fortinet.fortios.fortios_firewall_consolidated_policy – Configure consolidated IPv4/IPv6 policies in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_consolidated_policy.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall_consolidated feature and policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
|||
| enable_log
boolean
|
|
Enable/Disable logging for task.
|
||
| firewall_consolidated_policy
dictionary
|
Configure consolidated IPv4/IPv6 policies.
|
|||
| action
string
|
|
Policy action (allow/deny/ipsec).
|
||
| application_list
string
|
Name of an existing Application list. Source application.list.name.
|
|||
| auto_asic_offload
string
|
|
Enable/disable policy traffic ASIC offloading.
|
||
| av_profile
string
|
Name of an existing Antivirus profile. Source antivirus.profile.name.
|
|||
| captive_portal_exempt
string
|
|
Enable exemption of some users from the captive portal.
|
||
| cifs_profile
string
|
Name of an existing CIFS profile. Source cifs.profile.name.
|
|||
| comments
string
|
Comment.
|
|||
| diffserv_forward
string
|
|
Enable to change packet"s DiffServ values to the specified diffservcode-forward value.
|
||
| diffserv_reverse
string
|
|
Enable to change packet"s reverse (reply) DiffServ values to the specified diffservcode-rev value.
|
||
| diffservcode_forward
string
|
Change packet"s DiffServ to this value.
|
|||
| diffservcode_rev
string
|
Change packet"s reverse (reply) DiffServ to this value.
|
|||
| dlp_sensor
string
|
Name of an existing DLP sensor. Source dlp.sensor.name.
|
|||
| dnsfilter_profile
string
|
Name of an existing DNS filter profile. Source dnsfilter.profile.name.
|
|||
| dstaddr4
list / elements=string
|
Destination IPv4 address name and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name system.external-resource .name.
|
|||
| dstaddr6
list / elements=string
|
Destination IPv6 address name and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system .external-resource.name.
|
|||
| dstaddr_negate
string
|
|
When enabled dstaddr specifies what the destination address must NOT be.
|
||
| dstintf
list / elements=string
|
Outgoing (egress) interface.
|
|||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
| emailfilter_profile
string
|
Name of an existing email filter profile. Source emailfilter.profile.name.
|
|||
| fixedport
string
|
|
Enable to prevent source NAT from changing a session"s source port.
|
||
| fsso_groups
list / elements=string
|
Names of FSSO groups.
|
|||
| name
string / required
|
Names of FSSO groups. Source user.adgrp.name.
|
|||
| global_label
string
|
Label for the policy that appears when the GUI is in Global View mode.
|
|||
| groups
list / elements=string
|
Names of user groups that can authenticate with this policy.
|
|||
| name
string / required
|
Group name. Source user.group.name.
|
|||
| http_policy_redirect
string
|
|
Redirect HTTP(S) traffic to matching transparent web proxy policy.
|
||
| icap_profile
string
|
Name of an existing ICAP profile. Source icap.profile.name.
|
|||
| inbound
string
|
|
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
|
||
| inspection_mode
string
|
|
Policy inspection mode (Flow/proxy). Default is Flow mode.
|
||
| internet_service
string
|
|
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
|
||
| internet_service_custom
list / elements=string
|
Custom Internet Service name.
|
|||
| name
string / required
|
Custom Internet Service name. Source firewall.internet-service-custom.name.
|
|||
| internet_service_custom_group
list / elements=string
|
Custom Internet Service group name.
|
|||
| name
string / required
|
Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
|
|||
| internet_service_group
list / elements=string
|
Internet Service group name.
|
|||
| name
string / required
|
Internet Service group name. Source firewall.internet-service-group.name.
|
|||
| internet_service_id
list / elements=string
|
Internet Service ID.
|
|||
| id
integer / required
|
Internet Service ID. Source firewall.internet-service.id.
|
|||
| internet_service_negate
string
|
|
When enabled internet-service specifies what the service must NOT be.
|
||
| internet_service_src
string
|
|
Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
|
||
| internet_service_src_custom
list / elements=string
|
Custom Internet Service source name.
|
|||
| name
string / required
|
Custom Internet Service name. Source firewall.internet-service-custom.name.
|
|||
| internet_service_src_custom_group
list / elements=string
|
Custom Internet Service source group name.
|
|||
| name
string / required
|
Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
|
|||
| internet_service_src_group
list / elements=string
|
Internet Service source group name.
|
|||
| name
string / required
|
Internet Service group name. Source firewall.internet-service-group.name.
|
|||
| internet_service_src_id
list / elements=string
|
Internet Service source ID.
|
|||
| id
integer / required
|
Internet Service ID. Source firewall.internet-service.id.
|
|||
| internet_service_src_negate
string
|
|
When enabled internet-service-src specifies what the service must NOT be.
|
||
| ippool
string
|
|
Enable to use IP Pools for source NAT.
|
||
| ips_sensor
string
|
Name of an existing IPS sensor. Source ips.sensor.name.
|
|||
| logtraffic
string
|
|
Enable or disable logging. Log all sessions or security profile sessions.
|
||
| logtraffic_start
string
|
|
Record logs when a session starts.
|
||
| mms_profile
string
|
Name of an existing MMS profile. Source firewall.mms-profile.name.
|
|||
| name
string
|
Policy name.
|
|||
| nat
string
|
|
Enable/disable source NAT.
|
||
| outbound
string
|
|
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
|
||
| per_ip_shaper
string
|
Per-IP traffic shaper. Source firewall.shaper.per-ip-shaper.name.
|
|||
| policyid
integer / required
|
Policy ID (0 - 4294967294).
|
|||
| poolname4
list / elements=string
|
IPv4 pool names.
|
|||
| name
string / required
|
IPv4 pool name. Source firewall.ippool.name.
|
|||
| poolname6
list / elements=string
|
IPv6 pool names.
|
|||
| name
string / required
|
IPv6 pool name. Source firewall.ippool6.name.
|
|||
| profile_group
string
|
Name of profile group. Source firewall.profile-group.name.
|
|||
| profile_protocol_options
string
|
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
|
|||
| profile_type
string
|
|
Determine whether the firewall policy allows security profile groups or single profiles only.
|
||
| schedule
string
|
Schedule name. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
|
|||
| service
list / elements=string
|
Service and service group names.
|
|||
| name
string / required
|
Service name. Source firewall.service.custom.name firewall.service.group.name.
|
|||
| service_negate
string
|
|
When enabled service specifies what the service must NOT be.
|
||
| session_ttl
integer
|
TTL in seconds for sessions accepted by this policy (0 means use the system ).
|
|||
| srcaddr4
list / elements=string
|
Source IPv4 address name and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name system.external-resource.name.
|
|||
| srcaddr6
list / elements=string
|
Source IPv6 address name and address group names.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
|
|||
| srcaddr_negate
string
|
|
When enabled srcaddr specifies what the source address must NOT be.
|
||
| srcintf
list / elements=string
|
Incoming (ingress) interface.
|
|||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
| ssh_filter_profile
string
|
Name of an existing SSH filter profile. Source ssh-filter.profile.name.
|
|||
| ssh_policy_redirect
string
|
|
Redirect SSH traffic to matching transparent proxy policy.
|
||
| ssl_ssh_profile
string
|
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
|
|||
| status
string
|
|
Enable or disable this policy.
|
||
| tcp_mss_receiver
integer
|
Receiver TCP maximum segment size (MSS).
|
|||
| tcp_mss_sender
integer
|
Sender TCP maximum segment size (MSS).
|
|||
| traffic_shaper
string
|
Traffic shaper. Source firewall.shaper.traffic-shaper.name.
|
|||
| traffic_shaper_reverse
string
|
Reverse traffic shaper. Source firewall.shaper.traffic-shaper.name.
|
|||
| users
list / elements=string
|
Names of individual users that can authenticate with this policy.
|
|||
| name
string / required
|
User name. Source user.local.name.
|
|||
| utm_status
string
|
|
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
|
||
| uuid
string
|
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
|
|||
| voip_profile
string
|
Name of an existing VoIP profile. Source voip.profile.name.
|
|||
| vpntunnel
string
|
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. Source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name.
|
|||
| waf_profile
string
|
Name of an existing Web application firewall profile. Source waf.profile.name.
|
|||
| wanopt
string
|
|
Enable/disable WAN optimization.
|
||
| wanopt_detection
string
|
|
WAN optimization auto-detection mode.
|
||
| wanopt_passive_opt
string
|
|
WAN optimization passive mode options. This option decides what IP address will be used to connect to server.
|
||
| wanopt_peer
string
|
WAN optimization peer. Source wanopt.peer.peer-host-id.
|
|||
| wanopt_profile
string
|
WAN optimization profile. Source wanopt.profile.name.
|
|||
| webcache
string
|
|
Enable/disable web cache.
|
||
| webcache_https
string
|
|
Enable/disable web cache for HTTPS.
|
||
| webfilter_profile
string
|
Name of an existing Web filter profile. Source webfilter.profile.name.
|
|||
| webproxy_forward_server
string
|
Webproxy forward server name. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
|
|||
| webproxy_profile
string
|
Webproxy profile name. Source web-proxy.profile.name.
|
|||
| state
string / required
|
|
Indicates whether to create or remove the object.
|
||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure consolidated IPv4/IPv6 policies.
fortios_firewall_consolidated_policy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_consolidated_policy:
action: "accept"
application_list: "<your_own_value> (source application.list.name)"
auto_asic_offload: "enable"
av_profile: "<your_own_value> (source antivirus.profile.name)"
captive_portal_exempt: "enable"
cifs_profile: "<your_own_value> (source cifs.profile.name)"
comments: "<your_own_value>"
diffserv_forward: "enable"
diffserv_reverse: "enable"
diffservcode_forward: "<your_own_value>"
diffservcode_rev: "<your_own_value>"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dnsfilter_profile: "<your_own_value> (source dnsfilter.profile.name)"
dstaddr_negate: "enable"
dstaddr4:
-
name: "default_name_18 (source firewall.address.name firewall.addrgrp.name firewall.vip.name firewall.vipgrp.name system.external-resource.name)"
dstaddr6:
-
name: "default_name_20 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name system.external-resource
.name)"
dstintf:
-
name: "default_name_22 (source system.interface.name system.zone.name)"
emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
fixedport: "enable"
fsso_groups:
-
name: "default_name_26 (source user.adgrp.name)"
global_label: "<your_own_value>"
groups:
-
name: "default_name_29 (source user.group.name)"
http_policy_redirect: "enable"
icap_profile: "<your_own_value> (source icap.profile.name)"
inbound: "enable"
inspection_mode: "proxy"
internet_service: "enable"
internet_service_custom:
-
name: "default_name_36 (source firewall.internet-service-custom.name)"
internet_service_custom_group:
-
name: "default_name_38 (source firewall.internet-service-custom-group.name)"
internet_service_group:
-
name: "default_name_40 (source firewall.internet-service-group.name)"
internet_service_id:
-
id: "42 (source firewall.internet-service.id)"
internet_service_negate: "enable"
internet_service_src: "enable"
internet_service_src_custom:
-
name: "default_name_46 (source firewall.internet-service-custom.name)"
internet_service_src_custom_group:
-
name: "default_name_48 (source firewall.internet-service-custom-group.name)"
internet_service_src_group:
-
name: "default_name_50 (source firewall.internet-service-group.name)"
internet_service_src_id:
-
id: "52 (source firewall.internet-service.id)"
internet_service_src_negate: "enable"
ippool: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
logtraffic: "all"
logtraffic_start: "enable"
mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
name: "default_name_59"
nat: "enable"
outbound: "enable"
per_ip_shaper: "<your_own_value> (source firewall.shaper.per-ip-shaper.name)"
policyid: "63"
poolname4:
-
name: "default_name_65 (source firewall.ippool.name)"
poolname6:
-
name: "default_name_67 (source firewall.ippool6.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
service:
-
name: "default_name_73 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "75"
srcaddr_negate: "enable"
srcaddr4:
-
name: "default_name_78 (source firewall.address.name firewall.addrgrp.name system.external-resource.name)"
srcaddr6:
-
name: "default_name_80 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
srcintf:
-
name: "default_name_82 (source system.interface.name system.zone.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssh_policy_redirect: "enable"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
tcp_mss_receiver: "87"
tcp_mss_sender: "88"
traffic_shaper: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
traffic_shaper_reverse: "<your_own_value> (source firewall.shaper.traffic-shaper.name)"
users:
-
name: "default_name_92 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
voip_profile: "<your_own_value> (source voip.profile.name)"
vpntunnel: "<your_own_value> (source vpn.ipsec.phase1.name vpn.ipsec.manualkey.name)"
waf_profile: "<your_own_value> (source waf.profile.name)"
wanopt: "enable"
wanopt_detection: "active"
wanopt_passive_opt: "default"
wanopt_peer: "<your_own_value> (source wanopt.peer.peer-host-id)"
wanopt_profile: "<your_own_value> (source wanopt.profile.name)"
webcache: "enable"
webcache_https: "disable"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_consolidated_policy_module.html