fortios_firewall_access_proxy – Configure Access Proxy in Fortinet’s FortiOS and FortiGate.¶
New in version 2.10.
Synopsis¶
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and access_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements¶
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters¶
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
- enable_log - Enable/Disable logging for task. type: bool required: False default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- state - Indicates whether to create or remove the object. type: str required: True choices: present, absent
- firewall_access_proxy - Configure Access Proxy. type: dict more...
- api_gateway - Set API Gateway. type: list more...
- http_cookie_age - Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. type: int more...
- http_cookie_domain - Domain that HTTP cookie persistence should apply to. type: str more...
- http_cookie_domain_from_host - Enable/disable use of HTTP cookie domain from host field in HTTP. type: str choices: disable, enable more...
- http_cookie_generation - Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. type: int more...
- http_cookie_path - Limit HTTP cookie persistence to the specified path. type: str more...
- http_cookie_share - Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. type: str choices: disable, same-ip more...
- https_cookie_secure - Enable/disable verification that inserted HTTPS cookies are secure. type: str choices: disable, enable more...
- id - API Gateway ID. type: int required: True more...
- ldb_method - Method used to distribute sessions to real servers. type: str choices: static, round-robin, weighted, least-session, least-rtt, first-alive, http-host more...
- persistence - Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. type: str choices: none, http-cookie more...
- realservers - Select the real servers that this Access Proxy will distribute traffic to. type: list more...
- address - Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name. type: str more...
- health_check - Enable to check the responsiveness of the real server before forwarding traffic. type: str choices: disable, enable more...
- health_check_proto - Protocol of the health check monitor to use when polling to determine server"s connectivity status. type: str choices: ping, http, tcp-connect more...
- http_host - HTTP server domain name in HTTP header. type: str more...
- id - Real server ID. type: int required: True more...
- ip - IP address of the real server. type: str more...
- mappedport - Port for communicating with the real server. type: str more...
- port - Port for communicating with the real server. type: int more...
- status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
- weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
- saml_server - SAML service provider configuration for VIP authentication. Source user.saml.name. type: str more...
- service - Service. type: str choices: http, https, tcp-forwarding, samlsp more...
- ssl_algorithm - Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. type: str choices: high, medium, low, custom more...
- ssl_cipher_suites - SSL/TLS cipher suites to offer to a server, ordered by priority. type: list more...
- cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
- priority - SSL/TLS cipher suites priority. type: int required: True more...
- versions - SSL/TLS versions that the cipher suite can be used with. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_dh_bits - Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. type: str choices: 768, 1024, 1536, 2048, 3072, 4096 more...
- ssl_max_version - Highest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_min_version - Lowest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- url_map - URL pattern to match. type: str more...
- url_map_type - Type of url-map. type: str choices: sub-string, wildcard, regex more...
- virtual_host - Virtual host. Source firewall.access-proxy-virtual-host.name. type: str more...
- client_cert - Enable/disable to request client certificate. type: str choices: disable, enable more...
- empty_cert_action - Action of an empty client certificate. type: str choices: accept, block more...
- ldb_method - Method used to distribute sessions to SSL real servers. type: str choices: static, round-robin, weighted, least-session, least-rtt, first-alive more...
- name - Access Proxy name. type: str required: True more...
- realservers - Select the SSL real servers that this Access Proxy will distribute traffic to. type: list more...
- id - Real server ID. type: int required: True more...
- ip - IP address of the real server. type: str more...
- port - Port for communicating with the real server. type: int more...
- status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
- weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
- server_pubkey_auth - Enable/disable SSH real server public key authentication. type: str choices: disable, enable more...
- server_pubkey_auth_settings - Server SSH public key authentication settings. type: dict more...
- auth_ca - Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name. type: str more...
- cert_extension - Configure certificate extension for user certificate. type: list more...
- critical - Critical option. type: str choices: False, True more...
- data - Name of certificate extension. type: str more...
- name - Name of certificate extension. type: str required: True more...
- type - Type of certificate extension. type: str choices: fixed, user more...
- permit_agent_forwarding - Enable/disable appending permit-agent-forwarding certificate extension. type: str choices: enable, disable more...
- permit_port_forwarding - Enable/disable appending permit-port-forwarding certificate extension. type: str choices: enable, disable more...
- permit_pty - Enable/disable appending permit-pty certificate extension. type: str choices: enable, disable more...
- permit_user_rc - Enable/disable appending permit-user-rc certificate extension. type: str choices: enable, disable more...
- permit_x11_forwarding - Enable/disable appending permit-x11-forwarding certificate extension. type: str choices: enable, disable more...
- source_address - Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address. type: str choices: enable, disable more...
- vip - Virtual IP name. Source firewall.vip.name. type: str more...
Examples¶
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure Access Proxy.
fortios_firewall_access_proxy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_access_proxy:
api_gateway:
-
http_cookie_age: "4"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "7"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "11"
ldb_method: "static"
persistence: "none"
realservers:
-
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
health_check: "disable"
health_check_proto: "ping"
http_host: "myhostname"
id: "19"
ip: "<your_own_value>"
mappedport: "<your_own_value>"
port: "22"
status: "active"
weight: "24"
saml_server: "<your_own_value> (source user.saml.name)"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "30"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
url_map: "<your_own_value>"
url_map_type: "sub-string"
virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
client_cert: "disable"
empty_cert_action: "accept"
ldb_method: "static"
name: "default_name_41"
realservers:
-
id: "43"
ip: "<your_own_value>"
port: "45"
status: "active"
weight: "47"
server_pubkey_auth: "disable"
server_pubkey_auth_settings:
auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
cert_extension:
-
critical: "no"
data: "<your_own_value>"
name: "default_name_54"
type: "fixed"
permit_agent_forwarding: "enable"
permit_port_forwarding: "enable"
permit_pty: "enable"
permit_user_rc: "enable"
permit_x11_forwarding: "enable"
source_address: "enable"
vip: "<your_own_value> (source firewall.vip.name)"
Return Values¶
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3