fortios_firewall_profile_protocol_options – Configure protocol options in Fortinet's FortiOS and FortiGate.
New in version 2.0.0.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the profile_protocol_options category of the firewall feature. The examples include all parameters; values need to be adjusted to your datasources before use. Tested with FOS v6.0.0.
FortiOS Version Compatibility

| Module | v6.0.0 | v6.0.5 | v6.0.11 | v6.2.0 | v6.2.3 | v6.2.5 | v6.2.7 | v6.4.0 | v6.4.1 | v6.4.4 | v7.0.0 | v7.0.1 | v7.0.2 | v7.0.3 | v7.0.4 | v7.0.5 | v7.0.6 | v7.0.7 | v7.0.8 | v7.2.0 | v7.2.1 | v7.2.2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| fortios_firewall_profile_protocol_options | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes |
Parameters
- access_token - Token-based authentication. Generated from the GUI of the FortiGate. type: str required: false
- enable_log - Enable/Disable logging for the task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under the specified attribute path. type: str choices: present, absent
- state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
- firewall_profile_protocol_options - Configure protocol options. type: dict
  - cifs - Configure CIFS protocol options. type: dict
    - domain_controller - Domain for which to decrypt CIFS traffic. Source user.domain-controller.name credential-store.domain-controller.server-name. type: str
    - options - One or more options that can be applied to the session. type: list choices: oversize
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - server_credential_type - CIFS server credential type. type: str choices: none, credential-replication, credential-keytab
    - server_keytab - Server keytab. type: list
      - keytab - Base64 encoded keytab file containing the credential of the server. type: str
      - principal - Service principal. For example, host/cifsserver.example.com@example.com. type: str
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - tcp_window_maximum - Maximum dynamic TCP window size. type: int
    - tcp_window_minimum - Minimum dynamic TCP window size. type: int
    - tcp_window_size - Set TCP static window size. type: int
    - tcp_window_type - TCP window type to use for this protocol. type: str choices: auto-tuning, system, static, dynamic
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - comment - Optional comments. type: str
  - dns - Configure DNS protocol options. type: dict
    - ports - Ports to scan for content (1 - 65535). type: list
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
  - ftp - Configure FTP protocol options. type: dict
    - comfort_amount - Amount of data to send in a transmission for client comforting (1 - 65535 bytes). type: int
    - comfort_interval - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). type: int
    - explicit_ftp_tls - Enable/disable FTP redirection for explicit FTPS. type: str choices: enable, disable
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: clientcomfort, oversize, splice, bypass-rest-command, bypass-mode-command
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - stream_based_uncompressed_limit - Maximum stream-based uncompressed data size that will be scanned, in megabytes. Stream-based uncompression is used only under certain conditions (unlimited = 0). type: int
    - tcp_window_maximum - Maximum dynamic TCP window size. type: int
    - tcp_window_minimum - Minimum dynamic TCP window size. type: int
    - tcp_window_size - Set TCP static window size. type: int
    - tcp_window_type - TCP window type to use for this protocol. type: str choices: auto-tuning, system, static, dynamic
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - http - Configure HTTP protocol options. type: dict
    - address_ip_rating - Enable/disable IP based URL rating. type: str choices: enable, disable
    - block_page_status_code - Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599). type: int
    - comfort_amount - Amount of data to send in a transmission for client comforting (1 - 65535 bytes). type: int
    - comfort_interval - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). type: int
    - fortinet_bar - Enable/disable Fortinet bar on HTML content. type: str choices: enable, disable
    - fortinet_bar_port - Port for use by Fortinet Bar (1 - 65535). type: int
    - h2c - Enable/disable h2c HTTP connection upgrade. type: str choices: enable, disable
    - http_policy - Enable/disable HTTP policy check. type: str choices: disable, enable
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: clientcomfort, servercomfort, oversize, chunkedbypass
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - post_lang - ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets). type: list choices: jisx0201, jisx0208, jisx0212, gb2312, ksc5601-ex, euc-jp, sjis, iso2022-jp, iso2022-jp-1, iso2022-jp-2, euc-cn, ces-gbk, hz, ces-big5, euc-kr, iso2022-jp-3, iso8859-1, tis620, cp874, cp1252, cp1251
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - range_block - Enable/disable blocking of partial downloads. type: str choices: disable, enable
    - retry_count - Number of attempts to retry HTTP connection (0 - 100). type: int
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - stream_based_uncompressed_limit - Maximum stream-based uncompressed data size that will be scanned, in megabytes. Stream-based uncompression is used only under certain conditions (unlimited = 0). type: int
    - streaming_content_bypass - Enable/disable bypassing of streaming content from buffering. type: str choices: enable, disable
    - strip_x_forwarded_for - Enable/disable stripping of the HTTP X-Forwarded-For header. type: str choices: disable, enable
    - switching_protocols - Bypass from scanning, or block, a connection that attempts to switch protocol. type: str choices: bypass, block
    - tcp_window_maximum - Maximum dynamic TCP window size. type: int
    - tcp_window_minimum - Minimum dynamic TCP window size. type: int
    - tcp_window_size - Set TCP static window size. type: int
    - tcp_window_type - TCP window type to use for this protocol. type: str choices: auto-tuning, system, static, dynamic
    - tunnel_non_http - Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
    - unknown_http_version - How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1. type: str choices: reject, tunnel, best-effort
    - verify_dns_for_policy_matching - Enable/disable verification of DNS for policy matching. type: str choices: enable, disable
  - imap - Configure IMAP protocol options. type: dict
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: fragmail, oversize
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - mail_signature - Configure mail signature. type: dict
    - signature - Email signature to be added to outgoing email (if the signature contains spaces, enclose it in quotation marks). type: str
    - status - Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate. type: str choices: disable, enable
  - mapi - Configure MAPI protocol options. type: dict
    - options - One or more options that can be applied to the session. type: list choices: fragmail, oversize
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - name - Name. type: str required: true
  - nntp - Configure NNTP protocol options. type: dict
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: oversize, splice
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - oversize_log - Enable/disable logging for antivirus oversize file blocking. type: str choices: disable, enable
  - pop3 - Configure POP3 protocol options. type: dict
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: fragmail, oversize
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - replacemsg_group - Name of the replacement message group to be used. Source system.replacemsg-group.name. type: str
  - rpc_over_http - Enable/disable inspection of RPC over HTTP. type: str choices: enable, disable
  - smtp - Configure SMTP protocol options. type: dict
    - inspect_all - Enable/disable the inspection of all ports for the protocol. type: str choices: enable, disable
    - options - One or more options that can be applied to the session. type: list choices: fragmail, oversize, splice
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - ports - Ports to scan for content (1 - 65535). type: list
    - proxy_after_tcp_handshake - Proxy traffic after the TCP 3-way handshake has been established (not before). type: str choices: enable, disable
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - server_busy - Enable/disable the SMTP "server busy" response when the server is not available. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - status - Enable/disable the active status of scanning for this protocol. type: str choices: enable, disable
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - ssh - Configure SFTP and SCP protocol options. type: dict
    - comfort_amount - Amount of data to send in a transmission for client comforting (1 - 65535 bytes). type: int
    - comfort_interval - Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec). type: int
    - options - One or more options that can be applied to the session. type: list choices: oversize, clientcomfort, servercomfort
    - oversize_limit - Maximum in-memory file size that can be scanned (1 - 383 MB). type: int
    - scan_bzip2 - Enable/disable scanning of BZip2 compressed files. type: str choices: enable, disable
    - ssl_offloaded - SSL decryption and encryption performed by an external device. type: str choices: no, yes
    - stream_based_uncompressed_limit - Maximum stream-based uncompressed data size that will be scanned, in megabytes. Stream-based uncompression is used only under certain conditions (unlimited = 0). type: int
    - tcp_window_maximum - Maximum dynamic TCP window size. type: int
    - tcp_window_minimum - Minimum dynamic TCP window size. type: int
    - tcp_window_size - Set TCP static window size. type: int
    - tcp_window_type - TCP window type to use for this protocol. type: str choices: auto-tuning, system, static, dynamic
    - uncompressed_nest_limit - Maximum nested levels of compression that can be uncompressed and scanned (2 - 100). type: int
    - uncompressed_oversize_limit - Maximum in-memory uncompressed file size that can be scanned (1 - 383 MB). type: int
  - switching_protocols_log - Enable/disable logging for HTTP/HTTPS switching protocols. type: str choices: disable, enable
Examples

```yaml
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" here skips verification of the FortiGate's TLS certificate; use "yes" once the
    # device presents a certificate the controller trusts.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure protocol options.
      fortios_firewall_profile_protocol_options:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        firewall_profile_protocol_options:
          cifs:
            domain_controller: "<your_own_value> (source user.domain-controller.name credential-store.domain-controller.server-name)"
            options: "oversize"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            server_credential_type: "none"
            server_keytab:
              - keytab: "<your_own_value>"
                principal: "<your_own_value>"
            status: "enable"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          comment: "Optional comments."
          dns:
            ports: "<your_own_value>"
            status: "enable"
          ftp:
            comfort_amount: "1"
            comfort_interval: "10"
            explicit_ftp_tls: "enable"
            inspect_all: "enable"
            options: "clientcomfort"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            stream_based_uncompressed_limit: "0"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          http:
            address_ip_rating: "enable"
            block_page_status_code: "403"
            comfort_amount: "1"
            comfort_interval: "10"
            fortinet_bar: "enable"
            fortinet_bar_port: "32767"
            h2c: "enable"
            http_policy: "disable"
            inspect_all: "enable"
            options: "clientcomfort"
            oversize_limit: "10"
            ports: "<your_own_value>"
            post_lang: "jisx0201"
            proxy_after_tcp_handshake: "enable"
            range_block: "disable"
            retry_count: "0"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            stream_based_uncompressed_limit: "0"
            streaming_content_bypass: "enable"
            strip_x_forwarded_for: "disable"
            switching_protocols: "bypass"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            tunnel_non_http: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
            unknown_http_version: "reject"
            verify_dns_for_policy_matching: "enable"
          imap:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          mail_signature:
            signature: "<your_own_value>"
            status: "disable"
          mapi:
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            scan_bzip2: "enable"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          name: "default_name_97"
          nntp:
            inspect_all: "enable"
            options: "oversize"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          oversize_log: "disable"
          pop3:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
          rpc_over_http: "enable"
          smtp:
            inspect_all: "enable"
            options: "fragmail"
            oversize_limit: "10"
            ports: "<your_own_value>"
            proxy_after_tcp_handshake: "enable"
            scan_bzip2: "enable"
            server_busy: "enable"
            ssl_offloaded: "no"
            status: "enable"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          ssh:
            comfort_amount: "1"
            comfort_interval: "10"
            options: "oversize"
            oversize_limit: "10"
            scan_bzip2: "enable"
            ssl_offloaded: "no"
            stream_based_uncompressed_limit: "0"
            tcp_window_maximum: "8388608"
            tcp_window_minimum: "131072"
            tcp_window_size: "262144"
            tcp_window_type: "auto-tuning"
            uncompressed_nest_limit: "12"
            uncompressed_oversize_limit: "10"
          switching_protocols_log: "disable"
```
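A pre-flight check for the firewall_profile_protocol_options dict a playbook hands to this module, written as an added example (it is not part of the fortinet.fortios collection): it applies the numeric ranges the parameter list documents and flags settings that switch scanning or its logging off, so a review catches them before the profile is pushed. The sample dict is constructed for the example; the pairing of the "oversize" option with oversize_log follows this page's description of oversize_log as the log for oversize-file blocking.

```python
from typing import Any, Dict, List

# Numeric limits quoted in this page's parameter list; every protocol sub-dict uses the same names.
RANGES = {
    "oversize_limit": (1, 383),
    "uncompressed_oversize_limit": (1, 383),
    "uncompressed_nest_limit": (2, 100),
    "comfort_amount": (1, 65535),
    "comfort_interval": (1, 900),
    "block_page_status_code": (100, 599),
    "fortinet_bar_port": (1, 65535),
    "retry_count": (0, 100),
}
PROTOCOLS = ("cifs", "dns", "ftp", "http", "imap", "mapi", "nntp", "pop3", "smtp", "ssh")


def _as_list(value: Any) -> List[Any]:
    """List parameters (options, ports) are often written as a single scalar in playbooks."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def lint_protocol_options(opts: Dict[str, Any]) -> List[str]:
    """Return one finding per out-of-range value or per setting that weakens inspection/logging."""
    findings: List[str] = []
    for proto in PROTOCOLS:
        sub = opts.get(proto)
        if not isinstance(sub, dict):
            continue
        for key, (lo, hi) in RANGES.items():
            if key not in sub:
                continue
            try:
                val = int(sub[key])
            except (TypeError, ValueError):
                findings.append(f"{proto}.{key}: not an integer: {sub[key]!r}")
                continue
            if not lo <= val <= hi:
                findings.append(f"{proto}.{key}={val} outside documented range {lo}-{hi}")
        for port in _as_list(sub.get("ports")):
            try:
                if not 1 <= int(port) <= 65535:
                    raise ValueError
            except (TypeError, ValueError):
                findings.append(f"{proto}.ports: {port!r} is not a port in 1-65535")
        # Review points: values that silently reduce what the profile scans or records.
        if sub.get("status") == "disable":
            findings.append(f"{proto}: content scanning disabled (status=disable)")
        if sub.get("scan_bzip2") == "disable":
            findings.append(f"{proto}: BZip2 archives will not be scanned")
        if "oversize" in _as_list(sub.get("options")) and opts.get("oversize_log") != "enable":
            findings.append(f"{proto}: 'oversize' option set but oversize_log is not enabled")
    http = opts.get("http")
    if isinstance(http, dict) and http.get("switching_protocols") == "block" \
            and opts.get("switching_protocols_log") != "enable":
        findings.append("http: switching_protocols=block but switching_protocols_log is not enabled")
    return findings


# Constructed sample: a trimmed profile with deliberate mistakes for the linter to report.
SAMPLE = {
    "name": "default_name_97",
    "oversize_log": "disable",
    "cifs": {"options": "oversize", "oversize_limit": "500", "status": "enable", "ports": ["445"]},
    "dns": {"status": "disable", "ports": "53"},
    "http": {"block_page_status_code": "403", "retry_count": "0",
             "scan_bzip2": "disable", "switching_protocols": "block"},
}

if __name__ == "__main__":
    for line in lint_protocol_options(SAMPLE):
        print(line)
```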
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3