fortios_firewall_ssl_ssh_profile – Configure SSL/SSH protocol options in Fortinet’s FortiOS and FortiGate.¶

New in version 2.10.

Synopsis
Requirements
FortiOS Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and ssl_ssh_profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

FortiOS Version Compatibility ¶

	`v6.0.0`	`v6.0.5`	`v6.0.11`	`v6.2.0`	`v6.2.3`	`v6.2.5`	`v6.2.7`	`v6.4.0`	`v6.4.1`	`v6.4.4`	`v7.0.0`
fortios_firewall_ssl_ssh_profile	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes

Parameters ¶

access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
enable_log - Enable/Disable logging for task. type: bool required: False default: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
state - Indicates whether to create or remove the object. type: str required: True choices: present, absent
firewall_ssl_ssh_profile - Configure SSL/SSH protocol options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

firewall_ssl_ssh_profile yes yes yes yes yes yes yes yes yes yes yes

allowlist - Enable/disable exempting servers by FortiGuard allowlist. type: str choices: enable, disable more...

v7.0.0

allowlist yes

[enable] yes

[disable] yes

block_blacklisted_certificates - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. type: str choices: disable, enable more...

block_blocklisted_certificates - Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist. type: str choices: disable, enable more...

v7.0.0

block_blocklisted_certificates yes

[disable] yes

[enable] yes
caname - CA certificate used by SSL Inspection. Source vpn.certificate.local.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

caname yes yes yes yes yes yes yes yes yes yes yes
comment - Optional comments. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

comment yes yes yes yes yes yes yes yes yes yes yes
dot - Configure DNS over TLS options. type: dict more...

v7.0.0

dot yes

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v7.0.0

cert_validation_failure yes

[allow] yes

[block] yes

[ignore] yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v7.0.0

cert_validation_timeout yes

[allow] yes

[block] yes

[ignore] yes
client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v7.0.0

client_certificate yes

[bypass] yes

[inspect] yes

[block] yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v7.0.0

expired_server_cert yes

[allow] yes

[block] yes

[ignore] yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v7.0.0

proxy_after_tcp_handshake yes

[enable] yes

[disable] yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v7.0.0

revoked_server_cert yes

[allow] yes

[block] yes

[ignore] yes
sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

v7.0.0

sni_server_cert_check yes

[enable] yes

[strict] yes

[disable] yes
status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

v7.0.0

status yes

[disable] yes

[deep-inspection] yes
unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v7.0.0

unsupported_ssl_cipher yes

[allow] yes

[block] yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v7.0.0

unsupported_ssl_negotiation yes

[allow] yes

[block] yes
untrusted_server_cert - Action based on server certificate is not issued by a trusted CA. type: str choices: allow, block, ignore more...

v7.0.0

untrusted_server_cert yes

[allow] yes

[block] yes

[ignore] yes

ftps - Configure FTPS options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ftps yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

https - Configure HTTPS options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

https yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_probe_failure - Action based on certificate probe failure. type: str choices: allow, block more...

v7.0.0

cert_probe_failure yes

[allow] yes

[block] yes
cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

proxy_after_tcp_handshake yes yes yes yes

[enable] yes yes yes yes

[disable] yes yes yes yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

status - Configure protocol inspection status. type: str choices: disable, certificate-inspection, deep-inspection more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

imaps - Configure IMAPS options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

imaps yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

proxy_after_tcp_handshake yes yes yes yes

[enable] yes yes yes yes

[disable] yes yes yes yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

mapi_over_https - Enable/disable inspection of MAPI over HTTPS. type: str choices: enable, disable more...

name - Name. type: str required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

name yes yes yes yes yes yes yes yes yes yes yes
pop3s - Configure POP3S options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

pop3s yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

proxy_after_tcp_handshake yes yes yes yes

[enable] yes yes yes yes

[disable] yes yes yes yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

rpc_over_https - Enable/disable inspection of RPC over HTTPS. type: str choices: enable, disable more...

server_cert - Certificate used by SSL Inspection to replace server certificate. Source vpn.certificate.local.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

server_cert yes yes yes yes yes yes yes yes yes yes yes

server_cert_mode - Re-sign or replace the server"s certificate. type: str choices: re-sign, replace more...

smtps - Configure SMTPS options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

smtps yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

proxy_after_tcp_handshake yes yes yes yes

[enable] yes yes yes yes

[disable] yes yes yes yes
revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

ssh - Configure SSH options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssh yes yes yes yes yes yes yes yes yes yes yes

inspect_all - Level of SSL inspection. type: str choices: disable, deep-inspection more...

ports - Ports to use for scanning (1 - 65535). type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ports yes yes yes yes yes yes yes yes yes yes yes
proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

proxy_after_tcp_handshake yes yes yes yes

[enable] yes yes yes yes

[disable] yes yes yes yes

ssh_algorithm - Relative strength of encryption algorithms accepted during negotiation. type: str choices: compatible, high-encryption more...

ssh_policy_check - Enable/disable SSH policy check. type: str choices: disable, enable more...

ssh_tun_policy_check - Enable/disable SSH tunnel policy check. type: str choices: disable, enable more...

status - Configure protocol inspection status. type: str choices: disable, deep-inspection more...

unsupported_version - Action based on SSH version being unsupported. type: str choices: bypass, block more...

ssl - Configure SSL options. type: dict more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssl yes yes yes yes yes yes yes yes yes yes yes

allow_invalid_server_cert - When enabled, allows SSL sessions whose server certificate validation failed. type: str choices: enable, disable more...

cert_validation_failure - Action based on certificate validation failure. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_failure yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes
cert_validation_timeout - Action based on certificate validation timeout. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

cert_validation_timeout yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

client_cert_request - Action based on client certificate request. type: str choices: bypass, inspect, block more...

client_certificate - Action based on received client certificate. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
expired_server_cert - Action based on server certificate is expired. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

expired_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

inspect_all - Level of SSL inspection. type: str choices: disable, certificate-inspection, deep-inspection more...

invalid_server_cert - Allow or block the invalid SSL session server certificate. type: str choices: allow, block more...

revoked_server_cert - Action based on server certificate is revoked. type: str choices: allow, block, ignore more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

revoked_server_cert yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

[ignore] yes yes yes yes

sni_server_cert_check - Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. type: str choices: enable, strict, disable more...

unsupported_ssl - Action based on the SSL encryption used being unsupported. type: str choices: bypass, inspect, block more...

unsupported_ssl_cipher - Action based on the SSL cipher used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_cipher yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes
unsupported_ssl_negotiation - Action based on the SSL negotiation used being unsupported. type: str choices: allow, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

unsupported_ssl_negotiation yes yes yes yes

[allow] yes yes yes yes

[block] yes yes yes yes

untrusted_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

untrusted_server_cert - Allow, ignore, or block the untrusted SSL session server certificate. type: str choices: allow, block, ignore more...

ssl_anomalies_log - Enable/disable logging SSL anomalies. type: str choices: disable, enable more...

ssl_exempt - Servers to exempt from SSL inspection. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssl_exempt yes yes yes yes yes yes yes yes yes yes yes

address - IPv4 address object. Source firewall.address.name firewall.addrgrp.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address yes yes yes yes yes yes yes yes yes yes yes
address6 - IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

address6 yes yes yes yes yes yes yes yes yes yes yes
fortiguard_category - FortiGuard category ID. type: int more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

fortiguard_category yes yes yes yes yes yes yes yes yes yes yes
id - ID number. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes
regex - Exempt servers by regular expression. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

regex yes yes yes yes yes yes yes yes yes yes yes

type - Type of address object (IPv4 or IPv6) or FortiGuard category. type: str choices: fortiguard-category, address, address6, wildcard-fqdn, regex more...

wildcard_fqdn - Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

wildcard_fqdn yes yes yes yes yes yes yes yes yes yes yes

ssl_exemptions_log - Enable/disable logging SSL exemptions. type: str choices: disable, enable more...

ssl_negotiation_log - Enable/disable logging SSL negotiation. type: str choices: disable, enable more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssl_negotiation_log yes yes yes yes

[disable] yes yes yes yes

[enable] yes yes yes yes
ssl_server - SSL servers. type: list more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssl_server yes yes yes yes yes yes yes yes yes yes yes

ftps_client_cert_request - Action based on client certificate request during the FTPS handshake. type: str choices: bypass, inspect, block more...

ftps_client_certificate - Action based on received client certificate during the FTPS handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

ftps_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes

https_client_cert_request - Action based on client certificate request during the HTTPS handshake. type: str choices: bypass, inspect, block more...

https_client_certificate - Action based on received client certificate during the HTTPS handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

https_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
id - SSL server ID. type: int required: True more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

id yes yes yes yes yes yes yes yes yes yes yes

imaps_client_cert_request - Action based on client certificate request during the IMAPS handshake. type: str choices: bypass, inspect, block more...

imaps_client_certificate - Action based on received client certificate during the IMAPS handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

imaps_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes
ip - IPv4 address of the SSL server. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

ip yes yes yes yes yes yes yes yes yes yes yes

pop3s_client_cert_request - Action based on client certificate request during the POP3S handshake. type: str choices: bypass, inspect, block more...

pop3s_client_certificate - Action based on received client certificate during the POP3S handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

pop3s_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes

smtps_client_cert_request - Action based on client certificate request during the SMTPS handshake. type: str choices: bypass, inspect, block more...

smtps_client_certificate - Action based on received client certificate during the SMTPS handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

smtps_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes

ssl_other_client_cert_request - Action based on client certificate request during an SSL protocol handshake. type: str choices: bypass, inspect, block more...

ssl_other_client_certificate - Action based on received client certificate during an SSL protocol handshake. type: str choices: bypass, inspect, block more...

v6.4.0 v6.4.1 v6.4.4 v7.0.0

ssl_other_client_certificate yes yes yes yes

[bypass] yes yes yes yes

[inspect] yes yes yes yes

[block] yes yes yes yes

supported_alpn - Configure ALPN option. type: str choices: http1-1, http2, all, none more...

v7.0.0

supported_alpn yes

[http1-1] yes

[http2] yes

[all] yes

[none] yes
untrusted_caname - Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name. type: str more...

v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0

untrusted_caname yes yes yes yes yes yes yes yes yes yes yes

use_ssl_server - Enable/disable the use of SSL server table for SSL offloading. type: str choices: disable, enable more...

whitelist - Enable/disable exempting servers by FortiGuard whitelist. type: str choices: enable, disable more...

Notes ¶

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples ¶

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure SSL/SSH protocol options.
    fortios_firewall_ssl_ssh_profile:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_ssl_ssh_profile:
        allowlist: "enable"
        block_blacklisted_certificates: "disable"
        block_blocklisted_certificates: "disable"
        caname: "<your_own_value> (source vpn.certificate.local.name)"
        comment: "Optional comments."
        dot:
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_server_cert: "allow"
        ftps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "28"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        https:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "46"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        imaps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "64"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        mapi_over_https: "enable"
        name: "default_name_75"
        pop3s:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "84"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        rpc_over_https: "enable"
        server_cert: "<your_own_value> (source vpn.certificate.local.name)"
        server_cert_mode: "re-sign"
        smtps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: "105"
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        ssh:
            inspect_all: "disable"
            ports: "117"
            proxy_after_tcp_handshake: "enable"
            ssh_algorithm: "compatible"
            ssh_policy_check: "disable"
            ssh_tun_policy_check: "disable"
            status: "disable"
            unsupported_version: "bypass"
        ssl:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            inspect_all: "disable"
            invalid_server_cert: "allow"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
        ssl_anomalies_log: "disable"
        ssl_exempt:
         -
            address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
            address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
            fortiguard_category: "144"
            id:  "145"
            regex: "<your_own_value>"
            type: "fortiguard-category"
            wildcard_fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
        ssl_exemptions_log: "disable"
        ssl_negotiation_log: "disable"
        ssl_server:
         -
            ftps_client_cert_request: "bypass"
            ftps_client_certificate: "bypass"
            https_client_cert_request: "bypass"
            https_client_certificate: "bypass"
            id:  "156"
            imaps_client_cert_request: "bypass"
            imaps_client_certificate: "bypass"
            ip: "<your_own_value>"
            pop3s_client_cert_request: "bypass"
            pop3s_client_certificate: "bypass"
            smtps_client_cert_request: "bypass"
            smtps_client_certificate: "bypass"
            ssl_other_client_cert_request: "bypass"
            ssl_other_client_certificate: "bypass"
        supported_alpn: "http1-1"
        untrusted_caname: "<your_own_value> (source vpn.certificate.local.name)"
        use_ssl_server: "disable"
        whitelist: "enable"

Return Values ¶

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

build - Build number of the fortigate image returned: always type: str sample: 1547
http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
revision - Internal revision number returned: always type: str sample: 17.0.2.10658
serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
status - Indication of the operation's result returned: always type: str sample: success
vdom - Virtual domain used returned: always type: str sample: root
version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status ¶

This module is not guaranteed to have a backwards compatible interface.

Authors ¶

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.

	`v6.0.0`	`v6.0.5`	`v6.0.11`	`v6.2.0`	`v6.2.3`	`v6.2.5`	`v6.2.7`	`v6.4.0`	`v6.4.1`	`v6.4.4`	`v7.0.0`
untrusted_cert	yes	yes	yes	no	no	no	no	no	no	no	no
[allow]	yes	yes	yes	n/a	n/a	n/a	n/a	n/a	n/a	n/a	n/a
[block]	yes	yes	yes	n/a	n/a	n/a	n/a	n/a	n/a	n/a	n/a
[ignore]	yes	yes	yes	n/a	n/a	n/a	n/a	n/a	n/a	n/a	n/a