fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the system feature's settings category. The examples below include every parameter; values that reference a datasource (marked "source ...") need to be adjusted to existing objects before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from the FortiGate GUI. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • system_settings - Configure VDOM settings. type: dict
    • allow_subnet_overlap - Enable/disable allowing interface subnets to use overlapping IP addresses. type: str choices: enable, disable
    • asymroute - Enable/disable IPv4 asymmetric routing. type: str choices: enable, disable
    • asymroute_icmp - Enable/disable ICMP asymmetric routing. type: str choices: enable, disable
    • asymroute6 - Enable/disable asymmetric IPv6 routing. type: str choices: enable, disable
    • asymroute6_icmp - Enable/disable asymmetric ICMPv6 routing. type: str choices: enable, disable
    • bfd - Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. type: str choices: enable, disable
    • bfd_desired_min_tx - BFD desired minimal transmit interval (1 - 100000 ms). type: int
    • bfd_detect_mult - BFD detection multiplier (1 - 50). type: int
    • bfd_dont_enforce_src_port - Enable to not enforce verifying the source port of BFD Packets. type: str choices: enable, disable
    • bfd_required_min_rx - BFD required minimal receive interval (1 - 100000 ms). type: int
    • block_land_attack - Enable/disable blocking of land attacks. type: str choices: disable, enable
    • central_nat - Enable/disable central NAT. type: str choices: enable, disable
    • comments - VDOM comments. type: str
    • compliance_check - Enable/disable PCI DSS compliance checking. type: str choices: enable, disable
    • default_voip_alg_mode - Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. type: str choices: proxy-based, kernel-helper-based
    • deny_tcp_with_icmp - Enable/disable denying TCP by sending an ICMP communication prohibited packet. type: str choices: enable, disable
    • device - Interface to use for management access for NAT mode. Source system.interface.name. type: str
    • dhcp_proxy - Enable/disable the DHCP Proxy. type: str choices: enable, disable
    • dhcp_server_ip - DHCP Server IPv4 address. type: str
    • dhcp6_server_ip - DHCPv6 server IPv6 address. type: str
    • discovered_device_timeout - Timeout for discovered devices (1 - 365 days). type: int
    • ecmp_max_paths - Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100). type: int
    • email_portal_check_dns - Enable/disable using DNS to validate email addresses collected by a captive portal. type: str choices: disable, enable
    • firewall_session_dirty - Select how to manage sessions affected by firewall policy configuration changes. type: str choices: check-all, check-new, check-policy-option
    • fw_session_hairpin - Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. type: str choices: enable, disable
    • gateway - Transparent mode IPv4 default gateway IP address. type: str
    • gateway6 - Transparent mode IPv6 default gateway IP address. type: str
    • gui_advanced_policy - Enable/disable advanced policy configuration on the GUI. type: str choices: enable, disable
    • gui_allow_unnamed_policy - Enable/disable the requirement for policy naming on the GUI. type: str choices: enable, disable
    • gui_antivirus - Enable/disable AntiVirus on the GUI. type: str choices: enable, disable
    • gui_ap_profile - Enable/disable FortiAP profiles on the GUI. type: str choices: enable, disable
    • gui_application_control - Enable/disable application control on the GUI. type: str choices: enable, disable
    • gui_default_policy_columns - Default columns to display for policy lists on GUI. type: list
      • name - Select column name. type: str required: True
    • gui_dhcp_advanced - Enable/disable advanced DHCP options on the GUI. type: str choices: enable, disable
    • gui_dlp - Enable/disable DLP on the GUI. type: str choices: enable, disable
    • gui_dns_database - Enable/disable DNS database settings on the GUI. type: str choices: enable, disable
    • gui_dnsfilter - Enable/disable DNS Filtering on the GUI. type: str choices: enable, disable
    • gui_domain_ip_reputation - Enable/disable Domain and IP Reputation on the GUI. type: str choices: enable, disable
    • gui_dos_policy - Enable/disable DoS policies on the GUI. type: str choices: enable, disable
    • gui_dynamic_profile_display - Enable/disable RADIUS Single Sign On (RSSO) on the GUI. type: str choices: enable, disable
    • gui_dynamic_routing - Enable/disable dynamic routing on the GUI. type: str choices: enable, disable
    • gui_email_collection - Enable/disable email collection on the GUI. type: str choices: enable, disable
    • gui_endpoint_control - Enable/disable endpoint control on the GUI. type: str choices: enable, disable
    • gui_endpoint_control_advanced - Enable/disable advanced endpoint control options on the GUI. type: str choices: enable, disable
    • gui_explicit_proxy - Enable/disable the explicit proxy on the GUI. type: str choices: enable, disable
    • gui_fortiap_split_tunneling - Enable/disable FortiAP split tunneling on the GUI. type: str choices: enable, disable
    • gui_fortiextender_controller - Enable/disable FortiExtender on the GUI. type: str choices: enable, disable
    • gui_icap - Enable/disable ICAP on the GUI. type: str choices: enable, disable
    • gui_implicit_policy - Enable/disable implicit firewall policies on the GUI. type: str choices: enable, disable
    • gui_ips - Enable/disable IPS on the GUI. type: str choices: enable, disable
    • gui_load_balance - Enable/disable server load balancing on the GUI. type: str choices: enable, disable
    • gui_local_in_policy - Enable/disable Local-In policies on the GUI. type: str choices: enable, disable
    • gui_local_reports - Enable/disable local reports on the GUI. type: str choices: enable, disable
    • gui_multicast_policy - Enable/disable multicast firewall policies on the GUI. type: str choices: enable, disable
    • gui_multiple_interface_policy - Enable/disable adding multiple interfaces to a policy on the GUI. type: str choices: enable, disable
    • gui_multiple_utm_profiles - Enable/disable multiple UTM profiles on the GUI. type: str choices: enable, disable
    • gui_nat46_64 - Enable/disable NAT46 and NAT64 settings on the GUI. type: str choices: enable, disable
    • gui_object_colors - Enable/disable object colors on the GUI. type: str choices: enable, disable
    • gui_policy_based_ipsec - Enable/disable policy-based IPsec VPN on the GUI. type: str choices: enable, disable
    • gui_policy_learning - Enable/disable firewall policy learning mode on the GUI. type: str choices: enable, disable
    • gui_replacement_message_groups - Enable/disable replacement message groups on the GUI. type: str choices: enable, disable
    • gui_spamfilter - Enable/disable Antispam on the GUI. type: str choices: enable, disable
    • gui_sslvpn_personal_bookmarks - Enable/disable SSL-VPN personal bookmark management on the GUI. type: str choices: enable, disable
    • gui_sslvpn_realms - Enable/disable SSL-VPN realms on the GUI. type: str choices: enable, disable
    • gui_switch_controller - Enable/disable the switch controller on the GUI. type: str choices: enable, disable
    • gui_threat_weight - Enable/disable threat weight on the GUI. type: str choices: enable, disable
    • gui_traffic_shaping - Enable/disable traffic shaping on the GUI. type: str choices: enable, disable
    • gui_voip_profile - Enable/disable VoIP profiles on the GUI. type: str choices: enable, disable
    • gui_vpn - Enable/disable VPN tunnels on the GUI. type: str choices: enable, disable
    • gui_waf_profile - Enable/disable Web Application Firewall on the GUI. type: str choices: enable, disable
    • gui_wan_load_balancing - Enable/disable SD-WAN on the GUI. type: str choices: enable, disable
    • gui_wanopt_cache - Enable/disable WAN Optimization and Web Caching on the GUI. type: str choices: enable, disable
    • gui_webfilter - Enable/disable Web filtering on the GUI. type: str choices: enable, disable
    • gui_webfilter_advanced - Enable/disable advanced web filtering on the GUI. type: str choices: enable, disable
    • gui_wireless_controller - Enable/disable the wireless controller on the GUI. type: str choices: enable, disable
    • http_external_dest - Offload HTTP traffic to FortiWeb or FortiCache. type: str choices: fortiweb, forticache
    • ike_dn_format - Configure IKE ASN.1 Distinguished Name format conventions. type: str choices: with-space, no-space
    • ike_quick_crash_detect - Enable/disable IKE quick crash detection (RFC 6290). type: str choices: enable, disable
    • ike_session_resume - Enable/disable IKEv2 session resumption (RFC 5723). type: str choices: enable, disable
    • implicit_allow_dns - Enable/disable implicitly allowing DNS traffic. type: str choices: enable, disable
    • inspection_mode - Inspection mode (proxy-based or flow-based). type: str choices: proxy, flow
    • ip - IP address and netmask. type: str
    • ip6 - IPv6 address prefix for NAT mode. type: str
    • link_down_access - Enable/disable link down access traffic. type: str choices: enable, disable
    • lldp_transmission - Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM. type: str choices: enable, disable, global
    • mac_ttl - Duration of MAC addresses in Transparent mode (300 - 8640000 sec). type: int
    • manageip - Transparent mode IPv4 management IP address and netmask. type: str
    • manageip6 - Transparent mode IPv6 management IP address and netmask. type: str
    • multicast_forward - Enable/disable multicast forwarding. type: str choices: enable, disable
    • multicast_skip_policy - Enable/disable allowing multicast traffic through the FortiGate without a policy check. type: str choices: enable, disable
    • multicast_ttl_notchange - Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. type: str choices: enable, disable
    • ngfw_mode - Next Generation Firewall (NGFW) mode. type: str choices: profile-based, policy-based
    • opmode - Firewall operation mode (NAT or Transparent). type: str choices: nat, transparent
    • sccp_port - TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535). type: int
    • ses_denied_traffic - Enable/disable including denied session in the session table. type: str choices: enable, disable
    • sip_helper - Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG). type: str choices: enable, disable
    • sip_nat_trace - Enable/disable recording the original SIP source IP address when NAT is used. type: str choices: enable, disable
    • sip_ssl_port - TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535). type: int
    • sip_tcp_port - TCP port the SIP proxy monitors for SIP traffic (0 - 65535). type: int
    • sip_udp_port - UDP port the SIP proxy monitors for SIP traffic (0 - 65535). type: int
    • snat_hairpin_traffic - Enable/disable source NAT (SNAT) for hairpin traffic. type: str choices: enable, disable
    • ssl_ssh_profile - Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name. type: str
    • status - Enable/disable this VDOM. type: str choices: enable, disable
    • strict_src_check - Enable/disable strict source verification. type: str choices: enable, disable
    • tcp_session_without_syn - Enable/disable allowing TCP session without SYN flags. type: str choices: enable, disable
    • utf8_spam_tagging - Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. type: str choices: enable, disable
    • v4_ecmp_mode - IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. type: str choices: source-ip-based, weight-based, usage-based, source-dest-ip-based
    • vpn_stats_log - Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. type: str choices: ipsec, pptp, l2tp, ssl
    • vpn_stats_period - Period to send VPN log statistics (60 - 86400 sec). type: int
    • wccp_cache_engine - Enable/disable WCCP cache engine. type: str choices: enable, disable

Notes

  • The legacy fortiosapi connection has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      vdom: "{{ vdom }}"
      system_settings:
        allow_subnet_overlap: "enable"
        asymroute: "enable"
        asymroute_icmp: "enable"
        asymroute6: "enable"
        asymroute6_icmp: "enable"
        bfd: "enable"
        bfd_desired_min_tx: "9"
        bfd_detect_mult: "10"
        bfd_dont_enforce_src_port: "enable"
        bfd_required_min_rx: "12"
        block_land_attack: "disable"
        central_nat: "enable"
        comments: "<your_own_value>"
        compliance_check: "enable"
        default_voip_alg_mode: "proxy-based"
        deny_tcp_with_icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp_proxy: "enable"
        dhcp_server_ip: "<your_own_value>"
        dhcp6_server_ip: "<your_own_value>"
        discovered_device_timeout: "23"
        ecmp_max_paths: "24"
        email_portal_check_dns: "disable"
        firewall_session_dirty: "check-all"
        fw_session_hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui_advanced_policy: "enable"
        gui_allow_unnamed_policy: "enable"
        gui_antivirus: "enable"
        gui_ap_profile: "enable"
        gui_application_control: "enable"
        gui_default_policy_columns:
          - name: "default_name_36"
        gui_dhcp_advanced: "enable"
        gui_dlp: "enable"
        gui_dns_database: "enable"
        gui_dnsfilter: "enable"
        gui_domain_ip_reputation: "enable"
        gui_dos_policy: "enable"
        gui_dynamic_profile_display: "enable"
        gui_dynamic_routing: "enable"
        gui_email_collection: "enable"
        gui_endpoint_control: "enable"
        gui_endpoint_control_advanced: "enable"
        gui_explicit_proxy: "enable"
        gui_fortiap_split_tunneling: "enable"
        gui_fortiextender_controller: "enable"
        gui_icap: "enable"
        gui_implicit_policy: "enable"
        gui_ips: "enable"
        gui_load_balance: "enable"
        gui_local_in_policy: "enable"
        gui_local_reports: "enable"
        gui_multicast_policy: "enable"
        gui_multiple_interface_policy: "enable"
        gui_multiple_utm_profiles: "enable"
        gui_nat46_64: "enable"
        gui_object_colors: "enable"
        gui_policy_based_ipsec: "enable"
        gui_policy_learning: "enable"
        gui_replacement_message_groups: "enable"
        gui_spamfilter: "enable"
        gui_sslvpn_personal_bookmarks: "enable"
        gui_sslvpn_realms: "enable"
        gui_switch_controller: "enable"
        gui_threat_weight: "enable"
        gui_traffic_shaping: "enable"
        gui_voip_profile: "enable"
        gui_vpn: "enable"
        gui_waf_profile: "enable"
        gui_wan_load_balancing: "enable"
        gui_wanopt_cache: "enable"
        gui_webfilter: "enable"
        gui_webfilter_advanced: "enable"
        gui_wireless_controller: "enable"
        http_external_dest: "fortiweb"
        ike_dn_format: "with-space"
        ike_quick_crash_detect: "enable"
        ike_session_resume: "enable"
        implicit_allow_dns: "enable"
        inspection_mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link_down_access: "enable"
        lldp_transmission: "enable"
        mac_ttl: "89"
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast_forward: "enable"
        multicast_skip_policy: "enable"
        multicast_ttl_notchange: "enable"
        ngfw_mode: "profile-based"
        opmode: "nat"
        sccp_port: "97"
        ses_denied_traffic: "enable"
        sip_helper: "enable"
        sip_nat_trace: "enable"
        sip_ssl_port: "101"
        sip_tcp_port: "102"
        sip_udp_port: "103"
        snat_hairpin_traffic: "enable"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict_src_check: "enable"
        tcp_session_without_syn: "enable"
        utf8_spam_tagging: "enable"
        v4_ecmp_mode: "source-ip-based"
        vpn_stats_log: "ipsec"
        vpn_stats_period: "112"
        wccp_cache_engine: "enable"
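The full-parameter example above enables nearly everything. The following playbook is an added example, not part of the module's own documentation: it sets only the VDOM parameters with a direct security effect, validates the management TLS certificate, and asserts on the module's return values. The host group `fortigates`, the `root` vdom, and a controller that trusts the appliance's certificate are assumptions.

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # Verify the appliance certificate so the management session cannot be
    # intercepted. Assumes the FortiGate presents a certificate the controller trusts.
    ansible_httpapi_validate_certs: yes
    ansible_httpapi_port: 443
  tasks:
    - name: Harden VDOM settings (security-relevant parameters only)
      fortios_system_settings:
        vdom: "{{ vdom }}"
        system_settings:
          status: "enable"
          # Drop packets whose source and destination address are identical (LAND attack).
          block_land_attack: "enable"
          # Reverse-path check: reject packets arriving on an interface that is not
          # the route back to their source address.
          strict_src_check: "enable"
          # Require a SYN to create a TCP session; mid-stream pickup skips policy checks.
          tcp_session_without_syn: "disable"
          # Keep routing symmetric so the firewall inspects both directions of a flow.
          asymroute: "disable"
          asymroute_icmp: "disable"
          asymroute6: "disable"
          asymroute6_icmp: "disable"
          # Overlapping interface subnets make policy and route matching ambiguous.
          allow_subnet_overlap: "disable"
          # Record denied sessions so blocked traffic is visible in the session table.
          ses_denied_traffic: "enable"
          # Re-evaluate every existing session when a policy changes, so a tightened
          # policy also applies to flows that were already established.
          firewall_session_dirty: "check-all"
          # Periodic IPsec VPN statistics, every 10 minutes (range 60 - 86400 sec).
          vpn_stats_log: "ipsec"
          vpn_stats_period: 600
      register: vdom_settings

    - name: Fail the play if the FortiGate did not accept the change
      assert:
        that:
          - vdom_settings.status == "success"
          - vdom_settings.http_status | string == "200"
        fail_msg: >-
          FortiGate {{ vdom_settings.serial | default('unknown') }}
          rejected the VDOM settings (http_status {{ vdom_settings.http_status }})
```

The `assert` task uses the `status` and `http_status` fields listed under Return Values, so a rejected change stops the play instead of silently leaving the VDOM in its previous state.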

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:

  • build - Build number of the FortiGate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)
