fortios_firewall_ssl_ssh_profile – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate.
New in version 2.0.0.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the firewall feature and ssl_ssh_profile category. The example below lists every parameter; values that reference other objects (marked "Source ...") must be adjusted to the data sources present on the target device before use. Tested with FOS v6.0.0.
FortiOS Version Compatibility
fortios_firewall_ssl_ssh_profile is supported ("yes") on every listed release: v6.0.0, v6.0.5, v6.0.11, v6.2.0, v6.2.3, v6.2.5, v6.2.7, v6.4.0, v6.4.1, v6.4.4, v7.0.0, v7.0.1, v7.0.2, v7.0.3, v7.0.4, v7.0.5, v7.0.6, v7.0.7, v7.0.8, v7.2.0, v7.2.1, v7.2.2, v7.2.4, v7.4.0.
Individual options differ between releases: the parameter list carries both the older and the newer name where a setting was renamed (allowlist/whitelist, block_blocklisted_certificates/block_blacklisted_certificates, ssl_anomaly_log/ssl_anomalies_log, ssl_exemption_log/ssl_exemptions_log); use the name your target release accepts.
Parameters
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
- state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
- firewall_ssl_ssh_profile - Configure SSL/SSH protocol options. type: dict
  - allowlist - Enable/disable exempting servers by FortiGuard allowlist. type: str choices: enable, disable
  - block_blacklisted_certificates - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. type: str choices: disable, enable
  - block_blocklisted_certificates - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist. type: str choices: disable, enable
  - caname - CA certificate used by SSL Inspection. Source vpn.certificate.local.name. type: str
  - comment - Optional comments. type: str
  - dot - Configure DNS over TLS options. type: dict
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - ftps - Configure FTPS options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - min_allowed_ssl_version - Minimum SSL version to be allowed. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3
    - ports - Ports to use for scanning (1 - 65535). type: list
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - https - Configure HTTPS options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_probe_failure - Action based on certificate probe failure. type: str choices: allow, block
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - min_allowed_ssl_version - Minimum SSL version to be allowed. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3
    - ports - Ports to use for scanning (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, certificate-inspection, deep-inspection
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - imaps - Configure IMAPS options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - ports - Ports to use for scanning (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - mapi_over_https - Enable/disable inspection of MAPI over HTTPS. type: str choices: enable, disable
  - name - Name. type: str required: true
  - pop3s - Configure POP3S options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - ports - Ports to use for scanning (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - rpc_over_https - Enable/disable inspection of RPC over HTTPS. type: str choices: enable, disable
  - server_cert - Certificate used by SSL Inspection to replace the server certificate. Source vpn.certificate.local.name. type: list member_path: server_cert:name
    - name - Certificate list. Source vpn.certificate.local.name. type: str required: true
  - server_cert_mode - Re-sign or replace the server's certificate. type: str choices: re-sign, replace
  - smtps - Configure SMTPS options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - ports - Ports to use for scanning (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - ssh - Configure SSH options. type: dict
    - inspect_all - Level of SSL inspection. type: str choices: disable, deep-inspection
    - ports - Ports to use for scanning (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - ssh_algorithm - Relative strength of encryption algorithms accepted during negotiation. type: str choices: compatible, high-encryption
    - ssh_policy_check - Enable/disable SSH policy check. type: str choices: disable, enable
    - ssh_tun_policy_check - Enable/disable SSH tunnel policy check. type: str choices: disable, enable
    - status - Configure protocol inspection status. type: str choices: disable, deep-inspection
    - unsupported_version - Action when the SSH version is unsupported. type: str choices: bypass, block
  - ssl - Configure SSL options. type: dict
    - allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable
    - cert_probe_failure - Action based on certificate probe failure. type: str choices: allow, block
    - cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore
    - cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore
    - client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block
    - client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block
    - expired_server_cert - Action when the server certificate is expired. type: str choices: allow, block, ignore
    - inspect_all - Level of SSL inspection. type: str choices: disable, certificate-inspection, deep-inspection
    - invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block
    - min_allowed_ssl_version - Minimum SSL version to be allowed. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3
    - revoked_server_cert - Action when the server certificate is revoked. type: str choices: allow, block, ignore
    - sni_server_cert_check - Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable
    - unsupported_ssl - Action when the SSL encryption used is unsupported. type: str choices: bypass, inspect, block
    - unsupported_ssl_cipher - Action when the SSL cipher used is unsupported. type: str choices: allow, block
    - unsupported_ssl_negotiation - Action when the SSL negotiation used is unsupported. type: str choices: allow, block
    - unsupported_ssl_version - Action when the SSL version used is unsupported. type: str choices: allow, block, inspect
    - untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore
    - untrusted_server_cert - Action when the server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore
  - ssl_anomalies_log - Enable/disable logging SSL anomalies. type: str choices: disable, enable
  - ssl_anomaly_log - Enable/disable logging of SSL anomalies. type: str choices: disable, enable
  - ssl_exempt - Servers to exempt from SSL inspection. type: list member_path: ssl_exempt:id
    - address - IPv4 address object. Source firewall.address.name firewall.addrgrp.name. type: str
    - address6 - IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name. type: str
    - fortiguard_category - FortiGuard category ID. type: int
    - id - ID number. type: int required: true
    - regex - Exempt servers by regular expression. type: str
    - type - Type of address object (IPv4 or IPv6) or FortiGuard category. type: str choices: fortiguard-category, address, address6, wildcard-fqdn, regex
    - wildcard_fqdn - Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name. type: str
  - ssl_exemption_ip_rating - Enable/disable IP based URL rating. type: str choices: enable, disable
  - ssl_exemption_log - Enable/disable logging of SSL exemptions. type: str choices: disable, enable
  - ssl_exemptions_log - Enable/disable logging SSL exemptions. type: str choices: disable, enable
  - ssl_handshake_log - Enable/disable logging of TLS handshakes. type: str choices: disable, enable
  - ssl_negotiation_log - Enable/disable logging of SSL negotiation events. type: str choices: disable, enable
  - ssl_server - SSL server settings used for client certificate request. type: list member_path: ssl_server:id
    - ftps_client_cert_request - Action based on client certificate request during the FTPS handshake. type: str choices: bypass, inspect, block
    - ftps_client_certificate - Action based on received client certificate during the FTPS handshake. type: str choices: bypass, inspect, block
    - https_client_cert_request - Action based on client certificate request during the HTTPS handshake. type: str choices: bypass, inspect, block
    - https_client_certificate - Action based on received client certificate during the HTTPS handshake. type: str choices: bypass, inspect, block
    - id - SSL server ID. type: int required: true
    - imaps_client_cert_request - Action based on client certificate request during the IMAPS handshake. type: str choices: bypass, inspect, block
    - imaps_client_certificate - Action based on received client certificate during the IMAPS handshake. type: str choices: bypass, inspect, block
    - ip - IPv4 address of the SSL server. type: str
    - pop3s_client_cert_request - Action based on client certificate request during the POP3S handshake. type: str choices: bypass, inspect, block
    - pop3s_client_certificate - Action based on received client certificate during the POP3S handshake. type: str choices: bypass, inspect, block
    - smtps_client_cert_request - Action based on client certificate request during the SMTPS handshake. type: str choices: bypass, inspect, block
    - smtps_client_certificate - Action based on received client certificate during the SMTPS handshake. type: str choices: bypass, inspect, block
    - ssl_other_client_cert_request - Action based on client certificate request during an SSL protocol handshake. type: str choices: bypass, inspect, block
    - ssl_other_client_certificate - Action based on received client certificate during an SSL protocol handshake. type: str choices: bypass, inspect, block
  - ssl_server_cert_log - Enable/disable logging of server certificate information. type: str choices: disable, enable
  - supported_alpn - Configure ALPN option. type: str choices: http1-1, http2, all, none
  - untrusted_caname - Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name. type: str
  - use_ssl_server - Enable/disable the use of SSL server table for SSL offloading. type: str choices: disable, enable
  - whitelist - Enable/disable exempting servers by FortiGuard whitelist. type: str choices: enable, disable
Examples
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Skipping certificate validation on the management connection exposes the
    # API token to anyone who can intercept that path; keep this for lab units
    # with self-signed certificates only.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure SSL/SSH protocol options.
      fortios_firewall_ssl_ssh_profile:
        vdom: "{{ vdom }}"
        state: "present"
        # The token carries the privileges of the REST API user it was
        # generated for; keep it out of the playbook (ansible-vault or a lookup).
        access_token: "<your_own_value>"
        # Every option is listed with one valid choice so the whole schema is
        # visible. The values shown ("allow", "bypass", "enable" for
        # allow_invalid_server_cert, "ssl-3.0", status "disable") are the most
        # permissive choices and are not a recommended inspection profile.
        firewall_ssl_ssh_profile:
          allowlist: "enable"
          block_blacklisted_certificates: "disable"
          block_blocklisted_certificates: "disable"
          caname: "<your_own_value> (source vpn.certificate.local.name)"
          comment: "Optional comments."
          dot:
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_server_cert: "allow"
          ftps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            ports: "<your_own_value>"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          https:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          imaps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          mapi_over_https: "enable"
          name: "default_name_81"
          pop3s:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          rpc_over_https: "enable"
          server_cert:
            -
              name: "default_name_103 (source vpn.certificate.local.name)"
          server_cert_mode: "re-sign"
          smtps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssh:
            inspect_all: "disable"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            ssh_algorithm: "compatible"
            ssh_policy_check: "disable"
            ssh_tun_policy_check: "disable"
            status: "disable"
            unsupported_version: "bypass"
          ssl:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            inspect_all: "disable"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssl_anomalies_log: "disable"
          ssl_anomaly_log: "disable"
          ssl_exempt:
            -
              address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
              fortiguard_category: "0"
              id: "158"
              regex: "<your_own_value>"
              type: "fortiguard-category"
              wildcard_fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
          ssl_exemption_ip_rating: "enable"
          ssl_exemption_log: "disable"
          ssl_exemptions_log: "disable"
          ssl_handshake_log: "disable"
          ssl_negotiation_log: "disable"
          ssl_server:
            -
              ftps_client_cert_request: "bypass"
              ftps_client_certificate: "bypass"
              https_client_cert_request: "bypass"
              https_client_certificate: "bypass"
              id: "172"
              imaps_client_cert_request: "bypass"
              imaps_client_certificate: "bypass"
              ip: "<your_own_value>"
              pop3s_client_cert_request: "bypass"
              pop3s_client_certificate: "bypass"
              smtps_client_cert_request: "bypass"
              smtps_client_certificate: "bypass"
              ssl_other_client_cert_request: "bypass"
              ssl_other_client_certificate: "bypass"
          ssl_server_cert_log: "disable"
          supported_alpn: "http1-1"
          untrusted_caname: "<your_own_value> (source vpn.certificate.local.name)"
          use_ssl_server: "disable"
          whitelist: "enable"
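The parameter list and the all-options example leave the hardening decision to the reader: almost every certificate-handling option has an allow, ignore or bypass choice, and the example shows exactly that choice for each one. The script below is an added example and is not part of the fortinet.fortios collection or of this module. It lints the `firewall_ssl_ssh_profile` dict a task would pass to the module and reports the settings that weaken inspection: certificate failures accepted, a minimum TLS version below 1.2, the SNI check switched off, SSH negotiation left on "compatible", and logging switched off. Option and value names are the ones documented on this page; the policy thresholds and the two constructed sample profiles are this example's own assumptions, and `lint_profile` is a hypothetical helper rather than anything the module provides.

```python
"""Pre-deployment lint for a firewall_ssl_ssh_profile definition.

Added example, not part of the fortinet.fortios collection. Option and value
names come from the module's parameter list; the policy (what counts as weak)
and the two sample profiles below are this example's own assumptions.
"""
from typing import Dict, List

# Protocol sub-dicts that carry certificate-handling options. "ssl" uses
# inspect_all instead of status; "dot" has no min_allowed_ssl_version.
PROTOCOL_SECTIONS = ("https", "ftps", "imaps", "pop3s", "smtps", "dot", "ssl")

# (option, values treated as weak, reason). Values are the documented choices.
WEAK_CERT_OPTIONS = (
    ("untrusted_server_cert", {"allow", "ignore"}, "accepts certs from untrusted CAs"),
    ("expired_server_cert", {"allow", "ignore"}, "accepts expired server certs"),
    ("revoked_server_cert", {"allow", "ignore"}, "accepts revoked server certs"),
    ("cert_validation_failure", {"allow", "ignore"}, "accepts certs that failed validation"),
    ("cert_validation_timeout", {"allow", "ignore"}, "accepts certs when validation timed out"),
    ("allow_invalid_server_cert", {"enable"}, "allows sessions with an invalid server cert"),
    ("invalid_server_cert", {"allow"}, "allows invalid server certs"),
    ("untrusted_cert", {"allow", "ignore"}, "allows untrusted server certs"),
    ("sni_server_cert_check", {"disable"}, "SNI is not compared with the cert CN/SAN"),
    ("unsupported_ssl_version", {"allow"}, "allows unsupported SSL/TLS versions"),
    ("unsupported_ssl_cipher", {"allow"}, "allows unsupported ciphers"),
    ("unsupported_ssl_negotiation", {"allow"}, "allows unsupported SSL negotiation"),
    ("unsupported_ssl", {"bypass"}, "unsupported SSL encryption passes uninspected"),
)

# Documented choice order for min_allowed_ssl_version; the floor is policy.
SSL_VERSIONS = ("ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3")
MIN_VERSION = "tls-1.2"

# Profile-level log switches (older and newer names both exist in the module).
LOG_OPTIONS = ("ssl_anomalies_log", "ssl_anomaly_log", "ssl_exemptions_log",
               "ssl_exemption_log", "ssl_handshake_log", "ssl_server_cert_log")


def lint_profile(profile: Dict) -> List[str]:
    """Return one finding string per weak setting found in a profile dict."""
    findings: List[str] = []
    for proto in PROTOCOL_SECTIONS:
        section = profile.get(proto)
        if not isinstance(section, dict):
            continue
        state = section.get("inspect_all" if proto == "ssl" else "status")
        if state == "disable":
            # Nothing is inspected for this protocol, so its cert options are moot.
            findings.append(f"{proto}: inspection disabled")
            continue
        for option, weak, reason in WEAK_CERT_OPTIONS:
            value = section.get(option)
            if value in weak:
                findings.append(f"{proto}.{option}={value}: {reason}")
        ver = section.get("min_allowed_ssl_version")
        if ver in SSL_VERSIONS and SSL_VERSIONS.index(ver) < SSL_VERSIONS.index(MIN_VERSION):
            findings.append(f"{proto}.min_allowed_ssl_version={ver}: below {MIN_VERSION}")
    ssh = profile.get("ssh")
    if isinstance(ssh, dict) and ssh.get("status") != "disable":
        if ssh.get("ssh_algorithm") == "compatible":
            findings.append("ssh.ssh_algorithm=compatible: weak algorithms accepted")
        if ssh.get("unsupported_version") == "bypass":
            findings.append("ssh.unsupported_version=bypass: unsupported SSH passes uninspected")
    for opt in LOG_OPTIONS:
        if profile.get(opt) == "disable":
            findings.append(f"{opt}=disable: no log of this event class")
    return findings


# Constructed sample: the permissive choices the module example shows, with
# HTTPS inspection switched on so the certificate options take effect.
PERMISSIVE_PROFILE = {
    "name": "lab-permissive",
    "https": {"status": "deep-inspection", "allow_invalid_server_cert": "enable",
              "untrusted_server_cert": "allow", "expired_server_cert": "allow",
              "revoked_server_cert": "allow", "sni_server_cert_check": "enable",
              "min_allowed_ssl_version": "ssl-3.0", "unsupported_ssl_version": "allow"},
    "imaps": {"status": "disable"},
    "ssh": {"status": "deep-inspection", "ssh_algorithm": "compatible",
            "unsupported_version": "bypass"},
    "ssl_anomaly_log": "disable",
}

# Constructed sample: the same sections with the strict choices.
HARDENED_PROFILE = {
    "name": "deep-inspection-strict",
    "https": {"status": "deep-inspection", "allow_invalid_server_cert": "disable",
              "untrusted_server_cert": "block", "expired_server_cert": "block",
              "revoked_server_cert": "block", "cert_validation_failure": "block",
              "cert_validation_timeout": "block", "sni_server_cert_check": "strict",
              "min_allowed_ssl_version": "tls-1.2", "unsupported_ssl_version": "block",
              "unsupported_ssl_cipher": "block", "unsupported_ssl_negotiation": "block",
              "unsupported_ssl": "block"},
    "ssh": {"status": "deep-inspection", "ssh_algorithm": "high-encryption",
            "unsupported_version": "block"},
    "ssl_anomaly_log": "enable",
    "ssl_handshake_log": "enable",
}

if __name__ == "__main__":
    for prof in (PERMISSIVE_PROFILE, HARDENED_PROFILE):
        print(prof["name"], lint_profile(prof) or ["clean"])
```

Run it on the `firewall_ssl_ssh_profile` dict from a playbook (for example after loading the YAML with `yaml.safe_load`) before the task is applied; the permissive sample yields ten findings and the hardened one none. Treat "block" on cert_validation_timeout as a deliberate availability trade: with an unreachable OCSP/CRL source it turns every inspected session into a block rather than an allow.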
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3