fortinet.fortios.fortios_firewall_access_proxy – Configure Access Proxy in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_firewall_access_proxy.

New in version 2.10: of fortinet.fortios

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and access_proxy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

Parameters

Parameter				Choices/Defaults	Comments
access_token string					Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean				Choices: no ← yes	Enable/Disable logging for task.
firewall_access_proxy dictionary					Configure Access Proxy.
	api_gateway list / elements=string				Set API Gateway.
		http_cookie_age integer			Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.
		http_cookie_domain string			Domain that HTTP cookie persistence should apply to.
		http_cookie_domain_from_host string		Choices: disable enable	Enable/disable use of HTTP cookie domain from host field in HTTP.
		http_cookie_generation integer			Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.
		http_cookie_path string			Limit HTTP cookie persistence to the specified path.
		http_cookie_share string		Choices: disable same-ip	Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
		https_cookie_secure string		Choices: disable enable	Enable/disable verification that inserted HTTPS cookies are secure.
		id integer / required			API Gateway ID.
		ldb_method string		Choices: static round-robin weighted least-session least-rtt first-alive http-host	Method used to distribute sessions to real servers.
		persistence string		Choices: none http-cookie	Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
		realservers list / elements=string			Select the real servers that this Access Proxy will distribute traffic to.
			address string		Address or address group of the real server. Source firewall.address.name firewall.addrgrp.name.
			health_check string	Choices: disable enable	Enable to check the responsiveness of the real server before forwarding traffic.
			health_check_proto string	Choices: ping http tcp-connect	Protocol of the health check monitor to use when polling to determine server"s connectivity status.
			http_host string		HTTP server domain name in HTTP header.
			id integer / required		Real server ID.
			ip string		IP address of the real server.
			mappedport string		Port for communicating with the real server.
			port integer		Port for communicating with the real server.
			status string	Choices: active standby disable	Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
			weight integer		Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
		saml_server string			SAML service provider configuration for VIP authentication. Source user.saml.name.
		service string		Choices: http https tcp-forwarding samlsp	Service.
		ssl_algorithm string		Choices: high medium low custom	Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
		ssl_cipher_suites list / elements=string			SSL/TLS cipher suites to offer to a server, ordered by priority.
			cipher string	Choices: TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-DHE-RSA-WITH-AES-128-CBC-SHA TLS-DHE-RSA-WITH-AES-256-CBC-SHA TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 TLS-DHE-DSS-WITH-AES-128-CBC-SHA TLS-DHE-DSS-WITH-AES-256-CBC-SHA TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-RSA-WITH-AES-128-CBC-SHA TLS-RSA-WITH-AES-256-CBC-SHA TLS-RSA-WITH-AES-128-CBC-SHA256 TLS-RSA-WITH-AES-128-GCM-SHA256 TLS-RSA-WITH-AES-256-CBC-SHA256 TLS-RSA-WITH-AES-256-GCM-SHA384 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 TLS-DHE-RSA-WITH-SEED-CBC-SHA TLS-DHE-DSS-WITH-SEED-CBC-SHA TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 TLS-RSA-WITH-SEED-CBC-SHA TLS-RSA-WITH-ARIA-128-CBC-SHA256 TLS-RSA-WITH-ARIA-256-CBC-SHA384 TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 TLS-ECDHE-RSA-WITH-RC4-128-SHA TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA TLS-RSA-WITH-3DES-EDE-CBC-SHA TLS-RSA-WITH-RC4-128-MD5 TLS-RSA-WITH-RC4-128-SHA TLS-DHE-RSA-WITH-DES-CBC-SHA TLS-DHE-DSS-WITH-DES-CBC-SHA TLS-RSA-WITH-DES-CBC-SHA	Cipher suite name.
			priority integer / required		SSL/TLS cipher suites priority.
			versions string	Choices: tls-1.0 tls-1.1 tls-1.2 tls-1.3	SSL/TLS versions that the cipher suite can be used with.
		ssl_dh_bits string		Choices: 768 1024 1536 2048 3072 4096	Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
		ssl_max_version string		Choices: tls-1.0 tls-1.1 tls-1.2 tls-1.3	Highest SSL/TLS version acceptable from a server.
		ssl_min_version string		Choices: tls-1.0 tls-1.1 tls-1.2 tls-1.3	Lowest SSL/TLS version acceptable from a server.
		url_map string			URL pattern to match.
		url_map_type string		Choices: sub-string wildcard regex	Type of url-map.
		virtual_host string			Virtual host. Source firewall.access-proxy-virtual-host.name.
	client_cert string			Choices: disable enable	Enable/disable to request client certificate.
	empty_cert_action string			Choices: accept block	Action of an empty client certificate.
	ldb_method string			Choices: static round-robin weighted least-session least-rtt first-alive	Method used to distribute sessions to SSL real servers.
	name string / required				Access Proxy name.
	realservers list / elements=string				Select the SSL real servers that this Access Proxy will distribute traffic to.
		id integer / required			Real server ID.
		ip string			IP address of the real server.
		port integer			Port for communicating with the real server.
		status string		Choices: active standby disable	Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
		weight integer			Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
	server_pubkey_auth string			Choices: disable enable	Enable/disable SSH real server public key authentication.
	server_pubkey_auth_settings dictionary				Server SSH public key authentication settings.
		auth_ca string			Name of the SSH server public key authentication CA. Source firewall.ssh.local-ca.name.
		cert_extension list / elements=string			Configure certificate extension for user certificate.
			critical string	Choices: False True	Critical option.
			data string		Name of certificate extension.
			name string / required		Name of certificate extension.
			type string	Choices: fixed user	Type of certificate extension.
		permit_agent_forwarding string		Choices: enable disable	Enable/disable appending permit-agent-forwarding certificate extension.
		permit_port_forwarding string		Choices: enable disable	Enable/disable appending permit-port-forwarding certificate extension.
		permit_pty string		Choices: enable disable	Enable/disable appending permit-pty certificate extension.
		permit_user_rc string		Choices: enable disable	Enable/disable appending permit-user-rc certificate extension.
		permit_x11_forwarding string		Choices: enable disable	Enable/disable appending permit-x11-forwarding certificate extension.
		source_address string		Choices: enable disable	Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address.
	vip string				Virtual IP name. Source firewall.vip.name.
state string / required				Choices: present absent	Indicates whether to create or remove the object.
vdom string				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Access Proxy.
    fortios_firewall_access_proxy:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      firewall_access_proxy:
        api_gateway:
         -
            http_cookie_age: "4"
            http_cookie_domain: "<your_own_value>"
            http_cookie_domain_from_host: "disable"
            http_cookie_generation: "7"
            http_cookie_path: "<your_own_value>"
            http_cookie_share: "disable"
            https_cookie_secure: "disable"
            id:  "11"
            ldb_method: "static"
            persistence: "none"
            realservers:
             -
                address: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
                health_check: "disable"
                health_check_proto: "ping"
                http_host: "myhostname"
                id:  "19"
                ip: "<your_own_value>"
                mappedport: "<your_own_value>"
                port: "22"
                status: "active"
                weight: "24"
            saml_server: "<your_own_value> (source user.saml.name)"
            service: "http"
            ssl_algorithm: "high"
            ssl_cipher_suites:
             -
                cipher: "TLS-AES-128-GCM-SHA256"
                priority: "30"
                versions: "tls-1.0"
            ssl_dh_bits: "768"
            ssl_max_version: "tls-1.0"
            ssl_min_version: "tls-1.0"
            url_map: "<your_own_value>"
            url_map_type: "sub-string"
            virtual_host: "myhostname (source firewall.access-proxy-virtual-host.name)"
        client_cert: "disable"
        empty_cert_action: "accept"
        ldb_method: "static"
        name: "default_name_41"
        realservers:
         -
            id:  "43"
            ip: "<your_own_value>"
            port: "45"
            status: "active"
            weight: "47"
        server_pubkey_auth: "disable"
        server_pubkey_auth_settings:
            auth_ca: "<your_own_value> (source firewall.ssh.local-ca.name)"
            cert_extension:
             -
                critical: "no"
                data: "<your_own_value>"
                name: "default_name_54"
                type: "fixed"
            permit_agent_forwarding: "enable"
            permit_port_forwarding: "enable"
            permit_pty: "enable"
            permit_user_rc: "enable"
            permit_x11_forwarding: "enable"
            source_address: "enable"
        vip: "<your_own_value> (source firewall.vip.name)"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_access_proxy_module.html

Docs

Docs4dev

Title here