New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests to the FortiGate must use HTTPS.
password | Default: "" | FortiOS or FortiGate password.
system_settings | Default: null | Configure VDOM settings. The sub-options are listed in the next table.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A VDOM is a virtual instance of the FortiGate that can be configured and used as a separate unit.

Sub-options of system_settings (all optional unless marked):

Parameter | Choices/Defaults | Comments
---|---|---
allow-subnet-overlap | | Enable/disable allowing interface subnets to use overlapping IP addresses.
asymroute | | Enable/disable IPv4 asymmetric routing.
asymroute-icmp | | Enable/disable ICMP asymmetric routing.
asymroute6 | | Enable/disable asymmetric IPv6 routing.
asymroute6-icmp | | Enable/disable asymmetric ICMPv6 routing.
bfd | | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd-desired-min-tx | 1 - 100000 ms, default = 50 | BFD desired minimal transmit interval.
bfd-detect-mult | 1 - 50, default = 3 | BFD detection multiplier.
bfd-dont-enforce-src-port | | Enable to skip verification of the source port of BFD packets.
bfd-required-min-rx | 1 - 100000 ms, default = 50 | BFD required minimal receive interval.
block-land-attack | | Enable/disable blocking of LAND attacks.
central-nat | | Enable/disable central NAT.
comments | | VDOM comments.
compliance-check | | Enable/disable PCI DSS compliance checking.
default-voip-alg-mode | | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.
deny-tcp-with-icmp | | Enable/disable denying TCP by sending an ICMP "communication prohibited" packet.
device | | Interface to use for management access in NAT mode. Source: system.interface.name.
dhcp-proxy | | Enable/disable the DHCP proxy.
dhcp-server-ip | | DHCP server IPv4 address.
dhcp6-server-ip | | DHCPv6 server IPv6 address.
discovered-device-timeout | 1 - 365 days, default = 28 | Timeout for discovered devices.
ecmp-max-paths | 1 - 100, default = 10 | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing.
email-portal-check-dns | | Enable/disable using DNS to validate email addresses collected by a captive portal.
firewall-session-dirty | | Select how to manage sessions affected by firewall policy configuration changes.
fw-session-hairpin | | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
gateway | | Transparent mode IPv4 default gateway IP address.
gateway6 | | Transparent mode IPv6 default gateway IP address.
gui-advanced-policy | | Enable/disable advanced policy configuration on the GUI.
gui-allow-unnamed-policy | | Enable/disable allowing policies without a name on the GUI (disable to require policy naming).
gui-antivirus | | Enable/disable AntiVirus on the GUI.
gui-ap-profile | | Enable/disable FortiAP profiles on the GUI.
gui-application-control | | Enable/disable application control on the GUI.
gui-default-policy-columns | | Default columns to display for policy lists on the GUI. A list of entries, each with the sub-option below.
gui-default-policy-columns / name (required) | | Select column name.
gui-dhcp-advanced | | Enable/disable advanced DHCP options on the GUI.
gui-dlp | | Enable/disable DLP on the GUI.
gui-dns-database | | Enable/disable DNS database settings on the GUI.
gui-dnsfilter | | Enable/disable DNS filtering on the GUI.
gui-domain-ip-reputation | | Enable/disable Domain and IP Reputation on the GUI.
gui-dos-policy | | Enable/disable DoS policies on the GUI.
gui-dynamic-profile-display | | Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
gui-dynamic-routing | | Enable/disable dynamic routing on the GUI.
gui-email-collection | | Enable/disable email collection on the GUI.
gui-endpoint-control | | Enable/disable endpoint control on the GUI.
gui-endpoint-control-advanced | | Enable/disable advanced endpoint control options on the GUI.
gui-explicit-proxy | | Enable/disable the explicit proxy on the GUI.
gui-fortiap-split-tunneling | | Enable/disable FortiAP split tunneling on the GUI.
gui-fortiextender-controller | | Enable/disable FortiExtender on the GUI.
gui-icap | | Enable/disable ICAP on the GUI.
gui-implicit-policy | | Enable/disable implicit firewall policies on the GUI.
gui-ips | | Enable/disable IPS on the GUI.
gui-load-balance | | Enable/disable server load balancing on the GUI.
gui-local-in-policy | | Enable/disable Local-In policies on the GUI.
gui-local-reports | | Enable/disable local reports on the GUI.
gui-multicast-policy | | Enable/disable multicast firewall policies on the GUI.
gui-multiple-interface-policy | | Enable/disable adding multiple interfaces to a policy on the GUI.
gui-multiple-utm-profiles | | Enable/disable multiple UTM profiles on the GUI.
gui-nat46-64 | | Enable/disable NAT46 and NAT64 settings on the GUI.
gui-object-colors | | Enable/disable object colors on the GUI.
gui-policy-based-ipsec | | Enable/disable policy-based IPsec VPN on the GUI.
gui-policy-learning | | Enable/disable firewall policy learning mode on the GUI.
gui-replacement-message-groups | | Enable/disable replacement message groups on the GUI.
gui-spamfilter | | Enable/disable Antispam on the GUI.
gui-sslvpn-personal-bookmarks | | Enable/disable SSL-VPN personal bookmark management on the GUI.
gui-sslvpn-realms | | Enable/disable SSL-VPN realms on the GUI.
gui-switch-controller | | Enable/disable the switch controller on the GUI.
gui-threat-weight | | Enable/disable threat weight on the GUI.
gui-traffic-shaping | | Enable/disable traffic shaping on the GUI.
gui-voip-profile | | Enable/disable VoIP profiles on the GUI.
gui-vpn | | Enable/disable VPN tunnels on the GUI.
gui-waf-profile | | Enable/disable Web Application Firewall on the GUI.
gui-wan-load-balancing | | Enable/disable SD-WAN on the GUI.
gui-wanopt-cache | | Enable/disable WAN Optimization and Web Caching on the GUI.
gui-webfilter | | Enable/disable Web filtering on the GUI.
gui-webfilter-advanced | | Enable/disable advanced web filtering on the GUI.
gui-wireless-controller | | Enable/disable the wireless controller on the GUI.
http-external-dest | | Offload HTTP traffic to FortiWeb or FortiCache.
ike-dn-format | | Configure IKE ASN.1 Distinguished Name format conventions.
ike-quick-crash-detect | | Enable/disable IKE quick crash detection (RFC 6290).
ike-session-resume | | Enable/disable IKEv2 session resumption (RFC 5723).
implicit-allow-dns | | Enable/disable implicitly allowing DNS traffic.
inspection-mode | | Inspection mode (proxy-based or flow-based).
ip | | IP address and netmask.
ip6 | | IPv6 address prefix for NAT mode.
link-down-access | | Enable/disable link down access traffic.
lldp-transmission | | Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM, or apply the global setting to this VDOM.
mac-ttl | 300 - 8640000 sec, default = 300 | Lifetime of learned MAC addresses in Transparent mode.
manageip | | Transparent mode IPv4 management IP address and netmask.
manageip6 | | Transparent mode IPv6 management IP address and netmask.
multicast-forward | | Enable/disable multicast forwarding.
multicast-skip-policy | | Enable/disable allowing multicast traffic through the FortiGate without a policy check.
multicast-ttl-notchange | | Enable/disable preventing the FortiGate from changing the TTL of forwarded multicast packets.
ngfw-mode | | Next Generation Firewall (NGFW) mode.
opmode | | Firewall operation mode (NAT or Transparent).
prp-trailer-action | | Enable/disable the action to take on a PRP trailer.
sccp-port | 0 - 65535, default = 2000 | TCP port the SCCP proxy monitors for SCCP traffic.
ses-denied-traffic | | Enable/disable including denied sessions in the session table.
sip-helper | | Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
sip-nat-trace | | Enable/disable recording the original SIP source IP address when NAT is used.
sip-ssl-port | 0 - 65535, default = 5061 | TCP port the SIP proxy monitors for SIP SSL/TLS traffic.
sip-tcp-port | 0 - 65535, default = 5060 | TCP port the SIP proxy monitors for SIP traffic.
sip-udp-port | 0 - 65535, default = 5060 | UDP port the SIP proxy monitors for SIP traffic.
snat-hairpin-traffic | | Enable/disable source NAT (SNAT) for hairpin traffic.
ssl-ssh-profile | | Profile for SSL/SSH inspection. Source: firewall.ssl-ssh-profile.name.
status | | Enable/disable this VDOM.
strict-src-check | | Enable/disable strict source verification.
tcp-session-without-syn | | Enable/disable allowing TCP sessions without SYN flags.
utf8-spam-tagging | | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
v4-ecmp-mode | | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
vpn-stats-log | | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
vpn-stats-period | 60 - 86400 sec | Period at which VPN log statistics are sent.
wccp-cache-engine | | Enable/disable the WCCP cache engine.
Examples

The generated example below exercises every option once. Its values are placeholders, not a recommended configuration: note the comments on the transport settings and on the toggles that relax inspection.

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""            # empty placeholder; store the real password in ansible-vault
    vdom: "root"
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "False"        # plain HTTP sends the admin credentials in clear text; use "True" outside a lab
      system_settings:
        allow-subnet-overlap: "enable"
        asymroute: "enable"           # asymmetric routing relaxes stateful session checks
        asymroute-icmp: "enable"
        asymroute6: "enable"
        asymroute6-icmp: "enable"
        bfd: "enable"
        bfd-desired-min-tx: "9"
        bfd-detect-mult: "10"
        bfd-dont-enforce-src-port: "enable"
        bfd-required-min-rx: "12"
        block-land-attack: "disable"  # placeholder value; LAND attack blocking should normally stay enabled
        central-nat: "enable"
        comments: "<your_own_value>"
        compliance-check: "enable"
        default-voip-alg-mode: "proxy-based"
        deny-tcp-with-icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp-proxy: "enable"
        dhcp-server-ip: "<your_own_value>"
        dhcp6-server-ip: "<your_own_value>"
        discovered-device-timeout: "23"
        ecmp-max-paths: "24"
        email-portal-check-dns: "disable"
        firewall-session-dirty: "check-all"
        fw-session-hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui-advanced-policy: "enable"
        gui-allow-unnamed-policy: "enable"
        gui-antivirus: "enable"
        gui-ap-profile: "enable"
        gui-application-control: "enable"
        gui-default-policy-columns:
          - name: "default_name_36"
        gui-dhcp-advanced: "enable"
        gui-dlp: "enable"
        gui-dns-database: "enable"
        gui-dnsfilter: "enable"
        gui-domain-ip-reputation: "enable"
        gui-dos-policy: "enable"
        gui-dynamic-profile-display: "enable"
        gui-dynamic-routing: "enable"
        gui-email-collection: "enable"
        gui-endpoint-control: "enable"
        gui-endpoint-control-advanced: "enable"
        gui-explicit-proxy: "enable"
        gui-fortiap-split-tunneling: "enable"
        gui-fortiextender-controller: "enable"
        gui-icap: "enable"
        gui-implicit-policy: "enable"
        gui-ips: "enable"
        gui-load-balance: "enable"
        gui-local-in-policy: "enable"
        gui-local-reports: "enable"
        gui-multicast-policy: "enable"
        gui-multiple-interface-policy: "enable"
        gui-multiple-utm-profiles: "enable"
        gui-nat46-64: "enable"
        gui-object-colors: "enable"
        gui-policy-based-ipsec: "enable"
        gui-policy-learning: "enable"
        gui-replacement-message-groups: "enable"
        gui-spamfilter: "enable"
        gui-sslvpn-personal-bookmarks: "enable"
        gui-sslvpn-realms: "enable"
        gui-switch-controller: "enable"
        gui-threat-weight: "enable"
        gui-traffic-shaping: "enable"
        gui-voip-profile: "enable"
        gui-vpn: "enable"
        gui-waf-profile: "enable"
        gui-wan-load-balancing: "enable"
        gui-wanopt-cache: "enable"
        gui-webfilter: "enable"
        gui-webfilter-advanced: "enable"
        gui-wireless-controller: "enable"
        http-external-dest: "fortiweb"
        ike-dn-format: "with-space"
        ike-quick-crash-detect: "enable"
        ike-session-resume: "enable"
        implicit-allow-dns: "enable"          # DNS passes without an explicit policy
        inspection-mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link-down-access: "enable"
        lldp-transmission: "enable"
        mac-ttl: "89"                 # placeholder; below the documented minimum of 300 sec
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast-forward: "enable"
        multicast-skip-policy: "enable"       # multicast bypasses the policy check
        multicast-ttl-notchange: "enable"
        ngfw-mode: "profile-based"
        opmode: "nat"
        prp-trailer-action: "enable"
        sccp-port: "98"
        ses-denied-traffic: "enable"
        sip-helper: "enable"
        sip-nat-trace: "enable"
        sip-ssl-port: "102"
        sip-tcp-port: "103"
        sip-udp-port: "104"
        snat-hairpin-traffic: "enable"
        ssl-ssh-profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict-src-check: "enable"
        tcp-session-without-syn: "enable"     # accepts TCP mid-stream; defeats stateful inspection
        utf8-spam-tagging: "enable"
        v4-ecmp-mode: "source-ip-based"
        vpn-stats-log: "ipsec"
        vpn-stats-period: "113"
        wccp-cache-engine: "enable"
```
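A pre-flight check that a practitioner would run over the `system_settings` data before a playbook like the one above touches a production VDOM. This is an added example, not code from the Ansible module or from Fortinet: it encodes only the numeric ranges in the parameter table and the documented effect of a handful of toggles (accepting TCP without SYN, skipping policy for multicast, implicit DNS allow, LAND-attack blocking, strict source check, asymmetric routing, BFD source-port enforcement), plus the transport choice (`https`, empty password). The sample dict is constructed from the example playbook, and the function names (`check_ranges`, `check_weakening`, `check_transport`, `hardened`, `preflight`) are this example's own.

```python
"""Offline pre-flight checks for a fortios_system_settings task (added example).

Not part of the Ansible module or of Fortinet's code; it only encodes the ranges
and option descriptions from the parameter table on this page and never talks to
a FortiGate. Run it over the task arguments before the playbook does.
"""

# Documented inclusive numeric ranges, copied from the parameter table.
RANGES = {
    "bfd-desired-min-tx": (1, 100000),
    "bfd-required-min-rx": (1, 100000),
    "bfd-detect-mult": (1, 50),
    "discovered-device-timeout": (1, 365),
    "ecmp-max-paths": (1, 100),
    "mac-ttl": (300, 8640000),
    "sccp-port": (0, 65535),
    "sip-ssl-port": (0, 65535),
    "sip-tcp-port": (0, 65535),
    "sip-udp-port": (0, 65535),
    "vpn-stats-period": (60, 86400),
}

# Toggles whose documented effect bypasses policy or relaxes stateful inspection:
# option -> (value that weakens the VDOM, reason). The safe value is the opposite.
WEAKENING = {
    "tcp-session-without-syn": ("enable", "TCP accepted without SYN: mid-stream packets bypass stateful tracking"),
    "multicast-skip-policy": ("enable", "multicast forwarded without a policy check"),
    "implicit-allow-dns": ("enable", "DNS allowed without an explicit policy"),
    "block-land-attack": ("disable", "LAND attack packets are not blocked"),
    "strict-src-check": ("disable", "strict source verification is off"),
    "asymroute": ("enable", "asymmetric IPv4 routing relaxes per-session state checks"),
    "asymroute6": ("enable", "asymmetric IPv6 routing relaxes per-session state checks"),
    "bfd-dont-enforce-src-port": ("enable", "BFD packets accepted without source-port verification"),
}
FLIP = {"enable": "disable", "disable": "enable"}


def check_ranges(settings):
    """[(option, value, low, high)] for numeric options outside their documented range
    or not parseable as integers at all."""
    bad = []
    for opt, (low, high) in RANGES.items():
        if opt not in settings:
            continue
        raw = settings[opt]
        try:
            ok = low <= int(raw) <= high
        except (TypeError, ValueError):
            ok = False
        if not ok:
            bad.append((opt, raw, low, high))
    return bad


def check_weakening(settings):
    """[(option, reason)] for every toggle set to its weakening value."""
    return [(opt, why) for opt, (risky, why) in WEAKENING.items() if settings.get(opt) == risky]


def check_transport(module_args):
    """Findings about how the module itself reaches the FortiGate."""
    findings = []
    https = module_args.get("https", True)
    if isinstance(https, str):  # a playbook may pass "False"/"no" as a string
        https = https.strip().lower() in ("true", "yes", "on", "1")
    if not https:
        findings.append("https is off: admin username and password travel in clear text")
    if not module_args.get("password"):
        findings.append("empty admin password")
    return findings


def hardened(settings):
    """Copy of settings with every weakening toggle flipped to its safe value.
    Flipping asymroute/asymroute6 is only correct when routing really is symmetric."""
    fixed = dict(settings)
    for opt, (risky, _) in WEAKENING.items():
        if fixed.get(opt) == risky:
            fixed[opt] = FLIP[risky]
    return fixed


def preflight(module_args):
    """Run every check over one fortios_system_settings task's arguments."""
    settings = module_args.get("system_settings") or {}
    return {
        "transport": check_transport(module_args),
        "ranges": check_ranges(settings),
        "weakening": check_weakening(settings),
    }


# Constructed from the example playbook above (only the options the checks inspect).
SAMPLE_ARGS = {
    "host": "192.168.122.40", "username": "admin", "password": "", "https": "False",
    "system_settings": {
        "asymroute": "enable", "asymroute6": "enable",
        "bfd-desired-min-tx": "9", "bfd-detect-mult": "10", "bfd-required-min-rx": "12",
        "bfd-dont-enforce-src-port": "enable", "block-land-attack": "disable",
        "discovered-device-timeout": "23", "ecmp-max-paths": "24",
        "implicit-allow-dns": "enable", "mac-ttl": "89", "multicast-skip-policy": "enable",
        "sccp-port": "98", "sip-ssl-port": "102", "sip-tcp-port": "103", "sip-udp-port": "104",
        "strict-src-check": "enable", "tcp-session-without-syn": "enable",
        "vpn-stats-period": "113",
    },
}

if __name__ == "__main__":
    for section, items in preflight(SAMPLE_ARGS).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the sample, the only range violation is `mac-ttl: "89"` (documented minimum 300 sec), seven toggles come back as weakening, and the transport check reports both plain HTTP and the empty password; `hardened()` returns the same dict with those toggles flipped, which is the form worth feeding back into the playbook after reviewing the asymmetric-routing entries.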
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description | Sample
---|---|---|---
build (string) | always | Build number of the FortiGate image | 1547
http_method (string) | always | Last HTTP method used to provision the content into the FortiGate | PUT
http_status (string) | always | Last result returned by the FortiGate for the last operation applied | 200
mkey (string) | success | Master key (id) used in the last call to the FortiGate | id
name (string) | always | Name of the table used to fulfill the request (the sample is the generic value shared by the FortiOS module docs; for this module the table is system/settings) | urlfilter
path (string) | always | Path of the table used to fulfill the request (generic sample, see name) | webfilter
revision (string) | always | Internal revision number | 17.0.2.10658
serial (string) | always | Serial number of the unit | FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result | success
vdom (string) | always | Virtual domain used | root
version (string) | always | Version of the FortiGate | v5.6.3