fortios_firewall_sniffer – Configure sniffer in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and sniffer category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. type: str required: False choices: present, absent
  • firewall_sniffer - Configure sniffer. type: dict
    • state - B(Deprecated) type: str required: False choices: present, absent
    • anomaly - Configuration method to edit Denial of Service (DoS) anomaly settings. type: list
      • action - Action taken when the threshold is reached. type: str choices: pass, block
      • log - Enable/disable anomaly logging. type: str choices: enable, disable
      • name - Anomaly name. type: str required: True
      • quarantine - Quarantine method. type: str choices: none, attacker
      • quarantine_expiry - Duration of quarantine. (Format type: str
      • quarantine_log - Enable/disable quarantine logging. type: str choices: disable, enable
      • status - Enable/disable this anomaly. type: str choices: disable, enable
      • threshold - Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. type: int
      • threshold(default) - Number of detected instances per minute which triggers action (1 - 2147483647). Note that each anomaly has a different threshold value assigned to it. type: int
    • application_list - Name of an existing application list. Source application.list.name. type: str
    • application_list_status - Enable/disable application control profile. type: str choices: enable, disable
    • av_profile - Name of an existing antivirus profile. Source antivirus.profile.name. type: str
    • av_profile_status - Enable/disable antivirus profile. type: str choices: enable, disable
    • dlp_sensor - Name of an existing DLP sensor. Source dlp.sensor.name. type: str
    • dlp_sensor_status - Enable/disable DLP sensor. type: str choices: enable, disable
    • dsri - Enable/disable DSRI. type: str choices: enable, disable
    • host - Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). type: str
    • id - Sniffer ID. type: int required: True
    • interface - Interface name that traffic sniffing will take place on. Source system.interface.name. type: str
    • ips_dos_status - Enable/disable IPS DoS anomaly detection. type: str choices: enable, disable
    • ips_sensor - Name of an existing IPS sensor. Source ips.sensor.name. type: str
    • ips_sensor_status - Enable/disable IPS sensor. type: str choices: enable, disable
    • ipv6 - Enable/disable sniffing IPv6 packets. type: str choices: enable, disable
    • logtraffic - Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy. type: str choices: all, utm, disable
    • max_packet_count - Maximum packet count (1 - 1000000). type: int
    • non_ip - Enable/disable sniffing non-IP packets. type: str choices: enable, disable
    • port - Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). type: str
    • protocol - Integer value for the protocol type as defined by IANA (0 - 255). type: str
    • scan_botnet_connections - Enable/disable scanning of connections to Botnet servers. type: str choices: disable, block, monitor
    • spamfilter_profile - Name of an existing spam filter profile. Source spamfilter.profile.name. type: str
    • spamfilter_profile_status - Enable/disable spam filter. type: str choices: enable, disable
    • status - Enable/disable the active status of the sniffer. type: str choices: enable, disable
    • vlan - List of VLANs to sniff. type: str
    • webfilter_profile - Name of an existing web filter profile. Source webfilter.profile.name. type: str
    • webfilter_profile_status - Enable/disable web filter profile. type: str choices: enable, disable

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure sniffer.
    fortios_firewall_sniffer:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_sniffer:
        anomaly:
         -
            action: "pass"
            log: "enable"
            name: "default_name_6"
            quarantine: "none"
            quarantine_expiry: "<your_own_value>"
            quarantine_log: "disable"
            status: "disable"
            threshold: "11"
            threshold(default): "12"
        application_list: "<your_own_value> (source application.list.name)"
        application_list_status: "enable"
        av_profile: "<your_own_value> (source antivirus.profile.name)"
        av_profile_status: "enable"
        dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
        dlp_sensor_status: "enable"
        dsri: "enable"
        host: "myhostname"
        id:  "21"
        interface: "<your_own_value> (source system.interface.name)"
        ips_dos_status: "enable"
        ips_sensor: "<your_own_value> (source ips.sensor.name)"
        ips_sensor_status: "enable"
        ipv6: "enable"
        logtraffic: "all"
        max_packet_count: "28"
        non_ip: "enable"
        port: "<your_own_value>"
        protocol: "<your_own_value>"
        scan_botnet_connections: "disable"
        spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
        spamfilter_profile_status: "enable"
        status: "enable"
        vlan: "<your_own_value>"
        webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
        webfilter_profile_status: "enable"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.