fortios_vpn_ssl_web_portal – Portal in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify vpn_ssl_web feature and portal category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
vpn_ssl_web_portal
-
Default:
null
Portal.
allow-user-access
-
    Choices:
  • web
  • ftp
  • smb
  • telnet
  • ssh
  • vnc
  • rdp
  • ping
  • citrix
  • portforward
Allow user access to SSL-VPN applications.
auto-connect
-
    Choices:
  • enable
  • disable
Enable/disable automatic connect by client when system is up.
bookmark-group
-
Portal bookmark group.
bookmarks
-
Bookmark table.
additional-params
-
Additional parameters.
apptype
-
    Choices:
  • citrix
  • ftp
  • portforward
  • rdp
  • smb
  • ssh
  • telnet
  • vnc
  • web
Application type.
description
-
Description.
folder
-
Network shared file folder parameter.
form-data
-
Form data.
name
- / required
Name.
value
-
Value.
host
-
Host name/IP parameter.
listening-port
-
Listening port (0 - 65535).
load-balancing-info
-
The load balancing information or cookie which should be provided to the connection broker.
logon-password
-
Logon password.
logon-user
-
Logon user.
name
- / required
Bookmark name.
port
-
Remote port.
preconnection-blob
-
An arbitrary string which identifies the RDP source.
preconnection-id
-
The numeric ID of the RDP source (0-2147483648).
remote-port
-
Remote port (0 - 65535).
security
-
    Choices:
  • rdp
  • nla
  • tls
  • any
Security mode for RDP connection.
server-layout
-
    Choices:
  • de-de-qwertz
  • en-gb-qwerty
  • en-us-qwerty
  • es-es-qwerty
  • fr-fr-azerty
  • fr-ch-qwertz
  • it-it-qwerty
  • ja-jp-qwerty
  • pt-br-qwerty
  • sv-se-qwerty
  • tr-tr-qwerty
  • failsafe
Server side keyboard layout.
show-status-window
-
    Choices:
  • enable
  • disable
Enable/disable showing of status window.
sso
-
    Choices:
  • disable
  • static
  • auto
Single Sign-On.
sso-credential
-
    Choices:
  • sslvpn-login
  • alternative
Single sign-on credentials.
sso-credential-sent-once
-
    Choices:
  • enable
  • disable
Single sign-on credentials are only sent once to remote server.
sso-password
-
SSO password.
sso-username
-
SSO user name.
url
-
URL parameter.
name
- / required
Bookmark group name.
custom-lang
-
Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files. Source system.custom-language.name.
customize-forticlient-download-url
-
    Choices:
  • enable
  • disable
Enable support of customized download URL for FortiClient.
display-bookmark
-
    Choices:
  • enable
  • disable
Enable to display the web portal bookmark widget.
display-connection-tools
-
    Choices:
  • enable
  • disable
Enable to display the web portal connection tools widget.
display-history
-
    Choices:
  • enable
  • disable
Enable to display the web portal user login history widget.
display-status
-
    Choices:
  • enable
  • disable
Enable to display the web portal status widget.
dns-server1
-
IPv4 DNS server 1.
dns-server2
-
IPv4 DNS server 2.
dns-suffix
-
DNS suffix.
exclusive-routing
-
    Choices:
  • enable
  • disable
Enable/disable all traffic go through tunnel only.
forticlient-download
-
    Choices:
  • enable
  • disable
Enable/disable download option for FortiClient.
forticlient-download-method
-
    Choices:
  • direct
  • ssl-vpn
FortiClient download method.
heading
-
Web portal heading message.
hide-sso-credential
-
    Choices:
  • enable
  • disable
Enable to prevent SSO credential being sent to client.
host-check
-
    Choices:
  • none
  • av
  • fw
  • av-fw
  • custom
Type of host checking performed on endpoints.
host-check-interval
-
Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects.
host-check-policy
-
One or more policies to require the endpoint to have specific security software.
name
- / required
Host check software list name. Source vpn.ssl.web.host-check-software.name.
ip-mode
-
    Choices:
  • range
  • user-group
Method by which users of this SSL-VPN tunnel obtain IP addresses.
ip-pools
-
IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
ipv6-dns-server1
-
IPv6 DNS server 1.
ipv6-dns-server2
-
IPv6 DNS server 2.
ipv6-exclusive-routing
-
    Choices:
  • enable
  • disable
Enable/disable all IPv6 traffic go through tunnel only.
ipv6-pools
-
IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients.
name
- / required
Address name. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-service-restriction
-
    Choices:
  • enable
  • disable
Enable/disable IPv6 tunnel service restriction.
ipv6-split-tunneling
-
    Choices:
  • enable
  • disable
Enable/disable IPv6 split tunneling.
ipv6-split-tunneling-routing-address
-
IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
name
- / required
Address name. Source firewall.address6.name firewall.addrgrp6.name.
ipv6-tunnel-mode
-
    Choices:
  • enable
  • disable
Enable/disable IPv6 SSL-VPN tunnel mode.
ipv6-wins-server1
-
IPv6 WINS server 1.
ipv6-wins-server2
-
IPv6 WINS server 2.
keep-alive
-
    Choices:
  • enable
  • disable
Enable/disable automatic reconnect for FortiClient connections.
limit-user-logins
-
    Choices:
  • enable
  • disable
Enable to limit each user to one SSL-VPN session at a time.
mac-addr-action
-
    Choices:
  • allow
  • deny
Client MAC address action.
mac-addr-check
-
    Choices:
  • enable
  • disable
Enable/disable MAC address host checking.
mac-addr-check-rule
-
Client MAC address check rule.
mac-addr-list
-
Client MAC address list.
addr
- / required
Client MAC address.
mac-addr-mask
-
Client MAC address mask.
name
- / required
Client MAC address check rule name.
macos-forticlient-download-url
-
Download URL for Mac FortiClient.
name
- / required
Portal name.
os-check
-
    Choices:
  • enable
  • disable
Enable to let the FortiGate decide action based on client OS.
os-check-list
-
SSL VPN OS checks.
action
-
    Choices:
  • deny
  • allow
  • check-up-to-date
OS check options.
latest-patch-level
-
Latest OS patch level.
name
- / required
Name.
tolerance
-
OS patch level tolerance.
redir-url
-
Client login redirect URL.
save-password
-
    Choices:
  • enable
  • disable
Enable/disable FortiClient saving the user's password.
service-restriction
-
    Choices:
  • enable
  • disable
Enable/disable tunnel service restriction.
skip-check-for-unsupported-browser
-
    Choices:
  • enable
  • disable
Enable to skip host check if browser does not support it.
skip-check-for-unsupported-os
-
    Choices:
  • enable
  • disable
Enable to skip host check if client OS does not support it.
smb-ntlmv1-auth
-
    Choices:
  • enable
  • disable
Enable support of NTLMv1 for Samba authentication.
smbv1
-
    Choices:
  • enable
  • disable
Enable/disable support of SMBv1 for Samba.
split-dns
-
Split DNS for SSL VPN.
dns-server1
-
DNS server 1.
dns-server2
-
DNS server 2.
domains
-
Split DNS domains used for SSL-VPN clients separated by comma(,).
id
- / required
ID.
ipv6-dns-server1
-
IPv6 DNS server 1.
ipv6-dns-server2
-
IPv6 DNS server 2.
split-tunneling
-
    Choices:
  • enable
  • disable
Enable/disable IPv4 split tunneling.
split-tunneling-routing-address
-
IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access.
name
- / required
Address name. Source firewall.address.name firewall.addrgrp.name.
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object
theme
-
    Choices:
  • blue
  • green
  • red
  • melongene
  • mariner
Web portal color scheme.
tunnel-mode
-
    Choices:
  • enable
  • disable
Enable/disable IPv4 SSL-VPN tunnel mode.
user-bookmark
-
    Choices:
  • enable
  • disable
Enable to allow web portal users to create their own bookmarks.
user-group-bookmark
-
    Choices:
  • enable
  • disable
Enable to allow web portal users to create bookmarks for all users in the same user group.
web-mode
-
    Choices:
  • enable
  • disable
Enable/disable SSL VPN web mode.
windows-forticlient-download-url
-
Download URL for Windows FortiClient.
wins-server1
-
IPv4 WINS server 1.
wins-server2
-
IPv4 WINS server 1.

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Portal.
    fortios_vpn_ssl_web_portal:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      vpn_ssl_web_portal:
        state: "present"
        allow-user-access: "web"
        auto-connect: "enable"
        bookmark-group:
         -
            bookmarks:
             -
                additional-params: "<your_own_value>"
                apptype: "citrix"
                description: "<your_own_value>"
                folder: "<your_own_value>"
                form-data:
                 -
                    name: "default_name_12"
                    value: "<your_own_value>"
                host: "<your_own_value>"
                listening-port: "15"
                load-balancing-info: "<your_own_value>"
                logon-password: "<your_own_value>"
                logon-user: "<your_own_value>"
                name: "default_name_19"
                port: "20"
                preconnection-blob: "<your_own_value>"
                preconnection-id: "22"
                remote-port: "23"
                security: "rdp"
                server-layout: "de-de-qwertz"
                show-status-window: "enable"
                sso: "disable"
                sso-credential: "sslvpn-login"
                sso-credential-sent-once: "enable"
                sso-password: "<your_own_value>"
                sso-username: "<your_own_value>"
                url: "myurl.com"
            name: "default_name_33"
        custom-lang: "<your_own_value> (source system.custom-language.name)"
        customize-forticlient-download-url: "enable"
        display-bookmark: "enable"
        display-connection-tools: "enable"
        display-history: "enable"
        display-status: "enable"
        dns-server1: "<your_own_value>"
        dns-server2: "<your_own_value>"
        dns-suffix: "<your_own_value>"
        exclusive-routing: "enable"
        forticlient-download: "enable"
        forticlient-download-method: "direct"
        heading: "<your_own_value>"
        hide-sso-credential: "enable"
        host-check: "none"
        host-check-interval: "49"
        host-check-policy:
         -
            name: "default_name_51 (source vpn.ssl.web.host-check-software.name)"
        ip-mode: "range"
        ip-pools:
         -
            name: "default_name_54 (source firewall.address.name firewall.addrgrp.name)"
        ipv6-dns-server1: "<your_own_value>"
        ipv6-dns-server2: "<your_own_value>"
        ipv6-exclusive-routing: "enable"
        ipv6-pools:
         -
            name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-service-restriction: "enable"
        ipv6-split-tunneling: "enable"
        ipv6-split-tunneling-routing-address:
         -
            name: "default_name_63 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6-tunnel-mode: "enable"
        ipv6-wins-server1: "<your_own_value>"
        ipv6-wins-server2: "<your_own_value>"
        keep-alive: "enable"
        limit-user-logins: "enable"
        mac-addr-action: "allow"
        mac-addr-check: "enable"
        mac-addr-check-rule:
         -
            mac-addr-list:
             -
                addr: "<your_own_value>"
            mac-addr-mask: "74"
            name: "default_name_75"
        macos-forticlient-download-url: "<your_own_value>"
        name: "default_name_77"
        os-check: "enable"
        os-check-list:
         -
            action: "deny"
            latest-patch-level: "<your_own_value>"
            name: "default_name_82"
            tolerance: "83"
        redir-url: "<your_own_value>"
        save-password: "enable"
        service-restriction: "enable"
        skip-check-for-unsupported-browser: "enable"
        skip-check-for-unsupported-os: "enable"
        smb-ntlmv1-auth: "enable"
        smbv1: "enable"
        split-dns:
         -
            dns-server1: "<your_own_value>"
            dns-server2: "<your_own_value>"
            domains: "<your_own_value>"
            id:  "95"
            ipv6-dns-server1: "<your_own_value>"
            ipv6-dns-server2: "<your_own_value>"
        split-tunneling: "enable"
        split-tunneling-routing-address:
         -
            name: "default_name_100 (source firewall.address.name firewall.addrgrp.name)"
        theme: "blue"
        tunnel-mode: "enable"
        user-bookmark: "enable"
        user-group-bookmark: "enable"
        web-mode: "enable"
        windows-forticlient-download-url: "<your_own_value>"
        wins-server1: "<your_own_value>"
        wins-server2: "<your_own_value>"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.