New in version 2.8.
The requirements below are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests towards the FortiGate must use HTTPS. With HTTPS off, the admin credentials and the pushed configuration travel in cleartext.
password | Default: "" | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
vpn_ssl_settings | Default: null | Configure SSL VPN. Sub-options are listed in the next table.

Sub-options of vpn_ssl_settings:

Parameter | Choices/Defaults | Comments
---|---|---
auth-timeout | | SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
authentication-rule | | Authentication rules for SSL VPN (list; the fields of each entry are described in the table that follows).
auto-tunnel-static-route | | Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
banned-cipher | | Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
check-referer | | Enable/disable verification of the Referer field in the HTTP request header (a CSRF mitigation for the web portal).
default-portal | | Default SSL VPN portal. Source vpn.ssl.web.portal.name.
deflate-compression-level | | Compression level (0 - 9).
deflate-min-data-size | | Minimum amount of data that triggers compression (200 - 65535 bytes).
dns-server1 | | DNS server 1.
dns-server2 | | DNS server 2.
dns-suffix | | DNS suffix used for SSL-VPN clients.
dtls-hello-timeout | | SSL-VPN maximum DTLS hello timeout (10 - 60 sec, default = 10).
dtls-tunnel | | Enable DTLS for the tunnel to prevent eavesdropping, tampering, or message forgery.
force-two-factor-auth | | Enable to force two-factor authentication for all SSL-VPNs.
header-x-forwarded-for | | Forward unchanged, add, or remove the HTTP X-Forwarded-For header.
http-compression | | Enable to allow HTTP compression over SSL-VPN tunnels.
http-only-cookie | | Enable/disable SSL-VPN support for HttpOnly cookies (keeps the session cookie out of reach of page scripts).
http-request-body-timeout | | SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec, default = 20).
http-request-header-timeout | | SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec, default = 20).
https-redirect | | Enable/disable redirect of port 80 to the SSL-VPN port.
idle-timeout | | SSL VPN disconnects if idle for the specified time in seconds.
ipv6-dns-server1 | | IPv6 DNS server 1.
ipv6-dns-server2 | | IPv6 DNS server 2.
ipv6-wins-server1 | | IPv6 WINS server 1.
ipv6-wins-server2 | | IPv6 WINS server 2.
login-attempt-limit | | SSL VPN maximum login attempts before block (0 - 10, default = 2, 0 = no limit, which leaves password guessing unthrottled).
login-block-time | | Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60).
login-timeout | | SSL-VPN maximum login timeout (10 - 180 sec, default = 30).
port | | SSL-VPN access port (1 - 65535).
port-precedence | | Enable means that if SSL-VPN connections are allowed on an interface, admin GUI connections are blocked on that interface.
reqclientcert | | Enable to require client certificates for all SSL-VPN users.
route-source-interface | | Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
servercert | | Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
source-address | | Source addresses of incoming traffic (list; each entry has a required name, source firewall.address.name firewall.addrgrp.name).
source-address-negate | | Enable/disable negated source address match.
source-address6 | | IPv6 source addresses of incoming traffic (list; each entry has a required name, source firewall.address6.name firewall.addrgrp6.name).
source-address6-negate | | Enable/disable negated source IPv6 address match.
source-interface | | SSL VPN source interfaces of incoming traffic (list; each entry has a required name, source system.interface.name system.zone.name).
ssl-client-renegotiation | | Enable to allow client renegotiation by the server if the tunnel goes down.
ssl-insert-empty-fragment | | Enable/disable insertion of an empty fragment.
tlsv1-0 | | Enable/disable TLSv1.0 (deprecated by RFC 8996; keep disabled unless a legacy client requires it).
tlsv1-1 | | Enable/disable TLSv1.1 (deprecated by RFC 8996).
tlsv1-2 | | Enable/disable TLSv1.2.
tunnel-ip-pools | | Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients (list; each entry has a required name, source firewall.address.name firewall.addrgrp.name).
tunnel-ipv6-pools | | Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients (list; each entry has a required name, source firewall.address6.name firewall.addrgrp6.name).
unsafe-legacy-renegotiation | | Enable/disable unsafe legacy renegotiation (renegotiation without the RFC 5746 secure-renegotiation extension).
url-obscuration | | Enable to obscure the host name in the URL shown in the web browser.
wins-server1 | | WINS server 1.
wins-server2 | | WINS server 2.
x-content-type-options | | Add the HTTP X-Content-Type-Options header.

Fields of each authentication-rule entry:

Parameter | Choices/Defaults | Comments
---|---|---
auth | | SSL VPN authentication method restriction.
cipher | | SSL VPN cipher strength.
client-cert | | Enable/disable the SSL VPN client certificate restriction.
groups | | User groups (list; each entry has a required name, source user.group.name).
id (required) | | ID (0 - 4294967295).
portal | | SSL VPN portal. Source vpn.ssl.web.portal.name.
realm | | SSL VPN realm. Source vpn.ssl.web.realm.url-path.
source-address | | Source addresses of incoming traffic (list; each entry has a required name, source firewall.address.name firewall.addrgrp.name).
source-address-negate | | Enable/disable negated source address match.
source-address6 | | IPv6 source addresses of incoming traffic (list; each entry has a required name, source firewall.address6.name firewall.addrgrp6.name).
source-address6-negate | | Enable/disable negated source IPv6 address match.
source-interface | | SSL VPN source interfaces of incoming traffic (list; each entry has a required name, source system.interface.name system.zone.name).
users | | Users (list; each entry has a required name, source user.local.name).
Examples

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure SSL VPN.
      fortios_vpn_ssl_settings:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        vpn_ssl_settings:
          auth-timeout: "3"
          authentication-rule:
            -
              auth: "any"
              cipher: "any"
              client-cert: "enable"
              groups:
                -
                  name: "default_name_9 (source user.group.name)"
              id: "10"
              portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
              realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
              source-address:
                -
                  name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
              source-address-negate: "enable"
              source-address6:
                -
                  name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
              source-address6-negate: "enable"
              source-interface:
                -
                  name: "default_name_20 (source system.interface.name system.zone.name)"
              users:
                -
                  name: "default_name_22 (source user.local.name)"
          auto-tunnel-static-route: "enable"
          banned-cipher: "RSA"
          check-referer: "enable"
          default-portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
          deflate-compression-level: "6"
          deflate-min-data-size: "300"
          dns-server1: "<your_own_value>"
          dns-server2: "<your_own_value>"
          dns-suffix: "<your_own_value>"
          dtls-hello-timeout: "32"
          dtls-tunnel: "enable"
          force-two-factor-auth: "enable"
          header-x-forwarded-for: "pass"
          http-compression: "enable"
          http-only-cookie: "enable"
          http-request-body-timeout: "38"
          http-request-header-timeout: "39"
          https-redirect: "enable"
          idle-timeout: "41"
          ipv6-dns-server1: "<your_own_value>"
          ipv6-dns-server2: "<your_own_value>"
          ipv6-wins-server1: "<your_own_value>"
          ipv6-wins-server2: "<your_own_value>"
          login-attempt-limit: "3"
          login-block-time: "47"
          login-timeout: "48"
          port: "49"
          port-precedence: "enable"
          reqclientcert: "enable"
          route-source-interface: "enable"
          servercert: "<your_own_value> (source vpn.certificate.local.name)"
          source-address:
            -
              name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
          source-address-negate: "enable"
          source-address6:
            -
              name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
          source-address6-negate: "enable"
          source-interface:
            -
              name: "default_name_61 (source system.interface.name system.zone.name)"
          ssl-client-renegotiation: "disable"
          ssl-insert-empty-fragment: "enable"
          tlsv1-0: "enable"
          tlsv1-1: "enable"
          tlsv1-2: "enable"
          tunnel-ip-pools:
            -
              name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
          tunnel-ipv6-pools:
            -
              name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
          unsafe-legacy-renegotiation: "enable"
          url-obscuration: "enable"
          wins-server1: "<your_own_value>"
          wins-server2: "<your_own_value>"
          x-content-type-options: "enable"
```
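The parameter table documents numeric ranges and several on/off switches that decide how exposed the SSL VPN endpoint is (TLS versions, legacy renegotiation, lockout, 2FA, client certificates), and the example playbook above switches several of the weak ones on. The lint below is an added example, not code from the Ansible module or from Fortinet: it checks a task's arguments against the documented ranges and flags weakening values before anything is pushed to the FortiGate. Key names are the module's own; the two task dicts at the bottom are constructed for illustration (one deliberately weak, one hardened), and the `{{ fortigate_admin_password }}` variable is an assumed vault-backed variable.

```python
"""Pre-flight lint for fortios_vpn_ssl_settings arguments (added example).

Runs offline on the argument dict a playbook would hand to the module and
returns findings, so a CI step can reject a weakening change before it
reaches the FortiGate.
"""

# Numeric ranges copied from the parameter comments: key -> (low, high).
RANGES = {
    "auth-timeout": (0, 259200),
    "deflate-compression-level": (0, 9),
    "deflate-min-data-size": (200, 65535),
    "dtls-hello-timeout": (10, 60),
    "http-request-body-timeout": (1, 60),
    "http-request-header-timeout": (1, 60),
    "login-attempt-limit": (0, 10),
    "login-block-time": (0, 86400),
    "login-timeout": (10, 180),
    "port": (1, 65535),
}

# key -> (value that weakens the endpoint, reason reported).
WEAK = {
    "tlsv1-0": ("enable", "TLS 1.0 enabled (deprecated by RFC 8996)"),
    "tlsv1-1": ("enable", "TLS 1.1 enabled (deprecated by RFC 8996)"),
    "tlsv1-2": ("disable", "TLS 1.2 disabled"),
    "unsafe-legacy-renegotiation": ("enable", "renegotiation without RFC 5746 allowed"),
    "check-referer": ("disable", "Referer check off; CSRF protection of the portal weakened"),
    "http-only-cookie": ("disable", "session cookie readable by page scripts"),
    "force-two-factor-auth": ("disable", "two-factor authentication not enforced"),
    "reqclientcert": ("disable", "client certificates not required"),
}

# Playbooks pass booleans as YAML bools or as strings; treat all of these as off.
FALSE_VALUES = {False, "False", "false", "no", "No", "0", 0}


def _to_int(value):
    """FortiOS values usually arrive as strings; None if not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def lint_vpn_ssl_settings(settings):
    """Return a list of findings for a vpn_ssl_settings dict; [] means clean."""
    findings = []
    for key, (low, high) in RANGES.items():
        if key not in settings:
            continue
        n = _to_int(settings[key])
        if n is None or not low <= n <= high:
            findings.append(f"{key}={settings[key]!r} is outside {low}-{high}")
    for key, (bad, why) in WEAK.items():
        if settings.get(key) == bad:
            findings.append(f"{key}={bad}: {why}")
    # 0 is a documented value for both of these but it removes the control.
    if _to_int(settings.get("login-attempt-limit")) == 0:
        findings.append("login-attempt-limit=0: unlimited password guessing")
    if _to_int(settings.get("auth-timeout")) == 0:
        findings.append("auth-timeout=0: sessions never re-authenticate")
    return findings


def lint_module_args(args):
    """Findings for the whole task: connection arguments plus the settings."""
    findings = []
    if args.get("https") in FALSE_VALUES:
        findings.append("https=False: admin credentials and config sent in cleartext")
    if not args.get("password"):
        findings.append("password is empty")
    findings.extend(lint_vpn_ssl_settings(args.get("vpn_ssl_settings", {})))
    return findings


# Constructed: a weak task of the kind an auto-generated example produces.
WEAK_TASK = {
    "host": "192.168.122.40",
    "username": "admin",
    "password": "",
    "https": "False",
    "vpn_ssl_settings": {
        "tlsv1-0": "enable",
        "tlsv1-1": "enable",
        "tlsv1-2": "enable",
        "unsafe-legacy-renegotiation": "enable",
        "deflate-compression-level": "27",
        "login-attempt-limit": "0",
        "port": "10443",
    },
}

# Constructed: the same task hardened (password variable is an assumption).
HARDENED_TASK = {
    "host": "192.168.122.40",
    "username": "admin",
    "password": "{{ fortigate_admin_password }}",
    "https": True,
    "vpn_ssl_settings": {
        "tlsv1-0": "disable",
        "tlsv1-1": "disable",
        "tlsv1-2": "enable",
        "unsafe-legacy-renegotiation": "disable",
        "ssl-client-renegotiation": "disable",
        "check-referer": "enable",
        "http-only-cookie": "enable",
        "force-two-factor-auth": "enable",
        "reqclientcert": "enable",
        "login-attempt-limit": "3",
        "login-block-time": "300",
        "auth-timeout": "28800",
        "deflate-compression-level": "6",
        "port": "10443",
    },
}

if __name__ == "__main__":
    for label, task in (("weak", WEAK_TASK), ("hardened", HARDENED_TASK)):
        print(label, lint_module_args(task) or "clean")
```

The range table only covers the keys whose limits the parameter comments state; a key the lint does not know about passes untouched, so extend `RANGES` and `WEAK` as the FortiOS release in use documents more limits.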
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description | Sample
---|---|---|---
build (string) | always | Build number of the FortiGate image | 1547
http_method (string) | always | Last HTTP method used to provision the content into the FortiGate | PUT
http_status (string) | always | Last result given by the FortiGate on the last operation applied | 200
mkey (string) | success | Master key (id) used in the last call to the FortiGate | id
name (string) | always | Name of the table used to fulfil the request | settings
path (string) | always | Path of the table used to fulfil the request | vpn.ssl
revision (string) | always | Internal revision number | 17.0.2.10658
serial (string) | always | Serial number of the unit | FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result | success
vdom (string) | always | Virtual domain used | root
version (string) | always | Version of the FortiGate | v5.6.3

All of these values are returned as strings, so a condition such as a check on `http_status` must compare against "200", not the integer 200.