fortios_system_fortiguard – Configure FortiGuard services in Fortinet’s FortiOS and FortiGate.

New in version 2.0.0.

Synopsis

  • This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the system feature and fortiguard category. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.15

Tips

Use the member operation to add an element to an existing object.

FortiOS Version Compatibility

Supported Version Ranges: v6.0.0 -> 7.4.3

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • system_fortiguard - Configure FortiGuard services. type: dict
    • antispam_cache - Enable/disable FortiGuard antispam request caching. Uses a small amount of memory but improves performance. type: str choices: enable, disable
    • antispam_cache_mpercent - Maximum percentage of FortiGate memory the antispam cache is allowed to use (1 - 15). type: int
    • antispam_cache_mpermille - Maximum permille of FortiGate memory the antispam cache is allowed to use (1 - 150). type: int
    • antispam_cache_ttl - Time-to-live for antispam cache entries in seconds (300 - 86400). Lower times reduce the cache size. Higher times may improve performance since the cache will have more entries. type: int
    • antispam_expiration - Expiration date of the FortiGuard antispam contract. type: int
    • antispam_force_off - Enable/disable turning off the FortiGuard antispam service. type: str choices: enable, disable
    • antispam_license - Interval of time between license checks for the FortiGuard antispam contract. type: int
    • antispam_timeout - Antispam query time out (1 - 30 sec). type: int
    • anycast_sdns_server_ip - IP address of the FortiGuard anycast DNS rating server. type: str
    • anycast_sdns_server_port - Port to connect to on the FortiGuard anycast DNS rating server. type: int
    • auto_firmware_upgrade - Enable/disable automatic patch-level firmware upgrade from FortiGuard. The FortiGate unit searches for new patches only in the same major and minor version. type: str choices: enable, disable
    • auto_firmware_upgrade_day - Allowed day(s) of the week to install an automatic patch-level firmware upgrade from FortiGuard. Disallow any day of the week to use auto-firmware-upgrade-delay instead, which waits for designated days before installing an automatic patch-level firmware upgrade. type: list choices: sunday, monday, tuesday, wednesday, thursday, friday, saturday
    • auto_firmware_upgrade_delay - Delay of day(s) before installing an automatic patch-level firmware upgrade from FortiGuard. type: int
    • auto_firmware_upgrade_end_hour - End time in the designated time window for automatic patch-level firmware upgrade from FortiGuard in 24 hour time (0 ~ 23). When the end time is smaller than the start time, the end time is interpreted as the next day. The actual upgrade time is selected randomly within the time window. type: int
    • auto_firmware_upgrade_start_hour - Start time in the designated time window for automatic patch-level firmware upgrade from FortiGuard in 24 hour time (0 ~ 23). The actual upgrade time is selected randomly within the time window. type: int
    • auto_join_forticloud - Automatically connect to and login to FortiCloud. type: str choices: enable, disable
    • ddns_server_ip - IP address of the FortiDDNS server. type: str
    • ddns_server_ip6 - IPv6 address of the FortiDDNS server. type: str
    • ddns_server_port - Port used to communicate with FortiDDNS servers. type: int
    • FDS_license_expiring_days - Threshold for number of days before FortiGuard license expiration to generate license expiring event log (1 - 100 days). type: int
    • fortiguard_anycast - Enable/disable use of FortiGuard's Anycast network. type: str choices: enable, disable
    • fortiguard_anycast_source - Configure which of Fortinet's servers to provide FortiGuard services in FortiGuard's anycast network. Default is Fortinet. type: str choices: fortinet, aws, debug
    • interface - Specify outgoing interface to reach server. Source system.interface.name. type: str
    • interface_select_method - Specify how to select outgoing interface to reach server. type: str choices: auto, sdwan, specify
    • load_balance_servers - Number of servers to alternate between as first FortiGuard option. type: int
    • outbreak_prevention_cache - Enable/disable FortiGuard Virus Outbreak Prevention cache. type: str choices: enable, disable
    • outbreak_prevention_cache_mpercent - Maximum percent of memory FortiGuard Virus Outbreak Prevention cache can use (1 - 15%). type: int
    • outbreak_prevention_cache_mpermille - Maximum permille of memory FortiGuard Virus Outbreak Prevention cache can use (1 - 150 permille). type: int
    • outbreak_prevention_cache_ttl - Time-to-live for FortiGuard Virus Outbreak Prevention cache entries (300 - 86400 sec). type: int
    • outbreak_prevention_expiration - Expiration date of FortiGuard Virus Outbreak Prevention contract. type: int
    • outbreak_prevention_force_off - Turn off FortiGuard Virus Outbreak Prevention service. type: str choices: enable, disable
    • outbreak_prevention_license - Interval of time between license checks for FortiGuard Virus Outbreak Prevention contract. type: int
    • outbreak_prevention_timeout - FortiGuard Virus Outbreak Prevention time out (1 - 30 sec). type: int
    • persistent_connection - Enable/disable use of persistent connection to receive update notification from FortiGuard. type: str choices: enable, disable
    • port - Port used to communicate with the FortiGuard servers. type: str choices: 8888, 53, 80, 443
    • protocol - Protocol used to communicate with the FortiGuard servers. type: str choices: udp, http, https
    • proxy_password - Proxy user password. type: str
    • proxy_server_ip - Hostname or IPv4 address of the proxy server. type: str
    • proxy_server_port - Port used to communicate with the proxy server. type: int
    • proxy_username - Proxy user name. type: str
    • sandbox_inline_scan - Enable/disable FortiCloud Sandbox inline-scan. type: str choices: enable, disable
    • sandbox_region - FortiCloud Sandbox region. type: str
    • sdns_options - Customization options for the FortiGuard DNS service. type: list choices: include-question-section
    • sdns_server_ip - IP address of the FortiGuard DNS rating server. type: list
    • sdns_server_port - Port to connect to on the FortiGuard DNS rating server. type: int
    • service_account_id - Service account ID. type: str
    • source_ip - Source IPv4 address used to communicate with FortiGuard. type: str
    • source_ip6 - Source IPv6 address used to communicate with FortiGuard. type: str
    • update_build_proxy - Enable/disable proxy dictionary rebuild. type: str choices: enable, disable
    • update_dldb - Enable/disable DLP signature update. type: str choices: enable, disable
    • update_extdb - Enable/disable external resource update. type: str choices: enable, disable
    • update_ffdb - Enable/disable Internet Service Database update. type: str choices: enable, disable
    • update_server_location - Location from which to receive FortiGuard updates. type: str choices: automatic, usa, eu, any
    • update_uwdb - Enable/disable allowlist update. type: str choices: enable, disable
    • vdom - FortiGuard Service virtual domain name. Source system.vdom.name. type: str
    • videofilter_expiration - Expiration date of the FortiGuard video filter contract. type: int
    • videofilter_license - Interval of time between license checks for the FortiGuard video filter contract. type: int
    • webfilter_cache - Enable/disable FortiGuard web filter caching. type: str choices: enable, disable
    • webfilter_cache_ttl - Time-to-live for web filter cache entries in seconds (300 - 86400). type: int
    • webfilter_expiration - Expiration date of the FortiGuard web filter contract. type: int
    • webfilter_force_off - Enable/disable turning off the FortiGuard web filtering service. type: str choices: enable, disable
    • webfilter_license - Interval of time between license checks for the FortiGuard web filter contract. type: int
    • webfilter_timeout - Web filter query time out (1 - 30 sec). type: int

Notes

  • Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- name: Configure FortiGuard services.
  fortinet.fortios.fortios_system_fortiguard:
      vdom: "{{ vdom }}"
      system_fortiguard:
          antispam_cache: "enable"
          antispam_cache_mpercent: "2"
          antispam_cache_mpermille: "1"
          antispam_cache_ttl: "1800"
          antispam_expiration: "0"
          antispam_force_off: "enable"
          antispam_license: "4294967295"
          antispam_timeout: "7"
          anycast_sdns_server_ip: "<your_own_value>"
          anycast_sdns_server_port: "853"
          auto_firmware_upgrade: "enable"
          auto_firmware_upgrade_day: "sunday"
          auto_firmware_upgrade_delay: "3"
          auto_firmware_upgrade_end_hour: "4"
          auto_firmware_upgrade_start_hour: "1"
          auto_join_forticloud: "enable"
          ddns_server_ip: "<your_own_value>"
          ddns_server_ip6: "<your_own_value>"
          ddns_server_port: "443"
          FDS_license_expiring_days: "15"
          fortiguard_anycast: "enable"
          fortiguard_anycast_source: "fortinet"
          interface: "<your_own_value> (source system.interface.name)"
          interface_select_method: "auto"
          load_balance_servers: "1"
          outbreak_prevention_cache: "enable"
          outbreak_prevention_cache_mpercent: "2"
          outbreak_prevention_cache_mpermille: "1"
          outbreak_prevention_cache_ttl: "300"
          outbreak_prevention_expiration: "0"
          outbreak_prevention_force_off: "enable"
          outbreak_prevention_license: "4294967295"
          outbreak_prevention_timeout: "7"
          persistent_connection: "enable"
          port: "8888"
          protocol: "udp"
          proxy_password: "<your_own_value>"
          proxy_server_ip: "<your_own_value>"
          proxy_server_port: "0"
          proxy_username: "<your_own_value>"
          sandbox_inline_scan: "enable"
          sandbox_region: "<your_own_value>"
          sdns_options: "include-question-section"
          sdns_server_ip: "<your_own_value>"
          sdns_server_port: "53"
          service_account_id: "<your_own_value>"
          source_ip: "84.230.14.43"
          source_ip6: "<your_own_value>"
          update_build_proxy: "enable"
          update_dldb: "enable"
          update_extdb: "enable"
          update_ffdb: "enable"
          update_server_location: "automatic"
          update_uwdb: "enable"
          vdom: "<your_own_value> (source system.vdom.name)"
          videofilter_expiration: "0"
          videofilter_license: "4294967295"
          webfilter_cache: "enable"
          webfilter_cache_ttl: "3600"
          webfilter_expiration: "0"
          webfilter_force_off: "enable"
          webfilter_license: "4294967295"
          webfilter_timeout: "15"
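
The task above sets every parameter, including the three `*_force_off: "enable"` values, which turn the corresponding FortiGuard services off. The following pre-flight check is an added example, not part of the module or the fortinet.fortios collection: it validates a `system_fortiguard` dict against the ranges and choices documented in the parameter list and flags any `*_force_off` set to `enable`. The names `lint_fortiguard`, `RANGES`, `CHOICES` and `SAMPLE` are hypothetical.

```python
# Added example: pre-flight lint for a system_fortiguard dict (not collection code).
# Ranges and choices are copied from the parameter list on this page.
RANGES = {
    "antispam_cache_mpercent": (1, 15),
    "antispam_cache_mpermille": (1, 150),
    "antispam_cache_ttl": (300, 86400),
    "antispam_timeout": (1, 30),
    "auto_firmware_upgrade_start_hour": (0, 23),
    "auto_firmware_upgrade_end_hour": (0, 23),
    "FDS_license_expiring_days": (1, 100),
    "outbreak_prevention_cache_mpercent": (1, 15),
    "outbreak_prevention_cache_mpermille": (1, 150),
    "outbreak_prevention_cache_ttl": (300, 86400),
    "outbreak_prevention_timeout": (1, 30),
    "webfilter_cache_ttl": (300, 86400),
    "webfilter_timeout": (1, 30),
}
CHOICES = {
    "port": {"8888", "53", "80", "443"},
    "protocol": {"udp", "http", "https"},
    "update_server_location": {"automatic", "usa", "eu", "any"},
    "fortiguard_anycast_source": {"fortinet", "aws", "debug"},
}


def lint_fortiguard(cfg):
    """Return a sorted list of (key, problem) findings for a system_fortiguard dict."""
    findings = []
    for key, value in cfg.items():
        if key in RANGES:
            lo, hi = RANGES[key]
            try:
                ok = lo <= int(value) <= hi  # playbooks often quote integers
            except (TypeError, ValueError):
                ok = False
            if not ok:
                findings.append((key, f"must be an integer in {lo}-{hi}, got {value!r}"))
        elif key in CHOICES and str(value) not in CHOICES[key]:
            findings.append((key, f"{value!r} not in {sorted(CHOICES[key])}"))
        elif key.endswith("_force_off") and value == "enable":
            # For these keys, 'enable' turns the FortiGuard service OFF.
            findings.append((key, "service is switched off"))
    return sorted(findings)


# Constructed sample: a few keys from the task above plus two out-of-spec values.
SAMPLE = {"antispam_force_off": "enable", "webfilter_force_off": "disable",
          "webfilter_timeout": "15", "antispam_cache_ttl": "60",
          "protocol": "tcp", "port": "8888"}
```

Run `lint_fortiguard` on the `system_fortiguard` mapping loaded from the playbook or vars file before the task is applied, and fail the pipeline on any finding that was not intended.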

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values. The following fields are unique to this module:

  • build - Build number of the FortiGate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)
