fortios_vpn_ssl_web_portal – Portal in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the vpn_ssl_web feature and portal category. The examples include all parameters; the values must be adjusted to your datasources before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. In previous versions this attribute was nested at a deeper level; it has been moved out to this outer level. type: str required: False choices: present, absent
  • vpn_ssl_web_portal - Portal. type: dict
    • state - Deprecated. type: str required: False choices: present, absent
    • allow_user_access - Allow user access to SSL-VPN applications. type: str choices: web, ftp, smb, telnet, ssh, vnc, rdp, ping, citrix, portforward
    • auto_connect - Enable/disable automatic connect by client when system is up. type: str choices: enable, disable
    • bookmark_group - Portal bookmark group. type: list
      • bookmarks - Bookmark table. type: list
        • additional_params - Additional parameters. type: str
        • apptype - Application type. type: str choices: citrix, ftp, portforward, rdp, smb, ssh, telnet, vnc, web
        • description - Description. type: str
        • folder - Network shared file folder parameter. type: str
        • form_data - Form data. type: list
          • name - Name. type: str required: True
          • value - Value. type: str
        • host - Host name/IP parameter. type: str
        • listening_port - Listening port (0 - 65535). type: int
        • logon_password - Logon password. type: str
        • logon_user - Logon user. type: str
        • name - Bookmark name. type: str required: True
        • port - Remote port. type: int
        • remote_port - Remote port (0 - 65535). type: int
        • security - Security mode for RDP connection. type: str choices: rdp, nla, tls, any
        • server_layout - Server side keyboard layout. type: str choices: en-us-qwerty, de-de-qwertz, fr-fr-azerty, it-it-qwerty, sv-se-qwerty, failsafe
        • show_status_window - Enable/disable showing of status window. type: str choices: enable, disable
        • sso - Single Sign-On. type: str choices: disable, static, auto
        • sso_credential - Single sign-on credentials. type: str choices: sslvpn-login, alternative
        • sso_credential_sent_once - Single sign-on credentials are only sent once to remote server. type: str choices: enable, disable
        • sso_password - SSO password. type: str
        • sso_username - SSO user name. type: str
        • url - URL parameter. type: str
      • name - Bookmark group name. type: str required: True
    • custom_lang - Change the web portal display language. Overrides config system global set language. You can use config system custom-language and execute system custom-language to add custom language files. Source system.custom-language.name. type: str
    • customize_forticlient_download_url - Enable support of customized download URL for FortiClient. type: str choices: enable, disable
    • display_bookmark - Enable to display the web portal bookmark widget. type: str choices: enable, disable
    • display_connection_tools - Enable to display the web portal connection tools widget. type: str choices: enable, disable
    • display_history - Enable to display the web portal user login history widget. type: str choices: enable, disable
    • display_status - Enable to display the web portal status widget. type: str choices: enable, disable
    • dns_server1 - IPv4 DNS server 1. type: str
    • dns_server2 - IPv4 DNS server 2. type: str
    • dns_suffix - DNS suffix. type: str
    • exclusive_routing - Enable/disable all traffic go through tunnel only. type: str choices: enable, disable
    • forticlient_download - Enable/disable download option for FortiClient. type: str choices: enable, disable
    • forticlient_download_method - FortiClient download method. type: str choices: direct, ssl-vpn
    • heading - Web portal heading message. type: str
    • host_check - Type of host checking performed on endpoints. type: str choices: none, av, fw, av-fw, custom
    • host_check_interval - Periodic host check interval. Value of 0 means disabled and host checking only happens when the endpoint connects. type: int
    • host_check_policy - One or more policies to require the endpoint to have specific security software. type: list
      • name - Host check software list name. Source vpn.ssl.web.host-check-software.name. type: str required: True
    • ip_mode - Method by which users of this SSL-VPN tunnel obtain IP addresses. type: str choices: range, user-group
    • ip_pools - IPv4 firewall source address objects reserved for SSL-VPN tunnel mode clients. type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
    • ipv6_dns_server1 - IPv6 DNS server 1. type: str
    • ipv6_dns_server2 - IPv6 DNS server 2. type: str
    • ipv6_exclusive_routing - Enable/disable all IPv6 traffic go through tunnel only. type: str choices: enable, disable
    • ipv6_pools - IPv6 firewall source address objects reserved for SSL-VPN tunnel mode clients. type: list
      • name - Address name. Source firewall.address6.name firewall.addrgrp6.name. type: str required: True
    • ipv6_service_restriction - Enable/disable IPv6 tunnel service restriction. type: str choices: enable, disable
    • ipv6_split_tunneling - Enable/disable IPv6 split tunneling. type: str choices: enable, disable
    • ipv6_split_tunneling_routing_address - IPv6 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access. type: list
      • name - Address name. Source firewall.address6.name firewall.addrgrp6.name. type: str required: True
    • ipv6_tunnel_mode - Enable/disable IPv6 SSL-VPN tunnel mode. type: str choices: enable, disable
    • ipv6_wins_server1 - IPv6 WINS server 1. type: str
    • ipv6_wins_server2 - IPv6 WINS server 2. type: str
    • keep_alive - Enable/disable automatic reconnect for FortiClient connections. type: str choices: enable, disable
    • limit_user_logins - Enable to limit each user to one SSL-VPN session at a time. type: str choices: enable, disable
    • mac_addr_action - Client MAC address action. type: str choices: allow, deny
    • mac_addr_check - Enable/disable MAC address host checking. type: str choices: enable, disable
    • mac_addr_check_rule - Client MAC address check rule. type: list
      • mac_addr_list - Client MAC address list. type: list
        • addr - Client MAC address. type: str required: True
      • mac_addr_mask - Client MAC address mask. type: int
      • name - Client MAC address check rule name. type: str required: True
    • macos_forticlient_download_url - Download URL for Mac FortiClient. type: str
    • name - Portal name. type: str required: True
    • os_check - Enable to let the FortiGate decide action based on client OS. type: str choices: enable, disable
    • os_check_list - SSL VPN OS checks. type: list
      • action - OS check options. type: str choices: deny, allow, check-up-to-date
      • latest_patch_level - Latest OS patch level. type: str
      • name - Name. type: str required: True
      • tolerance - OS patch level tolerance. type: int
    • redir_url - Client login redirect URL. type: str
    • save_password - Enable/disable FortiClient saving the user's password. type: str choices: enable, disable
    • service_restriction - Enable/disable tunnel service restriction. type: str choices: enable, disable
    • skip_check_for_unsupported_browser - Enable to skip host check if browser does not support it. type: str choices: enable, disable
    • skip_check_for_unsupported_os - Enable to skip host check if client OS does not support it. type: str choices: enable, disable
    • smb_ntlmv1_auth - Enable support of NTLMv1 for Samba authentication. type: str choices: enable, disable
    • split_dns - Split DNS for SSL VPN. type: list
      • dns_server1 - DNS server 1. type: str
      • dns_server2 - DNS server 2. type: str
      • domains - Split DNS domains used for SSL-VPN clients separated by comma(,). type: str
      • id - ID. type: int required: True
      • ipv6_dns_server1 - IPv6 DNS server 1. type: str
      • ipv6_dns_server2 - IPv6 DNS server 2. type: str
    • split_tunneling - Enable/disable IPv4 split tunneling. type: str choices: enable, disable
    • split_tunneling_routing_address - IPv4 SSL-VPN tunnel mode firewall address objects that override firewall policy destination addresses to control split-tunneling access. type: list
      • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: True
    • theme - Web portal color scheme. type: str choices: blue, green, red, melongene, mariner
    • tunnel_mode - Enable/disable IPv4 SSL-VPN tunnel mode. type: str choices: enable, disable
    • user_bookmark - Enable to allow web portal users to create their own bookmarks. type: str choices: enable, disable
    • user_group_bookmark - Enable to allow web portal users to create bookmarks for all users in the same user group. type: str choices: enable, disable
    • web_mode - Enable/disable SSL VPN web mode. type: str choices: enable, disable
    • windows_forticlient_download_url - Download URL for Windows FortiClient. type: str
    • wins_server1 - IPv4 WINS server 1. type: str
    • wins_server2 - IPv4 WINS server 2. type: str

Notes

Note

  • The legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Portal.
    fortios_vpn_ssl_web_portal:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      vpn_ssl_web_portal:
        allow_user_access: "web"
        auto_connect: "enable"
        bookmark_group:
         -
            bookmarks:
             -
                additional_params: "<your_own_value>"
                apptype: "citrix"
                description: "<your_own_value>"
                folder: "<your_own_value>"
                form_data:
                 -
                    name: "default_name_12"
                    value: "<your_own_value>"
                host: "<your_own_value>"
                listening_port: "15"
                logon_password: "<your_own_value>"
                logon_user: "<your_own_value>"
                name: "default_name_18"
                port: "19"
                remote_port: "20"
                security: "rdp"
                server_layout: "en-us-qwerty"
                show_status_window: "enable"
                sso: "disable"
                sso_credential: "sslvpn-login"
                sso_credential_sent_once: "enable"
                sso_password: "<your_own_value>"
                sso_username: "<your_own_value>"
                url: "myurl.com"
            name: "default_name_30"
        custom_lang: "<your_own_value> (source system.custom-language.name)"
        customize_forticlient_download_url: "enable"
        display_bookmark: "enable"
        display_connection_tools: "enable"
        display_history: "enable"
        display_status: "enable"
        dns_server1: "<your_own_value>"
        dns_server2: "<your_own_value>"
        dns_suffix: "<your_own_value>"
        exclusive_routing: "enable"
        forticlient_download: "enable"
        forticlient_download_method: "direct"
        heading: "<your_own_value>"
        host_check: "none"
        host_check_interval: "45"
        host_check_policy:
         -
            name: "default_name_47 (source vpn.ssl.web.host-check-software.name)"
        ip_mode: "range"
        ip_pools:
         -
            name: "default_name_50 (source firewall.address.name firewall.addrgrp.name)"
        ipv6_dns_server1: "<your_own_value>"
        ipv6_dns_server2: "<your_own_value>"
        ipv6_exclusive_routing: "enable"
        ipv6_pools:
         -
            name: "default_name_55 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6_service_restriction: "enable"
        ipv6_split_tunneling: "enable"
        ipv6_split_tunneling_routing_address:
         -
            name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
        ipv6_tunnel_mode: "enable"
        ipv6_wins_server1: "<your_own_value>"
        ipv6_wins_server2: "<your_own_value>"
        keep_alive: "enable"
        limit_user_logins: "enable"
        mac_addr_action: "allow"
        mac_addr_check: "enable"
        mac_addr_check_rule:
         -
            mac_addr_list:
             -
                addr: "<your_own_value>"
            mac_addr_mask: "70"
            name: "default_name_71"
        macos_forticlient_download_url: "<your_own_value>"
        name: "default_name_73"
        os_check: "enable"
        os_check_list:
         -
            action: "deny"
            latest_patch_level: "<your_own_value>"
            name: "default_name_78"
            tolerance: "79"
        redir_url: "<your_own_value>"
        save_password: "enable"
        service_restriction: "enable"
        skip_check_for_unsupported_browser: "enable"
        skip_check_for_unsupported_os: "enable"
        smb_ntlmv1_auth: "enable"
        split_dns:
         -
            dns_server1: "<your_own_value>"
            dns_server2: "<your_own_value>"
            domains: "<your_own_value>"
            id:  "90"
            ipv6_dns_server1: "<your_own_value>"
            ipv6_dns_server2: "<your_own_value>"
        split_tunneling: "enable"
        split_tunneling_routing_address:
         -
            name: "default_name_95 (source firewall.address.name firewall.addrgrp.name)"
        theme: "blue"
        tunnel_mode: "enable"
        user_bookmark: "enable"
        user_group_bookmark: "enable"
        web_mode: "enable"
        windows_forticlient_download_url: "<your_own_value>"
        wins_server1: "<your_own_value>"
        wins_server2: "<your_own_value>"
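The example task above enables every option, including several that weaken endpoint posture or credential handling. A defender-side check for those settings, added here as an illustration and not part of the fortinet.fortios collection; which settings it treats as weak, and the sample portal dicts, are this example's own assumptions:

```python
# Added example (not part of the fortinet.fortios collection): audit the
# vpn_ssl_web_portal settings of a task before it is pushed to a FortiGate.
# Parameter names and values are those documented above; which settings
# count as weak is this example's own assumption.

# Each rule: (parameter, predicate that is true when the value is weak, finding)
RULES = [
    ("smb_ntlmv1_auth", lambda v: v == "enable",
     "smb_ntlmv1_auth=enable: NTLMv1 is a legacy protocol with known weaknesses"),
    ("host_check", lambda v: v in (None, "none"),
     "host_check=none: no AV/firewall posture check before granting access"),
    ("skip_check_for_unsupported_browser", lambda v: v == "enable",
     "skip_check_for_unsupported_browser=enable: posture check depends on browser"),
    ("skip_check_for_unsupported_os", lambda v: v == "enable",
     "skip_check_for_unsupported_os=enable: posture check depends on client OS"),
    ("save_password", lambda v: v == "enable",
     "save_password=enable: FortiClient caches the VPN password on the endpoint"),
    ("limit_user_logins", lambda v: v != "enable",
     "limit_user_logins!=enable: one account may hold several concurrent sessions"),
]


def audit_portal(portal: dict) -> list[str]:
    """Return one finding per weak setting in a vpn_ssl_web_portal dict."""
    findings = [text for param, is_weak, text in RULES if is_weak(portal.get(param))]
    # Bookmarks that carry static logon or SSO passwords end up in source control.
    for group in portal.get("bookmark_group") or []:
        for bm in group.get("bookmarks") or []:
            if bm.get("logon_password") or bm.get("sso_password"):
                findings.append(f"bookmark {bm.get('name')!r}: static password embedded in playbook")
    return findings


# Constructed sample that mirrors the page's example task (everything enabled).
PERMISSIVE_PORTAL = {
    "name": "default_name_73", "smb_ntlmv1_auth": "enable", "host_check": "none",
    "skip_check_for_unsupported_browser": "enable", "skip_check_for_unsupported_os": "enable",
    "save_password": "enable", "limit_user_logins": "enable",
    "bookmark_group": [{"name": "default_name_30", "bookmarks": [
        {"name": "default_name_18", "apptype": "rdp", "logon_password": "<your_own_value>"}]}],
}

# The same portal with the weak settings corrected and the static password removed.
HARDENED_PORTAL = {**PERMISSIVE_PORTAL, "smb_ntlmv1_auth": "disable", "host_check": "av-fw",
                   "skip_check_for_unsupported_browser": "disable",
                   "skip_check_for_unsupported_os": "disable", "save_password": "disable",
                   "bookmark_group": [{"name": "default_name_30", "bookmarks": [
                       {"name": "default_name_18", "apptype": "rdp", "sso": "auto"}]}]}

if __name__ == "__main__":
    for label, portal in (("permissive", PERMISSIVE_PORTAL), ("hardened", HARDENED_PORTAL)):
        print(label, audit_portal(portal) or ["no findings"])
```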

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)
