fortios_firewall_ssl_ssh_profile – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to configure firewall feature and ssl_ssh_profile category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
firewall_ssl_ssh_profile
-
Default:
null
Configure SSL/SSH protocol options.
caname
-
CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
comment
-
Optional comments.
ftps
-
Configure FTPS options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
status
-
    Choices:
  • disable
  • deep-inspection
Configure protocol inspection status.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
https
-
Configure HTTPS options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
status
-
    Choices:
  • disable
  • certificate-inspection
  • deep-inspection
Configure protocol inspection status.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
imaps
-
Configure IMAPS options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
status
-
    Choices:
  • disable
  • deep-inspection
Configure protocol inspection status.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
mapi-over-https
-
    Choices:
  • enable
  • disable
Enable/disable inspection of MAPI over HTTPS.
name
- / required
Name.
pop3s
-
Configure POP3S options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
status
-
    Choices:
  • disable
  • deep-inspection
Configure protocol inspection status.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
rpc-over-https
-
    Choices:
  • enable
  • disable
Enable/disable inspection of RPC over HTTPS.
server-cert
-
Certificate used by SSL Inspection to replace server certificate. Source vpn.certificate.local.name.
server-cert-mode
-
    Choices:
  • re-sign
  • replace
Re-sign or replace the server's certificate.
smtps
-
Configure SMTPS options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
status
-
    Choices:
  • disable
  • deep-inspection
Configure protocol inspection status.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
ssh
-
Configure SSH options.
inspect-all
-
    Choices:
  • disable
  • deep-inspection
Level of SSL inspection.
ports
-
Ports to use for scanning (1 - 65535, default = 443).
ssh-algorithm
-
    Choices:
  • compatible
  • high-encryption
Relative strength of encryption algorithms accepted during negotiation.
ssh-policy-check
-
    Choices:
  • disable
  • enable
Enable/disable SSH policy check.
ssh-tun-policy-check
-
    Choices:
  • disable
  • enable
Enable/disable SSH tunnel policy check.
status
-
    Choices:
  • disable
  • deep-inspection
Configure protocol inspection status.
unsupported-version
-
    Choices:
  • bypass
  • block
Action based on SSH version being unsupported.
ssl
-
Configure SSL options.
allow-invalid-server-cert
-
    Choices:
  • enable
  • disable
When enabled, allows SSL sessions whose server certificate validation failed.
client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request.
inspect-all
-
    Choices:
  • disable
  • certificate-inspection
  • deep-inspection
Level of SSL inspection.
unsupported-ssl
-
    Choices:
  • bypass
  • inspect
  • block
Action based on the SSL encryption used being unsupported.
untrusted-cert
-
    Choices:
  • allow
  • block
  • ignore
Allow, ignore, or block the untrusted SSL session server certificate.
ssl-anomalies-log
-
    Choices:
  • disable
  • enable
Enable/disable logging SSL anomalies.
ssl-exempt
-
Servers to exempt from SSL inspection.
address
-
IPv4 address object. Source firewall.address.name firewall.addrgrp.name.
address6
-
IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name.
fortiguard-category
-
FortiGuard category ID.
id
- / required
ID number.
regex
-
Exempt servers by regular expression.
type
-
    Choices:
  • fortiguard-category
  • address
  • address6
  • wildcard-fqdn
  • regex
Type of address object (IPv4 or IPv6) or FortiGuard category.
wildcard-fqdn
-
Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name.
ssl-exemptions-log
-
    Choices:
  • disable
  • enable
Enable/disable logging SSL exemptions.
ssl-server
-
SSL servers.
ftps-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during the FTPS handshake.
https-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during the HTTPS handshake.
id
- / required
SSL server ID.
imaps-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during the IMAPS handshake.
ip
-
IPv4 address of the SSL server.
pop3s-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during the POP3S handshake.
smtps-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during the SMTPS handshake.
ssl-other-client-cert-request
-
    Choices:
  • bypass
  • inspect
  • block
Action based on client certificate request during an SSL protocol handshake.
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object
untrusted-caname
-
Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
use-ssl-server
-
    Choices:
  • disable
  • enable
Enable/disable the use of SSL server table for SSL offloading.
whitelist
-
    Choices:
  • enable
  • disable
Enable/disable exempting servers by FortiGuard whitelist.
host
- / required
FortiOS or FortiGate ip adress.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure SSL/SSH protocol options.
    fortios_firewall_ssl_ssh_profile:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      firewall_ssl_ssh_profile:
        state: "present"
        caname: "<your_own_value> (source vpn.certificate.local.name)"
        comment: "Optional comments."
        ftps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "8"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        https:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "15"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        imaps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "22"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        mapi-over-https: "enable"
        name: "default_name_27"
        pop3s:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "31"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        rpc-over-https: "enable"
        server-cert: "<your_own_value> (source vpn.certificate.local.name)"
        server-cert-mode: "re-sign"
        smtps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "41"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        ssh:
            inspect-all: "disable"
            ports: "47"
            ssh-algorithm: "compatible"
            ssh-policy-check: "disable"
            ssh-tun-policy-check: "disable"
            status: "disable"
            unsupported-version: "bypass"
        ssl:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            inspect-all: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
        ssl-anomalies-log: "disable"
        ssl-exempt:
         -
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
            fortiguard-category: "63"
            id:  "64"
            regex: "<your_own_value>"
            type: "fortiguard-category"
            wildcard-fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
        ssl-exemptions-log: "disable"
        ssl-server:
         -
            ftps-client-cert-request: "bypass"
            https-client-cert-request: "bypass"
            id:  "72"
            imaps-client-cert-request: "bypass"
            ip: "<your_own_value>"
            pop3s-client-cert-request: "bypass"
            smtps-client-cert-request: "bypass"
            ssl-other-client-cert-request: "bypass"
        untrusted-caname: "<your_own_value> (source vpn.certificate.local.name)"
        use-ssl-server: "disable"
        whitelist: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.