fortios_ztna_traffic_forward_proxy – Configure ZTNA traffic forward proxy in Fortinet’s FortiOS and FortiGate.

Added in version 2.0.0.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify ztna feature and traffic_forward_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.15

Tips

Using member operation to add an element to an existing object.

FortiOS Version Compatibility

Supported Version Ranges: v7.6.0

Parameters

  • access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
  • enable_log - Enable/Disable logging for task. type: bool required: false default: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • member_path - Member attribute path to operate on. type: str
  • member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
  • state - Indicates whether to create or remove the object. type: str required: true choices: present, absent
  • ztna_traffic_forward_proxy - Configure ZTNA traffic forward proxy. type: dict more...
    • auth_portal - Enable/disable authentication portal. type: str choices: disable, enable more...
    • client_cert - Enable/disable to request client certificate. type: str choices: disable, enable more...
    • comment - Comment. type: str more...
    • empty_cert_action - Action of an empty client certificate. type: str choices: accept, block, accept-unmanageable more...
    • h3_support - Enable/disable HTTP3/QUIC support . type: str choices: enable, disable more...
    • interface - interface name Source system.interface.name. type: str more...
    • log_blocked_traffic - Enable/disable logging of blocked traffic. type: str choices: enable, disable more...
    • name - Traffic forward proxy name type: str required: true more...
    • port - Accept incoming traffic on one or more ports (0 - 65535). type: str more...
    • quic - QUIC setting. type: dict more...
      • ack_delay_exponent - ACK delay exponent (1 - 20). type: int more...
      • active_connection_id_limit - Active connection ID limit (1 - 8). type: int more...
      • active_migration - Enable/disable active migration . type: str choices: enable, disable more...
      • grease_quic_bit - Enable/disable grease QUIC bit . type: str choices: enable, disable more...
      • max_ack_delay - Maximum ACK delay in milliseconds (1 - 16383). type: int more...
      • max_datagram_frame_size - Maximum datagram frame size in bytes (1 - 1500). type: int more...
      • max_idle_timeout - Maximum idle timeout milliseconds (1 - 60000). type: int more...
      • max_udp_payload_size - Maximum UDP payload size in bytes (1200 - 1500). type: int more...
    • ssl_accept_ffdhe_groups - Enable/disable FFDHE cipher suite for SSL key exchange. type: str choices: enable, disable more...
    • ssl_algorithm - Permitted encryption algorithms for SSL sessions according to encryption strength. type: str choices: high, medium, low, custom more...
    • ssl_certificate - Name of the certificate to use for SSL handshake. type: list member_path: ssl_certificate:name more...
      • name - Certificate list. Source vpn.certificate.local.name. type: str required: true more...
    • ssl_cipher_suites - SSL/TLS cipher suites acceptable from a client, ordered by priority. type: list member_path: ssl_cipher_suites:priority more...
      • cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
      • priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
      • versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_client_fallback - Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). type: str choices: disable, enable more...
    • ssl_client_rekey_count - Maximum length of data in MB before triggering a client rekey (0 = disable). type: int more...
    • ssl_client_renegotiation - Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. type: str choices: allow, deny, secure more...
    • ssl_client_session_state_max - Maximum number of client to FortiProxy SSL session states to keep. type: int more...
    • ssl_client_session_state_timeout - Number of minutes to keep client to FortiProxy SSL session state. type: int more...
    • ssl_client_session_state_type - How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. type: str choices: disable, time, count, both more...
    • ssl_dh_bits - Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation . type: str choices: 768, 1024, 1536, 2048, 3072, 4096 more...
    • ssl_hpkp - Enable/disable including HPKP header in response. type: str choices: disable, enable, report-only more...
    • ssl_hpkp_age - Number of seconds the client should honor the HPKP setting. type: int more...
    • ssl_hpkp_backup - Certificate to generate backup HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. type: str more...
    • ssl_hpkp_include_subdomains - Indicate that HPKP header applies to all subdomains. type: str choices: disable, enable more...
    • ssl_hpkp_primary - Certificate to generate primary HPKP pin from. Source vpn.certificate.local.name vpn.certificate.ca.name. type: str more...
    • ssl_hpkp_report_uri - URL to report HPKP violations to. type: str more...
    • ssl_hsts - Enable/disable including HSTS header in response. type: str choices: disable, enable more...
    • ssl_hsts_age - Number of seconds the client should honor the HSTS setting. type: int more...
    • ssl_hsts_include_subdomains - Indicate that HSTS header applies to all subdomains. type: str choices: disable, enable more...
    • ssl_http_location_conversion - Enable to replace HTTP with HTTPS in the reply"s Location HTTP header field. type: str choices: enable, disable more...
    • ssl_http_match_host - Enable/disable HTTP host matching for location conversion. type: str choices: enable, disable more...
    • ssl_max_version - Highest SSL/TLS version acceptable from a client. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_min_version - Lowest SSL/TLS version acceptable from a client. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_mode - Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). type: str choices: half, full more...
    • ssl_pfs - Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. type: str choices: require, deny, allow more...
    • ssl_send_empty_frags - Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. type: str choices: enable, disable more...
    • ssl_server_algorithm - Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. type: str choices: high, medium, low, custom, client more...
    • ssl_server_cipher_suites - SSL/TLS cipher suites to offer to a server, ordered by priority. type: list member_path: ssl_server_cipher_suites:priority more...
      • cipher - Cipher suite name. type: str choices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256, TLS-DHE-RSA-WITH-AES-128-CBC-SHA, TLS-DHE-RSA-WITH-AES-256-CBC-SHA, TLS-DHE-RSA-WITH-AES-128-CBC-SHA256, TLS-DHE-RSA-WITH-AES-128-GCM-SHA256, TLS-DHE-RSA-WITH-AES-256-CBC-SHA256, TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, TLS-DHE-DSS-WITH-AES-128-CBC-SHA, TLS-DHE-DSS-WITH-AES-256-CBC-SHA, TLS-DHE-DSS-WITH-AES-128-CBC-SHA256, TLS-DHE-DSS-WITH-AES-128-GCM-SHA256, TLS-DHE-DSS-WITH-AES-256-CBC-SHA256, TLS-DHE-DSS-WITH-AES-256-GCM-SHA384, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA, TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-AES-128-CBC-SHA, TLS-RSA-WITH-AES-256-CBC-SHA, TLS-RSA-WITH-AES-128-CBC-SHA256, TLS-RSA-WITH-AES-128-GCM-SHA256, TLS-RSA-WITH-AES-256-CBC-SHA256, TLS-RSA-WITH-AES-256-GCM-SHA384, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA, TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256, TLS-DHE-RSA-WITH-SEED-CBC-SHA, TLS-DHE-DSS-WITH-SEED-CBC-SHA, TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256, TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384, TLS-RSA-WITH-SEED-CBC-SHA, TLS-RSA-WITH-ARIA-128-CBC-SHA256, TLS-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256, TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384, TLS-ECDHE-RSA-WITH-RC4-128-SHA, TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA, TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-3DES-EDE-CBC-SHA, TLS-RSA-WITH-RC4-128-MD5, TLS-RSA-WITH-RC4-128-SHA, TLS-DHE-RSA-WITH-DES-CBC-SHA, TLS-DHE-DSS-WITH-DES-CBC-SHA, TLS-RSA-WITH-DES-CBC-SHA more...
      • priority - SSL/TLS cipher suites priority. see Notes. type: int required: true more...
      • versions - SSL/TLS versions that the cipher suite can be used with. type: list choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3 more...
    • ssl_server_max_version - Highest SSL/TLS version acceptable from a server. Use the client setting by default. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3, client more...
    • ssl_server_min_version - Lowest SSL/TLS version acceptable from a server. Use the client setting by default. type: str choices: ssl-3.0, tls-1.0, tls-1.1, tls-1.2, tls-1.3, client more...
    • ssl_server_renegotiation - Enable/disable secure renegotiation to comply with RFC 5746. type: str choices: enable, disable more...
    • ssl_server_session_state_max - Maximum number of FortiGate to Server SSL session states to keep. type: int more...
    • ssl_server_session_state_timeout - Number of minutes to keep FortiGate to Server SSL session state. type: int more...
    • ssl_server_session_state_type - How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. type: str choices: disable, time, count, both more...
    • status - Enable/disable the traffic forward proxy for ZTNA traffic. type: str choices: enable, disable more...
    • svr_pool_multiplex - Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway. type: str choices: enable, disable more...
    • svr_pool_server_max_concurrent_request - Maximum number of concurrent requests that servers in server pool could handle . type: int more...
    • svr_pool_server_max_request - Maximum number of requests that servers in server pool handle before disconnecting . type: int more...
    • svr_pool_ttl - Time-to-live in the server pool for idle connections to servers. type: int more...
    • user_agent_detect - Enable/disable to detect device type by HTTP user-agent if no client certificate provided. type: str choices: disable, enable more...

Notes

Note

  • Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

  • The module supports check_mode.

Examples

- name: Configure ZTNA traffic forward proxy.
  fortinet.fortios.fortios_ztna_traffic_forward_proxy:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      ztna_traffic_forward_proxy:
          auth_portal: "disable"
          client_cert: "disable"
          comment: "Comment."
          empty_cert_action: "accept"
          h3_support: "enable"
          interface: "<your_own_value> (source system.interface.name)"
          log_blocked_traffic: "enable"
          name: "default_name_10"
          port: "<your_own_value>"
          quic:
              ack_delay_exponent: "3"
              active_connection_id_limit: "2"
              active_migration: "enable"
              grease_quic_bit: "enable"
              max_ack_delay: "25"
              max_datagram_frame_size: "1500"
              max_idle_timeout: "30000"
              max_udp_payload_size: "1500"
          ssl_accept_ffdhe_groups: "enable"
          ssl_algorithm: "high"
          ssl_certificate:
              -
                  name: "default_name_24 (source vpn.certificate.local.name)"
          ssl_cipher_suites:
              -
                  cipher: "TLS-AES-128-GCM-SHA256"
                  priority: "<you_own_value>"
                  versions: "ssl-3.0"
          ssl_client_fallback: "disable"
          ssl_client_rekey_count: "0"
          ssl_client_renegotiation: "allow"
          ssl_client_session_state_max: "1000"
          ssl_client_session_state_timeout: "30"
          ssl_client_session_state_type: "disable"
          ssl_dh_bits: "768"
          ssl_hpkp: "disable"
          ssl_hpkp_age: "5184000"
          ssl_hpkp_backup: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_include_subdomains: "disable"
          ssl_hpkp_primary: "<your_own_value> (source vpn.certificate.local.name vpn.certificate.ca.name)"
          ssl_hpkp_report_uri: "<your_own_value>"
          ssl_hsts: "disable"
          ssl_hsts_age: "5184000"
          ssl_hsts_include_subdomains: "disable"
          ssl_http_location_conversion: "enable"
          ssl_http_match_host: "enable"
          ssl_max_version: "ssl-3.0"
          ssl_min_version: "ssl-3.0"
          ssl_mode: "half"
          ssl_pfs: "require"
          ssl_send_empty_frags: "enable"
          ssl_server_algorithm: "high"
          ssl_server_cipher_suites:
              -
                  cipher: "TLS-AES-128-GCM-SHA256"
                  priority: "<you_own_value>"
                  versions: "ssl-3.0"
          ssl_server_max_version: "ssl-3.0"
          ssl_server_min_version: "ssl-3.0"
          ssl_server_renegotiation: "enable"
          ssl_server_session_state_max: "100"
          ssl_server_session_state_timeout: "60"
          ssl_server_session_state_type: "disable"
          status: "enable"
          svr_pool_multiplex: "enable"
          svr_pool_server_max_concurrent_request: "0"
          svr_pool_server_max_request: "0"
          svr_pool_ttl: "15"
          user_agent_detect: "disable"

Return Values

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

  • build - Build number of the fortigate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Hongbin Lu (@fgtdev-hblu)

  • Frank Shen (@frankshen01)

  • Miguel Angel Munoz (@mamunozgonzalez)

  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.