:source: fortios_vpn_ssl_settings.py
:orphan:
.. fortios_vpn_ssl_settings:
fortios_vpn_ssl_settings -- Configure Agentless VPN in Fortinet's FortiOS and FortiGate.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.. versionadded:: 2.0.0
.. contents::
:local:
:depth: 1
Synopsis
--------
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
------------
The below requirements are needed on the host that executes this module.
- ansible>=2.16
Tips
----
Using member operation to add an element to an existing object.
FortiOS Version Compatibility
-----------------------------
Supported Version Ranges: v6.0.0 -> v7.6.6
Parameters
----------
.. raw:: html
access_token - Token-based authentication. Generated from GUI of Fortigate. type: strrequired: false
enable_log - Enable/Disable logging for task. type: boolrequired: falsedefault: False
vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: strdefault: root
member_path - Member attribute path to operate on. type: str
member_state - Add or delete a member under specified attribute path. type: strchoices: present, absent
algorithm - Force the Agentless VPN security level. High allows only high. Medium allows medium and high. Low allows any. type: strchoices: high, medium, default, low more...
Supported Version Ranges
algorithm
v6.0.0 -> 7.6.6
[high]
v6.0.0 -> 7.6.6
[medium]
v6.0.0 -> 7.6.6
[default]
v6.0.0 -> 7.6.6
[low]
v6.0.0 -> 7.6.6
auth_session_check_source_ip - Enable/disable checking of source IP for authentication session. type: strchoices: enable, disable more...
Supported Version Ranges
auth_session_check_source_ip
v6.2.0 -> 7.6.6
[enable]
v6.2.0 -> 7.6.6
[disable]
v6.2.0 -> 7.6.6
auth_timeout - Agentless VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout). type: int more...
user_peer - Name of user peer. Source user.peer.name. type: str more...
Supported Version Ranges
user_peer
v6.2.0 -> 7.6.6
users - User name. type: listmember_path: authentication_rule:id/users:name more...
Supported Version Ranges
users
v6.0.0 -> 7.6.6
name - User name. Source user.local.name. type: strrequired: true more...
Supported Version Ranges
name
v6.0.0 -> 7.6.6
auto_tunnel_static_route - Enable/disable to auto-create static routes for the SSL-VPN tunnel IP addresses. type: strchoices: enable, disable more...
Supported Version Ranges
auto_tunnel_static_route
v6.0.0 -> v7.6.2
[enable]
v6.0.0 -> v7.6.2
[disable]
v6.0.0 -> v7.6.2
banned_cipher - Select one or more cipher technologies that cannot be used in Agentless VPN negotiations. Only applies to TLS 1.2 and below. type: listchoices: RSA, DHE, ECDHE, DSS, ECDSA, AES, AESGCM, CAMELLIA, 3DES, SHA1, SHA256, SHA384, STATIC, CHACHA20, ARIA, AESCCM, DH, ECDH more...
Supported Version Ranges
banned_cipher
v6.0.0 -> 7.6.6
[RSA]
v6.0.0 -> 7.6.6
[DHE]
v6.0.0 -> 7.6.6
[ECDHE]
v6.0.0 -> 7.6.6
[DSS]
v6.0.0 -> 7.6.6
[ECDSA]
v6.0.0 -> 7.6.6
[AES]
v6.0.0 -> 7.6.6
[AESGCM]
v6.0.0 -> 7.6.6
[CAMELLIA]
v6.0.0 -> 7.6.6
[3DES]
v6.0.0 -> 7.6.6
[SHA1]
v6.0.0 -> 7.6.6
[SHA256]
v6.0.0 -> 7.6.6
[SHA384]
v6.0.0 -> 7.6.6
[STATIC]
v6.0.0 -> 7.6.6
[CHACHA20]
v7.0.0 -> 7.6.6
[ARIA]
v7.0.0 -> 7.6.6
[AESCCM]
v7.0.0 -> 7.6.6
[DH]
v6.0.0 -> v6.0.11
[ECDH]
v6.0.0 -> v6.0.11
browser_language_detection - Enable/disable overriding the configured system language based on the preferred language of the browser. type: strchoices: enable, disable more...
Supported Version Ranges
browser_language_detection
v7.2.0 -> 7.6.6
[enable]
v7.2.0 -> 7.6.6
[disable]
v7.2.0 -> 7.6.6
check_referer - Enable/disable verification of referer field in HTTP request header. type: strchoices: enable, disable more...
Supported Version Ranges
check_referer
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
ciphersuite - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below. type: listchoices: TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256, TLS-AES-128-CCM-SHA256, TLS-AES-128-CCM-8-SHA256 more...
Supported Version Ranges
ciphersuite
v7.0.0 -> 7.6.6
[TLS-AES-128-GCM-SHA256]
v7.0.0 -> 7.6.6
[TLS-AES-256-GCM-SHA384]
v7.0.0 -> 7.6.6
[TLS-CHACHA20-POLY1305-SHA256]
v7.0.0 -> 7.6.6
[TLS-AES-128-CCM-SHA256]
v7.0.0 -> 7.6.6
[TLS-AES-128-CCM-8-SHA256]
v7.0.0 -> 7.6.6
client_sigalgs - Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only. type: strchoices: no-rsa-pss, all more...
http_compression - Enable/disable to allow HTTP compression over Agentless VPN connections. type: strchoices: enable, disable more...
Supported Version Ranges
http_compression
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
http_only_cookie - Enable/disable Agentless VPN support for HttpOnly cookies. type: strchoices: enable, disable more...
Supported Version Ranges
http_only_cookie
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
http_request_body_timeout - Agentless VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec). type: int more...
Supported Version Ranges
http_request_body_timeout
v6.0.0 -> 7.6.6
http_request_header_timeout - Agentless VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec). type: int more...
Supported Version Ranges
http_request_header_timeout
v6.0.0 -> 7.6.6
https_redirect - Enable/disable redirect of port 80 to Agentless VPN port. type: strchoices: enable, disable more...
Supported Version Ranges
https_redirect
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
idle_timeout - Agentless VPN disconnects if idle for specified time in seconds. type: int more...
Supported Version Ranges
idle_timeout
v6.0.0 -> 7.6.6
ipv6_dns_server1 - IPv6 DNS server 1. type: str more...
Supported Version Ranges
ipv6_dns_server1
v6.0.0 -> v7.6.2
ipv6_dns_server2 - IPv6 DNS server 2. type: str more...
Supported Version Ranges
ipv6_dns_server2
v6.0.0 -> v7.6.2
ipv6_wins_server1 - IPv6 WINS server 1. type: str more...
Supported Version Ranges
ipv6_wins_server1
v6.0.0 -> v7.6.2
ipv6_wins_server2 - IPv6 WINS server 2. type: str more...
Supported Version Ranges
ipv6_wins_server2
v6.0.0 -> v7.6.2
login_attempt_limit - Agentless VPN maximum login attempt times before block (0 - 10). type: int more...
Supported Version Ranges
login_attempt_limit
v6.0.0 -> 7.6.6
login_block_time - Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec). type: int more...
Supported Version Ranges
login_block_time
v6.0.0 -> 7.6.6
login_timeout - Agentless VPN maximum login timeout (10 - 180 sec). type: int more...
Supported Version Ranges
login_timeout
v6.0.0 -> 7.6.6
port - Agentless VPN access port (1 - 65535). type: int more...
Supported Version Ranges
port
v6.0.0 -> 7.6.6
port_precedence - Enable/disable, Enable means that if Agentless VPN connections are allowed on an interface admin GUI connections are blocked on that interface. type: strchoices: enable, disable more...
Supported Version Ranges
port_precedence
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
remote_https_cert_check - Configure how the FortiGate unit checks and responds to the remote HTTPS server"s certificate . type: strchoices: no-check, warn-on-error, reject-on-error more...
Supported Version Ranges
remote_https_cert_check
v7.6.5 -> 7.6.6
[no-check]
v7.6.5 -> 7.6.6
[warn-on-error]
v7.6.5 -> 7.6.6
[reject-on-error]
v7.6.5 -> 7.6.6
reqclientcert - Enable/disable to require client certificates for all Agentless VPN users. type: strchoices: enable, disable more...
Supported Version Ranges
reqclientcert
v6.0.0 -> 7.6.6
[enable]
v6.0.0 -> 7.6.6
[disable]
v6.0.0 -> 7.6.6
route_source_interface - Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface. type: strchoices: enable, disable more...
Supported Version Ranges
route_source_interface
v6.0.0 -> v6.2.7
[enable]
v6.0.0 -> v6.2.7
[disable]
v6.0.0 -> v6.2.7
saml_redirect_port - SAML local redirect port in the machine running FortiClient (0 - 65535). 0 is to disable redirection on FGT side. type: int more...
Supported Version Ranges
saml_redirect_port
v7.0.1 -> v7.6.2
server_hostname - Server hostname for HTTPS. When set, will be used for Agentless VPN web proxy host header for any redirection. type: str more...
Supported Version Ranges
server_hostname
v7.4.0 -> 7.6.6
servercert - Name of the server certificate to be used for Agentless VPNs. Source vpn.certificate.local.name. type: str more...
ssl_client_renegotiation - Enable/disable to allow client renegotiation by the server if the tunnel goes down. type: strchoices: disable, enable more...
transform_backward_slashes - Transform backward slashes to forward slashes in URLs. type: strchoices: enable, disable more...
Supported Version Ranges
transform_backward_slashes
v6.4.0 -> 7.6.6
[enable]
v6.4.0 -> 7.6.6
[disable]
v6.4.0 -> 7.6.6
tunnel_addr_assigned_method - Method used for assigning address for tunnel. type: strchoices: first-available, round-robin more...
Supported Version Ranges
tunnel_addr_assigned_method
v7.0.0 -> v7.6.2
[first-available]
v7.0.0 -> v7.6.2
[round-robin]
v7.0.0 -> v7.6.2
tunnel_connect_without_reauth - Enable/disable tunnel connection without re-authorization if previous connection dropped. type: strchoices: enable, disable more...
Supported Version Ranges
tunnel_connect_without_reauth
v6.2.0 -> v7.6.2
[enable]
v6.2.0 -> v7.6.2
[disable]
v6.2.0 -> v7.6.2
tunnel_ip_pools - Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: listmember_path: tunnel_ip_pools:name more...
tunnel_ipv6_pools - Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients. type: listmember_path: tunnel_ipv6_pools:name more...
tunnel_user_session_timeout - Number of seconds after which user sessions are cleaned up after tunnel connection is dropped (1 - 86400). type: int more...
build - Build number of the fortigate image returned: alwaystype: strsample: 1547
http_method - Last method used to provision the content into FortiGate returned: alwaystype: strsample: PUT
http_status - Last result given by FortiGate on last operation applied returned: alwaystype: strsample: 200
mkey - Master key (id) used in the last call to FortiGate returned: successtype: strsample: id
name - Name of the table used to fulfill the request returned: alwaystype: strsample: urlfilter
path - Path of the table used to fulfill the request returned: alwaystype: strsample: webfilter
revision - Internal revision number returned: alwaystype: strsample: 17.0.2.10658
serial - Serial number of the unit returned: alwaystype: strsample: FGVMEVYYQT3AB5352
status - Indication of the operation's result returned: alwaystype: strsample: success
vdom - Virtual domain used returned: alwaystype: strsample: root
version - Version of the FortiGate returned: alwaystype: strsample: v5.6.3
Status
------
- This module is not guaranteed to have a backwards compatible interface.
Authors
-------
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
.. hint::
If you notice any issues in this documentation, you can create a pull request to improve it.