New in version 2.8.
The below requirements are needed on the host that executes this module.
Options written with a leading dot are keys of the `firewall_ssl_ssh_profile` dictionary (nested keys are written as `.section.option`); the remaining options configure the connection to the FortiGate.

Parameter | Choices/Defaults | Comments
---|---|---
`firewall_ssl_ssh_profile` | Default: null | Configure SSL/SSH protocol options.
`.caname` | | CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
`.comment` | | Optional comments.
`.ftps` | | Configure FTPS options.
`.ftps.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.ftps.client-cert-request` | | Action based on client certificate request.
`.ftps.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.ftps.status` | | Configure protocol inspection status.
`.ftps.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.ftps.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.https` | | Configure HTTPS options.
`.https.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.https.client-cert-request` | | Action based on client certificate request.
`.https.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.https.status` | | Configure protocol inspection status.
`.https.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.https.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.imaps` | | Configure IMAPS options.
`.imaps.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.imaps.client-cert-request` | | Action based on client certificate request.
`.imaps.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.imaps.status` | | Configure protocol inspection status.
`.imaps.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.imaps.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.mapi-over-https` | | Enable/disable inspection of MAPI over HTTPS.
`.name` (required) | | Name.
`.pop3s` | | Configure POP3S options.
`.pop3s.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.pop3s.client-cert-request` | | Action based on client certificate request.
`.pop3s.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.pop3s.status` | | Configure protocol inspection status.
`.pop3s.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.pop3s.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.rpc-over-https` | | Enable/disable inspection of RPC over HTTPS.
`.server-cert` | | Certificate used by SSL Inspection to replace server certificate. Source vpn.certificate.local.name.
`.server-cert-mode` | | Re-sign or replace the server's certificate.
`.smtps` | | Configure SMTPS options.
`.smtps.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.smtps.client-cert-request` | | Action based on client certificate request.
`.smtps.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.smtps.status` | | Configure protocol inspection status.
`.smtps.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.smtps.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.ssh` | | Configure SSH options.
`.ssh.inspect-all` | | Level of SSL inspection.
`.ssh.ports` | | Ports to use for scanning (1 - 65535, default = 443).
`.ssh.ssh-algorithm` | | Relative strength of encryption algorithms accepted during negotiation.
`.ssh.ssh-policy-check` | | Enable/disable SSH policy check.
`.ssh.ssh-tun-policy-check` | | Enable/disable SSH tunnel policy check.
`.ssh.status` | | Configure protocol inspection status.
`.ssh.unsupported-version` | | Action based on SSH version being unsupported.
`.ssl` | | Configure SSL options.
`.ssl.allow-invalid-server-cert` | | When enabled, allows SSL sessions whose server certificate validation failed.
`.ssl.client-cert-request` | | Action based on client certificate request.
`.ssl.inspect-all` | | Level of SSL inspection.
`.ssl.unsupported-ssl` | | Action based on the SSL encryption used being unsupported.
`.ssl.untrusted-cert` | | Allow, ignore, or block the untrusted SSL session server certificate.
`.ssl-anomalies-log` | | Enable/disable logging SSL anomalies.
`.ssl-exempt` | | Servers to exempt from SSL inspection.
`.ssl-exempt.address` | | IPv4 address object. Source firewall.address.name firewall.addrgrp.name.
`.ssl-exempt.address6` | | IPv6 address object. Source firewall.address6.name firewall.addrgrp6.name.
`.ssl-exempt.fortiguard-category` | | FortiGuard category ID.
`.ssl-exempt.id` (required) | | ID number.
`.ssl-exempt.regex` | | Exempt servers by regular expression.
`.ssl-exempt.type` | | Type of address object (IPv4 or IPv6) or FortiGuard category.
`.ssl-exempt.wildcard-fqdn` | | Exempt servers by wildcard FQDN. Source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name.
`.ssl-exemptions-log` | | Enable/disable logging SSL exemptions.
`.ssl-server` | | SSL servers.
`.ssl-server.ftps-client-cert-request` | | Action based on client certificate request during the FTPS handshake.
`.ssl-server.https-client-cert-request` | | Action based on client certificate request during the HTTPS handshake.
`.ssl-server.id` (required) | | SSL server ID.
`.ssl-server.imaps-client-cert-request` | | Action based on client certificate request during the IMAPS handshake.
`.ssl-server.ip` | | IPv4 address of the SSL server.
`.ssl-server.pop3s-client-cert-request` | | Action based on client certificate request during the POP3S handshake.
`.ssl-server.smtps-client-cert-request` | | Action based on client certificate request during the SMTPS handshake.
`.ssl-server.ssl-other-client-cert-request` | | Action based on client certificate request during an SSL protocol handshake.
`.state` | | Indicates whether to create or remove the object.
`.untrusted-caname` | | Untrusted CA certificate used by SSL Inspection. Source vpn.certificate.local.name.
`.use-ssl-server` | | Enable/disable the use of SSL server table for SSL offloading.
`.whitelist` | | Enable/disable exempting servers by FortiGuard whitelist.
`host` (required) | | FortiOS or FortiGate IP address.
`https` (boolean) | | Indicates if the requests towards FortiGate must use the HTTPS protocol.
`password` | Default: "" | FortiOS or FortiGate password.
`username` (required) | | FortiOS or FortiGate username.
`vdom` | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
Note
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure SSL/SSH protocol options.
      fortios_firewall_ssl_ssh_profile:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        firewall_ssl_ssh_profile:
          state: "present"
          caname: "<your_own_value> (source vpn.certificate.local.name)"
          comment: "Optional comments."
          ftps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "8"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          https:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "15"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          imaps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "22"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          mapi-over-https: "enable"
          name: "default_name_27"
          pop3s:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "31"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          rpc-over-https: "enable"
          server-cert: "<your_own_value> (source vpn.certificate.local.name)"
          server-cert-mode: "re-sign"
          smtps:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            ports: "41"
            status: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          ssh:
            inspect-all: "disable"
            ports: "47"
            ssh-algorithm: "compatible"
            ssh-policy-check: "disable"
            ssh-tun-policy-check: "disable"
            status: "disable"
            unsupported-version: "bypass"
          ssl:
            allow-invalid-server-cert: "enable"
            client-cert-request: "bypass"
            inspect-all: "disable"
            unsupported-ssl: "bypass"
            untrusted-cert: "allow"
          ssl-anomalies-log: "disable"
          ssl-exempt:
            - address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
              address6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
              fortiguard-category: "63"
              id: "64"
              regex: "<your_own_value>"
              type: "fortiguard-category"
              wildcard-fqdn: "<your_own_value> (source firewall.wildcard-fqdn.custom.name firewall.wildcard-fqdn.group.name)"
          ssl-exemptions-log: "disable"
          ssl-server:
            - ftps-client-cert-request: "bypass"
              https-client-cert-request: "bypass"
              id: "72"
              imaps-client-cert-request: "bypass"
              ip: "<your_own_value>"
              pop3s-client-cert-request: "bypass"
              smtps-client-cert-request: "bypass"
              ssl-other-client-cert-request: "bypass"
          untrusted-caname: "<your_own_value> (source vpn.certificate.local.name)"
          use-ssl-server: "disable"
          whitelist: "enable"
```
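The example playbook above is a generated placeholder: it turns `allow-invalid-server-cert` on, sets `untrusted-cert` to `allow`, bypasses unsupported SSL and SSH versions, disables the anomaly and exemption logs, and talks to the FortiGate API over plain HTTP (`https: "False"`). Applied as-is, such a profile inspects traffic while accepting server certificates that failed validation. The following Python audit is an added example, not part of the Ansible module or of Fortinet's code: it reads the argument dictionary a task would hand to `fortios_firewall_ssl_ssh_profile`, reports every permissive value, and produces a hardened copy. The function names (`audit_task`, `harden_task`) and the permissive/recommended value pairs are assumptions of this example, taken from the option descriptions in the parameter table; the sample task dictionary is constructed from the playbook above.

```python
import copy

# Per-protocol sections of firewall_ssl_ssh_profile that carry the
# certificate-validation options documented in the parameter table.
TLS_SECTIONS = ("ftps", "https", "imaps", "pop3s", "smtps", "ssl")

# option -> (value treated as permissive, value to recommend instead).
# Assumed value sets, drawn from the option descriptions (enable/disable,
# allow/ignore/block, bypass/block); confirm them against your FortiOS release.
TLS_CHECKS = {
    "allow-invalid-server-cert": ("enable", "disable"),
    "untrusted-cert": ("allow", "block"),
    "unsupported-ssl": ("bypass", "block"),
}
SSH_CHECKS = {
    "ssh-policy-check": ("disable", "enable"),
    "ssh-tun-policy-check": ("disable", "enable"),
    "unsupported-version": ("bypass", "block"),
}
PROFILE_CHECKS = {
    "ssl-anomalies-log": ("disable", "enable"),
    "ssl-exemptions-log": ("disable", "enable"),
}


def _check(findings, prefix, section, checks):
    """Append (path, current, recommended) for each permissive option in section."""
    if not isinstance(section, dict):
        return
    for option, (weak, strong) in checks.items():
        if section.get(option) == weak:
            findings.append((f"{prefix}.{option}" if prefix else option, weak, strong))


def audit_task(task_args):
    """Audit the argument dictionary of one fortios_firewall_ssl_ssh_profile task.
    Returns a sorted list of (path, current, recommended) tuples."""
    findings = []
    # Module-level transport: https "False" sends the admin credentials to the
    # FortiGate management API over plain HTTP.
    if str(task_args.get("https", "True")).lower() == "false":
        findings.append(("https", "False", "True"))
    profile = task_args.get("firewall_ssl_ssh_profile", {})
    _check(findings, "firewall_ssl_ssh_profile", profile, PROFILE_CHECKS)
    # Sections whose status is "disable" are audited too: the values become
    # live the moment inspection is enabled for that protocol.
    for name in TLS_SECTIONS:
        _check(findings, f"firewall_ssl_ssh_profile.{name}", profile.get(name), TLS_CHECKS)
    _check(findings, "firewall_ssl_ssh_profile.ssh", profile.get("ssh"), SSH_CHECKS)
    return sorted(findings)


def harden_task(task_args):
    """Return a deep copy of task_args with every flagged option set to its
    recommended value; all other keys are left untouched."""
    hardened = copy.deepcopy(task_args)
    for path, _current, recommended in audit_task(task_args):
        node = hardened
        *parents, leaf = path.split(".")
        for key in parents:
            node = node[key]
        node[leaf] = recommended
    return hardened


# Constructed sample: the permissive values of the example playbook above,
# trimmed to the options the audit looks at.
EXAMPLE_TASK = {
    "host": "192.168.122.40",
    "username": "admin",
    "password": "",
    "vdom": "root",
    "https": "False",
    "firewall_ssl_ssh_profile": {
        "state": "present",
        "name": "default_name_27",
        "server-cert-mode": "re-sign",
        "https": {
            "allow-invalid-server-cert": "enable",
            "client-cert-request": "bypass",
            "ports": "443",
            "status": "disable",
            "unsupported-ssl": "bypass",
            "untrusted-cert": "allow",
        },
        "ssh": {
            "ssh-policy-check": "disable",
            "ssh-tun-policy-check": "disable",
            "status": "disable",
            "unsupported-version": "bypass",
        },
        "ssl-anomalies-log": "disable",
        "ssl-exemptions-log": "disable",
    },
}

if __name__ == "__main__":
    for path, current, recommended in audit_task(EXAMPLE_TASK):
        print(f"{path}: {current!r} -> recommend {recommended!r}")
    assert audit_task(harden_task(EXAMPLE_TASK)) == []
```

Run against the sample task this reports nine findings (the plain-HTTP transport, two disabled logs, three permissive HTTPS options and three permissive SSH options), and `harden_task` returns a copy on which a second audit is clean while `status`, `ports` and the rest of the task are unchanged. A playbook can be loaded with a YAML parser and each task's module arguments fed to `audit_task` as a pre-deployment check.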
Common return values are documented separately; the following fields are unique to this module. All of them are strings.

Key | Returned | Description | Sample
---|---|---|---
`build` | always | Build number of the FortiGate image | 1547
`http_method` | always | Last method used to provision the content into FortiGate | PUT
`http_status` | always | Last result given by FortiGate on the last operation applied | 200
`mkey` | success | Master key (id) used in the last call to FortiGate | id
`name` | always | Name of the table used to fulfill the request | urlfilter
`path` | always | Path of the table used to fulfill the request | webfilter
`revision` | always | Internal revision number | 17.0.2.10658
`serial` | always | Serial number of the unit | FGVMEVYYQT3AB5352
`status` | always | Indication of the operation's result | success
`vdom` | always | Virtual domain used | root
`version` | always | Version of the FortiGate | v5.6.3