:source: fortios_firewall_ssl_ssh_profile.py

:orphan:

.. _fortios_firewall_ssl_ssh_profile:

fortios_firewall_ssl_ssh_profile -- Configure SSL/SSH protocol options in Fortinet's FortiOS and FortiGate.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.. versionadded:: 2.0.0

.. contents::
   :local:
   :depth: 1

Synopsis
--------

- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the firewall feature and ssl_ssh_profile category. Examples include all parameters; values need to be adjusted to datasources before usage.

Tested with FOS v6.0.0

Requirements
------------

The below requirements are needed on the host that executes this module.

- ansible>=2.16

Tips
----

Using member operation to add an element to an existing object.

FortiOS Version Compatibility
-----------------------------

Supported Version Ranges: v6.0.0 -> v7.6.6

Parameters
----------

Notes
-----

.. note::

   - Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
   - The module supports check_mode.

Examples
--------

.. code-block:: yaml+jinja

    - name: Configure SSL/SSH protocol options.
      fortinet.fortios.fortios_firewall_ssl_ssh_profile:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: ""
        firewall_ssl_ssh_profile:
          allowlist: "enable"
          block_blacklisted_certificates: "disable"
          block_blocklisted_certificates: "disable"
          caname: " (source vpn.certificate.local.name vpn.certificate.hsm-local.name)"
          comment: "Optional comments."
          dot:
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            proxy_after_tcp_handshake: "enable"
            quic: "inspect"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            udp_not_quic: "allow"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_server_cert: "allow"
          ech_outer_sni:
            - name: "default_name_24"
              sni: ""
          ftps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            ports: ""
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          https:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            encrypted_client_hello: "allow"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            ports: ""
            proxy_after_tcp_handshake: "enable"
            quic: "inspect"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            udp_not_quic: "allow"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          imaps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: ""
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          mapi_over_https: "enable"
          name: "default_name_89"
          pop3s:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: ""
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          rpc_over_https: "enable"
          server_cert:
            - name: "default_name_111 (source vpn.certificate.local.name)"
          server_cert_mode: "re-sign"
          smtps:
            allow_invalid_server_cert: "enable"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            expired_server_cert: "allow"
            invalid_server_cert: "allow"
            ports: ""
            proxy_after_tcp_handshake: "enable"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            status: "disable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssh:
            inspect_all: "disable"
            ports: ""
            proxy_after_tcp_handshake: "enable"
            ssh_algorithm: "compatible"
            ssh_policy_check: "disable"
            ssh_tun_policy_check: "disable"
            status: "disable"
            unsupported_version: "bypass"
          ssl:
            allow_invalid_server_cert: "enable"
            cert_probe_failure: "allow"
            cert_validation_failure: "allow"
            cert_validation_timeout: "allow"
            client_cert_request: "bypass"
            client_certificate: "bypass"
            encrypted_client_hello: "allow"
            expired_server_cert: "allow"
            inspect_all: "disable"
            invalid_server_cert: "allow"
            min_allowed_ssl_version: "ssl-3.0"
            revoked_server_cert: "allow"
            sni_server_cert_check: "enable"
            unsupported_ssl: "bypass"
            unsupported_ssl_cipher: "allow"
            unsupported_ssl_negotiation: "allow"
            unsupported_ssl_version: "allow"
            untrusted_cert: "allow"
            untrusted_server_cert: "allow"
          ssl_anomalies_log: "disable"
          ssl_anomaly_log: "disable"
          ssl_exempt:
            - address: " (source firewall.address.name firewall.addrgrp.name)"
              address6: " (source firewall.address6.name firewall.addrgrp6.name)"
              fortiguard_category: "0"
              id: "167"
              regex: ""
              type: "fortiguard-category"
              wildcard_fqdn: " (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
          ssl_exemption_ip_rating: "enable"
          ssl_exemption_log: "disable"
          ssl_exemptions_log: "disable"
          ssl_handshake_log: "disable"
          ssl_negotiation_log: "disable"
          ssl_server:
            - ftps_client_cert_request: "bypass"
              ftps_client_certificate: "bypass"
              https_client_cert_request: "bypass"
              https_client_certificate: "bypass"
              id: "181"
              imaps_client_cert_request: "bypass"
              imaps_client_certificate: "bypass"
              ip: ""
              pop3s_client_cert_request: "bypass"
              pop3s_client_certificate: "bypass"
              smtps_client_cert_request: "bypass"
              smtps_client_certificate: "bypass"
              ssl_other_client_cert_request: "bypass"
              ssl_other_client_certificate: "bypass"
          ssl_server_cert_log: "disable"
          supported_alpn: "http1-1"
          untrusted_caname: " (source vpn.certificate.local.name vpn.certificate.hsm-local.name)"
          use_ssl_server: "disable"
          whitelist: "enable"

Return Values
-------------

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
- **build** - Build number of the fortigate image (returned: always; type: str; sample: ``1547``)
- **http_method** - Last method used to provision the content into FortiGate (returned: always; type: str; sample: ``PUT``)
- **http_status** - Last result given by FortiGate on last operation applied (returned: always; type: str; sample: ``200``)
- **mkey** - Master key (id) used in the last call to FortiGate (returned: success; type: str; sample: ``id``)
- **name** - Name of the table used to fulfill the request (returned: always; type: str; sample: ``urlfilter``)
- **path** - Path of the table used to fulfill the request (returned: always; type: str; sample: ``webfilter``)
- **revision** - Internal revision number (returned: always; type: str; sample: ``17.0.2.10658``)
- **serial** - Serial number of the unit (returned: always; type: str; sample: ``FGVMEVYYQT3AB5352``)
- **status** - Indication of the operation's result (returned: always; type: str; sample: ``success``)
- **vdom** - Virtual domain used (returned: always; type: str; sample: ``root``)
- **version** - Version of the FortiGate (returned: always; type: str; sample: ``v5.6.3``)
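The module example in the Examples section sets every certificate-validation outcome (``untrusted_server_cert``, ``expired_server_cert``, ``revoked_server_cert``, ``cert_validation_failure``) to ``allow`` and ``min_allowed_ssl_version`` to ``ssl-3.0``, so a profile built from it as-is would inspect traffic but never fail closed on a bad server certificate or a downgraded handshake. The playbook below is an added example, not part of this module documentation or of the fortinet.fortios collection, showing the same parameters set to a fail-closed deep-inspection posture with the relevant logs enabled. It uses only parameter names documented on this page; the values ``block``, ``tls-1.2`` and ``deep-inspection`` are assumed from the FortiOS ``ssl-ssh-profile`` CLI options rather than taken from the page and should be checked against the target FortiOS version, and the inventory group, CA name and profile name are placeholders.

```yaml
# Added example, not from the module documentation or the fortinet.fortios
# collection. Hardened, fail-closed SSL/SSH deep-inspection profile.
# Assumed values: "block", "tls-1.2", "deep-inspection" (from the FortiOS
# ssl-ssh-profile CLI; verify against your FortiOS version).
- name: Create a fail-closed SSL/SSH deep-inspection profile
  hosts: fortigates                      # placeholder inventory group
  connection: httpapi                    # preferred transport (see Notes)
  vars:
    vdom: "root"
    inspection_ca: "my-inspection-ca"    # placeholder: a CA in vpn.certificate.local
  tasks:
    - name: Configure strict SSL/SSH inspection profile
      fortinet.fortios.fortios_firewall_ssl_ssh_profile:
        vdom: "{{ vdom }}"
        state: "present"
        firewall_ssl_ssh_profile:
          name: "deep-inspect-strict"         # placeholder profile name
          comment: "Deep inspection; block invalid server certificates"
          server_cert_mode: "re-sign"         # re-sign server certs with our CA
          caname: "{{ inspection_ca }}"
          # The page's example leaves these "disable"; enable them so blocked
          # handshakes and exemption hits reach the log pipeline.
          ssl_anomalies_log: "enable"
          ssl_exemptions_log: "enable"
          ssl_handshake_log: "enable"
          ssl_server_cert_log: "enable"
          ssl:
            inspect_all: "deep-inspection"    # applies to all SSL ports
            min_allowed_ssl_version: "tls-1.2"
            unsupported_ssl_version: "block"
            unsupported_ssl_cipher: "block"
            unsupported_ssl_negotiation: "block"
            # Certificate outcomes: fail closed instead of "allow"
            untrusted_server_cert: "block"
            expired_server_cert: "block"
            revoked_server_cert: "block"
            cert_validation_failure: "block"
            cert_validation_timeout: "block"
            sni_server_cert_check: "enable"   # SNI must match the server cert
          ssh:
            status: "deep-inspection"
            ports: "22"
            ssh_policy_check: "enable"
            unsupported_version: "block"
```

Run the play once with ``--check`` before applying it, since the module supports check_mode, and pair a profile like this with ``ssl_exempt`` entries for destinations that pin certificates or must not be re-signed; with the certificate outcomes set to ``block``, a misconfiguration shows up as failed connections rather than as log lines, which is the point, but it means the exemption list has to be maintained deliberately.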
Status
------

- This module is not guaranteed to have a backwards compatible interface.

Authors
-------

- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)

.. hint::

   If you notice any issues in this documentation, you can create a pull request to improve it.