fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5
Requirements
The below requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| host
string
|
FortiOS or FortiGate IP address.
|
||||
| https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol.
|
|||
| password
string
|
Default:
""
|
FortiOS or FortiGate password.
|
|||
| ssl_verify
boolean
added in 2.9
|
|
Ensures FortiGate certificate must be verified by a proper CA.
|
|||
| username
string
|
FortiOS or FortiGate username.
|
||||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
|||
| vpn_ssl_settings
dictionary
|
Default:
null
|
Configure SSL VPN.
|
|||
| auth_timeout
integer
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
|
||||
| authentication_rule
list
|
Authentication rule for SSL VPN.
|
||||
| auth
string
|
|
SSL VPN authentication method restriction.
|
|||
| cipher
string
|
|
SSL VPN cipher strength.
|
|||
| client_cert
string
|
|
Enable/disable SSL VPN client certificate restrictive.
|
|||
| groups
list
|
User groups.
|
||||
| name
string / required
|
Group name. Source user.group.name.
|
||||
| id
integer / required
|
ID (0 - 4294967295).
|
||||
| portal
string
|
SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| realm
string
|
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
|
||||
| source_address
list
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| users
list
|
User name.
|
||||
| name
string / required
|
User name. Source user.local.name.
|
||||
| auto_tunnel_static_route
string
|
|
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
|
|||
| banned_cipher
string
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
|
|||
| check_referer
string
|
|
Enable/disable verification of referer field in HTTP request header.
|
|||
| default_portal
string
|
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| deflate_compression_level
integer
|
Compression level (0~9).
|
||||
| deflate_min_data_size
integer
|
Minimum amount of data that triggers compression (200 - 65535 bytes).
|
||||
| dns_server1
string
|
DNS server 1.
|
||||
| dns_server2
string
|
DNS server 2.
|
||||
| dns_suffix
string
|
DNS suffix used for SSL-VPN clients.
|
||||
| dtls_hello_timeout
integer
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec).
|
||||
| dtls_tunnel
string
|
|
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
|
|||
| force_two_factor_auth
string
|
|
Enable to force two-factor authentication for all SSL-VPNs.
|
|||
| header_x_forwarded_for
string
|
|
Forward the same, add, or remove HTTP header.
|
|||
| http_compression
string
|
|
Enable to allow HTTP compression over SSL-VPN tunnels.
|
|||
| http_only_cookie
string
|
|
Enable/disable SSL-VPN support for HttpOnly cookies.
|
|||
| http_request_body_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
|
||||
| http_request_header_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
|
||||
| https_redirect
string
|
|
Enable/disable redirect of port 80 to SSL-VPN port.
|
|||
| idle_timeout
integer
|
SSL VPN disconnects if idle for specified time in seconds.
|
||||
| ipv6_dns_server1
string
|
IPv6 DNS server 1.
|
||||
| ipv6_dns_server2
string
|
IPv6 DNS server 2.
|
||||
| ipv6_wins_server1
string
|
IPv6 WINS server 1.
|
||||
| ipv6_wins_server2
string
|
IPv6 WINS server 2.
|
||||
| login_attempt_limit
integer
|
SSL VPN maximum login attempt times before block (0 - 10).
|
||||
| login_block_time
integer
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
|
||||
| login_timeout
integer
|
SSLVPN maximum login timeout (10 - 180 sec).
|
||||
| port
integer
|
SSL-VPN access port (1 - 65535).
|
||||
| port_precedence
string
|
|
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
|
|||
| reqclientcert
string
|
|
Enable to require client certificates for all SSL-VPN users.
|
|||
| route_source_interface
string
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
|
|||
| servercert
string
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
|
||||
| source_address
list
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| ssl_client_renegotiation
string
|
|
Enable to allow client renegotiation by the server if the tunnel goes down.
|
|||
| ssl_insert_empty_fragment
string
|
|
Enable/disable insertion of empty fragment.
|
|||
| tlsv1_0
string
|
|
Enable/disable TLSv1.0.
|
|||
| tlsv1_1
string
|
|
Enable/disable TLSv1.1.
|
|||
| tlsv1_2
string
|
|
Enable/disable TLSv1.2.
|
|||
| tunnel_ip_pools
list
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| tunnel_ipv6_pools
list
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| unsafe_legacy_renegotiation
string
|
|
Enable/disable unsafe legacy re-negotiation.
|
|||
| url_obscuration
string
|
|
Enable to obscure the host name of the URL of the web browser display.
|
|||
| wins_server1
string
|
WINS server 1.
|
||||
| wins_server2
string
|
WINS server 2.
|
||||
| x_content_type_options
string
|
|
Add HTTP X-Content-Type-Options header.
|
|||
Notes
Note
- Requires fortiosapi library developed by Fortinet
- Run as a local_action in your playbook
Examples
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
ssl_verify: "False"
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
vpn_ssl_settings:
auth_timeout: "3"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_9 (source user.group.name)"
id: "10"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_14 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_17 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_20 (source system.interface.name system.zone.name)"
users:
-
name: "default_name_22 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
check_referer: "enable"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "27"
deflate_min_data_size: "28"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_hello_timeout: "32"
dtls_tunnel: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "38"
http_request_header_timeout: "39"
https_redirect: "enable"
idle_timeout: "41"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "46"
login_block_time: "47"
login_timeout: "48"
port: "49"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_55 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_58 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_61 (source system.interface.name system.zone.name)"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tunnel_ip_pools:
-
name: "default_name_68 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_70 (source firewall.address6.name firewall.addrgrp6.name)"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_vpn_ssl_settings_module.html