fortios_firewall_proxy_policy – Configure proxy policies in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and proxy_policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. type: str required: False choices: present, absent
  • firewall_proxy_policy - Configure proxy policies. type: dict
    • state - B(Deprecated) type: str required: False choices: present, absent
    • action - Accept or deny traffic matching the policy parameters. type: str choices: accept, deny, redirect
    • application_list - Name of an existing Application list. Source application.list.name. type: str
    • av_profile - Name of an existing Antivirus profile. Source antivirus.profile.name. type: str
    • comments - Optional comments. type: str
    • disclaimer - Web proxy disclaimer setting: by domain, policy, or user. type: str choices: disable, domain, policy, user
    • dlp_sensor - Name of an existing DLP sensor. Source dlp.sensor.name. type: str
    • dstaddr - Destination address objects. type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name. type: str required: True
    • dstaddr_negate - When enabled, destination addresses match against any address EXCEPT the specified destination addresses. type: str choices: enable, disable
    • dstaddr6 - IPv6 destination address objects. type: list
      • name - Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall.vipgrp64.name system.external-resource.name. type: str required: True
    • dstintf - Destination interface names. type: list
      • name - Interface name. Source system.interface.name system.zone.name. type: str required: True
    • global_label - Global web-based manager visible label. type: str
    • groups - Names of group objects. type: list
      • name - Group name. Source user.group.name. type: str required: True
    • http_tunnel_auth - Enable/disable HTTP tunnel authentication. type: str choices: enable, disable
    • icap_profile - Name of an existing ICAP profile. Source icap.profile.name. type: str
    • internet_service - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. type: str choices: enable, disable
    • internet_service_custom - Custom Internet Service name. type: list
      • name - Custom name. Source firewall.internet-service-custom.name. type: str required: True
    • internet_service_id - Internet Service ID. type: list
      • id - Internet Service ID. Source firewall.internet-service.id. type: int required: True
    • internet_service_negate - When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service. type: str choices: enable, disable
    • ips_sensor - Name of an existing IPS sensor. Source ips.sensor.name. type: str
    • label - VDOM-specific GUI visible label. type: str
    • logtraffic - Enable/disable logging traffic through the policy. type: str choices: all, utm, disable
    • logtraffic_start - Enable/disable policy log traffic start. type: str choices: enable, disable
    • policyid - Policy ID. type: int required: True
    • poolname - Name of IP pool object. type: list
      • name - IP pool name. Source firewall.ippool.name. type: str required: True
    • profile_group - Name of profile group. Source firewall.profile-group.name. type: str
    • profile_protocol_options - Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name. type: str
    • profile_type - Determine whether the firewall policy allows security profile groups or single profiles only. type: str choices: single, group
    • proxy - Type of explicit proxy. type: str choices: explicit-web, transparent-web, ftp, ssh, ssh-tunnel, wanopt
    • redirect_url - Redirect URL for further explicit web proxy processing. type: str
    • replacemsg_override_group - Authentication replacement message override group. Source system.replacemsg-group.name. type: str
    • scan_botnet_connections - Enable/disable scanning of connections to Botnet servers. type: str choices: disable, block, monitor
    • schedule - Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name. type: str
    • service - Name of service objects. type: list
      • name - Service name. Source firewall.service.custom.name firewall.service.group.name. type: str required: True
    • service_negate - When enabled, services match against any service EXCEPT the specified destination services. type: str choices: enable, disable
    • session_ttl - TTL in seconds for sessions accepted by this policy (0 means use the system ). type: int
    • spamfilter_profile - Name of an existing Spam filter profile. Source spamfilter.profile.name. type: str
    • srcaddr - Source address objects (must be set when using Web proxy). type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name. type: str required: True
    • srcaddr_negate - When enabled, source addresses match against any address EXCEPT the specified source addresses. type: str choices: enable, disable
    • srcaddr6 - IPv6 source address objects. type: list
      • name - Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name. type: str required: True
    • srcintf - Source interface names. type: list
      • name - Interface name. Source system.interface.name system.zone.name. type: str required: True
    • ssh_filter_profile - Name of an existing SSH filter profile. Source ssh-filter.profile.name. type: str
    • ssl_ssh_profile - Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name. type: str
    • status - Enable/disable the active status of the policy. type: str choices: enable, disable
    • transparent - Enable to use the IP address of the client to connect to the server. type: str choices: enable, disable
    • users - Names of user objects. type: list
      • name - Group name. Source user.local.name. type: str required: True
    • utm_status - Enable the use of UTM profiles/sensors/lists. type: str choices: enable, disable
    • uuid - Universally Unique Identifier (UUID; automatically assigned but can be manually reset). type: str
    • waf_profile - Name of an existing Web application firewall profile. Source waf.profile.name. type: str
    • webcache - Enable/disable web caching. type: str choices: enable, disable
    • webcache_https - Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile). type: str choices: disable, enable
    • webfilter_profile - Name of an existing Web filter profile. Source webfilter.profile.name. type: str
    • webproxy_forward_server - Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name. type: str
    • webproxy_profile - Name of web proxy profile. Source web-proxy.profile.name. type: str

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure proxy policies.
    fortios_firewall_proxy_policy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_proxy_policy:
        action: "accept"
        application_list: "<your_own_value> (source application.list.name)"
        av_profile: "<your_own_value> (source antivirus.profile.name)"
        comments: "<your_own_value>"
        disclaimer: "disable"
        dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
        dstaddr:
         -
            name: "default_name_10 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip
              .name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)"
        dstaddr_negate: "enable"
        dstaddr6:
         -
            name: "default_name_13 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall
              .vipgrp64.name system.external-resource.name)"
        dstintf:
         -
            name: "default_name_15 (source system.interface.name system.zone.name)"
        global_label: "<your_own_value>"
        groups:
         -
            name: "default_name_18 (source user.group.name)"
        http_tunnel_auth: "enable"
        icap_profile: "<your_own_value> (source icap.profile.name)"
        internet_service: "enable"
        internet_service_custom:
         -
            name: "default_name_23 (source firewall.internet-service-custom.name)"
        internet_service_id:
         -
            id:  "25 (source firewall.internet-service.id)"
        internet_service_negate: "enable"
        ips_sensor: "<your_own_value> (source ips.sensor.name)"
        label: "<your_own_value>"
        logtraffic: "all"
        logtraffic_start: "enable"
        policyid: "31"
        poolname:
         -
            name: "default_name_33 (source firewall.ippool.name)"
        profile_group: "<your_own_value> (source firewall.profile-group.name)"
        profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
        profile_type: "single"
        proxy: "explicit-web"
        redirect_url: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        scan_botnet_connections: "disable"
        schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
        service:
         -
            name: "default_name_43 (source firewall.service.custom.name firewall.service.group.name)"
        service_negate: "enable"
        session_ttl: "45"
        spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
        srcaddr:
         -
            name: "default_name_48 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system
              .external-resource.name)"
        srcaddr_negate: "enable"
        srcaddr6:
         -
            name: "default_name_51 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
        srcintf:
         -
            name: "default_name_53 (source system.interface.name system.zone.name)"
        ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        transparent: "enable"
        users:
         -
            name: "default_name_59 (source user.local.name)"
        utm_status: "enable"
        uuid: "<your_own_value>"
        waf_profile: "<your_own_value> (source waf.profile.name)"
        webcache: "enable"
        webcache_https: "disable"
        webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
        webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
        webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.