fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to configure system feature and settings category. Examples includes all options and need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip adress.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
system_settings
-
Default:
null
Configure VDOM settings.
allow-subnet-overlap
-
    Choices:
  • enable
  • disable
Enable/disable allowing interface subnets to use overlapping IP addresses.
asymroute
-
    Choices:
  • enable
  • disable
Enable/disable IPv4 asymmetric routing.
asymroute-icmp
-
    Choices:
  • enable
  • disable
Enable/disable ICMP asymmetric routing.
asymroute6
-
    Choices:
  • enable
  • disable
Enable/disable asymmetric IPv6 routing.
asymroute6-icmp
-
    Choices:
  • enable
  • disable
Enable/disable asymmetric ICMPv6 routing.
bfd
-
    Choices:
  • enable
  • disable
Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd-desired-min-tx
-
BFD desired minimal transmit interval (1 - 100000 ms, default = 50).
bfd-detect-mult
-
BFD detection multiplier (1 - 50, default = 3).
bfd-dont-enforce-src-port
-
    Choices:
  • enable
  • disable
Enable to not enforce verifying the source port of BFD Packets.
bfd-required-min-rx
-
BFD required minimal receive interval (1 - 100000 ms, default = 50).
block-land-attack
-
    Choices:
  • disable
  • enable
Enable/disable blocking of land attacks.
central-nat
-
    Choices:
  • enable
  • disable
Enable/disable central NAT.
comments
-
VDOM comments.
compliance-check
-
    Choices:
  • enable
  • disable
Enable/disable PCI DSS compliance checking.
default-voip-alg-mode
-
    Choices:
  • proxy-based
  • kernel-helper-based
Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
deny-tcp-with-icmp
-
    Choices:
  • enable
  • disable
Enable/disable denying TCP by sending an ICMP communication prohibited packet.
device
-
Interface to use for management access for NAT mode. Source system.interface.name.
dhcp-proxy
-
    Choices:
  • enable
  • disable
Enable/disable the DHCP Proxy.
dhcp-server-ip
-
DHCP Server IPv4 address.
dhcp6-server-ip
-
DHCPv6 server IPv6 address.
discovered-device-timeout
-
Timeout for discovered devices (1 - 365 days, default = 28).
ecmp-max-paths
-
Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100, default = 10).
email-portal-check-dns
-
    Choices:
  • disable
  • enable
Enable/disable using DNS to validate email addresses collected by a captive portal.
firewall-session-dirty
-
    Choices:
  • check-all
  • check-new
  • check-policy-option
Select how to manage sessions affected by firewall policy configuration changes.
fw-session-hairpin
-
    Choices:
  • enable
  • disable
Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
gateway
-
Transparent mode IPv4 default gateway IP address.
gateway6
-
Transparent mode IPv4 default gateway IP address.
gui-advanced-policy
-
    Choices:
  • enable
  • disable
Enable/disable advanced policy configuration on the GUI.
gui-allow-unnamed-policy
-
    Choices:
  • enable
  • disable
Enable/disable the requirement for policy naming on the GUI.
gui-antivirus
-
    Choices:
  • enable
  • disable
Enable/disable AntiVirus on the GUI.
gui-ap-profile
-
    Choices:
  • enable
  • disable
Enable/disable FortiAP profiles on the GUI.
gui-application-control
-
    Choices:
  • enable
  • disable
Enable/disable application control on the GUI.
gui-default-policy-columns
-
Default columns to display for policy lists on GUI.
name
- / required
Select column name.
gui-dhcp-advanced
-
    Choices:
  • enable
  • disable
Enable/disable advanced DHCP options on the GUI.
gui-dlp
-
    Choices:
  • enable
  • disable
Enable/disable DLP on the GUI.
gui-dns-database
-
    Choices:
  • enable
  • disable
Enable/disable DNS database settings on the GUI.
gui-dnsfilter
-
    Choices:
  • enable
  • disable
Enable/disable DNS Filtering on the GUI.
gui-domain-ip-reputation
-
    Choices:
  • enable
  • disable
Enable/disable Domain and IP Reputation on the GUI.
gui-dos-policy
-
    Choices:
  • enable
  • disable
Enable/disable DoS policies on the GUI.
gui-dynamic-profile-display
-
    Choices:
  • enable
  • disable
Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
gui-dynamic-routing
-
    Choices:
  • enable
  • disable
Enable/disable dynamic routing on the GUI.
gui-email-collection
-
    Choices:
  • enable
  • disable
Enable/disable email collection on the GUI.
gui-endpoint-control
-
    Choices:
  • enable
  • disable
Enable/disable endpoint control on the GUI.
gui-endpoint-control-advanced
-
    Choices:
  • enable
  • disable
Enable/disable advanced endpoint control options on the GUI.
gui-explicit-proxy
-
    Choices:
  • enable
  • disable
Enable/disable the explicit proxy on the GUI.
gui-fortiap-split-tunneling
-
    Choices:
  • enable
  • disable
Enable/disable FortiAP split tunneling on the GUI.
gui-fortiextender-controller
-
    Choices:
  • enable
  • disable
Enable/disable FortiExtender on the GUI.
gui-icap
-
    Choices:
  • enable
  • disable
Enable/disable ICAP on the GUI.
gui-implicit-policy
-
    Choices:
  • enable
  • disable
Enable/disable implicit firewall policies on the GUI.
gui-ips
-
    Choices:
  • enable
  • disable
Enable/disable IPS on the GUI.
gui-load-balance
-
    Choices:
  • enable
  • disable
Enable/disable server load balancing on the GUI.
gui-local-in-policy
-
    Choices:
  • enable
  • disable
Enable/disable Local-In policies on the GUI.
gui-local-reports
-
    Choices:
  • enable
  • disable
Enable/disable local reports on the GUI.
gui-multicast-policy
-
    Choices:
  • enable
  • disable
Enable/disable multicast firewall policies on the GUI.
gui-multiple-interface-policy
-
    Choices:
  • enable
  • disable
Enable/disable adding multiple interfaces to a policy on the GUI.
gui-multiple-utm-profiles
-
    Choices:
  • enable
  • disable
Enable/disable multiple UTM profiles on the GUI.
gui-nat46-64
-
    Choices:
  • enable
  • disable
Enable/disable NAT46 and NAT64 settings on the GUI.
gui-object-colors
-
    Choices:
  • enable
  • disable
Enable/disable object colors on the GUI.
gui-policy-based-ipsec
-
    Choices:
  • enable
  • disable
Enable/disable policy-based IPsec VPN on the GUI.
gui-policy-learning
-
    Choices:
  • enable
  • disable
Enable/disable firewall policy learning mode on the GUI.
gui-replacement-message-groups
-
    Choices:
  • enable
  • disable
Enable/disable replacement message groups on the GUI.
gui-spamfilter
-
    Choices:
  • enable
  • disable
Enable/disable Antispam on the GUI.
gui-sslvpn-personal-bookmarks
-
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN personal bookmark management on the GUI.
gui-sslvpn-realms
-
    Choices:
  • enable
  • disable
Enable/disable SSL-VPN realms on the GUI.
gui-switch-controller
-
    Choices:
  • enable
  • disable
Enable/disable the switch controller on the GUI.
gui-threat-weight
-
    Choices:
  • enable
  • disable
Enable/disable threat weight on the GUI.
gui-traffic-shaping
-
    Choices:
  • enable
  • disable
Enable/disable traffic shaping on the GUI.
gui-voip-profile
-
    Choices:
  • enable
  • disable
Enable/disable VoIP profiles on the GUI.
gui-vpn
-
    Choices:
  • enable
  • disable
Enable/disable VPN tunnels on the GUI.
gui-waf-profile
-
    Choices:
  • enable
  • disable
Enable/disable Web Application Firewall on the GUI.
gui-wan-load-balancing
-
    Choices:
  • enable
  • disable
Enable/disable SD-WAN on the GUI.
gui-wanopt-cache
-
    Choices:
  • enable
  • disable
Enable/disable WAN Optimization and Web Caching on the GUI.
gui-webfilter
-
    Choices:
  • enable
  • disable
Enable/disable Web filtering on the GUI.
gui-webfilter-advanced
-
    Choices:
  • enable
  • disable
Enable/disable advanced web filtering on the GUI.
gui-wireless-controller
-
    Choices:
  • enable
  • disable
Enable/disable the wireless controller on the GUI.
http-external-dest
-
    Choices:
  • fortiweb
  • forticache
Offload HTTP traffic to FortiWeb or FortiCache.
ike-dn-format
-
    Choices:
  • with-space
  • no-space
Configure IKE ASN.1 Distinguished Name format conventions.
ike-quick-crash-detect
-
    Choices:
  • enable
  • disable
Enable/disable IKE quick crash detection (RFC 6290).
ike-session-resume
-
    Choices:
  • enable
  • disable
Enable/disable IKEv2 session resumption (RFC 5723).
implicit-allow-dns
-
    Choices:
  • enable
  • disable
Enable/disable implicitly allowing DNS traffic.
inspection-mode
-
    Choices:
  • proxy
  • flow
Inspection mode (proxy-based or flow-based).
ip
-
IP address and netmask.
ip6
-
IPv6 address prefix for NAT mode.
link-down-access
-
    Choices:
  • enable
  • disable
Enable/disable link down access traffic.
lldp-transmission
-
    Choices:
  • enable
  • disable
  • global
Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
mac-ttl
-
Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300).
manageip
-
Transparent mode IPv4 management IP address and netmask.
manageip6
-
Transparent mode IPv6 management IP address and netmask.
multicast-forward
-
    Choices:
  • enable
  • disable
Enable/disable multicast forwarding.
multicast-skip-policy
-
    Choices:
  • enable
  • disable
Enable/disable allowing multicast traffic through the FortiGate without a policy check.
multicast-ttl-notchange
-
    Choices:
  • enable
  • disable
Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
ngfw-mode
-
    Choices:
  • profile-based
  • policy-based
Next Generation Firewall (NGFW) mode.
opmode
-
    Choices:
  • nat
  • transparent
Firewall operation mode (NAT or Transparent).
prp-trailer-action
-
    Choices:
  • enable
  • disable
Enable/disable action to take on PRP trailer.
sccp-port
-
TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000).
ses-denied-traffic
-
    Choices:
  • enable
  • disable
Enable/disable including denied session in the session table.
sip-helper
-
    Choices:
  • enable
  • disable
Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
sip-nat-trace
-
    Choices:
  • enable
  • disable
Enable/disable recording the original SIP source IP address when NAT is used.
sip-ssl-port
-
TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061).
sip-tcp-port
-
TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).
sip-udp-port
-
UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).
snat-hairpin-traffic
-
    Choices:
  • enable
  • disable
Enable/disable source NAT (SNAT) for hairpin traffic.
ssl-ssh-profile
-
Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name.
status
-
    Choices:
  • enable
  • disable
Enable/disable this VDOM.
strict-src-check
-
    Choices:
  • enable
  • disable
Enable/disable strict source verification.
tcp-session-without-syn
-
    Choices:
  • enable
  • disable
Enable/disable allowing TCP session without SYN flags.
utf8-spam-tagging
-
    Choices:
  • enable
  • disable
Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
v4-ecmp-mode
-
    Choices:
  • source-ip-based
  • weight-based
  • usage-based
  • source-dest-ip-based
IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
vpn-stats-log
-
    Choices:
  • ipsec
  • pptp
  • l2tp
  • ssl
Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
vpn-stats-period
-
Period to send VPN log statistics (60 - 86400 sec).
wccp-cache-engine
-
    Choices:
  • enable
  • disable
Enable/disable WCCP cache engine.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      system_settings:
        allow-subnet-overlap: "enable"
        asymroute: "enable"
        asymroute-icmp: "enable"
        asymroute6: "enable"
        asymroute6-icmp: "enable"
        bfd: "enable"
        bfd-desired-min-tx: "9"
        bfd-detect-mult: "10"
        bfd-dont-enforce-src-port: "enable"
        bfd-required-min-rx: "12"
        block-land-attack: "disable"
        central-nat: "enable"
        comments: "<your_own_value>"
        compliance-check: "enable"
        default-voip-alg-mode: "proxy-based"
        deny-tcp-with-icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp-proxy: "enable"
        dhcp-server-ip: "<your_own_value>"
        dhcp6-server-ip: "<your_own_value>"
        discovered-device-timeout: "23"
        ecmp-max-paths: "24"
        email-portal-check-dns: "disable"
        firewall-session-dirty: "check-all"
        fw-session-hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui-advanced-policy: "enable"
        gui-allow-unnamed-policy: "enable"
        gui-antivirus: "enable"
        gui-ap-profile: "enable"
        gui-application-control: "enable"
        gui-default-policy-columns:
         -
            name: "default_name_36"
        gui-dhcp-advanced: "enable"
        gui-dlp: "enable"
        gui-dns-database: "enable"
        gui-dnsfilter: "enable"
        gui-domain-ip-reputation: "enable"
        gui-dos-policy: "enable"
        gui-dynamic-profile-display: "enable"
        gui-dynamic-routing: "enable"
        gui-email-collection: "enable"
        gui-endpoint-control: "enable"
        gui-endpoint-control-advanced: "enable"
        gui-explicit-proxy: "enable"
        gui-fortiap-split-tunneling: "enable"
        gui-fortiextender-controller: "enable"
        gui-icap: "enable"
        gui-implicit-policy: "enable"
        gui-ips: "enable"
        gui-load-balance: "enable"
        gui-local-in-policy: "enable"
        gui-local-reports: "enable"
        gui-multicast-policy: "enable"
        gui-multiple-interface-policy: "enable"
        gui-multiple-utm-profiles: "enable"
        gui-nat46-64: "enable"
        gui-object-colors: "enable"
        gui-policy-based-ipsec: "enable"
        gui-policy-learning: "enable"
        gui-replacement-message-groups: "enable"
        gui-spamfilter: "enable"
        gui-sslvpn-personal-bookmarks: "enable"
        gui-sslvpn-realms: "enable"
        gui-switch-controller: "enable"
        gui-threat-weight: "enable"
        gui-traffic-shaping: "enable"
        gui-voip-profile: "enable"
        gui-vpn: "enable"
        gui-waf-profile: "enable"
        gui-wan-load-balancing: "enable"
        gui-wanopt-cache: "enable"
        gui-webfilter: "enable"
        gui-webfilter-advanced: "enable"
        gui-wireless-controller: "enable"
        http-external-dest: "fortiweb"
        ike-dn-format: "with-space"
        ike-quick-crash-detect: "enable"
        ike-session-resume: "enable"
        implicit-allow-dns: "enable"
        inspection-mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link-down-access: "enable"
        lldp-transmission: "enable"
        mac-ttl: "89"
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast-forward: "enable"
        multicast-skip-policy: "enable"
        multicast-ttl-notchange: "enable"
        ngfw-mode: "profile-based"
        opmode: "nat"
        prp-trailer-action: "enable"
        sccp-port: "98"
        ses-denied-traffic: "enable"
        sip-helper: "enable"
        sip-nat-trace: "enable"
        sip-ssl-port: "102"
        sip-tcp-port: "103"
        sip-udp-port: "104"
        snat-hairpin-traffic: "enable"
        ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict-src-check: "enable"
        tcp-session-without-syn: "enable"
        utf8-spam-tagging: "enable"
        v4-ecmp-mode: "source-ip-based"
        vpn-stats-log: "ipsec"
        vpn-stats-period: "113"
        wccp-cache-engine: "enable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.