fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to configure endpoint_control feature and profile category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
endpoint_control_profile
-
Default:
null
Configure FortiClient endpoint control profiles.
description
-
Description.
device-groups
-
Device groups.
name
- / required
Device group object from available options. Source user.device-group.name user.device-category.name.
forticlient-android-settings
-
FortiClient settings for Android platform.
disable-wf-when-protected
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient web category filtering when protected by FortiGate.
forticlient-advanced-vpn
-
    Choices:
  • enable
  • disable
Enable/disable advanced FortiClient VPN configuration.
forticlient-advanced-vpn-buffer
-
Advanced FortiClient VPN configuration.
forticlient-vpn-provisioning
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient VPN provisioning.
forticlient-vpn-settings
-
FortiClient VPN settings.
auth-method
-
    Choices:
  • psk
  • certificate
Authentication method.
name
- / required
VPN name.
preshared-key
-
Pre-shared secret for PSK authentication.
remote-gw
-
IP address or FQDN of the remote VPN gateway.
sslvpn-access-port
-
SSL VPN access port (1 - 65535).
sslvpn-require-certificate
-
    Choices:
  • enable
  • disable
Enable/disable requiring SSL VPN client certificate.
type
-
    Choices:
  • ipsec
  • ssl
VPN type (IPsec or SSL VPN).
forticlient-wf
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient-wf-profile
-
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-ios-settings
-
FortiClient settings for iOS platform.
client-vpn-provisioning
-
    Choices:
  • enable
  • disable
FortiClient VPN provisioning.
client-vpn-settings
-
FortiClient VPN settings.
auth-method
-
    Choices:
  • psk
  • certificate
Authentication method.
name
- / required
VPN name.
preshared-key
-
Pre-shared secret for PSK authentication.
remote-gw
-
IP address or FQDN of the remote VPN gateway.
sslvpn-access-port
-
SSL VPN access port (1 - 65535).
sslvpn-require-certificate
-
    Choices:
  • enable
  • disable
Enable/disable requiring SSL VPN client certificate.
type
-
    Choices:
  • ipsec
  • ssl
VPN type (IPsec or SSL VPN).
vpn-configuration-content
-
Content of VPN configuration.
vpn-configuration-name
-
Name of VPN configuration.
configuration-content
-
Content of configuration profile.
configuration-name
-
Name of configuration profile.
disable-wf-when-protected
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient web category filtering when protected by FortiGate.
distribute-configuration-profile
-
    Choices:
  • enable
  • disable
Enable/disable configuration profile (.mobileconfig file) distribution.
forticlient-wf
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient-wf-profile
-
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-winmac-settings
-
FortiClient settings for Windows/Mac platform.
av-realtime-protection
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient AntiVirus real-time protection.
av-signature-up-to-date
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient AV signature updates.
forticlient-application-firewall
-
    Choices:
  • enable
  • disable
Enable/disable the FortiClient application firewall.
forticlient-application-firewall-list
-
FortiClient application firewall rule list. Source application.list.name.
forticlient-av
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient AntiVirus scanning.
forticlient-ems-compliance
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
forticlient-ems-compliance-action
-
    Choices:
  • block
  • warning
FortiClient EMS compliance action.
forticlient-ems-entries
-
FortiClient EMS entries.
name
- / required
FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
forticlient-linux-ver
-
Minimum FortiClient Linux version.
forticlient-log-upload
-
    Choices:
  • enable
  • disable
Enable/disable uploading FortiClient logs.
forticlient-log-upload-level
-
    Choices:
  • traffic
  • vulnerability
  • event
Select the FortiClient logs to upload.
forticlient-log-upload-server
-
IP address or FQDN of the server to which to upload FortiClient logs.
forticlient-mac-ver
-
Minimum FortiClient Mac OS version.
forticlient-minimum-software-version
-
    Choices:
  • enable
  • disable
Enable/disable requiring clients to run FortiClient with a minimum software version number.
forticlient-operating-system
-
FortiClient operating system.
id
- / required
Operating system entry ID.
os-name
-
Customize operating system name or Mac OS format:x.x.x
os-type
-
    Choices:
  • custom
  • mac-os
  • win-7
  • win-80
  • win-81
  • win-10
  • win-2000
  • win-home-svr
  • win-svr-10
  • win-svr-2003
  • win-svr-2003-r2
  • win-svr-2008
  • win-svr-2008-r2
  • win-svr-2012
  • win-svr-2012-r2
  • win-sto-svr-2003
  • win-vista
  • win-xp
  • ubuntu-linux
  • centos-linux
  • redhat-linux
  • fedora-linux
Operating system type.
forticlient-own-file
-
Checking the path and filename of the FortiClient application.
file
-
File path and name.
id
- / required
File ID.
forticlient-registration-compliance-action
-
    Choices:
  • block
  • warning
FortiClient registration compliance action.
forticlient-registry-entry
-
FortiClient registry entry.
id
- / required
Registry entry ID.
registry-entry
-
Registry entry.
forticlient-running-app
-
Use FortiClient to verify if the listed applications are running on the client.
app-name
-
Application name.
app-sha256-signature
-
App's SHA256 signature.
app-sha256-signature2
-
App's SHA256 Signature.
app-sha256-signature3
-
App's SHA256 Signature.
app-sha256-signature4
-
App's SHA256 Signature.
application-check-rule
-
    Choices:
  • present
  • absent
Application check rule.
id
- / required
Application ID.
process-name
-
Process name.
process-name2
-
Process name.
process-name3
-
Process name.
process-name4
-
Process name.
forticlient-security-posture
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient security posture check options.
forticlient-security-posture-compliance-action
-
    Choices:
  • block
  • warning
FortiClient security posture compliance action.
forticlient-system-compliance
-
    Choices:
  • enable
  • disable
Enable/disable enforcement of FortiClient system compliance.
forticlient-system-compliance-action
-
    Choices:
  • block
  • warning
Block or warn clients not compliant with FortiClient requirements.
forticlient-vuln-scan
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient vulnerability scanning.
forticlient-vuln-scan-compliance-action
-
    Choices:
  • block
  • warning
FortiClient vulnerability compliance action.
forticlient-vuln-scan-enforce
-
    Choices:
  • critical
  • high
  • medium
  • low
  • info
Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
forticlient-vuln-scan-enforce-grace
-
FortiClient vulnerability scan enforcement grace period (0 - 30 days, default = 1).
forticlient-vuln-scan-exempt
-
    Choices:
  • enable
  • disable
Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
forticlient-wf
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient web filtering.
forticlient-wf-profile
-
The FortiClient web filter profile to apply. Source webfilter.profile.name.
forticlient-win-ver
-
Minimum FortiClient Windows version.
os-av-software-installed
-
    Choices:
  • enable
  • disable
Enable/disable checking for OS recognized AntiVirus software.
sandbox-address
-
FortiSandbox address.
sandbox-analysis
-
    Choices:
  • enable
  • disable
Enable/disable sending files to FortiSandbox for analysis.
on-net-addr
-
Addresses for on-net detection.
name
- / required
Address object from available options. Source firewall.address.name firewall.addrgrp.name.
profile-name
- / required
Profile name.
replacemsg-override-group
-
Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
src-addr
-
Source addresses.
name
- / required
Address object from available options. Source firewall.address.name firewall.addrgrp.name.
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object
user-groups
-
User groups.
name
- / required
User group name. Source user.group.name.
users
-
Users.
name
- / required
User name. Source user.local.name.
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no ←
  • yes
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure FortiClient endpoint control profiles.
    fortios_endpoint_control_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      endpoint_control_profile:
        state: "present"
        description: "<your_own_value>"
        device-groups:
         -
            name: "default_name_5 (source user.device-group.name user.device-category.name)"
        forticlient-android-settings:
            disable-wf-when-protected: "enable"
            forticlient-advanced-vpn: "enable"
            forticlient-advanced-vpn-buffer: "<your_own_value>"
            forticlient-vpn-provisioning: "enable"
            forticlient-vpn-settings:
             -
                auth-method: "psk"
                name: "default_name_13"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "16"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient-ios-settings:
            client-vpn-provisioning: "enable"
            client-vpn-settings:
             -
                auth-method: "psk"
                name: "default_name_25"
                preshared-key: "<your_own_value>"
                remote-gw: "<your_own_value>"
                sslvpn-access-port: "28"
                sslvpn-require-certificate: "enable"
                type: "ipsec"
                vpn-configuration-content: "<your_own_value>"
                vpn-configuration-name: "<your_own_value>"
            configuration-content: "<your_own_value>"
            configuration-name: "<your_own_value>"
            disable-wf-when-protected: "enable"
            distribute-configuration-profile: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient-winmac-settings:
            av-realtime-protection: "enable"
            av-signature-up-to-date: "enable"
            forticlient-application-firewall: "enable"
            forticlient-application-firewall-list: "<your_own_value> (source application.list.name)"
            forticlient-av: "enable"
            forticlient-ems-compliance: "enable"
            forticlient-ems-compliance-action: "block"
            forticlient-ems-entries:
             -
                name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient-linux-ver: "<your_own_value>"
            forticlient-log-upload: "enable"
            forticlient-log-upload-level: "traffic"
            forticlient-log-upload-server: "<your_own_value>"
            forticlient-mac-ver: "<your_own_value>"
            forticlient-minimum-software-version: "enable"
            forticlient-operating-system:
             -
                id:  "56"
                os-name: "<your_own_value>"
                os-type: "custom"
            forticlient-own-file:
             -
                file: "<your_own_value>"
                id:  "61"
            forticlient-registration-compliance-action: "block"
            forticlient-registry-entry:
             -
                id:  "64"
                registry-entry: "<your_own_value>"
            forticlient-running-app:
             -
                app-name: "<your_own_value>"
                app-sha256-signature: "<your_own_value>"
                app-sha256-signature2: "<your_own_value>"
                app-sha256-signature3: "<your_own_value>"
                app-sha256-signature4: "<your_own_value>"
                application-check-rule: "present"
                id:  "73"
                process-name: "<your_own_value>"
                process-name2: "<your_own_value>"
                process-name3: "<your_own_value>"
                process-name4: "<your_own_value>"
            forticlient-security-posture: "enable"
            forticlient-security-posture-compliance-action: "block"
            forticlient-system-compliance: "enable"
            forticlient-system-compliance-action: "block"
            forticlient-vuln-scan: "enable"
            forticlient-vuln-scan-compliance-action: "block"
            forticlient-vuln-scan-enforce: "critical"
            forticlient-vuln-scan-enforce-grace: "85"
            forticlient-vuln-scan-exempt: "enable"
            forticlient-wf: "enable"
            forticlient-wf-profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient-win-ver: "<your_own_value>"
            os-av-software-installed: "enable"
            sandbox-address: "<your_own_value>"
            sandbox-analysis: "enable"
        on-net-addr:
         -
            name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
        profile-name: "<your_own_value>"
        replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
        src-addr:
         -
            name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
        user-groups:
         -
            name: "default_name_100 (source user.group.name)"
        users:
         -
            name: "default_name_102 (source user.local.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.