fortios_vpn_ssl_settings – Configure SSL-VPN in Fortinet's FortiOS and FortiGate.
New in version 2.0.0.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the settings category of the vpn_ssl feature. The examples include all parameters; their values must be adjusted to your datasources before use. Tested with FOS v6.0.0.
FortiOS Version Compatibility

| FortiOS version | fortios_vpn_ssl_settings |
|---|---|
| v6.0.0 | yes |
| v6.0.5 | yes |
| v6.0.11 | yes |
| v6.2.0 | yes |
| v6.2.3 | yes |
| v6.2.5 | yes |
| v6.2.7 | yes |
| v6.4.0 | yes |
| v6.4.1 | yes |
| v6.4.4 | yes |
| v7.0.0 | yes |
| v7.0.1 | yes |
| v7.0.2 | yes |
| v7.0.3 | yes |
| v7.0.4 | yes |
| v7.0.5 | yes |
| v7.0.6 | yes |
| v7.0.7 | yes |
| v7.0.8 | yes |
| v7.2.0 | yes |
| v7.2.1 | yes |
| v7.2.2 | yes |
Parameters
- access_token - Token-based authentication. Generated from the FortiGate GUI. type: str, required: false
- enable_log - Enable/disable logging for the task. type: bool, required: false, default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit. type: str, default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under the specified attribute path. type: str, choices: present, absent
- vpn_ssl_settings - Configure SSL-VPN. type: dict
  - algorithm - Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. type: str, choices: high, medium, default, low
  - auth_session_check_source_ip - Enable/disable checking of the source IP for the authentication session. type: str, choices: enable, disable
  - auth_timeout - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int
  - authentication_rule - Authentication rules for SSL-VPN. type: list
    - auth - SSL-VPN authentication method restriction. type: str, choices: any, local, radius, tacacs+, ldap, peer
    - cipher - SSL-VPN cipher strength. type: str, choices: any, high, medium
    - client_cert - Enable/disable SSL-VPN client certificate restriction. type: str, choices: enable, disable
    - groups - User groups. type: list
      - name - Group name. Source user.group.name. type: str
    - id - ID (0 - 4294967295). type: int
    - portal - SSL-VPN portal. Source vpn.ssl.web.portal.name. type: str
    - realm - SSL-VPN realm. Source vpn.ssl.web.realm.url-path. type: str
    - source_address - Source address of incoming traffic. type: list
      - name - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name. type: str
    - source_address_negate - Enable/disable negated source address match. type: str, choices: enable, disable
    - source_address6 - IPv6 source address of incoming traffic. type: list
      - name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. type: str
    - source_address6_negate - Enable/disable negated source IPv6 address match. type: str, choices: enable, disable
    - source_interface - SSL-VPN source interface of incoming traffic. type: list
      - name - Interface name. Source system.interface.name system.zone.name. type: str
    - user_peer - Name of user peer. Source user.peer.name. type: str
    - users - User names. type: list
      - name - User name. Source user.local.name. type: str
  - auto_tunnel_static_route - Enable/disable auto-creation of static routes for the SSL-VPN tunnel IP addresses. type: str, choices: enable, disable
  - banned_cipher - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. Only applies to TLS 1.2 and below. type: list, choices: RSA, DHE, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM, DH, ECDH
  - browser_language_detection - Enable/disable overriding the configured system language based on the preferred language of the browser. type: str, choices: enable, disable
  - check_referer - Enable/disable verification of the Referer field in the HTTP request header. type: str, choices: enable, disable
  - ciphersuite - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. type: list, choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256
  - client_sigalgs - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. type: str, choices: no-rsa-pss, all
  - default_portal - Default SSL-VPN portal. Source vpn.ssl.web.portal.name. type: str
  - deflate_compression_level - Compression level (0~9). type: int
  - deflate_min_data_size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int
  - dns_server1 - DNS server 1. type: str
  - dns_server2 - DNS server 2. type: str
  - dns_suffix - DNS suffix used for SSL-VPN clients. type: str
  - dtls_hello_timeout - SSL-VPN maximum DTLS hello timeout (10 - 60 sec). type: int
  - dtls_max_proto_ver - DTLS maximum protocol version. type: str, choices: dtls1-0, dtls1-2
  - dtls_min_proto_ver - DTLS minimum protocol version. type: str, choices: dtls1-0, dtls1-2
  - dtls_tunnel - Enable/disable DTLS to prevent eavesdropping, tampering, or message forgery. type: str, choices: enable, disable
  - dual_stack_mode - Tunnel mode: enable parallel IPv4 and IPv6 tunnels. Web mode: support IPv4 and IPv6 bookmarks in the portal. type: str, choices: enable, disable
  - encode_2f_sequence - Encode the 2F sequence to a forward slash in URLs. type: str, choices: enable, disable
  - encrypt_and_store_password - Encrypt and store user passwords for SSL-VPN web sessions. type: str, choices: enable, disable
  - force_two_factor_auth - Enable/disable allowing only PKI users with two-factor authentication for SSL-VPNs. type: str, choices: enable, disable
  - header_x_forwarded_for - Forward the same, add, or remove the HTTP header. type: str, choices: pass, add, remove
  - hsts_include_subdomains - Add the HSTS includeSubDomains response header. type: str, choices: enable, disable
  - http_compression - Enable/disable HTTP compression over SSL-VPN tunnels. type: str, choices: enable, disable
  - http_only_cookie - Enable/disable SSL-VPN support for HttpOnly cookies. type: str, choices: enable, disable
  - http_request_body_timeout - The SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). type: int
  - http_request_header_timeout - The SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). type: int
  - https_redirect - Enable/disable redirect of port 80 to the SSL-VPN port. type: str, choices: enable, disable
  - idle_timeout - SSL-VPN disconnects if idle for the specified time in seconds. type: int
  - ipv6_dns_server1 - IPv6 DNS server 1. type: str
  - ipv6_dns_server2 - IPv6 DNS server 2. type: str
  - ipv6_wins_server1 - IPv6 WINS server 1. type: str
  - ipv6_wins_server2 - IPv6 WINS server 2. type: str
  - login_attempt_limit - SSL-VPN maximum number of login attempts before a block (0 - 10). type: int
  - login_block_time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). type: int
  - login_timeout - SSL-VPN maximum login timeout (10 - 180 sec). type: int
  - port - SSL-VPN access port (1 - 65535). type: int
  - port_precedence - Enable/disable. When enabled, admin GUI connections are blocked on any interface on which SSL-VPN connections are allowed. type: str, choices: enable, disable
  - reqclientcert - Enable/disable requiring client certificates for all SSL-VPN users. type: str, choices: enable, disable
  - route_source_interface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. type: str, choices: enable, disable
  - saml_redirect_port - SAML local redirect port on the machine running FortiClient (0 - 65535). 0 disables redirection on the FGT side. type: int
  - servercert - Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. type: str
  - source_address - Source address of incoming traffic. type: list
    - name - Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name. type: str
  - source_address_negate - Enable/disable negated source address match. type: str, choices: enable, disable
  - source_address6 - IPv6 source address of incoming traffic. type: list
    - name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. type: str
  - source_address6_negate - Enable/disable negated source IPv6 address match. type: str, choices: enable, disable
  - source_interface - SSL-VPN source interface of incoming traffic. type: list
    - name - Interface name. Source system.interface.name system.zone.name. type: str
  - ssl_client_renegotiation - Enable/disable allowing client renegotiation by the server if the tunnel goes down. type: str, choices: disable, enable
  - ssl_insert_empty_fragment - Enable/disable insertion of empty fragments. type: str, choices: enable, disable
  - ssl_max_proto_ver - SSL maximum protocol version. type: str, choices: tls1-0, tls1-1, tls1-2, tls1-3
  - ssl_min_proto_ver - SSL minimum protocol version. type: str, choices: tls1-0, tls1-1, tls1-2, tls1-3
  - status - Enable/disable SSL-VPN. type: str, choices: enable, disable
  - tlsv1_0 - Enable/disable TLS 1.0 (tlsv1-0). type: str, choices: enable, disable
  - tlsv1_1 - Enable/disable TLS 1.1 (tlsv1-1). type: str, choices: enable, disable
  - tlsv1_2 - Enable/disable TLS 1.2 (tlsv1-2). type: str, choices: enable, disable
  - tlsv1_3 - Enable/disable TLS 1.3 (tlsv1-3). type: str, choices: enable, disable
  - transform_backward_slashes - Transform backward slashes to forward slashes in URLs. type: str, choices: enable, disable
  - tunnel_addr_assigned_method - Method used for assigning addresses for the tunnel. type: str, choices: first-available, round-robin
  - tunnel_connect_without_reauth - Enable/disable tunnel connection without re-authorization if the previous connection dropped. type: str, choices: enable, disable
  - tunnel_ip_pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: list
    - name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str
  - tunnel_ipv6_pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: list
    - name - Address name. Source firewall.address6.name firewall.addrgrp6.name. type: str
  - tunnel_user_session_timeout - Timeout value to clean up the user session after the tunnel connection is dropped (1 - 255 sec). type: int
  - unsafe_legacy_renegotiation - Enable/disable unsafe legacy renegotiation. type: str, choices: enable, disable
  - url_obscuration - Enable/disable obscuring the host name of the URL in the web browser display. type: str, choices: enable, disable
  - user_peer - Name of user peer. Source user.peer.name. type: str
  - web_mode_snat - Enable/disable use of IP pools defined in the firewall policy while using web mode. type: str, choices: enable, disable
  - wins_server1 - WINS server 1. type: str
  - wins_server2 - WINS server 2. type: str
  - x_content_type_options - Add the HTTP X-Content-Type-Options header. type: str, choices: enable, disable
  - ztna_trusted_client - Enable/disable verification of the device certificate for SSL-VPN ZTNA sessions. type: str, choices: enable, disable
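As an added example (not code from the fortinet.fortios collection), a pre-flight check that lints a `vpn_ssl_settings` dict against an assumed hardening baseline before the playbook hands it to this module. The thresholds, the `WEAK_CIPHER_TECH` set and the `WEAK`/`HARDENED` sample dicts are constructed for illustration; only the parameter names and choices come from this page.

```python
# Added example, not part of fortinet.fortios: lint a vpn_ssl_settings dict against an
# assumed hardening baseline. Nothing here is enforced by the module or by FortiOS.
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
# Cipher technologies (from the banned_cipher choices) this baseline expects to be banned.
WEAK_CIPHER_TECH = {"RSA", "DSS", "3DES", "SHA1", "STATIC", "DH", "ECDH"}


def lint_ssl_vpn_settings(settings):
    """Return findings (list of str) for weak or inconsistent values; [] means clean."""
    f, tls = [], TLS_ORDER.index
    mn, mx = settings.get("ssl_min_proto_ver"), settings.get("ssl_max_proto_ver")
    if mn is None or tls(mn) < tls("tls1-2"):
        f.append("ssl_min_proto_ver: use tls1-2 or tls1-3 (TLS 1.0/1.1 are obsolete)")
    if mn and mx and tls(mx) < tls(mn):
        f.append("ssl_max_proto_ver is lower than ssl_min_proto_ver")
    # Parameter docs: TLS 1.3 needs at least one ciphersuite unless max proto is tls1-2 or below.
    if mx == "tls1-3" and not settings.get("ciphersuite"):
        f.append("ciphersuite: enable at least one TLS 1.3 suite or lower ssl_max_proto_ver")
    for key in ("tlsv1_0", "tlsv1_1"):
        if settings.get(key) == "enable":
            f.append(f"{key}: legacy protocol toggle is enabled")
    if settings.get("dtls_min_proto_ver") == "dtls1-0":
        f.append("dtls_min_proto_ver: dtls1-0 is allowed; prefer dtls1-2")
    banned = settings.get("banned_cipher") or []           # module takes a list
    missing = WEAK_CIPHER_TECH - set([banned] if isinstance(banned, str) else banned)
    if missing:
        f.append("banned_cipher: still allowed: " + ", ".join(sorted(missing)))
    if settings.get("unsafe_legacy_renegotiation") == "enable":
        f.append("unsafe_legacy_renegotiation is enabled")
    if settings.get("reqclientcert") != "enable":
        f.append("reqclientcert: client certificates are not required")
    for key in ("check_referer", "http_only_cookie", "x_content_type_options"):
        if settings.get(key) != "enable":
            f.append(f"{key}: web-mode hardening option not enabled")
    if int(settings.get("login_attempt_limit") or 0) == 0:
        f.append("login_attempt_limit is 0 or unset")
    if int(settings.get("auth_timeout") or 0) == 0:
        f.append("auth_timeout is 0 or unset (0 means no timeout)")
    return f


# Constructed samples: WEAK mirrors the values in this page's auto-generated example.
WEAK = {"ssl_min_proto_ver": "tls1-0", "ssl_max_proto_ver": "tls1-0", "tlsv1_0": "enable",
        "banned_cipher": "RSA", "unsafe_legacy_renegotiation": "enable", "reqclientcert": "enable",
        "login_attempt_limit": "2", "auth_timeout": "28800", "dtls_min_proto_ver": "dtls1-0"}
HARDENED = {"ssl_min_proto_ver": "tls1-2", "ssl_max_proto_ver": "tls1-3", "tlsv1_0": "disable",
            "tlsv1_1": "disable", "ciphersuite": ["TLS-AES-256-GCM-SHA384"], "dtls_min_proto_ver": "dtls1-2",
            "banned_cipher": sorted(WEAK_CIPHER_TECH), "unsafe_legacy_renegotiation": "disable",
            "reqclientcert": "enable", "check_referer": "enable", "http_only_cookie": "enable",
            "x_content_type_options": "enable", "login_attempt_limit": 3, "auth_timeout": 28800}
```

Run it in a `pre_tasks` step (or as a plain script over the rendered vars) and fail the play when the list is non-empty, so a weak `vpn_ssl_settings` block never reaches the device.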
Examples

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL-VPN.
      fortios_vpn_ssl_settings:
        vdom: "{{ vdom }}"
        vpn_ssl_settings:
          algorithm: "high"
          auth_session_check_source_ip: "enable"
          auth_timeout: "28800"
          authentication_rule:
            - auth: "any"
              cipher: "any"
              client_cert: "enable"
              groups:
                - name: "default_name_11 (source user.group.name)"
              id: "12"
              portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
              realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
              source_address:
                - name: "default_name_16 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
              source_address_negate: "enable"
              source_address6:
                - name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
              source_address6_negate: "enable"
              source_interface:
                - name: "default_name_22 (source system.interface.name system.zone.name)"
              user_peer: "<your_own_value> (source user.peer.name)"
              users:
                - name: "default_name_25 (source user.local.name)"
          auto_tunnel_static_route: "enable"
          banned_cipher: "RSA"
          browser_language_detection: "enable"
          check_referer: "enable"
          ciphersuite: "TLS-AES-128-GCM-SHA256"
          client_sigalgs: "no-rsa-pss"
          default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
          deflate_compression_level: "6"
          deflate_min_data_size: "300"
          dns_server1: "<your_own_value>"
          dns_server2: "<your_own_value>"
          dns_suffix: "<your_own_value>"
          dtls_hello_timeout: "10"
          dtls_max_proto_ver: "dtls1-0"
          dtls_min_proto_ver: "dtls1-0"
          dtls_tunnel: "enable"
          dual_stack_mode: "enable"
          encode_2f_sequence: "enable"
          encrypt_and_store_password: "enable"
          force_two_factor_auth: "enable"
          header_x_forwarded_for: "pass"
          hsts_include_subdomains: "enable"
          http_compression: "enable"
          http_only_cookie: "enable"
          http_request_body_timeout: "30"
          http_request_header_timeout: "20"
          https_redirect: "enable"
          idle_timeout: "300"
          ipv6_dns_server1: "<your_own_value>"
          ipv6_dns_server2: "<your_own_value>"
          ipv6_wins_server1: "<your_own_value>"
          ipv6_wins_server2: "<your_own_value>"
          login_attempt_limit: "2"
          login_block_time: "60"
          login_timeout: "30"
          port: "10443"
          port_precedence: "enable"
          reqclientcert: "enable"
          route_source_interface: "enable"
          saml_redirect_port: "8020"
          servercert: "<your_own_value> (source vpn.certificate.local.name)"
          source_address:
            - name: "default_name_68 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
          source_address_negate: "enable"
          source_address6:
            - name: "default_name_71 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
          source_address6_negate: "enable"
          source_interface:
            - name: "default_name_74 (source system.interface.name system.zone.name)"
          ssl_client_renegotiation: "disable"
          ssl_insert_empty_fragment: "enable"
          ssl_max_proto_ver: "tls1-0"
          ssl_min_proto_ver: "tls1-0"
          status: "enable"
          tlsv1_0: "enable"
          tlsv1_1: "enable"
          tlsv1_2: "enable"
          tlsv1_3: "enable"
          transform_backward_slashes: "enable"
          tunnel_addr_assigned_method: "first-available"
          tunnel_connect_without_reauth: "enable"
          tunnel_ip_pools:
            - name: "default_name_88 (source firewall.address.name firewall.addrgrp.name)"
          tunnel_ipv6_pools:
            - name: "default_name_90 (source firewall.address6.name firewall.addrgrp6.name)"
          tunnel_user_session_timeout: "30"
          unsafe_legacy_renegotiation: "enable"
          url_obscuration: "enable"
          user_peer: "<your_own_value> (source user.peer.name)"
          web_mode_snat: "enable"
          wins_server1: "<your_own_value>"
          wins_server2: "<your_own_value>"
          x_content_type_options: "enable"
          ztna_trusted_client: "enable"
```
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:
- build - Build number of the FortiGate image. returned: always, type: str, sample: 1547
- http_method - Last method used to provision the content into the FortiGate. returned: always, type: str, sample: PUT
- http_status - Last result given by the FortiGate on the last operation applied. returned: always, type: str, sample: 200
- mkey - Master key (id) used in the last call to the FortiGate. returned: success, type: str, sample: id
- name - Name of the table used to fulfill the request. returned: always, type: str, sample: urlfilter
- path - Path of the table used to fulfill the request. returned: always, type: str, sample: webfilter
- revision - Internal revision number. returned: always, type: str, sample: 17.0.2.10658
- serial - Serial number of the unit. returned: always, type: str, sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result. returned: always, type: str, sample: success
- vdom - Virtual domain used. returned: always, type: str, sample: root
- version - Version of the FortiGate. returned: always, type: str, sample: v5.6.3