fortios_system_settings – Configure VDOM settings in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the system feature and settings category. The examples include all parameters and values; they need to be adjusted to data sources before usage. Tested with FOS v6.0.5.
Requirements
The requirements below are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
host (string) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates if the requests towards FortiGate must use HTTPS protocol.
password (string) | Default: "" | FortiOS or FortiGate password.
ssl_verify (boolean, added in 2.9) | | Ensures FortiGate certificate must be verified by a proper CA.
system_settings (dictionary) | Default: null | Configure VDOM settings. Suboptions are listed in the next table.
username (string) | | FortiOS or FortiGate username.
vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Suboptions of system_settings:

Parameter | Choices/Defaults | Comments
---|---|---
allow_linkdown_path (string) | | Enable/disable link down path.
allow_subnet_overlap (string) | | Enable/disable allowing interface subnets to use overlapping IP addresses.
asymroute (string) | | Enable/disable IPv4 asymmetric routing.
asymroute6 (string) | | Enable/disable asymmetric IPv6 routing.
asymroute6_icmp (string) | | Enable/disable asymmetric ICMPv6 routing.
asymroute_icmp (string) | | Enable/disable ICMP asymmetric routing.
bfd (string) | | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd_desired_min_tx (integer) | | BFD desired minimal transmit interval (1 - 100000 ms).
bfd_detect_mult (integer) | | BFD detection multiplier (1 - 50).
bfd_dont_enforce_src_port (string) | | Enable to not enforce verifying the source port of BFD packets.
bfd_required_min_rx (integer) | | BFD required minimal receive interval (1 - 100000 ms).
block_land_attack (string) | | Enable/disable blocking of land attacks.
central_nat (string) | | Enable/disable central NAT.
comments (string) | | VDOM comments.
compliance_check (string) | | Enable/disable PCI DSS compliance checking.
default_voip_alg_mode (string) | | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
deny_tcp_with_icmp (string) | | Enable/disable denying TCP by sending an ICMP communication prohibited packet.
device (string) | | Interface to use for management access for NAT mode. Source system.interface.name.
dhcp6_server_ip (string) | | DHCPv6 server IPv6 address.
dhcp_proxy (string) | | Enable/disable the DHCP Proxy.
dhcp_server_ip (string) | | DHCP Server IPv4 address.
discovered_device_timeout (integer) | | Timeout for discovered devices (1 - 365 days).
ecmp_max_paths (integer) | | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 100).
email_portal_check_dns (string) | | Enable/disable using DNS to validate email addresses collected by a captive portal.
firewall_session_dirty (string) | | Select how to manage sessions affected by firewall policy configuration changes.
fw_session_hairpin (string) | | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
gateway (string) | | Transparent mode IPv4 default gateway IP address.
gateway6 (string) | | Transparent mode IPv6 default gateway IP address.
gui_advanced_policy (string) | | Enable/disable advanced policy configuration on the GUI.
gui_allow_unnamed_policy (string) | | Enable/disable the requirement for policy naming on the GUI.
gui_antivirus (string) | | Enable/disable AntiVirus on the GUI.
gui_ap_profile (string) | | Enable/disable FortiAP profiles on the GUI.
gui_application_control (string) | | Enable/disable application control on the GUI.
gui_default_policy_columns (list) | | Default columns to display for policy lists on GUI.
name (string / required; suboption of gui_default_policy_columns) | | Select column name.
gui_dhcp_advanced (string) | | Enable/disable advanced DHCP options on the GUI.
gui_dlp (string) | | Enable/disable DLP on the GUI.
gui_dns_database (string) | | Enable/disable DNS database settings on the GUI.
gui_dnsfilter (string) | | Enable/disable DNS Filtering on the GUI.
gui_domain_ip_reputation (string) | | Enable/disable Domain and IP Reputation on the GUI.
gui_dos_policy (string) | | Enable/disable DoS policies on the GUI.
gui_dynamic_profile_display (string) | | Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
gui_dynamic_routing (string) | | Enable/disable dynamic routing on the GUI.
gui_email_collection (string) | | Enable/disable email collection on the GUI.
gui_endpoint_control (string) | | Enable/disable endpoint control on the GUI.
gui_endpoint_control_advanced (string) | | Enable/disable advanced endpoint control options on the GUI.
gui_explicit_proxy (string) | | Enable/disable the explicit proxy on the GUI.
gui_fortiap_split_tunneling (string) | | Enable/disable FortiAP split tunneling on the GUI.
gui_fortiextender_controller (string) | | Enable/disable FortiExtender on the GUI.
gui_icap (string) | | Enable/disable ICAP on the GUI.
gui_implicit_policy (string) | | Enable/disable implicit firewall policies on the GUI.
gui_ips (string) | | Enable/disable IPS on the GUI.
gui_load_balance (string) | | Enable/disable server load balancing on the GUI.
gui_local_in_policy (string) | | Enable/disable Local-In policies on the GUI.
gui_local_reports (string) | | Enable/disable local reports on the GUI.
gui_multicast_policy (string) | | Enable/disable multicast firewall policies on the GUI.
gui_multiple_interface_policy (string) | | Enable/disable adding multiple interfaces to a policy on the GUI.
gui_multiple_utm_profiles (string) | | Enable/disable multiple UTM profiles on the GUI.
gui_nat46_64 (string) | | Enable/disable NAT46 and NAT64 settings on the GUI.
gui_object_colors (string) | | Enable/disable object colors on the GUI.
gui_policy_based_ipsec (string) | | Enable/disable policy-based IPsec VPN on the GUI.
gui_policy_learning (string) | | Enable/disable firewall policy learning mode on the GUI.
gui_replacement_message_groups (string) | | Enable/disable replacement message groups on the GUI.
gui_spamfilter (string) | | Enable/disable Antispam on the GUI.
gui_sslvpn_personal_bookmarks (string) | | Enable/disable SSL-VPN personal bookmark management on the GUI.
gui_sslvpn_realms (string) | | Enable/disable SSL-VPN realms on the GUI.
gui_switch_controller (string) | | Enable/disable the switch controller on the GUI.
gui_threat_weight (string) | | Enable/disable threat weight on the GUI.
gui_traffic_shaping (string) | | Enable/disable traffic shaping on the GUI.
gui_voip_profile (string) | | Enable/disable VoIP profiles on the GUI.
gui_vpn (string) | | Enable/disable VPN tunnels on the GUI.
gui_waf_profile (string) | | Enable/disable Web Application Firewall on the GUI.
gui_wan_load_balancing (string) | | Enable/disable SD-WAN on the GUI.
gui_wanopt_cache (string) | | Enable/disable WAN Optimization and Web Caching on the GUI.
gui_webfilter (string) | | Enable/disable Web filtering on the GUI.
gui_webfilter_advanced (string) | | Enable/disable advanced web filtering on the GUI.
gui_wireless_controller (string) | | Enable/disable the wireless controller on the GUI.
http_external_dest (string) | | Offload HTTP traffic to FortiWeb or FortiCache.
ike_dn_format (string) | | Configure IKE ASN.1 Distinguished Name format conventions.
ike_quick_crash_detect (string) | | Enable/disable IKE quick crash detection (RFC 6290).
ike_session_resume (string) | | Enable/disable IKEv2 session resumption (RFC 5723).
implicit_allow_dns (string) | | Enable/disable implicitly allowing DNS traffic.
inspection_mode (string) | | Inspection mode (proxy-based or flow-based).
ip (string) | | IP address and netmask.
ip6 (string) | | IPv6 address prefix for NAT mode.
link_down_access (string) | | Enable/disable link down access traffic.
lldp_transmission (string) | | Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
mac_ttl (integer) | | Duration of MAC addresses in Transparent mode (300 - 8640000 sec).
manageip (string) | | Transparent mode IPv4 management IP address and netmask.
manageip6 (string) | | Transparent mode IPv6 management IP address and netmask.
multicast_forward (string) | | Enable/disable multicast forwarding.
multicast_skip_policy (string) | | Enable/disable allowing multicast traffic through the FortiGate without a policy check.
multicast_ttl_notchange (string) | | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
ngfw_mode (string) | | Next Generation Firewall (NGFW) mode.
opmode (string) | | Firewall operation mode (NAT or Transparent).
prp_trailer_action (string) | | Enable/disable action to take on PRP trailer.
sccp_port (integer) | | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535).
ses_denied_traffic (string) | | Enable/disable including denied sessions in the session table.
sip_helper (string) | | Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
sip_nat_trace (string) | | Enable/disable recording the original SIP source IP address when NAT is used.
sip_ssl_port (integer) | | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535).
sip_tcp_port (integer) | | TCP port the SIP proxy monitors for SIP traffic (0 - 65535).
sip_udp_port (integer) | | UDP port the SIP proxy monitors for SIP traffic (0 - 65535).
snat_hairpin_traffic (string) | | Enable/disable source NAT (SNAT) for hairpin traffic.
ssl_ssh_profile (string) | | Profile for SSL/SSH inspection. Source firewall.ssl-ssh-profile.name.
status (string) | | Enable/disable this VDOM.
strict_src_check (string) | | Enable/disable strict source verification.
tcp_session_without_syn (string) | | Enable/disable allowing TCP sessions without SYN flags.
utf8_spam_tagging (string) | | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
v4_ecmp_mode (string) | | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
vpn_stats_log (string) | | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
vpn_stats_period (integer) | | Period to send VPN log statistics (60 - 86400 sec).
wccp_cache_engine (string) | | Enable/disable WCCP cache engine.
Notes
- Requires the fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
```yaml
# Example playbook from the module documentation. Every supported
# suboption is listed with a sample value; replace the <your_own_value>
# placeholders with values that exist on your device before running it.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
  - name: Configure VDOM settings.
    fortios_system_settings:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      https: "False"
      system_settings:
        allow_linkdown_path: "enable"
        allow_subnet_overlap: "enable"
        asymroute: "enable"
        asymroute_icmp: "enable"
        asymroute6: "enable"
        asymroute6_icmp: "enable"
        bfd: "enable"
        bfd_desired_min_tx: "10"
        bfd_detect_mult: "11"
        bfd_dont_enforce_src_port: "enable"
        bfd_required_min_rx: "13"
        block_land_attack: "disable"
        central_nat: "enable"
        comments: "<your_own_value>"
        compliance_check: "enable"
        default_voip_alg_mode: "proxy-based"
        deny_tcp_with_icmp: "enable"
        device: "<your_own_value> (source system.interface.name)"
        dhcp_proxy: "enable"
        dhcp_server_ip: "<your_own_value>"
        dhcp6_server_ip: "<your_own_value>"
        discovered_device_timeout: "24"
        ecmp_max_paths: "25"
        email_portal_check_dns: "disable"
        firewall_session_dirty: "check-all"
        fw_session_hairpin: "enable"
        gateway: "<your_own_value>"
        gateway6: "<your_own_value>"
        gui_advanced_policy: "enable"
        gui_allow_unnamed_policy: "enable"
        gui_antivirus: "enable"
        gui_ap_profile: "enable"
        gui_application_control: "enable"
        gui_default_policy_columns:
          - name: "default_name_37"
        gui_dhcp_advanced: "enable"
        gui_dlp: "enable"
        gui_dns_database: "enable"
        gui_dnsfilter: "enable"
        gui_domain_ip_reputation: "enable"
        gui_dos_policy: "enable"
        gui_dynamic_profile_display: "enable"
        gui_dynamic_routing: "enable"
        gui_email_collection: "enable"
        gui_endpoint_control: "enable"
        gui_endpoint_control_advanced: "enable"
        gui_explicit_proxy: "enable"
        gui_fortiap_split_tunneling: "enable"
        gui_fortiextender_controller: "enable"
        gui_icap: "enable"
        gui_implicit_policy: "enable"
        gui_ips: "enable"
        gui_load_balance: "enable"
        gui_local_in_policy: "enable"
        gui_local_reports: "enable"
        gui_multicast_policy: "enable"
        gui_multiple_interface_policy: "enable"
        gui_multiple_utm_profiles: "enable"
        gui_nat46_64: "enable"
        gui_object_colors: "enable"
        gui_policy_based_ipsec: "enable"
        gui_policy_learning: "enable"
        gui_replacement_message_groups: "enable"
        gui_spamfilter: "enable"
        gui_sslvpn_personal_bookmarks: "enable"
        gui_sslvpn_realms: "enable"
        gui_switch_controller: "enable"
        gui_threat_weight: "enable"
        gui_traffic_shaping: "enable"
        gui_voip_profile: "enable"
        gui_vpn: "enable"
        gui_waf_profile: "enable"
        gui_wan_load_balancing: "enable"
        gui_wanopt_cache: "enable"
        gui_webfilter: "enable"
        gui_webfilter_advanced: "enable"
        gui_wireless_controller: "enable"
        http_external_dest: "fortiweb"
        ike_dn_format: "with-space"
        ike_quick_crash_detect: "enable"
        ike_session_resume: "enable"
        implicit_allow_dns: "enable"
        inspection_mode: "proxy"
        ip: "<your_own_value>"
        ip6: "<your_own_value>"
        link_down_access: "enable"
        lldp_transmission: "enable"
        mac_ttl: "90"
        manageip: "<your_own_value>"
        manageip6: "<your_own_value>"
        multicast_forward: "enable"
        multicast_skip_policy: "enable"
        multicast_ttl_notchange: "enable"
        ngfw_mode: "profile-based"
        opmode: "nat"
        prp_trailer_action: "enable"
        sccp_port: "99"
        ses_denied_traffic: "enable"
        sip_helper: "enable"
        sip_nat_trace: "enable"
        sip_ssl_port: "103"
        sip_tcp_port: "104"
        sip_udp_port: "105"
        snat_hairpin_traffic: "enable"
        ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
        status: "enable"
        strict_src_check: "enable"
        tcp_session_without_syn: "enable"
        utf8_spam_tagging: "enable"
        v4_ecmp_mode: "source-ip-based"
        vpn_stats_log: "ipsec"
        vpn_stats_period: "114"
        wccp_cache_engine: "enable"
```
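As an added example, not from the original documentation, the following playbook calls the same module with the transport options and the session-handling suboptions set the way a hardened deployment would want them, then checks the module's return values before the play continues. The device address is a constructed sample, and fortigate_admin_password is an assumed Ansible Vault variable.

```yaml
# Added example (not part of the module documentation). The address below is
# constructed; fortigate_admin_password is assumed to come from Ansible Vault
# so the credential never sits in the playbook or the repository.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: "{{ fortigate_admin_password }}"
    vdom: "root"
  tasks:
    - name: Harden VDOM settings over verified HTTPS
      fortios_system_settings:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: true          # the page's example used "False": credentials in clear
        ssl_verify: true     # the page's example used "False": no CA validation
        system_settings:
          block_land_attack: "enable"          # page's example: "disable"
          strict_src_check: "enable"
          tcp_session_without_syn: "disable"   # page's example: "enable"
          allow_subnet_overlap: "disable"      # page's example: "enable"
          asymroute: "disable"                 # page's example: "enable"
          asymroute6: "disable"
          multicast_skip_policy: "disable"     # page's example: "enable"
          ses_denied_traffic: "enable"         # keep denied sessions visible
      no_log: true           # keeps the password out of task output and logs
      register: result

    # The module returns status and http_status (see Return Values);
    # stop the play if FortiGate did not accept the change.
    - name: Fail the play if FortiGate rejected the change
      assert:
        that:
          - result.status == "success"
          - result.http_status | string == "200"
```

Because no_log hides the task's own output, the assert is what surfaces a rejected change to the operator.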
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description | Sample
---|---|---|---
build (string) | always | Build number of the FortiGate image | 1547
http_method (string) | always | Last method used to provision the content into FortiGate | PUT
http_status (string) | always | Last result given by FortiGate on the last operation applied | 200
mkey (string) | success | Master key (id) used in the last call to FortiGate | id
name (string) | always | Name of the table used to fulfill the request | urlfilter
path (string) | always | Path of the table used to fulfill the request | webfilter
revision (string) | always | Internal revision number | 17.0.2.10658
serial (string) | always | Serial number of the unit | FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result | success
vdom (string) | always | Virtual domain used | root
version (string) | always | Version of the FortiGate | v5.6.3
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_system_settings_module.html