fortios_firewall_vip – Configure virtual IP for IPv4 in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the vip object of the firewall feature. The example below lists every parameter; its placeholder values must be replaced with names and values that exist in the referenced datasources before use. Tested with FOS v6.0.0.

Requirements

The requirements below are needed on the host that executes this module.

  • ansible>=2.15

Tips

Use the member operation (member_path together with member_state) to add or delete a single element under a list attribute of an existing object, instead of resending the whole object.

FortiOS Version Compatibility

Supported Version Ranges: v6.0.0 -> 7.4.3

Parameters

  • access_token - Token-based authentication. Generated from the FortiGate GUI. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • firewall_vip - Configure virtual IP for IPv4. type: dict more...
    • add_nat46_route - Enable/disable adding NAT46 route. type: str choices: disable, enable more...
    • arp_reply - Enable to respond to ARP requests for this virtual IP address. Enabled by default. type: str choices: disable, enable more...
    • color - Color of icon on the GUI. type: int more...
    • comment - Comment. type: str more...
    • dns_mapping_ttl - DNS mapping TTL (Set to zero to use TTL in DNS response). type: int more...
    • extaddr - External FQDN address name. type: list member_path: extaddr:name more...
      • name - Address name. Source firewall.address.name firewall.addrgrp.name. type: str required: true more...
    • extintf - Interface connected to the source network that receives the packets that will be forwarded to the destination network. Source system.interface.name. type: str more...
    • extip - IP address or address range on the external interface that you want to map to an address or address range on the destination network. type: str more...
    • extport - Incoming port number range that you want to map to a port number range on the destination network. type: str more...
    • gratuitous_arp_interval - Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable. type: int more...
    • gslb_domain_name - Domain to use when integrating with FortiGSLB. type: str more...
    • gslb_hostname - Hostname to use within the configured FortiGSLB domain. type: str more...
    • gslb_public_ips - Publicly accessible IP addresses for the FortiGSLB service. type: list member_path: gslb_public_ips:index more...
      • index - Index of this public IP setting. see Notes. type: int required: true more...
      • ip - The publicly accessible IP address. type: str more...
    • h2_support - Enable/disable HTTP2 support. type: str choices: enable, disable more...
    • h3_support - Enable/disable HTTP3/QUIC support. type: str choices: enable, disable more...
    • http_cookie_age - Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. type: int more...
    • http_cookie_domain - Domain that HTTP cookie persistence should apply to. type: str more...
    • http_cookie_domain_from_host - Enable/disable use of HTTP cookie domain from host field in HTTP. type: str choices: disable, enable more...
    • http_cookie_generation - Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. type: int more...
    • http_cookie_path - Limit HTTP cookie persistence to the specified path. type: str more...
    • http_cookie_share - Control sharing of cookies across virtual servers. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. type: str choices: disable, same-ip more...
    • http_ip_header - For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header. type: str choices: enable, disable more...
    • http_ip_header_name - For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. type: str more...
    • http_multiplex - Enable/disable HTTP multiplexing. type: str choices: enable, disable more...
    • http_multiplex_max_concurrent_request - Maximum number of concurrent requests that a multiplex server can handle. type: int more...
    • http_multiplex_max_request - Maximum number of requests that a multiplex server can handle before disconnecting sessions. type: int more...
    • http_multiplex_ttl - Time-to-live for idle connections to servers. type: int more...
    • http_redirect - Enable/disable redirection of HTTP to HTTPS. type: str choices: enable, disable more...
    • http_supported_max_version - Maximum supported HTTP versions. default = HTTP2 type: str choices: http1, http2 more...
    • https_cookie_secure - Enable/disable verification that inserted HTTPS cookies are secure. type: str choices: disable, enable more...
    • id - Custom defined ID. type: int more...
    • ipv6_mappedip - Range of mapped IPv6 addresses. Specify the start IPv6 address followed by a space and the end IPv6 address. type: str more...
    • ipv6_mappedport - IPv6 port number range on the destination network to which the external port number range is mapped. type: str more...
    • ldb_method - Method used to distribute sessions to real servers. type: str choices: static, round-robin, weighted, least-session, least-rtt, first-alive, http-host more...
    • mapped_addr - Mapped FQDN address name. Source firewall.address.name. type: str more...
    • mappedip - IP address or address range on the destination network to which the external IP address is mapped. type: list member_path: mappedip:range more...
      • range - Mapped IP range. type: str required: true more...
    • mappedport - Port number range on the destination network to which the external port number range is mapped. type: str more...
    • max_embryonic_connections - Maximum number of incomplete connections. type: int more...
    • monitor - Name of the health check monitor to use when polling to determine a virtual server's connectivity status. type: list member_path: monitor:name more...
      • name - Health monitor name. Source firewall.ldb-monitor.name. type: str required: true more...
    • name - Virtual IP name. type: str required: true more...
    • nat_source_vip - Enable/disable forcing the source NAT mapped IP to the external IP for all traffic. type: str choices: disable, enable more...
    • nat44 - Enable/disable NAT44. type: str choices: disable, enable more...
    • nat46 - Enable/disable NAT46. type: str choices: disable, enable more...
    • one_click_gslb_server - Enable/disable one click GSLB server integration with FortiGSLB. type: str choices: disable, enable more...
    • outlook_web_access - Enable to add the Front-End-Https header for Microsoft Outlook Web Access. type: str choices: disable, enable more...
    • persistence - Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. type: str choices: none, http-cookie, ssl-session-id more...
    • portforward - Enable/disable port forwarding. type: str choices: disable, enable more...
    • portmapping_type - Port mapping type. type: str choices: 1-to-1, m-to-n more...
    • protocol - Protocol to use when forwarding packets. type: str choices: tcp, udp, sctp, icmp more...
    • quic - QUIC setting. type: dict more...
      • ack_delay_exponent - ACK delay exponent (1 - 20). type: int more...
      • active_connection_id_limit - Active connection ID limit (1 - 8). type: int more...
      • active_migration - Enable/disable active migration. type: str choices: enable, disable more...
      • grease_quic_bit - Enable/disable grease QUIC bit. type: str choices: enable, disable more...
      • max_ack_delay - Maximum ACK delay in milliseconds (1 - 16383). type: int more...
      • max_datagram_frame_size - Maximum datagram frame size in bytes (1 - 1500). type: int more...
      • max_idle_timeout - Maximum idle timeout milliseconds (1 - 60000). type: int more...
      • max_udp_payload_size - Maximum UDP payload size in bytes (1200 - 1500). type: int more...
    • realservers - Select the real servers that this server load balancing VIP will distribute traffic to. type: list member_path: realservers:id more...
      • address - Dynamic address of the real server. Source firewall.address.name. type: str more...
      • client_ip - Only clients in this IP range can connect to this real server. type: str more...
      • healthcheck - Enable to check the responsiveness of the real server before forwarding traffic. type: str choices: disable, enable, vip more...
      • holddown_interval - Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. type: int more...
      • http_host - HTTP server domain name in HTTP header. type: str more...
      • id - Real server ID. see Notes. type: int required: true more...
      • ip - IP address of the real server. type: str more...
      • max_connections - Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. type: int more...
      • monitor - Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Source firewall.ldb-monitor.name. type: list member_path: realservers:id/monitor:name more...
        • name - Health monitor name. Source firewall.ldb-monitor.name. type: str required: true more...
      • port - Port for communicating with the real server. Required if port forwarding is enabled. type: int more...
      • status - Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. type: str choices: active, standby, disable more...
      • translate_host - Enable/disable translation of hostname/IP from virtual server to real server. type: str choices: enable, disable more...
      • type - Type of address. type: str choices: ip, address more...
      • weight - Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. type: int more...
    • server_type - Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). type: str choices: http, https, imaps, pop3s, smtps, ssl, tcp, udp, ip, ssh more...
    • service - Service name. type: list member_path: service:name more...
      • name - Service name. Source firewall.service.custom.name firewall.service.group.name. type: str required: true more...
    • src_filter - Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces. type: list member_path: src_filter:range more...
      • range - Source-filter range. type: str required: true more...
    • srcintf_filter - Interfaces to which the VIP applies. Separate the names with spaces. type: list member_path: srcintf_filter:interface_name more...
      • interface_name - Interface name. Source system.interface.name. type: str required: true more...
    • ssl_accept_ffdhe_groups - Enable/disable FFDHE cipher suite for SSL key exchange. type: str choices: enable, disable more...
    • ssl_algorithm - Permitted encryption algorithms for SSL sessions according to encryption strength. type: str choices: high, medium, low, custom more...
    • ssl_certificate - The name of the certificate to use for SSL handshake. Source vpn.certificate.local.name. type: str more...
    • ssl_certificate_dict - Names of the certificates to use for the SSL handshake. Use the parameter ssl_certificate instead if the FortiOS firmware version is <= 7.4.1. type: list member_path: ssl_certificate_dict:name more...
      • name - Certificate list. Source vpn.certificate.local.name. type: str required: true more...
    • ssl_cipher_suites - SSL/TLS cipher suites acceptable from a client, ordered by priority. type: list member_path: ssl_cipher_suites:priority more...
      • cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, 
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
      • priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
      • versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_client_fallback - Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). type: str choices: disable, enable more...
    • ssl_client_rekey_count - Maximum length of data in MB before triggering a client rekey (0 = disable). type: int more...
    • ssl_client_renegotiation - Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. type: str choices: allow, deny, secure more...
    • ssl_client_session_state_max - Maximum number of client to FortiGate SSL session states to keep. type: int more...
    • ssl_client_session_state_timeout - Number of minutes to keep client to FortiGate SSL session state. type: int more...
    • ssl_client_session_state_type - How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. type: str choices: disable, time, count, both more...
    • ssl_dh_bits - Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. type: str choices: 768, 1024, 1536, 2048, 3072, 4096 more...
    • ssl_hpkp - Enable/disable including HPKP header in response. type: str choices: disable, enable, report-only more...
    • ssl_hpkp_age - Number of seconds the client should honor the HPKP setting. type: int more...
    • ssl_hpkp_backup - Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. type: str more...
    • ssl_hpkp_include_subdomains - Indicate that HPKP header applies to all subdomains. type: str choices: disable, enable more...
    • ssl_hpkp_primary - Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. type: str more...
    • ssl_hpkp_report_uri - URL to report HPKP violations to. type: str more...
    • ssl_hsts - Enable/disable including HSTS header in response. type: str choices: disable, enable more...
    • ssl_hsts_age - Number of seconds the client should honor the HSTS setting. type: int more...
    • ssl_hsts_include_subdomains - Indicate that HSTS header applies to all subdomains. type: str choices: disable, enable more...
    • ssl_http_location_conversion - Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. type: str choices: enable, disable more...
    • ssl_http_match_host - Enable/disable HTTP host matching for location conversion. type: str choices: enable, disable more...
    • ssl_max_version - Highest SSL/TLS version acceptable from a client. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_min_version - Lowest SSL/TLS version acceptable from a client. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_mode - Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). type: str choices: half, full more...
    • ssl_pfs - Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. type: str choices: require, deny, allow more...
    • ssl_send_empty_frags - Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. type: str choices: enable, disable more...
    • ssl_server_algorithm - Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. type: str choices: high, medium, low, custom, client more...
    • ssl_server_cipher_suites - SSL/TLS cipher suites to offer to a server, ordered by priority. type: list member_path: ssl_server_cipher_suites:priority more...
      • cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, 
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
      • priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
      • versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_server_max_version - Highest SSL/TLS version acceptable from a server. Use the client setting by default. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3, client more...
    • ssl_server_min_version - Lowest SSL/TLS version acceptable from a server. Use the client setting by default. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3, client more...
    • ssl_server_renegotiation - Enable/disable secure renegotiation to comply with RFC 5746. type: str choices: enable, disable more...
    • ssl_server_session_state_max - Maximum number of FortiGate to Server SSL session states to keep. type: int more...
    • ssl_server_session_state_timeout - Number of minutes to keep FortiGate to Server SSL session state. type: int more...
    • ssl_server_session_state_type - How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. type: str choices: disable, time, count, both more...
    • status - Enable/disable VIP. type: str choices: disable, enable more...
    • type - Configure a static NAT, load balance, server load balance, access proxy, DNS translation, or FQDN VIP. type: str choices: static-nat, load-balance, server-load-balance, dns-translation, fqdn, access-proxy more...
    • uuid - Universally Unique Identifier (UUID; automatically assigned but can be manually reset). type: str more...
    • weblogic_server - Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. type: str choices: disable, enable more...
    • websphere_server - Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. type: str choices: disable, enable more...

Notes

Note

  • The legacy fortiosapi connection has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- name: Configure virtual IP for IPv4.
  fortinet.fortios.fortios_firewall_vip:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_vip:
          add_nat46_route: "disable"
          arp_reply: "disable"
          color: "0"
          comment: "Comment."
          dns_mapping_ttl: "0"
          extaddr:
              -
                  name: "default_name_9 (source firewall.address.name firewall.addrgrp.name)"
          extintf: "<your_own_value> (source system.interface.name)"
          extip: "<your_own_value>"
          extport: "<your_own_value>"
          gratuitous_arp_interval: "0"
          gslb_domain_name: "<your_own_value>"
          gslb_hostname: "myhostname"
          gslb_public_ips:
              -
                  index: "<your_own_value>"
                  ip: "<your_own_value>"
          h2_support: "enable"
          h3_support: "enable"
          http_cookie_age: "60"
          http_cookie_domain: "<your_own_value>"
          http_cookie_domain_from_host: "disable"
          http_cookie_generation: "0"
          http_cookie_path: "<your_own_value>"
          http_cookie_share: "disable"
          http_ip_header: "enable"
          http_ip_header_name: "<your_own_value>"
          http_multiplex: "enable"
          http_multiplex_max_concurrent_request: "0"
          http_multiplex_max_request: "0"
          http_multiplex_ttl: "15"
          http_redirect: "enable"
          http_supported_max_version: "http1"
          https_cookie_secure: "disable"
          id: "36"
          ipv6_mappedip: "<your_own_value>"
          ipv6_mappedport: "<your_own_value>"
          ldb_method: "static"
          mapped_addr: "<your_own_value> (source firewall.address.name)"
          mappedip:
              -
                  range: "<your_own_value>"
          mappedport: "<your_own_value>"
          max_embryonic_connections: "1000"
          monitor:
              -
                  name: "default_name_46 (source firewall.ldb-monitor.name)"
          name: "default_name_47"
          nat_source_vip: "disable"
          nat44: "disable"
          nat46: "disable"
          one_click_gslb_server: "disable"
          outlook_web_access: "disable"
          persistence: "none"
          portforward: "disable"
          portmapping_type: "1-to-1"
          protocol: "tcp"
          quic:
              ack_delay_exponent: "3"
              active_connection_id_limit: "2"
              active_migration: "enable"
              grease_quic_bit: "enable"
              max_ack_delay: "25"
              max_datagram_frame_size: "1500"
              max_idle_timeout: "30000"
              max_udp_payload_size: "1500"
          realservers:
              -
                  address: "<your_own_value> (source firewall.address.name)"
                  client_ip: "<your_own_value>"
                  healthcheck: "disable"
                  holddown_interval: "300"
                  http_host: "myhostname"
                  id: "72"
                  ip: "<your_own_value>"
                  max_connections: "0"
                  monitor:
                      -
                          name: "default_name_76 (source firewall.ldb-monitor.name)"
                  port: "0"
                  status: "active"
                  translate_host: "enable"
                  type: "ip"
                  weight: "1"
          server_type: "http"
          service:
              -
                  name: "default_name_84 (source firewall.service.custom.name firewall.service.group.name)"
          src_filter:
              -
                  range: "<your_own_value>"
          srcintf_filter:
              -
                  interface_name: "<your_own_value> (source system.interface.name)"
          ssl_accept_ffdhe_groups: "enable"
          ssl_algorithm: "high"
          ssl_certificate: "<your_own_value> (source vpn.certificate.local.name)"
          ssl_certificate_dict:
              -
                  name: "default_name_93 (source vpn.certificate.local.name)"
          ssl_cipher_suites:
              -
                  cipher: "TLS-AES-128-GCM-SHA256"
                  priority: "<your_own_value>"
                  versions: "ssl-3.0"
          ssl_client_fallback: "disable"
          ssl_client_rekey_count: "0"
          ssl_client_renegotiation: "allow"
          ssl_client_session_state_max: "1000"
          ssl_client_session_state_timeout: "30"
          ssl_client_session_state_type: "disable"
          ssl_dh_bits: "768"
          ssl_hpkp: "disable"
          ssl_hpkp_age: "5184000"
          ssl_hpkp_backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_include_subdomains: "disable"
          ssl_hpkp_primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_report_uri: "<your_own_value>"
          ssl_hsts: "disable"
          ssl_hsts_age: "5184000"
          ssl_hsts_include_subdomains: "disable"
          ssl_http_location_conversion: "enable"
          ssl_http_match_host: "enable"
          ssl_max_version: "ssl-3.0"
          ssl_min_version: "ssl-3.0"
          ssl_mode: "half"
          ssl_pfs: "require"
          ssl_send_empty_frags: "enable"
          ssl_server_algorithm: "high"
          ssl_server_cipher_suites:
              -
                  cipher: "TLS-AES-128-GCM-SHA256"
                  priority: "<your_own_value>"
                  versions: "ssl-3.0"
          ssl_server_max_version: "ssl-3.0"
          ssl_server_min_version: "ssl-3.0"
          ssl_server_renegotiation: "enable"
          ssl_server_session_state_max: "100"
          ssl_server_session_state_timeout: "60"
          ssl_server_session_state_type: "disable"
          status: "disable"
          type: "static-nat"
          uuid: "<your_own_value>"
          weblogic_server: "disable"
          websphere_server: "disable"
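
The generated example above enumerates every parameter with placeholder values (an ssl-3.0 minimum TLS version, 768-bit DH, a cipher list that includes RC4 and DES entries) and is a parameter reference, not a configuration to apply. The playbook below is an added example, not part of the collection's documentation: it builds a server-load-balance VIP for an HTTPS service with TLS 1.2/1.3 only, an explicit AEAD cipher list, forward secrecy required, HSTS and secure cookies, re-encryption to the real servers (ssl_mode full), and then uses the member operation from the Tips section to add a second real server without resending the whole object. The inventory group fortigates, the certificate web-frontend (vpn.certificate.local), the health monitor https-check (firewall.ldb-monitor), the interface port1 and all IP addresses are assumed placeholder names and documentation-range addresses. On FortiOS 7.4.2 and later, replace ssl_certificate with ssl_certificate_dict as noted in the parameter list.

```yaml
---
# Added example, not from the fortinet.fortios collection docs.
# Assumed names: inventory group "fortigates", local certificate
# "web-frontend", health monitor "https-check", external interface "port1".
# 203.0.113.10 and 10.0.0.0/24 are documentation-range placeholders.
- name: Publish an HTTPS service through a hardened server-load-balance VIP
  hosts: fortigates
  connection: httpapi
  gather_facts: false
  vars:
    vdom: "root"
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Create the VIP with TLS 1.2+ only, AEAD cipher suites, HSTS and secure cookies
      fortinet.fortios.fortios_firewall_vip:
        vdom: "{{ vdom }}"
        state: present
        firewall_vip:
          name: "vip-web-frontend"
          type: "server-load-balance"
          server_type: "https"
          extintf: "port1"
          extip: "203.0.113.10"
          extport: "443"
          # Client-facing TLS policy
          ssl_mode: "full"                  # re-encrypt towards the real servers, no plaintext backend leg
          ssl_certificate: "web-frontend"   # ssl_certificate_dict on FortiOS >= 7.4.2
          ssl_min_version: "tls-1.2"
          ssl_max_version: "tls-1.3"
          ssl_algorithm: "custom"           # "custom" makes the explicit suite list below the offered set
          ssl_cipher_suites:
            - priority: 1
              cipher: "TLS-AES-256-GCM-SHA384"
              versions: ["tls-1.3"]
            - priority: 2
              cipher: "TLS-CHACHA20-POLY1305-SHA256"
              versions: ["tls-1.3"]
            - priority: 3
              cipher: "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
              versions: ["tls-1.2"]
            - priority: 4
              cipher: "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
              versions: ["tls-1.2"]
          ssl_pfs: "require"
          ssl_dh_bits: "2048"
          ssl_client_renegotiation: "deny"
          ssl_client_fallback: "enable"     # honour TLS_FALLBACK_SCSV (RFC 7507)
          # Server-facing TLS policy for the re-encrypted leg
          ssl_server_algorithm: "high"
          ssl_server_min_version: "tls-1.2"
          ssl_server_max_version: "tls-1.3"
          # Browser-facing headers and cookie handling
          ssl_hsts: "enable"
          ssl_hsts_age: 31536000
          ssl_hsts_include_subdomains: "enable"
          http_redirect: "enable"           # send plain-HTTP clients to HTTPS
          https_cookie_secure: "enable"     # inserted persistence cookie carries the Secure flag
          persistence: "http-cookie"
          http_cookie_age: 60
          # Load balancing and health checking
          ldb_method: "round-robin"
          monitor:
            - name: "https-check"
          realservers:
            - id: 1
              type: "ip"
              ip: "10.0.0.11"
              port: 8443
              status: "active"
              healthcheck: "vip"            # use the VIP-level monitor
              weight: 1
          status: "enable"

    - name: Add a second real server through the member operation (no full-object resend)
      fortinet.fortios.fortios_firewall_vip:
        vdom: "{{ vdom }}"
        state: present
        member_path: "realservers:id"
        member_state: present
        firewall_vip:
          name: "vip-web-frontend"
          realservers:
            - id: 2
              type: "ip"
              ip: "10.0.0.12"
              port: 8443
              status: "active"
              healthcheck: "vip"
              weight: 1
```

The second task only touches the realservers table of the named VIP: member_path selects the list attribute and its key (realservers:id, as listed in the parameter table), and member_state present adds the entry with that id; member_state absent with the same id would remove it again. Run the play once more after applying it to confirm that the module reports changed: false for both tasks, which verifies the configuration is idempotent and that nothing outside the VIP was rewritten.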

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following fields are unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)
