fortios_ips_sensor – Configure IPS sensor in Fortinet’s FortiOS and FortiGate.

New in version 2.10.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify ips feature and sensor category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

FortiOS Version Compatibility


v6.0.0 v6.0.5 v6.0.11 v6.2.0 v6.2.3 v6.2.5 v6.2.7 v6.4.0 v6.4.1 v6.4.4 v7.0.0
fortios_ips_sensor yes yes yes yes yes yes yes yes yes yes yes

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: False
  • enable_log - Enable/Disable logging for task. type: bool required: False default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. type: str required: True choices: present, absent
  • ips_sensor - Configure IPS sensor. type: dict more...
    • block_malicious_url - Enable/disable malicious URL blocking. type: str choices: disable, enable more...
    • comment - Comment. type: str more...
    • entries - IPS sensor filter. type: list more...
      • action - Action taken with traffic in which signatures are detected. type: str choices: pass, block, reset, default more...
      • application - Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications. type: str more...
      • cve - List of CVE IDs of the signatures to add to the sensor type: list more...
        • cve_entry - CVE IDs or CVE wildcards. type: str more...
      • exempt_ip - Traffic from selected source or destination IP addresses is exempt from this signature. type: list more...
        • dst_ip - Destination IP address and netmask. type: str more...
        • id - Exempt IP ID. type: int required: True more...
        • src_ip - Source IP address and netmask. type: str more...
      • id - Rule ID in IPS database (0 - 4294967295). type: int required: True more...
      • location - Protect client or server traffic. type: str more...
      • log - Enable/disable logging of signatures included in filter. type: str choices: disable, enable more...
      • log_attack_context - Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer. type: str choices: disable, enable more...
      • log_packet - Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. type: str choices: disable, enable more...
      • os - Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems. type: str more...
      • protocol - Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols. type: str more...
      • quarantine - Quarantine method. type: str choices: none, attacker more...
      • quarantine_expiry - Duration of quarantine. (Format type: str more...
      • quarantine_log - Enable/disable quarantine logging. type: str choices: disable, enable more...
      • rate_count - Count of the rate. type: int more...
      • rate_duration - Duration (sec) of the rate. type: int more...
      • rate_mode - Rate limit mode. type: str choices: periodical, continuous more...
      • rate_track - Track the packet protocol field. type: str choices: none, src-ip, dest-ip, dhcp-client-mac, dns-domain more...
      • rule - Identifies the predefined or custom IPS signatures to add to the sensor. type: list more...
        • id - Rule IPS. type: int required: True more...
      • severity - Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity. type: str more...
      • status - Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used. type: str choices: disable, enable, default more...
    • extended_log - Enable/disable extended logging. type: str choices: enable, disable more...
    • filter - IPS sensor filter. type: list more...
      • action - Action of selected rules. type: str choices: pass, block, reset, default more...
      • application - Vulnerable application filter. type: str more...
      • location - Vulnerability location filter. type: str more...
      • log - Enable/disable logging of selected rules. type: str choices: disable, enable more...
      • log_packet - Enable/disable packet logging of selected rules. type: str choices: disable, enable more...
      • name - Filter name. type: str required: True more...
      • os - Vulnerable OS filter. type: str more...
      • protocol - Vulnerable protocol filter. type: str more...
      • quarantine - Quarantine IP or interface. type: str choices: none, attacker more...
      • quarantine_expiry - Duration of quarantine in minute. type: int more...
      • quarantine_log - Enable/disable logging of selected quarantine. type: str choices: disable, enable more...
      • severity - Vulnerability severity filter. type: str more...
      • status - Selected rules status. type: str choices: disable, enable, default more...
    • name - Sensor name. type: str required: True more...
    • override - IPS override rule. type: list more...
      • action - Action of override rule. type: str choices: pass, block, reset more...
      • exempt_ip - Exempted IP. type: list more...
        • dst_ip - Destination IP address and netmask. type: str more...
        • id - Exempt IP ID. type: int required: True more...
        • src_ip - Source IP address and netmask. type: str more...
      • log - Enable/disable logging. type: str choices: disable, enable more...
      • log_packet - Enable/disable packet logging. type: str choices: disable, enable more...
      • quarantine - Quarantine IP or interface. type: str choices: none, attacker more...
      • quarantine_expiry - Duration of quarantine in minute. type: int more...
      • quarantine_log - Enable/disable logging of selected quarantine. type: str choices: disable, enable more...
      • rule_id - Override rule ID. type: int more...
      • status - Enable/disable status of override rule. type: str choices: disable, enable more...
    • replacemsg_group - Replacement message group. Source system.replacemsg-group.name. type: str more...
    • scan_botnet_connections - Block or monitor connections to Botnet servers, or disable Botnet scanning. type: str choices: disable, block, monitor more...

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure IPS sensor.
    fortios_ips_sensor:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      ips_sensor:
        block_malicious_url: "disable"
        comment: "Comment."
        entries:
         -
            action: "pass"
            application: "<your_own_value>"
            cve:
             -
                cve_entry: "<your_own_value>"
            exempt_ip:
             -
                dst_ip: "<your_own_value>"
                id:  "12"
                src_ip: "<your_own_value>"
            id:  "14"
            location: "<your_own_value>"
            log: "disable"
            log_attack_context: "disable"
            log_packet: "disable"
            os: "<your_own_value>"
            protocol: "<your_own_value>"
            quarantine: "none"
            quarantine_expiry: "<your_own_value>"
            quarantine_log: "disable"
            rate_count: "24"
            rate_duration: "25"
            rate_mode: "periodical"
            rate_track: "none"
            rule:
             -
                id:  "29"
            severity: "<your_own_value>"
            status: "disable"
        extended_log: "enable"
        filter:
         -
            action: "pass"
            application: "<your_own_value>"
            location: "<your_own_value>"
            log: "disable"
            log_packet: "disable"
            name: "default_name_39"
            os: "<your_own_value>"
            protocol: "<your_own_value>"
            quarantine: "none"
            quarantine_expiry: "43"
            quarantine_log: "disable"
            severity: "<your_own_value>"
            status: "disable"
        name: "default_name_47"
        override:
         -
            action: "pass"
            exempt_ip:
             -
                dst_ip: "<your_own_value>"
                id:  "52"
                src_ip: "<your_own_value>"
            log: "disable"
            log_packet: "disable"
            quarantine: "none"
            quarantine_expiry: "57"
            quarantine_log: "disable"
            rule_id: "59"
            status: "disable"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        scan_botnet_connections: "disable"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.