fortinet.fortios.fortios_endpoint_control_profile – Configure FortiClient endpoint control profiles in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_endpoint_control_profile.

New in version 2.10: of fortinet.fortios

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify endpoint_control feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

Parameters

Parameter				Choices/Defaults	Comments
access_token string					Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean				Choices: no ← yes	Enable/Disable logging for task.
endpoint_control_profile dictionary					Configure FortiClient endpoint control profiles.
	description string				Description.
	device_groups list / elements=string				Device groups.
		name string / required			Device group object from available options. Source user.device-group.name user.device-category.name.
	forticlient_android_settings dictionary				FortiClient settings for Android platform.
		disable_wf_when_protected string		Choices: enable disable	Enable/disable FortiClient web category filtering when protected by FortiGate.
		forticlient_advanced_vpn string		Choices: enable disable	Enable/disable advanced FortiClient VPN configuration.
		forticlient_advanced_vpn_buffer string			Advanced FortiClient VPN configuration.
		forticlient_vpn_provisioning string		Choices: enable disable	Enable/disable FortiClient VPN provisioning.
		forticlient_vpn_settings list / elements=string			FortiClient VPN settings.
			auth_method string	Choices: psk certificate	Authentication method.
			name string / required		VPN name.
			preshared_key string		Pre-shared secret for PSK authentication.
			remote_gw string		IP address or FQDN of the remote VPN gateway.
			sslvpn_access_port integer		SSL VPN access port (1 - 65535).
			sslvpn_require_certificate string	Choices: enable disable	Enable/disable requiring SSL VPN client certificate.
			type string	Choices: ipsec ssl	VPN type (IPsec or SSL VPN).
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
	forticlient_ios_settings dictionary				FortiClient settings for iOS platform.
		client_vpn_provisioning string		Choices: enable disable	FortiClient VPN provisioning.
		client_vpn_settings list / elements=string			FortiClient VPN settings.
			auth_method string	Choices: psk certificate	Authentication method.
			name string / required		VPN name.
			preshared_key string		Pre-shared secret for PSK authentication.
			remote_gw string		IP address or FQDN of the remote VPN gateway.
			sslvpn_access_port integer		SSL VPN access port (1 - 65535).
			sslvpn_require_certificate string	Choices: enable disable	Enable/disable requiring SSL VPN client certificate.
			type string	Choices: ipsec ssl	VPN type (IPsec or SSL VPN).
			vpn_configuration_content string		Content of VPN configuration.
			vpn_configuration_name string		Name of VPN configuration.
		configuration_content string			Content of configuration profile.
		configuration_name string			Name of configuration profile.
		disable_wf_when_protected string		Choices: enable disable	Enable/disable FortiClient web category filtering when protected by FortiGate.
		distribute_configuration_profile string		Choices: enable disable	Enable/disable configuration profile (.mobileconfig file) distribution.
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
	forticlient_winmac_settings dictionary				FortiClient settings for Windows/Mac platform.
		av_realtime_protection string		Choices: enable disable	Enable/disable FortiClient AntiVirus real-time protection.
		av_signature_up_to_date string		Choices: enable disable	Enable/disable FortiClient AV signature updates.
		forticlient_application_firewall string		Choices: enable disable	Enable/disable the FortiClient application firewall.
		forticlient_application_firewall_list string			FortiClient application firewall rule list. Source application.list.name.
		forticlient_av string		Choices: enable disable	Enable/disable FortiClient AntiVirus scanning.
		forticlient_ems_compliance string		Choices: enable disable	Enable/disable FortiClient Enterprise Management Server (EMS) compliance.
		forticlient_ems_compliance_action string		Choices: block warning	FortiClient EMS compliance action.
		forticlient_ems_entries list / elements=string			FortiClient EMS entries.
			name string / required		FortiClient EMS name. Source endpoint-control.forticlient-ems.name.
		forticlient_linux_ver string			Minimum FortiClient Linux version.
		forticlient_log_upload string		Choices: enable disable	Enable/disable uploading FortiClient logs.
		forticlient_log_upload_level string		Choices: traffic vulnerability event	Select the FortiClient logs to upload.
		forticlient_log_upload_server string			IP address or FQDN of the server to which to upload FortiClient logs.
		forticlient_mac_ver string			Minimum FortiClient Mac OS version.
		forticlient_minimum_software_version string		Choices: enable disable	Enable/disable requiring clients to run FortiClient with a minimum software version number.
		forticlient_operating_system list / elements=string			FortiClient operating system.
			id integer / required		Operating system entry ID.
			os_name string		Customize operating system name or Mac OS format:x.x.x
			os_type string	Choices: custom mac-os win-7 win-80 win-81 win-10 win-2000 win-home-svr win-svr-10 win-svr-2003 win-svr-2003-r2 win-svr-2008 win-svr-2008-r2 win-svr-2012 win-svr-2012-r2 win-sto-svr-2003 win-vista win-xp ubuntu-linux centos-linux redhat-linux fedora-linux	Operating system type.
		forticlient_own_file list / elements=string			Checking the path and filename of the FortiClient application.
			file string		File path and name.
			id integer / required		File ID.
		forticlient_registration_compliance_action string		Choices: block warning	FortiClient registration compliance action.
		forticlient_registry_entry list / elements=string			FortiClient registry entry.
			id integer / required		Registry entry ID.
			registry_entry string		Registry entry.
		forticlient_running_app list / elements=string			Use FortiClient to verify if the listed applications are running on the client.
			app_name string		Application name.
			app_sha256_signature string		App"s SHA256 signature.
			app_sha256_signature2 string		App"s SHA256 Signature.
			app_sha256_signature3 string		App"s SHA256 Signature.
			app_sha256_signature4 string		App"s SHA256 Signature.
			application_check_rule string	Choices: present absent	Application check rule.
			id integer / required		Application ID.
			process_name string		Process name.
			process_name2 string		Process name.
			process_name3 string		Process name.
			process_name4 string		Process name.
		forticlient_security_posture string		Choices: enable disable	Enable/disable FortiClient security posture check options.
		forticlient_security_posture_compliance_action string		Choices: block warning	FortiClient security posture compliance action.
		forticlient_system_compliance string		Choices: enable disable	Enable/disable enforcement of FortiClient system compliance.
		forticlient_system_compliance_action string		Choices: block warning	Block or warn clients not compliant with FortiClient requirements.
		forticlient_vuln_scan string		Choices: enable disable	Enable/disable FortiClient vulnerability scanning.
		forticlient_vuln_scan_compliance_action string		Choices: block warning	FortiClient vulnerability compliance action.
		forticlient_vuln_scan_enforce string		Choices: critical high medium low info	Configure the level of the vulnerability found that causes a FortiClient vulnerability compliance action.
		forticlient_vuln_scan_enforce_grace integer			FortiClient vulnerability scan enforcement grace period (0 - 30 days).
		forticlient_vuln_scan_exempt string		Choices: enable disable	Enable/disable compliance exemption for vulnerabilities that cannot be patched automatically.
		forticlient_wf string		Choices: enable disable	Enable/disable FortiClient web filtering.
		forticlient_wf_profile string			The FortiClient web filter profile to apply. Source webfilter.profile.name.
		forticlient_win_ver string			Minimum FortiClient Windows version.
		os_av_software_installed string		Choices: enable disable	Enable/disable checking for OS recognized AntiVirus software.
		sandbox_address string			FortiSandbox address.
		sandbox_analysis string		Choices: enable disable	Enable/disable sending files to FortiSandbox for analysis.
	on_net_addr list / elements=string				Addresses for on-net detection.
		name string / required			Address object from available options. Source firewall.address.name firewall.addrgrp.name.
	profile_name string				Profile name.
	replacemsg_override_group string				Select an endpoint control replacement message override group from available options. Source system.replacemsg-group.name.
	src_addr list / elements=string				Source addresses.
		name string / required			Address object from available options. Source firewall.address.name firewall.addrgrp.name.
	user_groups list / elements=string				User groups.
		name string / required			User group name. Source user.group.name.
	users list / elements=string				Users.
		name string / required			User name. Source user.local.name.
state string / required				Choices: present absent	Indicates whether to create or remove the object.
vdom string				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure FortiClient endpoint control profiles.
    fortios_endpoint_control_profile:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      endpoint_control_profile:
        description: "<your_own_value>"
        device_groups:
         -
            name: "default_name_5 (source user.device-group.name user.device-category.name)"
        forticlient_android_settings:
            disable_wf_when_protected: "enable"
            forticlient_advanced_vpn: "enable"
            forticlient_advanced_vpn_buffer: "<your_own_value>"
            forticlient_vpn_provisioning: "enable"
            forticlient_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_13"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "16"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_ios_settings:
            client_vpn_provisioning: "enable"
            client_vpn_settings:
             -
                auth_method: "psk"
                name: "default_name_25"
                preshared_key: "<your_own_value>"
                remote_gw: "<your_own_value>"
                sslvpn_access_port: "28"
                sslvpn_require_certificate: "enable"
                type: "ipsec"
                vpn_configuration_content: "<your_own_value>"
                vpn_configuration_name: "<your_own_value>"
            configuration_content: "<your_own_value>"
            configuration_name: "<your_own_value>"
            disable_wf_when_protected: "enable"
            distribute_configuration_profile: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
        forticlient_winmac_settings:
            av_realtime_protection: "enable"
            av_signature_up_to_date: "enable"
            forticlient_application_firewall: "enable"
            forticlient_application_firewall_list: "<your_own_value> (source application.list.name)"
            forticlient_av: "enable"
            forticlient_ems_compliance: "enable"
            forticlient_ems_compliance_action: "block"
            forticlient_ems_entries:
             -
                name: "default_name_48 (source endpoint-control.forticlient-ems.name)"
            forticlient_linux_ver: "<your_own_value>"
            forticlient_log_upload: "enable"
            forticlient_log_upload_level: "traffic"
            forticlient_log_upload_server: "<your_own_value>"
            forticlient_mac_ver: "<your_own_value>"
            forticlient_minimum_software_version: "enable"
            forticlient_operating_system:
             -
                id:  "56"
                os_name: "<your_own_value>"
                os_type: "custom"
            forticlient_own_file:
             -
                file: "<your_own_value>"
                id:  "61"
            forticlient_registration_compliance_action: "block"
            forticlient_registry_entry:
             -
                id:  "64"
                registry_entry: "<your_own_value>"
            forticlient_running_app:
             -
                app_name: "<your_own_value>"
                app_sha256_signature: "<your_own_value>"
                app_sha256_signature2: "<your_own_value>"
                app_sha256_signature3: "<your_own_value>"
                app_sha256_signature4: "<your_own_value>"
                application_check_rule: "present"
                id:  "73"
                process_name: "<your_own_value>"
                process_name2: "<your_own_value>"
                process_name3: "<your_own_value>"
                process_name4: "<your_own_value>"
            forticlient_security_posture: "enable"
            forticlient_security_posture_compliance_action: "block"
            forticlient_system_compliance: "enable"
            forticlient_system_compliance_action: "block"
            forticlient_vuln_scan: "enable"
            forticlient_vuln_scan_compliance_action: "block"
            forticlient_vuln_scan_enforce: "critical"
            forticlient_vuln_scan_enforce_grace: "85"
            forticlient_vuln_scan_exempt: "enable"
            forticlient_wf: "enable"
            forticlient_wf_profile: "<your_own_value> (source webfilter.profile.name)"
            forticlient_win_ver: "<your_own_value>"
            os_av_software_installed: "enable"
            sandbox_address: "<your_own_value>"
            sandbox_analysis: "enable"
        on_net_addr:
         -
            name: "default_name_94 (source firewall.address.name firewall.addrgrp.name)"
        profile_name: "<your_own_value>"
        replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        src_addr:
         -
            name: "default_name_98 (source firewall.address.name firewall.addrgrp.name)"
        user_groups:
         -
            name: "default_name_100 (source user.group.name)"
        users:
         -
            name: "default_name_102 (source user.local.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_endpoint_control_profile_module.html

Docs

Docs4dev

Title here