fortinet.fortios.fortios_firewall_proxy_policy – Configure proxy policies in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_proxy_policy.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and proxy_policy category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
|||
| enable_log
boolean
|
|
Enable/Disable logging for task.
|
||
| firewall_proxy_policy
dictionary
|
Configure proxy policies.
|
|||
| access_proxy
list / elements=string
|
Access Proxy.
|
|||
| name
string / required
|
Access Proxy name. Source firewall.access-proxy.name.
|
|||
| action
string
|
|
Accept or deny traffic matching the policy parameters.
|
||
| application_list
string
|
Name of an existing Application list. Source application.list.name.
|
|||
| av_profile
string
|
Name of an existing Antivirus profile. Source antivirus.profile.name.
|
|||
| cifs_profile
string
|
Name of an existing CIFS profile. Source cifs.profile.name.
|
|||
| comments
string
|
Optional comments.
|
|||
| decrypted_traffic_mirror
string
|
Decrypted traffic mirror. Source firewall.decrypted-traffic-mirror.name.
|
|||
| device_ownership
string
|
|
When enabled, the ownership enforcement will be done at policy level.
|
||
| disclaimer
string
|
|
Web proxy disclaimer setting: by domain, policy, or user.
|
||
| dlp_sensor
string
|
Name of an existing DLP sensor. Source dlp.sensor.name.
|
|||
| dstaddr
list / elements=string
|
Destination address objects.
|
|||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name.
|
|||
| dstaddr6
list / elements=string
|
IPv6 destination address objects.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall.vipgrp64.name system.external-resource.name.
|
|||
| dstaddr_negate
string
|
|
When enabled, destination addresses match against any address EXCEPT the specified destination addresses.
|
||
| dstintf
list / elements=string
|
Destination interface names.
|
|||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
| emailfilter_profile
string
|
Name of an existing email filter profile. Source emailfilter.profile.name.
|
|||
| file_filter_profile
string
|
Name of an existing file-filter profile. Source file-filter.profile.name.
|
|||
| global_label
string
|
Global web-based manager visible label.
|
|||
| groups
list / elements=string
|
Names of group objects.
|
|||
| name
string / required
|
Group name. Source user.group.name.
|
|||
| http_tunnel_auth
string
|
|
Enable/disable HTTP tunnel authentication.
|
||
| icap_profile
string
|
Name of an existing ICAP profile. Source icap.profile.name.
|
|||
| internet_service
string
|
|
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
|
||
| internet_service_custom
list / elements=string
|
Custom Internet Service name.
|
|||
| name
string / required
|
Custom name. Source firewall.internet-service-custom.name.
|
|||
| internet_service_custom_group
list / elements=string
|
Custom Internet Service group name.
|
|||
| name
string / required
|
Custom Internet Service group name. Source firewall.internet-service-custom-group.name.
|
|||
| internet_service_group
list / elements=string
|
Internet Service group name.
|
|||
| name
string / required
|
Internet Service group name. Source firewall.internet-service-group.name.
|
|||
| internet_service_id
list / elements=string
|
Internet Service ID.
|
|||
| id
integer / required
|
Internet Service ID. Source firewall.internet-service.id.
|
|||
| internet_service_name
list / elements=string
|
Internet Service name.
|
|||
| name
string / required
|
Internet Service name. Source firewall.internet-service-name.name.
|
|||
| internet_service_negate
string
|
|
When enabled, Internet Services match against any internet service EXCEPT the selected Internet Service.
|
||
| ips_sensor
string
|
Name of an existing IPS sensor. Source ips.sensor.name.
|
|||
| label
string
|
VDOM-specific GUI visible label.
|
|||
| logtraffic
string
|
|
Enable/disable logging traffic through the policy.
|
||
| logtraffic_start
string
|
|
Enable/disable policy log traffic start.
|
||
| mms_profile
string
|
Name of an existing MMS profile. Source firewall.mms-profile.name.
|
|||
| name
string
|
Policy name.
|
|||
| policyid
integer / required
|
Policy ID.
|
|||
| poolname
list / elements=string
|
Name of IP pool object.
|
|||
| name
string / required
|
IP pool name. Source firewall.ippool.name.
|
|||
| profile_group
string
|
Name of profile group. Source firewall.profile-group.name.
|
|||
| profile_protocol_options
string
|
Name of an existing Protocol options profile. Source firewall.profile-protocol-options.name.
|
|||
| profile_type
string
|
|
Determine whether the firewall policy allows security profile groups or single profiles only.
|
||
| proxy
string
|
|
Type of explicit proxy.
|
||
| redirect_url
string
|
Redirect URL for further explicit web proxy processing.
|
|||
| replacemsg_override_group
string
|
Authentication replacement message override group. Source system.replacemsg-group.name.
|
|||
| scan_botnet_connections
string
|
|
Enable/disable scanning of connections to Botnet servers.
|
||
| schedule
string
|
Name of schedule object. Source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name.
|
|||
| service
list / elements=string
|
Name of service objects.
|
|||
| name
string / required
|
Service name. Source firewall.service.custom.name firewall.service.group.name.
|
|||
| service_negate
string
|
|
When enabled, services match against any service EXCEPT the specified destination services.
|
||
| session_ttl
integer
|
TTL in seconds for sessions accepted by this policy (0 means use the system ).
|
|||
| spamfilter_profile
string
|
Name of an existing Spam filter profile. Source spamfilter.profile.name.
|
|||
| srcaddr
list / elements=string
|
Source address objects.
|
|||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system .external-resource.name.
|
|||
| srcaddr6
list / elements=string
|
IPv6 source address objects.
|
|||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name system.external-resource.name.
|
|||
| srcaddr_negate
string
|
|
When enabled, source addresses match against any address EXCEPT the specified source addresses.
|
||
| srcintf
list / elements=string
|
Source interface names.
|
|||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
|||
| ssh_filter_profile
string
|
Name of an existing SSH filter profile. Source ssh-filter.profile.name.
|
|||
| ssh_policy_redirect
string
|
|
Redirect SSH traffic to matching transparent proxy policy.
|
||
| ssl_ssh_profile
string
|
Name of an existing SSL SSH profile. Source firewall.ssl-ssh-profile.name.
|
|||
| status
string
|
|
Enable/disable the active status of the policy.
|
||
| transparent
string
|
|
Enable to use the IP address of the client to connect to the server.
|
||
| users
list / elements=string
|
Names of user objects.
|
|||
| name
string / required
|
Group name. Source user.local.name.
|
|||
| utm_status
string
|
|
Enable the use of UTM profiles/sensors/lists.
|
||
| uuid
string
|
Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
|
|||
| videofilter_profile
string
|
Name of an existing VideoFilter profile. Source videofilter.profile.name.
|
|||
| voip_profile
string
|
Name of an existing VoIP profile. Source voip.profile.name.
|
|||
| waf_profile
string
|
Name of an existing Web application firewall profile. Source waf.profile.name.
|
|||
| webcache
string
|
|
Enable/disable web caching.
|
||
| webcache_https
string
|
|
Enable/disable web caching for HTTPS (Requires deep-inspection enabled in ssl-ssh-profile).
|
||
| webfilter_profile
string
|
Name of an existing Web filter profile. Source webfilter.profile.name.
|
|||
| webproxy_forward_server
string
|
Name of web proxy forward server. Source web-proxy.forward-server.name web-proxy.forward-server-group.name.
|
|||
| webproxy_profile
string
|
Name of web proxy profile. Source web-proxy.profile.name.
|
|||
| ztna_ems_tag
list / elements=string
|
ZTNA EMS Tag names.
|
|||
| name
string / required
|
EMS Tag name. Source firewall.address.name firewall.addrgrp.name.
|
|||
| state
string / required
|
|
Indicates whether to create or remove the object.
|
||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure proxy policies.
fortios_firewall_proxy_policy:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_proxy_policy:
access_proxy:
-
name: "default_name_4 (source firewall.access-proxy.name)"
action: "accept"
application_list: "<your_own_value> (source application.list.name)"
av_profile: "<your_own_value> (source antivirus.profile.name)"
cifs_profile: "<your_own_value> (source cifs.profile.name)"
comments: "<your_own_value>"
decrypted_traffic_mirror: "<your_own_value> (source firewall.decrypted-traffic-mirror.name)"
device_ownership: "enable"
disclaimer: "disable"
dlp_sensor: "<your_own_value> (source dlp.sensor.name)"
dstaddr:
-
name: "default_name_15 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name firewall.vip
.name firewall.vipgrp.name firewall.vip46.name firewall.vipgrp46.name system.external-resource.name)"
dstaddr_negate: "enable"
dstaddr6:
-
name: "default_name_18 (source firewall.address6.name firewall.addrgrp6.name firewall.vip6.name firewall.vipgrp6.name firewall.vip64.name firewall
.vipgrp64.name system.external-resource.name)"
dstintf:
-
name: "default_name_20 (source system.interface.name system.zone.name)"
emailfilter_profile: "<your_own_value> (source emailfilter.profile.name)"
file_filter_profile: "<your_own_value> (source file-filter.profile.name)"
global_label: "<your_own_value>"
groups:
-
name: "default_name_25 (source user.group.name)"
http_tunnel_auth: "enable"
icap_profile: "<your_own_value> (source icap.profile.name)"
internet_service: "enable"
internet_service_custom:
-
name: "default_name_30 (source firewall.internet-service-custom.name)"
internet_service_custom_group:
-
name: "default_name_32 (source firewall.internet-service-custom-group.name)"
internet_service_group:
-
name: "default_name_34 (source firewall.internet-service-group.name)"
internet_service_id:
-
id: "36 (source firewall.internet-service.id)"
internet_service_name:
-
name: "default_name_38 (source firewall.internet-service-name.name)"
internet_service_negate: "enable"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
label: "<your_own_value>"
logtraffic: "all"
logtraffic_start: "enable"
mms_profile: "<your_own_value> (source firewall.mms-profile.name)"
name: "default_name_45"
policyid: "46"
poolname:
-
name: "default_name_48 (source firewall.ippool.name)"
profile_group: "<your_own_value> (source firewall.profile-group.name)"
profile_protocol_options: "<your_own_value> (source firewall.profile-protocol-options.name)"
profile_type: "single"
proxy: "explicit-web"
redirect_url: "<your_own_value>"
replacemsg_override_group: "<your_own_value> (source system.replacemsg-group.name)"
scan_botnet_connections: "disable"
schedule: "<your_own_value> (source firewall.schedule.onetime.name firewall.schedule.recurring.name firewall.schedule.group.name)"
service:
-
name: "default_name_58 (source firewall.service.custom.name firewall.service.group.name)"
service_negate: "enable"
session_ttl: "60"
spamfilter_profile: "<your_own_value> (source spamfilter.profile.name)"
srcaddr:
-
name: "default_name_63 (source firewall.address.name firewall.addrgrp.name firewall.proxy-address.name firewall.proxy-addrgrp.name system
.external-resource.name)"
srcaddr_negate: "enable"
srcaddr6:
-
name: "default_name_66 (source firewall.address6.name firewall.addrgrp6.name system.external-resource.name)"
srcintf:
-
name: "default_name_68 (source system.interface.name system.zone.name)"
ssh_filter_profile: "<your_own_value> (source ssh-filter.profile.name)"
ssh_policy_redirect: "enable"
ssl_ssh_profile: "<your_own_value> (source firewall.ssl-ssh-profile.name)"
status: "enable"
transparent: "enable"
users:
-
name: "default_name_75 (source user.local.name)"
utm_status: "enable"
uuid: "<your_own_value>"
videofilter_profile: "<your_own_value> (source videofilter.profile.name)"
voip_profile: "<your_own_value> (source voip.profile.name)"
waf_profile: "<your_own_value> (source waf.profile.name)"
webcache: "enable"
webcache_https: "disable"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
webproxy_forward_server: "<your_own_value> (source web-proxy.forward-server.name web-proxy.forward-server-group.name)"
webproxy_profile: "<your_own_value> (source web-proxy.profile.name)"
ztna_ems_tag:
-
name: "default_name_87 (source firewall.address.name firewall.addrgrp.name)"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_proxy_policy_module.html