fortios_vpn_ssl_settings – Configure SSL-VPN in Fortinet’s FortiOS and FortiGate.¶

New in version 2.0.0.

Synopsis
Requirements
Tips
FortiOS Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9

Tips ¶

Using member operation to add an element to an existing object.

FortiOS Version Compatibility ¶

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0 v7.0.1 v7.0.2 v7.0.3 v7.0.4 v7.0.5 v7.0.6 v7.0.7 v7.0.8 v7.2.0 v7.2.1 v7.2.2

fortios_vpn_ssl_settings yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

Parameters ¶

access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
enable_log - Enable/Disable logging for task. type: bool required: false default: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
member_path - Member attribute path to operate on. type: str
member_state - Add or delete a member under specified attribute path. type: str choices: present, absent

vpn_ssl_settings - Configure SSL-VPN. type: dict more...

algorithm - Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. type: str choices: high, medium, default, low more...

auth_session_check_source_ip - Enable/disable checking of source IP for authentication session. type: str choices: enable, disable more...

auth_timeout - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int more...

authentication_rule - Authentication rule for SSL-VPN. type: list more...

auth - SSL-VPN authentication method restriction. type: str choices: any, local, radius, tacacs+, ldap, peer more...

cipher - SSL-VPN cipher strength. type: str choices: any, high, medium more...

client_cert - Enable/disable SSL-VPN client certificate restrictive. type: str choices: enable, disable more...

groups - User groups. type: list more...

name - Group name. Source user.group.name. type: str more...

id - ID (0 - 4294967295). type: int more...

portal - SSL-VPN portal. Source vpn.ssl.web.portal.name. type: str more...

realm - SSL-VPN realm. Source vpn.ssl.web.realm.url-path. type: str more...

source_address - Source address of incoming traffic. type: list more...

name - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name. type: str more...

source_address_negate - Enable/disable negated source address match. type: str choices: enable, disable more...

source_address6 - IPv6 source address of incoming traffic. type: list more...

name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. type: str more...

source_address6_negate - Enable/disable negated source IPv6 address match. type: str choices: enable, disable more...

source_interface - SSL-VPN source interface of incoming traffic. type: list more...

name - Interface name. Source system.interface.name system.zone.name. type: str more...

user_peer - Name of user peer. Source user.peer.name. type: str more...

users - User name. type: list more...

name - User name. Source user.local.name. type: str more...

auto_tunnel_static_route - Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses. type: str choices: enable, disable more...

banned_cipher - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below. type: list choices: RSA, DHE, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM, DH, ECDH more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0 v7.0.1 v7.0.2 v7.0.3 v7.0.4 v7.0.5 v7.0.6 v7.0.7 v7.0.8 v7.2.0 v7.2.1 v7.2.2

banned_cipher yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[RSA] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[DHE] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[ECDHE] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[DSS] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[ECDSA] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[AES] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[AESGCM] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[CAMELLIA] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[3DES] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[SHA1] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[SHA256] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[SHA384] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[STATIC] yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes

[CHACHA20] no no no no no no no no no no yes yes yes yes yes yes yes yes yes yes yes yes

[ARIA] no no no no no no no no no no yes yes yes yes yes yes yes yes yes yes yes yes

[AESCCM] no no no no no no no no no no yes yes yes yes yes yes yes yes yes yes yes yes

[DH] yes yes yes n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a

[ECDH] yes yes yes n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a

browser_language_detection - Enable/disable overriding the configured system language based on the preferred language of the browser. type: str choices: enable, disable more...

check_referer - Enable/disable verification of referer field in HTTP request header. type: str choices: enable, disable more...

ciphersuite - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. type: list choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256 more...

client_sigalgs - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. type: str choices: no-rsa-pss, all more...

default_portal - Default SSL-VPN portal. Source vpn.ssl.web.portal.name. type: str more...

deflate_compression_level - Compression level (0~9). type: int more...

deflate_min_data_size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int more...

dns_server1 - DNS server 1. type: str more...

dns_server2 - DNS server 2. type: str more...

dns_suffix - DNS suffix used for SSL-VPN clients. type: str more...

dtls_hello_timeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec). type: int more...

dtls_max_proto_ver - DTLS maximum protocol version. type: str choices: dtls1-0, dtls1-2 more...

dtls_min_proto_ver - DTLS minimum protocol version. type: str choices: dtls1-0, dtls1-2 more...

dtls_tunnel - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. type: str choices: enable, disable more...

dual_stack_mode - Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal. type: str choices: enable, disable more...

encode_2f_sequence - Encode 2F sequence to forward slash in URLs. type: str choices: enable, disable more...

encrypt_and_store_password - Encrypt and store user passwords for SSL-VPN web sessions. type: str choices: enable, disable more...

force_two_factor_auth - Enable/disable only PKI users with two-factor authentication for SSL-VPNs. type: str choices: enable, disable more...

header_x_forwarded_for - Forward the same, add, or remove HTTP header. type: str choices: pass, add, remove more...

hsts_include_subdomains - Add HSTS includeSubDomains response header. type: str choices: enable, disable more...

http_compression - Enable/disable to allow HTTP compression over SSL-VPN tunnels. type: str choices: enable, disable more...

http_only_cookie - Enable/disable SSL-VPN support for HttpOnly cookies. type: str choices: enable, disable more...

http_request_body_timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). type: int more...

http_request_header_timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). type: int more...

https_redirect - Enable/disable redirect of port 80 to SSL-VPN port. type: str choices: enable, disable more...

idle_timeout - SSL-VPN disconnects if idle for specified time in seconds. type: int more...

ipv6_dns_server1 - IPv6 DNS server 1. type: str more...

ipv6_dns_server2 - IPv6 DNS server 2. type: str more...

ipv6_wins_server1 - IPv6 WINS server 1. type: str more...

ipv6_wins_server2 - IPv6 WINS server 2. type: str more...

login_attempt_limit - SSL-VPN maximum login attempt times before block (0 - 10). type: int more...

login_block_time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). type: int more...

login_timeout - SSLVPN maximum login timeout (10 - 180 sec). type: int more...

port - SSL-VPN access port (1 - 65535). type: int more...

port_precedence - Enable/disable, Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface. type: str choices: enable, disable more...

reqclientcert - Enable/disable to require client certificates for all SSL-VPN users. type: str choices: enable, disable more...

route_source_interface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. type: str choices: enable, disable more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7

route_source_interface yes yes yes yes yes yes yes

[enable] yes yes yes yes yes yes yes

[disable] yes yes yes yes yes yes yes

saml_redirect_port - SAML local redirect port in the machine running FortiClient (0 - 65535). 0 is to disable redirection on FGT side. type: int more...

servercert - Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. type: str more...