fortios_firewall_access_proxy – Configure IPv4 access proxy in Fortinet’s FortiOS and FortiGate.
New in version 2.0.0.
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and access_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.15
Tips
Using member operation to add an element to an existing object.
FortiOS Version Compatibility
Supported Version Ranges: v7.0.0 -> 7.4.3
Parameters
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
- state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
- firewall_access_proxy - Configure IPv4 access proxy. type: dict more...
- add_vhost_domain_to_dnsdb - Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel. type: str choices: enable, disable more...
- api_gateway - Set IPv4 API Gateway. type: list member_path: api_gateway:id more...
- application - SaaS application controlled by this Access Proxy. type: list member_path: api_gateway:id/application:name more...
- name - SaaS application name. type: str required: true more...
- h2_support - HTTP2 support, default=Enable. type: str choices: enable, disable more...
- h3_support - HTTP3/QUIC support, default=Disable. type: str choices: enable, disable more...
- http_cookie_age - Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. type: int more...
- http_cookie_domain - Domain that HTTP cookie persistence should apply to. type: str more...
- http_cookie_domain_from_host - Enable/disable use of HTTP cookie domain from host field in HTTP. type: str choices: disable, enable more...
- http_cookie_generation - Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. type: int more...
- http_cookie_path - Limit HTTP cookie persistence to the specified path. type: str more...
- http_cookie_share - Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. type: str choices: disable, same-ip more...
- https_cookie_secure - Enable/disable verification that inserted HTTPS cookies are secure. type: str choices: disable, enable more...
- id - API Gateway ID. see Notes. type: int required: true more...
- ldb_method - Method used to distribute sessions to real servers. type: str choices: static, round-robin, weighted, first-alive, http-host, least-session, least-rtt more...
- persistence - Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. type: str choices: none, http-cookie more...
- quic - QUIC setting. type: dict more...
- ack_delay_exponent - ACK delay exponent (1 - 20). type: int more...
- active_connection_id_limit - Active connection ID limit (1 - 8). type: int more...
- active_migration - Enable/disable active migration . type: str choices: enable, disable more...
- grease_quic_bit - Enable/disable grease QUIC bit . type: str choices: enable, disable more...
- max_ack_delay - Maximum ACK delay in milliseconds (1 - 16383). type: int more...
- max_datagram_frame_size - Maximum datagram frame size in bytes (1 - 1500). type: int more...
- max_idle_timeout - Maximum idle timeout milliseconds (1 - 60000). type: int more...
- max_udp_payload_size - Maximum UDP payload size in bytes (1200 - 1500). type: int more...
- realservers - Select the real servers that this Access Proxy will distribute traffic to. type: list member_path: api_gateway:id/realservers:id more...
- addr_type - Type of address. type: str choices: ip, fqdn more...
- address - Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name. type: str more...
- domain - Wildcard domain name of the real server. type: str more...
- external_auth - Enable/disable use of external browser as user-agent for SAML user authentication. type: str choices: enable, disable more...
- health_check - Enable to check the responsiveness of the real server before forwarding traffic. type: str choices: disable, enable more...
- health_check_proto - Protocol of the health check monitor to use when polling to determine server"s connectivity status. type: str choices: ping, http, tcp-connect more...
- holddown_interval - Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). type: str choices: enable, disable more...
- http_host - HTTP server domain name in HTTP header. type: str more...
- id - Real server ID. see Notes. type: int required: true more...
- ip - IP address of the real server. type: str more...
- mappedport - Port for communicating with the real server. type: str more...
- port - Port for communicating with the real server. type: int more...
- ssh_client_cert - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name. type: str more...
- ssh_host_key - One or more server host key. type: list member_path: api_gateway:id/realservers:id/ssh_host_key:name more...
- name - Server host key name. Source firewall.ssh.host-key.name. type: str required: true more...
- ssh_host_key_validation - Enable/disable SSH real server host key validation. type: str choices: disable, enable more...
- status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
- translate_host - Enable/disable translation of hostname/IP from virtual server to real server. type: str choices: enable, disable more...
- tunnel_encryption - Tunnel encryption. type: str choices: enable, disable more...
- type - TCP forwarding server type. type: str choices: tcp-forwarding, ssh more...
- weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
- saml_redirect - Enable/disable SAML redirection after successful authentication. type: str choices: disable, enable more...
- saml_server - SAML service provider configuration for VIP authentication. Source user.saml.name. type: str more...
- service - Service. type: str choices: http, https, tcp-forwarding, samlsp, web-portal, saas more...
- ssl_algorithm - Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. type: str choices: high, medium, low, custom more...
- ssl_cipher_suites - SSL/TLS cipher suites to offer to a server, ordered by priority. type: list member_path: api_gateway:id/ssl_cipher_suites:priority more...
- cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
- priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
- versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_dh_bits - Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. type: str choices: 768, 1024, 1536, 2048, 3072, 4096 more...
- ssl_max_version - Highest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_min_version - Lowest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_renegotiation - Enable/disable secure renegotiation to comply with RFC 5746. type: str choices: enable, disable more...
- ssl_vpn_web_portal - SSL-VPN web portal. Source vpn.ssl.web.portal.name. type: str more...
- url_map - URL pattern to match. type: str more...
- url_map_type - Type of url-map. type: str choices: sub-string, wildcard, regex more...
- virtual_host - Virtual host. Source firewall.access-proxy-virtual-host.name. type: str more...
- api_gateway6 - Set IPv6 API Gateway. type: list member_path: api_gateway6:id more...
- application - SaaS application controlled by this Access Proxy. type: list member_path: api_gateway6:id/application:name more...
- name - SaaS application name. type: str required: true more...
- h2_support - HTTP2 support, default=Enable. type: str choices: enable, disable more...
- h3_support - HTTP3/QUIC support, default=Disable. type: str choices: enable, disable more...
- http_cookie_age - Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. type: int more...
- http_cookie_domain - Domain that HTTP cookie persistence should apply to. type: str more...
- http_cookie_domain_from_host - Enable/disable use of HTTP cookie domain from host field in HTTP. type: str choices: disable, enable more...
- http_cookie_generation - Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. type: int more...
- http_cookie_path - Limit HTTP cookie persistence to the specified path. type: str more...
- http_cookie_share - Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. type: str choices: disable, same-ip more...
- https_cookie_secure - Enable/disable verification that inserted HTTPS cookies are secure. type: str choices: disable, enable more...
- id - API Gateway ID. see Notes. type: int required: true more...
- ldb_method - Method used to distribute sessions to real servers. type: str choices: static, round-robin, weighted, first-alive, http-host more...
- persistence - Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. type: str choices: none, http-cookie more...
- quic - QUIC setting. type: dict more...
- ack_delay_exponent - ACK delay exponent (1 - 20). type: int more...
- active_connection_id_limit - Active connection ID limit (1 - 8). type: int more...
- active_migration - Enable/disable active migration . type: str choices: enable, disable more...
- grease_quic_bit - Enable/disable grease QUIC bit . type: str choices: enable, disable more...
- max_ack_delay - Maximum ACK delay in milliseconds (1 - 16383). type: int more...
- max_datagram_frame_size - Maximum datagram frame size in bytes (1 - 1500). type: int more...
- max_idle_timeout - Maximum idle timeout milliseconds (1 - 60000). type: int more...
- max_udp_payload_size - Maximum UDP payload size in bytes (1200 - 1500). type: int more...
- realservers - Select the real servers that this Access Proxy will distribute traffic to. type: list member_path: api_gateway6:id/realservers:id more...
- addr_type - Type of address. type: str choices: ip, fqdn more...
- address - Address or address group of the real server. Source firewall.address6.name firewall.addrgrp6.name. type: str more...
- domain - Wildcard domain name of the real server. type: str more...
- external_auth - Enable/disable use of external browser as user-agent for SAML user authentication. type: str choices: enable, disable more...
- health_check - Enable to check the responsiveness of the real server before forwarding traffic. type: str choices: disable, enable more...
- health_check_proto - Protocol of the health check monitor to use when polling to determine server"s connectivity status. type: str choices: ping, http, tcp-connect more...
- holddown_interval - Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). type: str choices: enable, disable more...
- http_host - HTTP server domain name in HTTP header. type: str more...
- id - Real server ID. see Notes. type: int required: true more...
- ip - IPv6 address of the real server. type: str more...
- mappedport - Port for communicating with the real server. type: str more...
- port - Port for communicating with the real server. type: int more...
- ssh_client_cert - Set access-proxy SSH client certificate profile. Source firewall.access-proxy-ssh-client-cert.name. type: str more...
- ssh_host_key - One or more server host key. type: list member_path: api_gateway6:id/realservers:id/ssh_host_key:name more...
- name - Server host key name. Source firewall.ssh.host-key.name. type: str required: true more...
- ssh_host_key_validation - Enable/disable SSH real server host key validation. type: str choices: disable, enable more...
- status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
- translate_host - Enable/disable translation of hostname/IP from virtual server to real server. type: str choices: enable, disable more...
- tunnel_encryption - Tunnel encryption. type: str choices: enable, disable more...
- type - TCP forwarding server type. type: str choices: tcp-forwarding, ssh more...
- weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
- saml_redirect - Enable/disable SAML redirection after successful authentication. type: str choices: disable, enable more...
- saml_server - SAML service provider configuration for VIP authentication. Source user.saml.name. type: str more...
- service - Service. type: str choices: http, https, tcp-forwarding, samlsp, web-portal, saas more...
- ssl_algorithm - Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. type: str choices: high, medium, low more...
- ssl_cipher_suites - SSL/TLS cipher suites to offer to a server, ordered by priority. type: list member_path: api_gateway6:id/ssl_cipher_suites:priority more...
- cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
- priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
- versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_dh_bits - Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. type: str choices: 768, 1024, 1536, 2048, 3072, 4096 more...
- ssl_max_version - Highest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_min_version - Lowest SSL/TLS version acceptable from a server. type: str choices: tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
- ssl_renegotiation - Enable/disable secure renegotiation to comply with RFC 5746. type: str choices: enable, disable more...
- ssl_vpn_web_portal - SSL-VPN web portal. Source vpn.ssl.web.portal.name. type: str more...
- url_map - URL pattern to match. type: str more...
- url_map_type - Type of url-map. type: str choices: sub-string, wildcard, regex more...
- virtual_host - Virtual host. Source firewall.access-proxy-virtual-host.name. type: str more...
- auth_portal - Enable/disable authentication portal. type: str choices: disable, enable more...
- auth_virtual_host - Virtual host for authentication portal. Source firewall.access-proxy-virtual-host.name. type: str more...
- client_cert - Enable/disable to request client certificate. type: str choices: disable, enable more...
- decrypted_traffic_mirror - Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name. type: str more...
- empty_cert_action - Action of an empty client certificate. type: str choices: accept, block, accept-unmanageable more...
- http_supported_max_version - Maximum supported HTTP versions. default = HTTP2 type: str choices: http1, http2 more...
- ldb_method - Method used to distribute sessions to SSL real servers. type: str choices: static, round-robin, weighted, least-session, least-rtt, first-alive more...
- log_blocked_traffic - Enable/disable logging of blocked traffic. type: str choices: enable, disable more...
- name - Access Proxy name. type: str required: true more...
- realservers - Select the SSL real servers that this Access Proxy will distribute traffic to. type: list member_path: realservers:id more...
- id - Real server ID. see Notes. type: int required: true more...
- ip - IP address of the real server. type: str more...
- port - Port for communicating with the real server. type: int more...
- status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
- weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
- server_pubkey_auth - Enable/disable SSH real server public key authentication. type: str choices: disable, enable more...
- server_pubkey_auth_settings - Server SSH public key authentication settings. type: dict more...
- auth_ca - Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name. type: str more...
- cert_extension - Configure certificate extension for user certificate. type: list member_path: server_pubkey_auth_settings/cert_extension:name more...
- critical - Critical option. type: str choices: no, yes more...
- data - Name of certificate extension. type: str more...
- name - Name of certificate extension. type: str required: true more...
- type - Type of certificate extension. type: str choices: fixed, user more...
- permit_agent_forwarding - Enable/disable appending permit-agent-forwarding certificate extension. type: str choices: enable, disable more...
- permit_port_forwarding - Enable/disable appending permit-port-forwarding certificate extension. type: str choices: enable, disable more...
- permit_pty - Enable/disable appending permit-pty certificate extension. type: str choices: enable, disable more...
- permit_user_rc - Enable/disable appending permit-user-rc certificate extension. type: str choices: enable, disable more...
- permit_x11_forwarding - Enable/disable appending permit-x11-forwarding certificate extension. type: str choices: enable, disable more...
- source_address - Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address. type: str choices: enable, disable more...
- svr_pool_multiplex - Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway. type: str choices: enable, disable more...
- svr_pool_server_max_concurrent_request - Maximum number of concurrent requests that servers in server pool could handle . type: int more...
- svr_pool_server_max_request - Maximum number of requests that servers in server pool handle before disconnecting . type: int more...
- svr_pool_ttl - Time-to-live in the server pool for idle connections to servers. type: int more...
- user_agent_detect - Enable/disable to detect device type by HTTP user-agent if no client certificate provided. type: str choices: disable, enable more...
- vip - Virtual IP name. Source firewall.vip.name. type: str more...
Notes
Note
Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- name: Configure IPv4 access proxy.
fortinet.fortios.fortios_firewall_access_proxy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_access_proxy:
add_vhost_domain_to_dnsdb: "enable"
api_gateway:
-
application:
-
name: "default_name_6"
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "16"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
domain: "<your_own_value>"
external_auth: "enable"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "37"
ip: "<your_own_value>"
mappedport: "<your_own_value>"
port: "443"
ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
ssh_host_key:
-
name: "default_name_43 (source firewall.ssh.host-key.name)"
ssh_host_key_validation: "disable"
status: "active"
translate_host: "enable"
tunnel_encryption: "enable"
type: "tcp-forwarding"
weight: "1"
saml_redirect: "disable"
saml_server: "<your_own_value> (source user.saml.name)"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
url_map: "<your_own_value>"
url_map_type: "sub-string"
virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
api_gateway6:
-
application:
-
name: "default_name_68"
h2_support: "enable"
h3_support: "enable"
http_cookie_age: "60"
http_cookie_domain: "<your_own_value>"
http_cookie_domain_from_host: "disable"
http_cookie_generation: "0"
http_cookie_path: "<your_own_value>"
http_cookie_share: "disable"
https_cookie_secure: "disable"
id: "78"
ldb_method: "static"
persistence: "none"
quic:
ack_delay_exponent: "3"
active_connection_id_limit: "2"
active_migration: "enable"
grease_quic_bit: "enable"
max_ack_delay: "25"
max_datagram_frame_size: "1500"
max_idle_timeout: "30000"
max_udp_payload_size: "1500"
realservers:
-
addr_type: "ip"
address: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
domain: "<your_own_value>"
external_auth: "enable"
health_check: "disable"
health_check_proto: "ping"
holddown_interval: "enable"
http_host: "myhostname"
id: "99"
ip: "<your_own_value>"
mappedport: "<your_own_value>"
port: "443"
ssh_client_cert: "<your_own_value> (source firewall.access-proxy-ssh-client-cert.name)"
ssh_host_key:
-
name: "default_name_105 (source firewall.ssh.host-key.name)"
ssh_host_key_validation: "disable"
status: "active"
translate_host: "enable"
tunnel_encryption: "enable"
type: "tcp-forwarding"
weight: "1"
saml_redirect: "disable"
saml_server: "<your_own_value> (source user.saml.name)"
service: "http"
ssl_algorithm: "high"
ssl_cipher_suites:
-
cipher: "TLS-AES-128-GCM-SHA256"
priority: "<you_own_value>"
versions: "tls-1.0"
ssl_dh_bits: "768"
ssl_max_version: "tls-1.0"
ssl_min_version: "tls-1.0"
ssl_renegotiation: "enable"
ssl_vpn_web_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
url_map: "<your_own_value>"
url_map_type: "sub-string"
virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
auth_portal: "disable"
auth_virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
client_cert: "disable"
decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
empty_cert_action: "accept"
http_supported_max_version: "http1"
ldb_method: "static"
log_blocked_traffic: "enable"
name: "default_name_136"
realservers:
-
id: "138"
ip: "<your_own_value>"
port: "0"
status: "active"
weight: "1"
server_pubkey_auth: "disable"
server_pubkey_auth_settings:
auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
cert_extension:
-
critical: "no"
data: "<your_own_value>"
name: "default_name_149"
type: "fixed"
permit_agent_forwarding: "enable"
permit_port_forwarding: "enable"
permit_pty: "enable"
permit_user_rc: "enable"
permit_x11_forwarding: "enable"
source_address: "enable"
svr_pool_multiplex: "enable"
svr_pool_server_max_concurrent_request: "0"
svr_pool_server_max_request: "0"
svr_pool_ttl: "15"
user_agent_detect: "disable"
vip: "<your_own_value> (source firewall.vip.name)"
Return Values
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3
Status
This module is not guaranteed to have a backwards compatible interface.