:source: fortios_vpn_certificate_setting.py
:orphan:
.. fortios_vpn_certificate_setting:
fortios_vpn_certificate_setting -- VPN certificate setting in Fortinet's FortiOS and FortiGate.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.. versionadded:: 2.0.0
.. contents::
:local:
:depth: 1
Synopsis
--------
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_certificate feature and setting category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
------------
The below requirements are needed on the host that executes this module.
- ansible>=2.16
Tips
----
Using member operation to add an element to an existing object.
FortiOS Version Compatibility
-----------------------------
Supported Version Ranges: v6.0.0 -> v7.6.6
Parameters
----------
.. raw:: html
- access_token - Token-based authentication. Generated from GUI of Fortigate. type: str required: false
- enable_log - Enable/Disable logging for task. type: bool required: false default: False
- vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
- member_path - Member attribute path to operate on. type: str
- member_state - Add or delete a member under specified attribute path. type: str choices: present, absent
- vpn_certificate_setting - VPN certificate setting. type: dict
more...
| Supported Version Ranges |
| vpn_certificate_setting |
v6.0.0 -> 7.6.6 |
- cert_expire_warning - Number of days before a certificate expires to send a warning. Set to 0 to disable sending of the warning (0 - 100). type: int
more...
|
Supported Version Ranges |
| cert_expire_warning |
v7.2.1 -> 7.6.6 |
- certname_dsa1024 - 1024 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_dsa1024 |
v6.0.0 -> 7.6.6 |
- certname_dsa2048 - 2048 bit DSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_dsa2048 |
v6.0.0 -> 7.6.6 |
- certname_ecdsa256 - 256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_ecdsa256 |
v6.0.0 -> 7.6.6 |
- certname_ecdsa384 - 384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_ecdsa384 |
v6.0.0 -> 7.6.6 |
- certname_ecdsa521 - 521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_ecdsa521 |
v6.2.0 -> 7.6.6 |
- certname_ed25519 - 253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_ed25519 |
v6.2.0 -> 7.6.6 |
- certname_ed448 - 456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_ed448 |
v6.2.0 -> 7.6.6 |
- certname_rsa1024 - 1024 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_rsa1024 |
v6.0.0 -> 7.6.6 |
- certname_rsa2048 - 2048 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_rsa2048 |
v6.0.0 -> 7.6.6 |
- certname_rsa4096 - 4096 bit RSA key certificate for re-signing server certificates for SSL inspection. Source vpn.certificate.local.name. type: str
more...
|
Supported Version Ranges |
| certname_rsa4096 |
v6.2.0 -> 7.6.6 |
- check_ca_cert - Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . type: str choices: enable, disable
more...
|
Supported Version Ranges |
| check_ca_cert |
v6.0.0 -> 7.6.6 |
| [enable] |
v6.0.0 -> 7.6.6 |
| [disable] |
v6.0.0 -> 7.6.6 |
- check_ca_chain - Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . type: str choices: enable, disable
more...
|
Supported Version Ranges |
| check_ca_chain |
v6.0.0 -> 7.6.6 |
| [enable] |
v6.0.0 -> 7.6.6 |
| [disable] |
v6.0.0 -> 7.6.6 |
- cmp_key_usage_checking - Enable/disable server certificate key usage checking in CMP mode . type: str choices: enable, disable
more...
|
Supported Version Ranges |
| cmp_key_usage_checking |
v6.0.0 -> v6.0.0 |
v6.0.11 -> v6.2.0 |
v6.2.5 -> 7.6.6 |
| [enable] |
v6.0.0 -> v6.0.0 |
| [disable] |
v6.0.0 -> v6.0.0 |
- cmp_save_extra_certs - Enable/disable saving extra certificates in CMP mode . type: str choices: enable, disable
more...
|
Supported Version Ranges |
| cmp_save_extra_certs |
v6.0.0 -> 7.6.6 |
| [enable] |
v6.0.0 -> 7.6.6 |
| [disable] |
v6.0.0 -> 7.6.6 |
- cn_allow_multi - When searching for a matching certificate, allow multiple CN fields in certificate subject name . type: str choices: disable, enable
more...
|
Supported Version Ranges |
| cn_allow_multi |
v7.0.1 -> 7.6.6 |
| [disable] |
v7.0.1 -> 7.6.6 |
| [enable] |
v7.0.1 -> 7.6.6 |
- cn_match - When searching for a matching certificate, control how to do CN value matching with certificate subject name . type: str choices: substring, value
more...
|
Supported Version Ranges |
| cn_match |
v6.0.0 -> 7.6.6 |
| [substring] |
v6.0.0 -> 7.6.6 |
| [value] |
v6.0.0 -> 7.6.6 |
- crl_verification - CRL verification options. type: dict
more...
| Supported Version Ranges |
| crl_verification |
v7.0.1 -> 7.6.6 |
- chain_crl_absence - CRL verification option when CRL of any certificate in chain is absent . type: str choices: ignore, revoke
more...
|
Supported Version Ranges |
| chain_crl_absence |
v7.0.1 -> 7.6.6 |
| [ignore] |
v7.0.1 -> 7.6.6 |
| [revoke] |
v7.0.1 -> 7.6.6 |
- expiry - CRL verification option when CRL is expired . type: str choices: ignore, revoke
more...
|
Supported Version Ranges |
| expiry |
v7.0.1 -> 7.6.6 |
| [ignore] |
v7.0.1 -> 7.6.6 |
| [revoke] |
v7.0.1 -> 7.6.6 |
- leaf_crl_absence - CRL verification option when leaf CRL is absent . type: str choices: ignore, revoke
more...
|
Supported Version Ranges |
| leaf_crl_absence |
v7.0.1 -> 7.6.6 |
| [ignore] |
v7.0.1 -> 7.6.6 |
| [revoke] |
v7.0.1 -> 7.6.6 |
- interface - Specify outgoing interface to reach server. Source system.interface.name. type: str
more...
|
Supported Version Ranges |
| interface |
v6.2.0 -> v6.2.0 |
v6.2.5 -> v6.4.0 |
v6.4.4 -> 7.6.6 |
- interface_select_method - Specify how to select outgoing interface to reach server. type: str choices: auto, sdwan, specify
more...
|
Supported Version Ranges |
| interface_select_method |
v6.2.0 -> v6.2.0 |
v6.2.5 -> v6.4.0 |
v6.4.4 -> 7.6.6 |
| [auto] |
v6.2.0 -> v6.2.0 |
| [sdwan] |
v6.2.0 -> v6.2.0 |
| [specify] |
v6.2.0 -> v6.2.0 |
- ocsp_default_server - Default OCSP server. Source vpn.certificate.ocsp-server.name. type: str
more...
|
Supported Version Ranges |
| ocsp_default_server |
v6.0.0 -> 7.6.6 |
- ocsp_option - Specify whether the OCSP URL is from certificate or configured OCSP server. type: str choices: certificate, server
more...
|
Supported Version Ranges |
| ocsp_option |
v6.2.0 -> 7.6.6 |
| [certificate] |
v6.2.0 -> 7.6.6 |
| [server] |
v6.2.0 -> 7.6.6 |
- ocsp_status - Enable/disable receiving certificates using the OCSP. type: str choices: enable, mandatory, disable
more...
|
Supported Version Ranges |
| ocsp_status |
v6.0.0 -> 7.6.6 |
| [enable] |
v6.0.0 -> 7.6.6 |
| [mandatory] |
v7.4.2 -> 7.6.6 |
| [disable] |
v6.0.0 -> 7.6.6 |
- proxy - Proxy server FQDN or IP for OCSP/CA queries during certificate verification. type: str
more...
|
Supported Version Ranges |
| proxy |
v7.2.4 -> 7.6.6 |
- proxy_password - Proxy server password. type: str
more...
|
Supported Version Ranges |
| proxy_password |
v7.2.4 -> 7.6.6 |
- proxy_port - Proxy server port (1 - 65535). type: int
more...
|
Supported Version Ranges |
| proxy_port |
v7.2.4 -> 7.6.6 |
- proxy_username - Proxy server user name. type: str
more...
|
Supported Version Ranges |
| proxy_username |
v7.2.4 -> 7.6.6 |
- source_ip - Source IP address for dynamic AIA and OCSP queries. type: str
more...
|
Supported Version Ranges |
| source_ip |
v7.4.0 -> 7.6.6 |
- ssl_min_proto_version - Minimum supported protocol version for SSL/TLS connections . type: str choices: default, SSLv3, TLSv1, TLSv1-1, TLSv1-2, TLSv1-3
more...
|
Supported Version Ranges |
| ssl_min_proto_version |
v6.0.0 -> 7.6.6 |
| [default] |
v6.0.0 -> 7.6.6 |
| [SSLv3] |
v6.0.0 -> 7.6.6 |
| [TLSv1] |
v6.0.0 -> 7.6.6 |
| [TLSv1-1] |
v6.0.0 -> 7.6.6 |
| [TLSv1-2] |
v6.0.0 -> 7.6.6 |
| [TLSv1-3] |
v7.4.1 -> 7.6.6 |
- ssl_ocsp_option - Specify whether the OCSP URL is from the certificate or the default OCSP server. type: str choices: certificate, server
more...
|
Supported Version Ranges |
| ssl_ocsp_option |
v6.0.0 -> v6.0.11 |
| [certificate] |
v6.0.0 -> v6.0.11 |
| [server] |
v6.0.0 -> v6.0.11 |
- ssl_ocsp_source_ip - Source IP address to use to communicate with the OCSP server. type: str
more...
|
Supported Version Ranges |
| ssl_ocsp_source_ip |
v6.2.0 -> v6.2.0 |
v6.2.5 -> v7.2.4 |
- ssl_ocsp_status - Enable/disable SSL OCSP. type: str choices: enable, disable
more...
|
Supported Version Ranges |
| ssl_ocsp_status |
v6.0.0 -> v6.0.11 |
| [enable] |
v6.0.0 -> v6.0.11 |
| [disable] |
v6.0.0 -> v6.0.11 |
- strict_crl_check - Enable/disable strict mode CRL checking. type: str choices: enable, disable
more...
|
Supported Version Ranges |
| strict_crl_check |
v6.0.0 -> v7.0.0 |
| [enable] |
v6.0.0 -> v7.0.0 |
| [disable] |
v6.0.0 -> v7.0.0 |
- strict_ocsp_check - Enable/disable strict mode OCSP checking. type: str choices: enable, disable
more...
|
Supported Version Ranges |
| strict_ocsp_check |
v6.0.0 -> 7.6.6 |
| [enable] |
v6.0.0 -> 7.6.6 |
| [disable] |
v6.0.0 -> 7.6.6 |
- subject_match - When searching for a matching certificate, control how to do RDN value matching with certificate subject name . type: str choices: substring, value
more...
|
Supported Version Ranges |
| subject_match |
v6.0.0 -> 7.6.6 |
| [substring] |
v6.0.0 -> 7.6.6 |
| [value] |
v6.0.0 -> 7.6.6 |
- subject_set - When searching for a matching certificate, control how to do RDN set matching with certificate subject name . type: str choices: subset, superset
more...
|
Supported Version Ranges |
| subject_set |
v7.0.1 -> 7.6.6 |
| [subset] |
v7.0.1 -> 7.6.6 |
| [superset] |
v7.0.1 -> 7.6.6 |
- vrf_select - VRF ID used for connection to server. type: int
more...
|
Supported Version Ranges |
| vrf_select |
v7.6.1 -> 7.6.6 |
Notes
-----
.. note::
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
- The module supports check_mode.
Examples
--------
.. code-block:: yaml+jinja
- name: VPN certificate setting.
fortinet.fortios.fortios_vpn_certificate_setting:
vdom: "{{ vdom }}"
vpn_certificate_setting:
cert_expire_warning: "14"
certname_dsa1024: " (source vpn.certificate.local.name)"
certname_dsa2048: " (source vpn.certificate.local.name)"
certname_ecdsa256: " (source vpn.certificate.local.name)"
certname_ecdsa384: " (source vpn.certificate.local.name)"
certname_ecdsa521: " (source vpn.certificate.local.name)"
certname_ed25519: " (source vpn.certificate.local.name)"
certname_ed448: " (source vpn.certificate.local.name)"
certname_rsa1024: " (source vpn.certificate.local.name)"
certname_rsa2048: " (source vpn.certificate.local.name)"
certname_rsa4096: " (source vpn.certificate.local.name)"
check_ca_cert: "enable"
check_ca_chain: "enable"
cmp_key_usage_checking: "enable"
cmp_save_extra_certs: "enable"
cn_allow_multi: "disable"
cn_match: "substring"
crl_verification:
chain_crl_absence: "ignore"
expiry: "ignore"
leaf_crl_absence: "ignore"
interface: " (source system.interface.name)"
interface_select_method: "auto"
ocsp_default_server: " (source vpn.certificate.ocsp-server.name)"
ocsp_option: "certificate"
ocsp_status: "enable"
proxy: ""
proxy_password: ""
proxy_port: "8080"
proxy_username: ""
source_ip: "84.230.14.43"
ssl_min_proto_version: "default"
ssl_ocsp_option: "certificate"
ssl_ocsp_source_ip: ""
ssl_ocsp_status: "enable"
strict_crl_check: "enable"
strict_ocsp_check: "enable"
subject_match: "substring"
subject_set: "subset"
vrf_select: "0"
Return Values
-------------
Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:
.. raw:: html
- build - Build number of the fortigate image returned: always type: str sample: 1547
- http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
- http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
- mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
- name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
- path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
- revision - Internal revision number returned: always type: str sample: 17.0.2.10658
- serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
- status - Indication of the operation's result returned: always type: str sample: success
- vdom - Virtual domain used returned: always type: str sample: root
- version - Version of the FortiGate returned: always type: str sample: v5.6.3
Status
------
- This module is not guaranteed to have a backwards compatible interface.
Authors
-------
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
.. hint::
If you notice any issues in this documentation, you can create a pull request to improve it.