fortinet.fortios.fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 1.1.8).
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings.
New in version 2.8: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
||||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
|||
| vpn_ssl_settings
dictionary
|
Configure SSL VPN.
|
||||
| algorithm
string
|
|
Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
|
|||
| auth_timeout
integer
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
|
||||
| authentication_rule
list / elements=string
|
Authentication rule for SSL VPN.
|
||||
| auth
string
|
|
SSL VPN authentication method restriction.
|
|||
| cipher
string
|
|
SSL VPN cipher strength.
|
|||
| client_cert
string
|
|
Enable/disable SSL VPN client certificate restrictive.
|
|||
| groups
list / elements=string
|
User groups.
|
||||
| name
string / required
|
Group name. Source user.group.name.
|
||||
| id
integer / required
|
ID (0 - 4294967295).
|
||||
| portal
string
|
SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| realm
string
|
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
|
||||
| source_address
list / elements=string
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list / elements=string
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list / elements=string
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| users
list / elements=string
|
User name.
|
||||
| name
string / required
|
User name. Source user.local.name.
|
||||
| auto_tunnel_static_route
string
|
|
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
|
|||
| banned_cipher
list / elements=string
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
|
|||
| check_referer
string
|
|
Enable/disable verification of referer field in HTTP request header.
|
|||
| default_portal
string
|
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| deflate_compression_level
integer
|
Compression level (0~9).
|
||||
| deflate_min_data_size
integer
|
Minimum amount of data that triggers compression (200 - 65535 bytes).
|
||||
| dns_server1
string
|
DNS server 1.
|
||||
| dns_server2
string
|
DNS server 2.
|
||||
| dns_suffix
string
|
DNS suffix used for SSL-VPN clients.
|
||||
| dtls_hello_timeout
integer
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec).
|
||||
| dtls_tunnel
string
|
|
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
|
|||
| force_two_factor_auth
string
|
|
Enable to force two-factor authentication for all SSL-VPNs.
|
|||
| header_x_forwarded_for
string
|
|
Forward the same, add, or remove HTTP header.
|
|||
| http_compression
string
|
|
Enable to allow HTTP compression over SSL-VPN tunnels.
|
|||
| http_only_cookie
string
|
|
Enable/disable SSL-VPN support for HttpOnly cookies.
|
|||
| http_request_body_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
|
||||
| http_request_header_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
|
||||
| https_redirect
string
|
|
Enable/disable redirect of port 80 to SSL-VPN port.
|
|||
| idle_timeout
integer
|
SSL VPN disconnects if idle for specified time in seconds.
|
||||
| ipv6_dns_server1
string
|
IPv6 DNS server 1.
|
||||
| ipv6_dns_server2
string
|
IPv6 DNS server 2.
|
||||
| ipv6_wins_server1
string
|
IPv6 WINS server 1.
|
||||
| ipv6_wins_server2
string
|
IPv6 WINS server 2.
|
||||
| login_attempt_limit
integer
|
SSL VPN maximum login attempt times before block (0 - 10).
|
||||
| login_block_time
integer
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
|
||||
| login_timeout
integer
|
SSLVPN maximum login timeout (10 - 180 sec).
|
||||
| port
integer
|
SSL-VPN access port (1 - 65535).
|
||||
| port_precedence
string
|
|
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
|
|||
| reqclientcert
string
|
|
Enable to require client certificates for all SSL-VPN users.
|
|||
| route_source_interface
string
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
|
|||
| servercert
string
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
|
||||
| source_address
list / elements=string
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list / elements=string
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list / elements=string
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| ssl_big_buffer
string
|
|
Disable use of the big SSLv3 buffer feature to save memory and force higher security.
|
|||
| ssl_client_renegotiation
string
|
|
Enable to allow client renegotiation by the server if the tunnel goes down.
|
|||
| ssl_insert_empty_fragment
string
|
|
Enable/disable insertion of empty fragment.
|
|||
| sslv3
string
|
|
sslv3
|
|||
| tlsv1_0
string
|
|
Enable/disable TLSv1.0.
|
|||
| tlsv1_1
string
|
|
Enable/disable TLSv1.1.
|
|||
| tlsv1_2
string
|
|
Enable/disable TLSv1.2.
|
|||
| tunnel_ip_pools
list / elements=string
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| tunnel_ipv6_pools
list / elements=string
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| unsafe_legacy_renegotiation
string
|
|
Enable/disable unsafe legacy re-negotiation.
|
|||
| url_obscuration
string
|
|
Enable to obscure the host name of the URL of the web browser display.
|
|||
| wins_server1
string
|
WINS server 1.
|
||||
| wins_server2
string
|
WINS server 2.
|
||||
| x_content_type_options
string
|
|
Add HTTP X-Content-Type-Options header.
|
|||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
vdom: "{{ vdom }}"
vpn_ssl_settings:
algorithm: "high"
auth_timeout: "4"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_10 (source user.group.name)"
id: "11"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_15 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_18 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_21 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_23 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
check_referer: "enable"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "28"
deflate_min_data_size: "29"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_hello_timeout: "33"
dtls_tunnel: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "39"
http_request_header_timeout: "40"
https_redirect: "enable"
idle_timeout: "42"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "47"
login_block_time: "48"
login_timeout: "49"
port: "50"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_56 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_59 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_62 (source system.interface.name system.zone.name)"
ssl_big_buffer: "enable"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
sslv3: "enable"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tunnel_ip_pools:
-
name: "default_name_71 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_73 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_vpn_ssl_settings_module.html