fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the vpn_ssl feature's settings category. The example below lists every parameter; the values, and in particular the object names marked as sourced from other configuration tables (datasources), must be adjusted to the target device before use. Tested with FOS v6.0.0.

Requirements

The following requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from the FortiGate GUI. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • vpn_ssl_settings - Configure SSL VPN. type: dict
    • algorithm - Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any. type: str choices: high, medium, default, low
    • auth_timeout - SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int
    • authentication_rule - Authentication rule for SSL VPN. type: list
      • auth - SSL VPN authentication method restriction. type: str choices: any, local, radius, tacacs+, ldap
      • cipher - SSL VPN cipher strength. type: str choices: any, high, medium
      • client_cert - Enable/disable the SSL VPN client certificate restriction for this rule. type: str choices: enable, disable
      • groups - User groups. type: list
        • name - Group name. Source user.group.name. type: str required: True
      • id - ID (0 - 4294967295). type: int required: True
      • portal - SSL VPN portal. Source vpn.ssl.web.portal.name. type: str
      • realm - SSL VPN realm. Source vpn.ssl.web.realm.url-path. type: str
      • source_address - Source address of incoming traffic. type: list
        • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
      • source_address_negate - Enable/disable negated source address match. type: str choices: enable, disable
      • source_address6 - IPv6 source address of incoming traffic. type: list
        • name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. type: str required: True
      • source_address6_negate - Enable/disable negated source IPv6 address match. type: str choices: enable, disable
      • source_interface - SSL VPN source interface of incoming traffic. type: list
        • name - Interface name. Source system.interface.name system.zone.name. type: str required: True
      • users - User name. type: list
        • name - User name. Source user.local.name. type: str required: True
    • auto_tunnel_static_route - Enable to auto-create static routes for the SSL-VPN tunnel IP addresses. type: str choices: enable, disable
    • banned_cipher - Select one or more cipher technologies that cannot be used in SSL-VPN negotiations. type: list choices: RSA, DH, DHE, ECDH, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC
    • check_referer - Enable/disable verification of referer field in HTTP request header. type: str choices: enable, disable
    • default_portal - Default SSL VPN portal. Source vpn.ssl.web.portal.name. type: str
    • deflate_compression_level - Compression level (0~9). type: int
    • deflate_min_data_size - Minimum amount of data that triggers compression (200 - 65535 bytes). type: int
    • dns_server1 - DNS server 1. type: str
    • dns_server2 - DNS server 2. type: str
    • dns_suffix - DNS suffix used for SSL-VPN clients. type: str
    • dtls_hello_timeout - SSLVPN maximum DTLS hello timeout (10 - 60 sec). type: int
    • dtls_tunnel - Enable DTLS to prevent eavesdropping, tampering, or message forgery. type: str choices: enable, disable
    • force_two_factor_auth - Enable to force two-factor authentication for all SSL-VPNs. type: str choices: enable, disable
    • header_x_forwarded_for - Forward the same, add, or remove HTTP header. type: str choices: pass, add, remove
    • http_compression - Enable to allow HTTP compression over SSL-VPN tunnels. type: str choices: enable, disable
    • http_only_cookie - Enable/disable SSL-VPN support for HttpOnly cookies. type: str choices: enable, disable
    • http_request_body_timeout - SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). type: int
    • http_request_header_timeout - SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). type: int
    • https_redirect - Enable/disable redirect of port 80 to SSL-VPN port. type: str choices: enable, disable
    • idle_timeout - SSL VPN disconnects if idle for specified time in seconds. type: int
    • ipv6_dns_server1 - IPv6 DNS server 1. type: str
    • ipv6_dns_server2 - IPv6 DNS server 2. type: str
    • ipv6_wins_server1 - IPv6 WINS server 1. type: str
    • ipv6_wins_server2 - IPv6 WINS server 2. type: str
    • login_attempt_limit - SSL VPN maximum login attempt times before block (0 - 10). type: int
    • login_block_time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). type: int
    • login_timeout - SSLVPN maximum login timeout (10 - 180 sec). type: int
    • port - SSL-VPN access port (1 - 65535). type: int
    • port_precedence - Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface. type: str choices: enable, disable
    • reqclientcert - Enable to require client certificates for all SSL-VPN users. type: str choices: enable, disable
    • route_source_interface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. type: str choices: enable, disable
    • servercert - Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name. type: str
    • source_address - Source address of incoming traffic. type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
    • source_address_negate - Enable/disable negated source address match. type: str choices: enable, disable
    • source_address6 - IPv6 source address of incoming traffic. type: list
      • name - IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. type: str required: True
    • source_address6_negate - Enable/disable negated source IPv6 address match. type: str choices: enable, disable
    • source_interface - SSL VPN source interface of incoming traffic. type: list
      • name - Interface name. Source system.interface.name system.zone.name. type: str required: True
    • ssl_big_buffer - Enable/disable the big SSLv3 buffer feature. Disable it to save memory and force higher security. type: str choices: enable, disable
    • ssl_client_renegotiation - Enable to allow client renegotiation by the server if the tunnel goes down. type: str choices: disable, enable
    • ssl_insert_empty_fragment - Enable/disable insertion of empty fragment. type: str choices: enable, disable
    • sslv3 - Enable/disable SSLv3. type: str choices: enable, disable
    • tlsv1_0 - Enable/disable TLSv1.0. type: str choices: enable, disable
    • tlsv1_1 - Enable/disable TLSv1.1. type: str choices: enable, disable
    • tlsv1_2 - Enable/disable TLSv1.2. type: str choices: enable, disable
    • tunnel_ip_pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
    • tunnel_ipv6_pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: list
      • name - Address name. Source firewall.address6.name firewall.addrgrp6.name. type: str required: True
    • unsafe_legacy_renegotiation - Enable/disable unsafe legacy re-negotiation. type: str choices: enable, disable
    • url_obscuration - Enable to obscure the host name of the URL of the web browser display. type: str choices: enable, disable
    • wins_server1 - WINS server 1. type: str
    • wins_server2 - WINS server 2. type: str
    • x_content_type_options - Add HTTP X-Content-Type-Options header. type: str choices: enable, disable

Notes

  • Legacy fortiosapi has been deprecated; httpapi (connection: httpapi, as in the example below) is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no   # disables verification of the FortiGate's certificate; set to yes once the device presents a trusted one
   ansible_httpapi_port: 443
  tasks:
  - name: Configure SSL VPN.
    fortios_vpn_ssl_settings:
      vdom:  "{{ vdom }}"
      vpn_ssl_settings:
        algorithm: "high"
        auth_timeout: "4"
        authentication_rule:
         -
            auth: "any"
            cipher: "any"
            client_cert: "enable"
            groups:
             -
                name: "default_name_10 (source user.group.name)"
            id:  "11"
            portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
            realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
            source_address:
             -
                name: "default_name_15 (source firewall.address.name firewall.addrgrp.name)"
            source_address_negate: "enable"
            source_address6:
             -
                name: "default_name_18 (source firewall.address6.name firewall.addrgrp6.name)"
            source_address6_negate: "enable"
            source_interface:
             -
                name: "default_name_21 (source system.interface.name system.zone.name)"
            users:
             -
                name: "default_name_23 (source user.local.name)"
        auto_tunnel_static_route: "enable"
        banned_cipher: "RSA"
        check_referer: "enable"
        default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
        deflate_compression_level: "6"   # documented range 0-9
        deflate_min_data_size: "300"   # documented range 200-65535 bytes
        dns_server1: "<your_own_value>"
        dns_server2: "<your_own_value>"
        dns_suffix: "<your_own_value>"
        dtls_hello_timeout: "33"
        dtls_tunnel: "enable"
        force_two_factor_auth: "enable"
        header_x_forwarded_for: "pass"
        http_compression: "enable"
        http_only_cookie: "enable"
        http_request_body_timeout: "39"
        http_request_header_timeout: "40"
        https_redirect: "enable"
        idle_timeout: "42"
        ipv6_dns_server1: "<your_own_value>"
        ipv6_dns_server2: "<your_own_value>"
        ipv6_wins_server1: "<your_own_value>"
        ipv6_wins_server2: "<your_own_value>"
        login_attempt_limit: "5"   # documented range 0-10
        login_block_time: "48"
        login_timeout: "49"
        port: "50"
        port_precedence: "enable"
        reqclientcert: "enable"
        route_source_interface: "enable"
        servercert: "<your_own_value> (source vpn.certificate.local.name)"
        source_address:
         -
            name: "default_name_56 (source firewall.address.name firewall.addrgrp.name)"
        source_address_negate: "enable"
        source_address6:
         -
            name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
        source_address6_negate: "enable"
        source_interface:
         -
            name: "default_name_62 (source system.interface.name system.zone.name)"
        ssl_big_buffer: "enable"   # "disable" saves memory and forces higher security
        ssl_client_renegotiation: "disable"
        ssl_insert_empty_fragment: "enable"
        sslv3: "enable"   # shown for completeness; keep SSLv3 disabled on a production listener
        tlsv1_0: "enable"   # shown for completeness; keep TLSv1.0 disabled on a production listener
        tlsv1_1: "enable"   # shown for completeness; keep TLSv1.1 disabled on a production listener
        tlsv1_2: "enable"
        tunnel_ip_pools:
         -
            name: "default_name_71 (source firewall.address.name firewall.addrgrp.name)"
        tunnel_ipv6_pools:
         -
            name: "default_name_73 (source firewall.address6.name firewall.addrgrp6.name)"
        unsafe_legacy_renegotiation: "enable"   # shown for completeness; keep disabled on a production listener
        url_obscuration: "enable"
        wins_server1: "<your_own_value>"
        wins_server2: "<your_own_value>"
        x_content_type_options: "enable"
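The template above exercises every parameter with placeholder values, several of which FortiGate would reject (out-of-range integers) or accept to the listener's detriment (SSLv3, TLSv1.0/1.1 and unsafe legacy renegotiation left enabled). The following pre-flight check is an added example, not code from the fortinet.fortios collection or from FortiOS: it takes the same vpn_ssl_settings dict a task would pass, validates the integer ranges documented in the Parameters section, and flags the weak protocol and cipher settings. The two settings dicts at the bottom are constructed for the demonstration, the certificate name is a placeholder, and which values count as "weak" is this checker's own baseline, built from the parameter descriptions.

```python
"""Pre-flight lint for the vpn_ssl_settings dict handed to fortios_vpn_ssl_settings.

Added example, not part of the fortinet.fortios collection or of FortiOS. Run it
over the vars file (or in a pre_tasks step) so a bad playbook is caught before
FortiGate rejects it or, worse, accepts a weakened listener.
"""

# Inclusive integer ranges documented for the module's vpn_ssl_settings
# parameters. Playbooks often quote numbers, so int() is applied first.
INT_RANGES = {
    "auth_timeout": (0, 259200),
    "deflate_compression_level": (0, 9),
    "deflate_min_data_size": (200, 65535),
    "dtls_hello_timeout": (10, 60),
    "http_request_body_timeout": (1, 60),
    "http_request_header_timeout": (1, 60),
    "login_attempt_limit": (0, 10),
    "login_block_time": (0, 86400),
    "login_timeout": (10, 180),
    "port": (1, 65535),
}

# Settings whose listed value weakens the listener. Treating these as findings
# is this checker's baseline; the reasons follow the parameter descriptions.
WEAK_VALUES = {
    "sslv3": ("enable", "SSLv3 enabled; disable it"),
    "tlsv1_0": ("enable", "TLSv1.0 enabled; disable it"),
    "tlsv1_1": ("enable", "TLSv1.1 enabled; disable it"),
    "tlsv1_2": ("disable", "TLSv1.2 disabled, leaving only older protocol versions"),
    "unsafe_legacy_renegotiation": ("enable", "unsafe legacy renegotiation enabled"),
    "ssl_big_buffer": ("enable", "big SSLv3 buffer enabled; disable to force higher security"),
    "algorithm": ("low", "algorithm 'low' allows any cipher strength"),
}


def check_vpn_ssl_settings(settings):
    """Return a list of finding strings; an empty list means the dict passed."""
    findings = []
    for key, (lo, hi) in INT_RANGES.items():
        if key not in settings:
            continue
        try:
            value = int(settings[key])
        except (TypeError, ValueError):
            findings.append(f"{key}: {settings[key]!r} is not an integer")
            continue
        if not lo <= value <= hi:
            findings.append(f"{key}: {value} is outside the documented range {lo}-{hi}")
    for key, (weak, reason) in WEAK_VALUES.items():
        # Only keys present in the dict are judged; absent keys keep the device default.
        if str(settings.get(key, "")).lower() == weak:
            findings.append(f"{key}: {reason}")
    return findings


# Constructed weak configuration (not taken from a real device): placeholder
# numbers outside their ranges plus obsolete protocol versions left enabled.
WEAK_SETTINGS = {
    "algorithm": "high",
    "deflate_compression_level": "28",
    "deflate_min_data_size": "29",
    "login_attempt_limit": "47",
    "port": "443",
    "ssl_big_buffer": "enable",
    "sslv3": "enable",
    "tlsv1_0": "enable",
    "tlsv1_1": "enable",
    "tlsv1_2": "enable",
    "unsafe_legacy_renegotiation": "enable",
}

# Hardened counterpart that passes every check. The servercert name is a
# placeholder for an object in vpn.certificate.local on the target device.
HARDENED_SETTINGS = {
    "algorithm": "high",
    "deflate_compression_level": 6,
    "deflate_min_data_size": 300,
    "login_attempt_limit": 5,
    "login_block_time": 600,
    "port": 10443,
    "reqclientcert": "enable",
    "force_two_factor_auth": "enable",
    "servercert": "sslvpn-cert-placeholder",
    "ssl_big_buffer": "disable",
    "sslv3": "disable",
    "tlsv1_0": "disable",
    "tlsv1_1": "disable",
    "tlsv1_2": "enable",
    "unsafe_legacy_renegotiation": "disable",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        found = check_vpn_ssl_settings(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Keys absent from the dict are not judged, because the module only pushes the keys you pass and the device keeps its current value for the rest; if the baseline requires a key to be set explicitly (for example tlsv1_0: disable), add a presence check for it. Rules that depend on relationships between parameters, such as client_cert in an authentication_rule requiring reqclientcert or a valid servercert, are left to the device, which validates datasource references when the task runs.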

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.