools
list / elements=string
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
name
string / required
Address name. Source firewall.address6.name firewall.addrgrp6.name.
tunnel_user_session_timeout
integer
Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec).
unsafe_legacy_renegotiation
string
    Choices:
  • enable
  • disable
Enable/disable unsafe legacy re-negotiation.
url_obscuration
string
    Choices:
  • enable
  • disable
Enable to obscure the host name of the URL of the web browser display.
user_peer
string
Name of user peer. Source user.peer.name.
wins_server1
string
WINS server 1.
wins_server2
string
WINS server 2.
x_content_type_options
string
    Choices:
  • enable
  • disable
Add HTTP X-Content-Type-Options header.

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure SSL VPN.
    fortios_vpn_ssl_settings:
      vdom:  "{{ vdom }}"
      vpn_ssl_settings:
        algorithm: "high"
        auth_session_check_source_ip: "enable"
        auth_timeout: "5"
        authentication_rule:
         -
            auth: "any"
            cipher: "any"
            client_cert: "enable"
            groups:
             -
                name: "default_name_11 (source user.group.name)"
            id:  "12"
            portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
            source_address:
             -
                name: "default_name_16 (source firewall.address.name firewall.addrgrp.name)"
            source_address_negate: "enable"
            source_address6:
             -
                name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name)"
            source_address6_negate: "enable"
            source_interface:
             -
                name: "default_name_22 (source system.interface.name system.zone.name)"
            user_peer: "<your_own_value> (source user.peer.name)"
            users:
             -
                name: "default_name_25 (source user.local.name)"
        auto_tunnel_static_route: "enable"
        banned_cipher: "RSA"
        check_referer: "enable"
        ciphersuite: "TLS-AES-128-GCM-SHA256"
        client_sigalgs: "no-rsa-pss"
        default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
        deflate_compression_level: "32"
        deflate_min_data_size: "33"
        dns_server1: "<your_own_value>"
        dns_server2: "<your_own_value>"
        dns_suffix: "<your_own_value>"
        dtls_hello_timeout: "37"
        dtls_max_proto_ver: "dtls1-0"
        dtls_min_proto_ver: "dtls1-0"
        dtls_tunnel: "enable"
        dual_stack_mode: "enable"
        encode_2f_sequence: "enable"
        encrypt_and_store_password: "enable"
        force_two_factor_auth: "enable"
        header_x_forwarded_for: "pass"
        hsts_include_subdomains: "enable"
        http_compression: "enable"
        http_only_cookie: "enable"
        http_request_body_timeout: "49"
        http_request_header_timeout: "50"
        https_redirect: "enable"
        idle_timeout: "52"
        ipv6_dns_server1: "<your_own_value>"
        ipv6_dns_server2: "<your_own_value>"
        ipv6_wins_server1: "<your_own_value>"
        ipv6_wins_server2: "<your_own_value>"
        login_attempt_limit: "57"
        login_block_time: "58"
        login_timeout: "59"
        port: "60"
        port_precedence: "enable"
        reqclientcert: "enable"
        route_source_interface: "enable"
        servercert: "<your_own_value> (source vpn.certificate.local.name)"
        source_address:
         -
            name: "default_name_66 (source firewall.address.name firewall.addrgrp.name)"
        source_address_negate: "enable"
        source_address6:
         -
            name: "default_name_69 (source firewall.address6.name firewall.addrgrp6.name)"
        source_address6_negate: "enable"
        source_interface:
         -
            name: "default_name_72 (source system.interface.name system.zone.name)"
        ssl_client_renegotiation: "disable"
        ssl_insert_empty_fragment: "enable"
        ssl_max_proto_ver: "tls1-0"
        ssl_min_proto_ver: "tls1-0"
        tlsv1_0: "enable"
        tlsv1_1: "enable"
        tlsv1_2: "enable"
        tlsv1_3: "enable"
        transform_backward_slashes: "enable"
        tunnel_addr_assigned_method: "first-available"
        tunnel_connect_without_reauth: "enable"
        tunnel_ip_pools:
         -
            name: "default_name_85 (source firewall.address.name firewall.addrgrp.name)"
        tunnel_ipv6_pools:
         -
            name: "default_name_87 (source firewall.address6.name firewall.addrgrp6.name)"
        tunnel_user_session_timeout: "88"
        unsafe_legacy_renegotiation: "enable"
        url_obscuration: "enable"
        user_peer: "<your_own_value> (source user.peer.name)"
        wins_server1: "<your_own_value>"
        wins_server2: "<your_own_value>"
        x_content_type_options: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)