New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments | ||
---|---|---|---|---|
firewall_proxy_policy
-
|
Default: null
|
Configure proxy policies.
|
||
action
-
|
|
Accept or deny traffic matching the policy parameters.
|
||
application-list
-
|
Name of an existing Application list. Source application.list.name.
|
|||
av-profile
-
|
Name of an existing Antivirus profile. Source antivirus.profile.name.
|
|||
comments
-
|
Optional comments.
|
|||
disclaimer
-
|
|
Web proxy disclaimer setting: by domain, policy, or user.
|
||
dlp-sensor
-
|
Name of an existing DLP sensor. Source dlp.sensor.name.
|
|||
dstaddr
-
|
Destination address objects.
|
|||
name
-
/ required
|
Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name.
|
|||
dstaddr-negate
-
|
|
When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
|
||
dstaddr6
-
|
IPv6 destination address objects.
|
|||
name
-
/ required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall.vipgrp64.name system.external-resource.name.
|
|||
dstintf
-
|
Destination interface names.
|
|||
name
-
/ required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
global-label
-
|
Global web-based manager visible label.
|
|||
groups
-
|
Names of group objects.
|
|||
name
-
/ required
|
Group name. Source user.group.name.
|
|||
http-tunnel-auth
-
|
|
Enable/disable HTTP tunnel authentication.
|
||
icap-profile
-
|
Name of an existing ICAP profile. Source icap.profile.name.
|
|||
internet-service
-
|
|
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
|
||
internet-service-custom
-
|
Custom Internet Service name.
|
|||
name
-
/ required
|
Custom name. Source firewall.internet-service-custom.name.
|
|||
internet-service-id
-
|
Internet Service ID.
|
|||
id
-
/ required
|
Internet Service ID. Source firewall.internet-service.id.
|
|||
internet-service-negate
-
|
|
When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
|
||
ips-sensor
-
|
Name of an existing IPS sensor. Source ips.sensor.name.
|
|||
label
-
|
VDOM-specific GUI visible label.
|
|||
logtraffic
-
|
|
Enable/disable logging traffic through the policy.
|
||
logtraffic-start
-
|
|
Enable/disable policy log traffic start.
|
||
policyid
-
/ required
|
Policy ID.
|
|||
poolname
-
|
Name of IP pool object.
|
|||
name
-
/ required
|
IP pool name. Source firewall.ippool.name.
|
|||
profile-group
-
|
Name of profile group. Source firewall.profile-group.name.
|
|||
profile-protocol-options
-
|
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
|
|||
profile-type
-
|
|
Determine whether the firewall policy allows security profile groups or single profiles only.
|
||
proxy
-
|
|
Type of explicit proxy.
|
||
redirect-url
-
|
Redirect URL for further explicit web proxy processing.
|
|||
replacemsg-override-group
-
|
Authentication replacement message override group. Source system.replacemsg-group.name.
|
|||
scan-botnet-connections
-
|
|
Enable/disable scanning of connections to Botnet servers.
|
||
schedule
-
|
Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
|
|||
service
-
|
Name of service objects.
|
|||
name
-
/ required
|
Service name. Source firewall.service.custom.name firewall.service.group.name.
|
|||
service-negate
-
|
|
When enabled, services match against any service EXCEPT the specified destination services.
|
||
session-ttl
-
|
TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
|
|||
spamfilter-profile
-
|
Name of an existing Spam filter profile. Source spamfilter.profile.name.
|
|||
srcaddr
-
|
Source address objects (must be set when using Web proxy).
|
|||
name
-
/ required
|
Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name.
|
|||
srcaddr-negate
-
|
|
When enabled, source addresses match against any address EXCEPT the specified source addresses.
|
||
srcaddr6
-
|
IPv6 source address objects.
|
|||
name
-
/ required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
|
|||
srcintf
-
|
Source interface names.
|
|||
name
-
/ required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
ssh-filter-profile
-
|
Name of an existing SSH filter profile. Source ssh-filter.profile.name.
|
|||
ssl-ssh-profile
-
|
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
|
|||
state
-
|
|
Indicates whether to create or remove the object
|
||
status
-
|
|
Enable/disable the active status of the policy.
|
||
transparent
-
|
|
Enable to use the IP address of the client to connect to the server.
|
||
users
-
|
Names of user objects.
|
|||
name
-
/ required
|
Group name. Source user.local.name.
|
|||
utm-status
-
|
|
Enable the use of UTM profiles/sensors/lists.
|
||
uuid
-
|
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
|
|||
waf-profile
-
|
Name of an existing Web application firewall profile. Source waf.profile.name.
|
|||
webcache
-
|
|
Enable/disable web caching.
|
||
webcache-https
-
|
|
Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
|
||
webfilter-profile
-
|
Name of an existing Web filter profile. Source webfilter.profile.name.
|
|||
webproxy-forward-server
-
|
Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
|
|||
webproxy-profile
-
|
Name of web proxy profile. Source web-proxy.profile.name.
|
|||
host
-
/ required
|
FortiOS or FortiGate ip address.
|
|||
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol
|
||
password
-
|
Default: ""
|
FortiOS or FortiGate password.
|
||
username
-
/ required
|
FortiOS or FortiGate username.
|
|||
vdom
-
|
Default: "root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
Note
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure proxy policies.
fortios_firewall_proxy_policy:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
firewall_proxy_policy:
state: "present"
action: "accept"
application-list: "<your_own_value> (source application.list.name)"
av-profile: "<your_own_value> (source antivirus.profile.name)"
comments: "<your_own_value>"
disclaimer: "disable"
dlp-sensor: "<your_own_value> (source dlp.sensor.name)"
dstaddr:
-
name: "default_name_10 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip
.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)"
dstaddr-negate: "enable"
dstaddr6:
-
name: "default_name_13 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall
.vipgrp64.name system.external-resource.name)"
dstintf:
-
name: "default_name_15 (source system.interface.name system.zone.name)"
global-label: "<your_own_value>"
groups:
-
name: "default_name_18 (source user.group.name)"
http-tunnel-auth: "enable"
icap-profile: "<your_own_value> (source icap.profile.name)"
internet-service: "enable"
internet-service-custom:
-
name: "default_name_23 (source firewall.internet-service-custom.name)"
internet-service-id:
-
id: "25 (source firewall.internet-service.id)"
internet-service-negate: "enable"
ips-sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
logtraffic: "all"
logtraffic-start: "enable"
policyid: "31"
poolname:
-
name: "default_name_33 (source firewall.ippool.name)"
profile-group: "<your_own_value> (source firewall.profile-group.name)"
profile-protocol-options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile-type: "single"
proxy: "explicit-web"
redirect-url: "<your_own_value>"
replacemsg-override-group: "<your_own_value> (source system.replacemsg-group.name)"
scan-botnet-connections: "disable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
service:
-
name: "default_name_43 (source firewall.service.custom.name firewall.service.group.name)"
service-negate: "enable"
session-ttl: "45"
spamfilter-profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_48 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system
.external-resource.name)"
srcaddr-negate: "enable"
srcaddr6:
-
name: "default_name_51 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
srcintf:
-
name: "default_name_53 (source system.interface.name system.zone.name)"
ssh-filter-profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
transparent: "enable"
users:
-
name: "default_name_59 (source user.local.name)"
utm-status: "enable"
uuid: "<your_own_value>"
waf-profile: "<your_own_value> (source waf.profile.name)"
webcache: "enable"
webcache-https: "disable"
webfilter-profile: "<your_own_value> (source webfilter.profile.name)"
webproxy-forward-server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
webproxy-profile: "<your_own_value> (source web-proxy.profile.name)"
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
status
string
|
always |
Indication of the operation's result
Sample:
success
|
vdom
string
|
always |
Virtual domain used
Sample:
root
|
version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Hint
If you notice any issues in this documentation you can edit this document to improve it.