fortios_firewall_sniffer – Configure sniffer in Fortinet’s FortiOS and FortiGate.¶

New in version 2.0.0.

Synopsis
Requirements
Tips
FortiOS Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and sniffer category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9

Tips ¶

Using member operation to add an element to an existing object.

FortiOS Version Compatibility ¶

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0 v7.0.1 v7.0.2 v7.0.3 v7.0.4 v7.0.5 v7.0.6 v7.0.7 v7.0.8 v7.2.0 v7.2.1 v7.2.2

fortios_firewall_sniffer yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

Parameters ¶

access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
enable_log - Enable/Disable logging for task. type: bool required: false default: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
member_path - Member attribute path to operate on. type: str
member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
state - Indicates whether to create or remove the object. type: str required: true choices: present, absent

firewall_sniffer - Configure sniffer. type: dict more...

anomaly - Configuration method to edit Denial of Service (DoS) anomaly settings. type: list more...

action - Action taken when the threshold is reached. type: str choices: pass, block, proxy more...

log - Enable/disable anomaly logging. type: str choices: enable, disable more...

name - Anomaly name. type: str more...

quarantine - Quarantine method. type: str choices: none, attacker more...

quarantine_expiry - Duration of quarantine. (Format type: str more...

quarantine_log - Enable/disable quarantine logging. type: str choices: disable, enable more...

status - Enable/disable this anomaly. type: str choices: disable, enable more...

threshold - Anomaly threshold. Number of detected instances (packets per second or concurrent session number) that triggers the anomaly action. type: int more...

threshold_default - Number of detected instances per minute which triggers action (1 - 2147483647). Note that each anomaly has a different threshold value assigned to it. type: int more...

application_list - Name of an existing application list. Source application.list.name. type: str more...

application_list_status - Enable/disable application control profile. type: str choices: enable, disable more...

av_profile - Name of an existing antivirus profile. Source antivirus.profile.name. type: str more...

av_profile_status - Enable/disable antivirus profile. type: str choices: enable, disable more...

dlp_profile - Name of an existing DLP profile. Source dlp.profile.name. type: str more...

dlp_profile_status - Enable/disable DLP profile. type: str choices: enable, disable more...

dlp_sensor - Name of an existing DLP sensor. Source dlp.sensor.name. type: str more...

dlp_sensor_status - Enable/disable DLP sensor. type: str choices: enable, disable more...

dsri - Enable/disable DSRI. type: str choices: enable, disable more...

emailfilter_profile - Name of an existing email filter profile. Source emailfilter.profile.name. type: str more...

emailfilter_profile_status - Enable/disable emailfilter. type: str choices: enable, disable more...

file_filter_profile - Name of an existing file-filter profile. Source file-filter.profile.name. type: str more...

file_filter_profile_status - Enable/disable file filter. type: str choices: enable, disable more...

host - Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). type: str more...

id - Sniffer ID (0 - 9999). type: int required: true more...

interface - Interface name that traffic sniffing will take place on. Source system.interface.name. type: str more...

ip_threatfeed - Name of an existing IP threat feed. type: list more...

name - Threat feed name. Source system.external-resource.name. type: str more...

v7.0.0 v7.0.1 v7.0.2 v7.0.3 v7.0.4 v7.0.5 v7.0.6 v7.0.7 v7.0.8 v7.2.0 v7.2.1 v7.2.2

name yes yes yes yes yes yes yes yes yes yes yes yes

ip_threatfeed_status - Enable/disable IP threat feed. type: str choices: enable, disable more...

ips_dos_status - Enable/disable IPS DoS anomaly detection. type: str choices: enable, disable more...

ips_sensor - Name of an existing IPS sensor. Source ips.sensor.name. type: str more...

ips_sensor_status - Enable/disable IPS sensor. type: str choices: enable, disable more...

ipv6 - Enable/disable sniffing IPv6 packets. type: str choices: enable, disable more...

logtraffic - Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy. type: str choices: all, utm, disable more...

max_packet_count - Maximum packet count (1 - 1000000). type: int more...

non_ip - Enable/disable sniffing non-IP packets. type: str choices: enable, disable more...

port - Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). type: str more...

protocol - Integer value for the protocol type as defined by IANA (0 - 255). type: str more...

scan_botnet_connections - Enable/disable scanning of connections to Botnet servers. type: str choices: disable, block, monitor more...

v6.0.0 v6.0.5 v6.0.11

scan_botnet_connections yes yes yes

[disable] yes yes yes

[block] yes yes yes

[monitor] yes yes yes
spamfilter_profile - Name of an existing spam filter profile. Source spamfilter.profile.name. type: str more...

v6.0.0 v6.0.5 v6.0.11

spamfilter_profile yes yes yes
spamfilter_profile_status - Enable/disable spam filter. type: str choices: enable, disable more...

v6.0.0 v6.0.5 v6.0.11

spamfilter_profile_status yes yes yes

[enable] yes yes yes

[disable] yes yes yes

status - Enable/disable the active status of the sniffer. type: str choices: enable, disable more...

vlan - List of VLANs to sniff. type: str more...

webfilter_profile - Name of an existing web filter profile. Source webfilter.profile.name. type: str more...

webfilter_profile_status - Enable/disable web filter profile. type: str choices: enable, disable more...

Notes ¶

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples ¶

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure sniffer.
    fortios_firewall_sniffer:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_sniffer:
        anomaly:
         -
            action: "pass"
            log: "enable"
            name: "default_name_6"
            quarantine: "none"
            quarantine_expiry: "<your_own_value>"
            quarantine_log: "disable"
            status: "disable"
            threshold: "0"
            threshold_default: "0"
        application_list: "<your_own_value> (source application.list.name)"
        application_list_status: "enable"
        av_profile: "<your_own_value> (source antivirus.profile.name)"
        av_profile_status: "enable"
        dlp_profile: "<your_own_value> (source dlp.profile.name)"
        dlp_profile_status: "enable"
        dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
        dlp_sensor_status: "enable"
        dsri: "enable"
        emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
        emailfilter_profile_status: "enable"
        file_filter_profile: "<your_own_value> (source file-filter.profile.name)"
        file_filter_profile_status: "enable"
        host: "myhostname"
        id:  "27"
        interface: "<your_own_value> (source system.interface.name)"
        ip_threatfeed:
         -
            name: "default_name_30 (source system.external-resource.name)"
        ip_threatfeed_status: "enable"
        ips_dos_status: "enable"
        ips_sensor: "<your_own_value> (source ips.sensor.name)"
        ips_sensor_status: "enable"
        ipv6: "enable"
        logtraffic: "all"
        max_packet_count: "4000"
        non_ip: "enable"
        port: "<your_own_value>"
        protocol: "<your_own_value>"
        scan_botnet_connections: "disable"
        spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
        spamfilter_profile_status: "enable"
        status: "enable"
        vlan: "<your_own_value>"
        webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
        webfilter_profile_status: "enable"

Return Values ¶

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

build - Build number of the fortigate image returned: always type: str sample: 1547
http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
revision - Internal revision number returned: always type: str sample: 17.0.2.10658
serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
status - Indication of the operation's result returned: always type: str sample: success
vdom - Virtual domain used returned: always type: str sample: root
version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status ¶

This module is not guaranteed to have a backwards compatible interface.

Authors ¶

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.