fortios_firewall_policy6 – Configure IPv6 policies in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and policy6 category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| firewall_policy6
dictionary
|
Default:
null
|
Configure IPv6 policies.
|
||
| action
string
|
|
Policy action (allow/deny/ipsec).
|
||
| app_category
list
|
Application category ID list.
|
|||
| id
integer / required
|
Category IDs.
|
|||
| app_group
list
|
Application group names.
|
|||
| name
string / required
|
Application group names. Source application.group.name.
|
|||
| application
list
|
Application ID list.
|
|||
| id
integer / required
|
Application IDs.
|
|||
| application_list
string
|
Name of an existing Application list. Source application.list.name.
|
|||
| av_profile
string
|
Name of an existing Antivirus profile. Source antivirus.profile.name.
|
|||
| comments
string
|
Comment.
|
|||
| custom_log_fields
list
|
Log field index numbers to append custom log fields to log messages for this policy.
|
|||
| field_id
string
|
Custom log field. Source log.custom-field.id.
|
|||
| devices
list
|
Names of devices or device groups that can be matched by the policy.
|
|||
| name
string / required
|
Device or group name. Source user.device.alias user.device-group.name user.device-category.name.
|
|||
| diffserv_forward
string
|
|
Enable to change packet's DiffServ values to the specified diffservcode-forward value.
|
||
| diffserv_reverse
string
|
|
Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
|
||
| diffservcode_forward
string
|
Change packet's DiffServ to this value.
|
|||
| diffservcode_rev
string
|
Change packet's reverse (reply) DiffServ to this value.
|
|||
| dlp_sensor
string
|
Name of an existing DLP sensor. Source dlp.sensor.name.
|
|||
| dscp_match
string
|
|
Enable DSCP check.
|
||
| dscp_negate
string
|
|
Enable negated DSCP match.
|
||
| dscp_value
string
|
DSCP value.
|
|||
| dsri
string
|
|
Enable DSRI to ignore HTTP server responses.
|
||
| dstaddr
list
|
Destination address and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name.
|
|||
| dstaddr_negate
string
|
|
When enabled dstaddr specifies what the destination address must NOT be.
|
||
| dstintf
list
|
Outgoing (egress) interface.
|
|||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
| firewall_session_dirty
string
|
|
How to handle sessions if the configuration of this firewall policy changes.
|
||
| fixedport
string
|
|
Enable to prevent source NAT from changing a session's source port.
|
||
| global_label
string
|
Label for the policy that appears when the GUI is in Global View mode.
|
|||
| groups
list
|
Names of user groups that can authenticate with this policy.
|
|||
| name
string / required
|
Group name. Source user.group.name.
|
|||
| icap_profile
string
|
Name of an existing ICAP profile. Source icap.profile.name.
|
|||
| inbound
string
|
|
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
|
||
| ippool
string
|
|
Enable to use IP Pools for source NAT.
|
||
| ips_sensor
string
|
Name of an existing IPS sensor. Source ips.sensor.name.
|
|||
| label
string
|
Label for the policy that appears when the GUI is in Section View mode.
|
|||
| logtraffic
string
|
|
Enable or disable logging. Log all sessions or security profile sessions.
|
||
| logtraffic_start
string
|
|
Record logs when a session starts and ends.
|
||
| name
string
|
Policy name.
|
|||
| nat
string
|
|
Enable/disable source NAT.
|
||
| natinbound
string
|
|
Policy-based IPsec VPN: apply destination NAT to inbound traffic.
|
||
| natoutbound
string
|
|
Policy-based IPsec VPN: apply source NAT to outbound traffic.
|
||
| outbound
string
|
|
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
|
||
| per_ip_shaper
string
|
Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
|
|||
| policyid
integer / required
|
Policy ID.
|
|||
| poolname
list
|
IP Pool names.
|
|||
| name
string / required
|
IP pool name. Source firewall.ippool6.name.
|
|||
| profile_group
string
|
Name of profile group. Source firewall.profile-group.name.
|
|||
| profile_protocol_options
string
|
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
|
|||
| profile_type
string
|
|
Determine whether the firewall policy allows security profile groups or single profiles only.
|
||
| replacemsg_override_group
string
|
Override the default replacement message group for this policy. Source system.replacemsg-group.name.
|
|||
| rsso
string
|
|
Enable/disable RADIUS single sign-on (RSSO).
|
||
| schedule
string
|
Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
|
|||
| send_deny_packet
string
|
|
Enable/disable return of deny-packet.
|
||
| service
list
|
Service and service group names.
|
|||
| name
string / required
|
Address name. Source firewall.service.custom.name firewall.service.group.name.
|
|||
| service_negate
string
|
|
When enabled service specifies what the service must NOT be.
|
||
| session_ttl
integer
|
Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.
|
|||
| spamfilter_profile
string
|
Name of an existing Spam filter profile. Source spamfilter.profile.name.
|
|||
| srcaddr
list
|
Source address and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name.
|
|||
| srcaddr_negate
string
|
|
When enabled srcaddr specifies what the source address must NOT be.
|
||
| srcintf
list
|
Incoming (ingress) interface.
|
|||
| name
string / required
|
Interface name. Source system.zone.name system.interface.name.
|
|||
| ssh_filter_profile
string
|
Name of an existing SSH filter profile. Source ssh-filter.profile.name.
|
|||
| ssl_mirror
string
|
|
Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
|
||
| ssl_mirror_intf
list
|
SSL mirror interface name.
|
|||
| name
string / required
|
Interface name. Source system.zone.name system.interface.name.
|
|||
| ssl_ssh_profile
string
|
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
|
|||
| state
string
|
|
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.
Indicates whether to create or remove the object.
|
||
| status
string
|
|
Enable or disable this policy.
|
||
| tcp_mss_receiver
integer
|
Receiver TCP maximum segment size (MSS).
|
|||
| tcp_mss_sender
integer
|
Sender TCP maximum segment size (MSS).
|
|||
| tcp_session_without_syn
string
|
|
Enable/disable creation of TCP session without SYN flag.
|
||
| timeout_send_rst
string
|
|
Enable/disable sending RST packets when TCP sessions expire.
|
||
| traffic_shaper
string
|
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
|
|||
| traffic_shaper_reverse
string
|
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
|
|||
| url_category
list
|
URL category ID list.
|
|||
| id
integer / required
|
URL category ID.
|
|||
| users
list
|
Names of individual users that can authenticate with this policy.
|
|||
| name
string / required
|
Names of individual users that can authenticate with this policy. Source user.local.name.
|
|||
| utm_status
string
|
|
Enable AV/web/ips protection profile.
|
||
| uuid
string
|
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
|
|||
| vlan_cos_fwd
integer
|
VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest
|
|||
| vlan_cos_rev
integer
|
VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest
|
|||
| vlan_filter
string
|
Set VLAN filters.
|
|||
| voip_profile
string
|
Name of an existing VoIP profile. Source voip.profile.name.
|
|||
| vpntunnel
string
|
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
|
|||
| webfilter_profile
string
|
Name of an existing Web filter profile. Source webfilter.profile.name.
|
|||
| host
string
|
FortiOS or FortiGate IP address.
|
|||
| https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol.
|
||
| password
string
|
Default:
""
|
FortiOS or FortiGate password.
|
||
| ssl_verify
boolean
added in 2.9
|
|
Ensures FortiGate certificate must be verified by a proper CA.
|
||
| state
string
added in 2.9
|
|
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
|
||
| username
string
|
FortiOS or FortiGate username.
|
|||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
Notes
Note
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure IPv6 policies.
fortios_firewall_policy6:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
state: "present"
firewall_policy6:
action: "accept"
app_category:
-
id: "5"
app_group:
-
name: "default_name_7 (source application.group.name)"
application:
-
id: "9"
application_list: "<your_own_value> (source application.list.name)"
av_profile: "<your_own_value> (source antivirus.profile.name)"
comments: "<your_own_value>"
custom_log_fields:
-
field_id: "<your_own_value> (source log.custom-field.id)"
devices:
-
name: "default_name_16 (source user.device.alias user.device-group.name user.device-category.name)"
diffserv_forward: "enable"
diffserv_reverse: "enable"
diffservcode_forward: "<your_own_value>"
diffservcode_rev: "<your_own_value>"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dscp_match: "enable"
dscp_negate: "enable"
dscp_value: "<your_own_value>"
dsri: "enable"
dstaddr:
-
name: "default_name_27 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name)"
dstaddr_negate: "enable"
dstintf:
-
name: "default_name_30 (source system.interface.name system.zone.name)"
firewall_session_dirty: "check-all"
fixedport: "enable"
global_label: "<your_own_value>"
groups:
-
name: "default_name_35 (source user.group.name)"
icap_profile: "<your_own_value> (source icap.profile.name)"
inbound: "enable"
ippool: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
logtraffic: "all"
logtraffic_start: "enable"
name: "default_name_43"
nat: "enable"
natinbound: "enable"
natoutbound: "enable"
outbound: "enable"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
policyid: "49"
poolname:
-
name: "default_name_51 (source firewall.ippool6.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
rsso: "enable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
send_deny_packet: "enable"
service:
-
name: "default_name_60 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "62"
spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_65 (source firewall.address6.name firewall.addrgrp6.name)"
srcaddr_negate: "enable"
srcintf:
-
name: "default_name_68 (source system.zone.name system.interface.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssl_mirror: "enable"
ssl_mirror_intf:
-
name: "default_name_72 (source system.zone.name system.interface.name)"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
tcp_mss_receiver: "75"
tcp_mss_sender: "76"
tcp_session_without_syn: "all"
timeout_send_rst: "enable"
traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
url_category:
-
id: "82"
users:
-
name: "default_name_84 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
vlan_cos_fwd: "87"
vlan_cos_rev: "88"
vlan_filter: "<your_own_value>"
voip_profile: "<your_own_value> (source voip.profile.name)"
vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_firewall_policy6_module.html