fortios_vpn_certificate_setting – VPN certificate setting in Fortinet’s FortiOS and FortiGate.¶
New in version 2.0.0.
Synopsis¶
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
FortiOS Version Compatibility¶
v6.0.0 |
v6.0.5 |
v6.0.11 |
v6.2.0 |
v6.2.3 |
v6.2.5 |
v6.2.7 |
v6.4.0 |
v6.4.1 |
v6.4.4 |
v7.0.0 |
v7.0.1 |
v7.0.2 |
v7.0.3 |
v7.0.4 |
v7.0.5 |
v7.0.6 |
v7.0.7 |
v7.0.8 |
v7.2.0 |
v7.2.1 |
v7.2.2 |
v7.2.4 |
v7.4.0 |
|
fortios_vpn_certificate_setting | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
Parameters¶
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
- vpn_certificate_setting - VPN certificate setting. type: dict more...
- cert_expire_warning - Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100). type: int more...
- certname_dsa1024 - 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_dsa2048 - 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_ecdsa256 - 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_ecdsa384 - 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_ecdsa521 - 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_ed25519 - 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_ed448 - 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_rsa1024 - 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_rsa2048 - 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- certname_rsa4096 - 4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str more...
- check_ca_cert - Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . type: str choices: enable, disable more...
- check_ca_chain - Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . type: str choices: enable, disable more...
- cmp_key_usage_checking - Enable/disable server certificate key usage checking in CMP mode . type: str choices: enable, disable more...
- cmp_save_extra_certs - Enable/disable saving extra certificates in CMP mode . type: str choices: enable, disable more...
- cn_allow_multi - When searching for a matching certificate, allow multiple CN fields in certificate subject name . type: str choices: disable, enable more...
- cn_match - When searching for a matching certificate, control how to do CN value matching with certificate subject name . type: str choices: substring, value more...
- crl_verification - CRL verification options. type: dict more...
- chain_crl_absence - CRL verification option when CRL of any certificate in chain is absent . type: str choices: ignore, revoke more...
- expiry - CRL verification option when CRL is expired . type: str choices: ignore, revoke more...
- leaf_crl_absence - CRL verification option when leaf CRL is absent . type: str choices: ignore, revoke more...
- interface - Specify outgoing interface to reach server. Source system.interface.name. type: str more...
- interface_select_method - Specify how to select outgoing interface to reach server. type: str choices: auto, sdwan, specify more...
- ocsp_default_server - Default OCSP server. Source vpn.certificate.ocsp-server.name. type: str more...
- ocsp_option - Specify whether the OCSP URL is from certificate or configured OCSP server. type: str choices: certificate, server more...
- ocsp_status - Enable/disable receiving certificates using the OCSP. type: str choices: enable, disable more...
- proxy - Proxy server FQDN or IP for OCSP/CA queries during certificate verification. type: str more...
- proxy_password - Proxy server password. type: str more...
- proxy_port - Proxy server port (1 - 65535). type: int more...
- proxy_username - Proxy server user name. type: str more...
- source_ip - Source IP address for dynamic AIA and OCSP queries. type: str more...
- ssl_min_proto_version - Minimum supported protocol version for SSL/TLS connections . type: str choices: default, SSLv3, TLSv1, TLSv1-1, TLSv1-2 more...
- ssl_ocsp_option - Specify whether the OCSP URL is from the certificate or the default OCSP server. type: str choices: certificate, server more...
- ssl_ocsp_source_ip - Source IP address to use to communicate with the OCSP server. type: str more...
- ssl_ocsp_status - Enable/disable SSL OCSP. type: str choices: enable, disable more...
- strict_crl_check - Enable/disable strict mode CRL checking. type: str choices: enable, disable more...
- strict_ocsp_check - Enable/disable strict mode OCSP checking. type: str choices: enable, disable more...
- subject_match - When searching for a matching certificate, control how to do RDN value matching with certificate subject name . type: str choices: substring, value more...
- subject_set - When searching for a matching certificate, control how to do RDN set matching with certificate subject name . type: str choices: subset, superset more...
Examples¶
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: VPN certificate setting.
fortios_vpn_certificate_setting:
vdom: "{{ vdom }}"
vpn_certificate_setting:
cert_expire_warning: "14"
certname_dsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_dsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa256: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa384: "<your_own_value> (source vpn.certificate.local.name)"
certname_ecdsa521: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed25519: "<your_own_value> (source vpn.certificate.local.name)"
certname_ed448: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa1024: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa2048: "<your_own_value> (source vpn.certificate.local.name)"
certname_rsa4096: "<your_own_value> (source vpn.certificate.local.name)"
check_ca_cert: "enable"
check_ca_chain: "enable"
cmp_key_usage_checking: "enable"
cmp_save_extra_certs: "enable"
cn_allow_multi: "disable"
cn_match: "substring"
crl_verification:
chain_crl_absence: "ignore"
expiry: "ignore"
leaf_crl_absence: "ignore"
interface: "<your_own_value> (source system.interface.name)"
interface_select_method: "auto"
ocsp_default_server: "<your_own_value> (source vpn.certificate.ocsp-server.name)"
ocsp_option: "certificate"
ocsp_status: "enable"
proxy: "<your_own_value>"
proxy_password: "<your_own_value>"
proxy_port: "8080"
proxy_username: "<your_own_value>"
source_ip: "84.230.14.43"
ssl_min_proto_version: "default"
ssl_ocsp_option: "certificate"
ssl_ocsp_source_ip: "<your_own_value>"
ssl_ocsp_status: "enable"
strict_crl_check: "enable"
strict_ocsp_check: "enable"
subject_match: "substring"
subject_set: "subset"
Return Values¶
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3