fortinet.fortios.fortios_ips_sensor – Configure IPS sensor in Fortinet’s FortiOS and FortiGate.

Note

This plugin is part of the fortinet.fortios collection (version 2.1.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortios.

To use it in a playbook, specify: fortinet.fortios.fortios_ips_sensor.

New in version 2.10: of fortinet.fortios

Synopsis

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify ips feature and sensor category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0

Requirements

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

Parameters

Parameter				Choices/Defaults	Comments
access_token string					Token-based authentication. Generated from GUI of Fortigate.
enable_log boolean				Choices: no ← yes	Enable/Disable logging for task.
ips_sensor dictionary					Configure IPS sensor.
	block_malicious_url string			Choices: disable enable	Enable/disable malicious URL blocking.
	comment string				Comment.
	entries list / elements=string				IPS sensor filter.
		action string		Choices: pass block reset default	Action taken with traffic in which signatures are detected.
		application string			Applications to be protected. set application ? lists available applications. all includes all applications. other includes all unlisted applications.
		cve list / elements=string			List of CVE IDs of the signatures to add to the sensor
			cve_entry string		CVE IDs or CVE wildcards.
		exempt_ip list / elements=string			Traffic from selected source or destination IP addresses is exempt from this signature.
			dst_ip string		Destination IP address and netmask.
			id integer / required		Exempt IP ID.
			src_ip string		Source IP address and netmask.
		id integer / required			Rule ID in IPS database (0 - 4294967295).
		location string			Protect client or server traffic.
		log string		Choices: disable enable	Enable/disable logging of signatures included in filter.
		log_attack_context string		Choices: disable enable	Enable/disable logging of attack context: URL buffer, header buffer, body buffer, packet buffer.
		log_packet string		Choices: disable enable	Enable/disable packet logging. Enable to save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use.
		os string			Operating systems to be protected. all includes all operating systems. other includes all unlisted operating systems.
		protocol string			Protocols to be examined. set protocol ? lists available protocols. all includes all protocols. other includes all unlisted protocols.
		quarantine string		Choices: none attacker	Quarantine method.
		quarantine_expiry string			Duration of quarantine. (Format
		quarantine_log string		Choices: disable enable	Enable/disable quarantine logging.
		rate_count integer			Count of the rate.
		rate_duration integer			Duration (sec) of the rate.
		rate_mode string		Choices: periodical continuous	Rate limit mode.
		rate_track string		Choices: none src-ip dest-ip dhcp-client-mac dns-domain	Track the packet protocol field.
		rule list / elements=string			Identifies the predefined or custom IPS signatures to add to the sensor.
			id integer / required		Rule IPS.
		severity string			Relative severity of the signature, from info to critical. Log messages generated by the signature include the severity.
		status string		Choices: disable enable default	Status of the signatures included in filter. default enables the filter and only use filters with default status of enable. Filters with default status of disable will not be used.
	extended_log string			Choices: enable disable	Enable/disable extended logging.
	filter list / elements=string				IPS sensor filter.
		action string		Choices: pass block reset default	Action of selected rules.
		application string			Vulnerable application filter.
		location string			Vulnerability location filter.
		log string		Choices: disable enable	Enable/disable logging of selected rules.
		log_packet string		Choices: disable enable	Enable/disable packet logging of selected rules.
		name string / required			Filter name.
		os string			Vulnerable OS filter.
		protocol string			Vulnerable protocol filter.
		quarantine string		Choices: none attacker	Quarantine IP or interface.
		quarantine_expiry integer			Duration of quarantine in minute.
		quarantine_log string		Choices: disable enable	Enable/disable logging of selected quarantine.
		severity string			Vulnerability severity filter.
		status string		Choices: disable enable default	Selected rules status.
	name string / required				Sensor name.
	override list / elements=string				IPS override rule.
		action string		Choices: pass block reset	Action of override rule.
		exempt_ip list / elements=string			Exempted IP.
			dst_ip string		Destination IP address and netmask.
			id integer / required		Exempt IP ID.
			src_ip string		Source IP address and netmask.
		log string		Choices: disable enable	Enable/disable logging.
		log_packet string		Choices: disable enable	Enable/disable packet logging.
		quarantine string		Choices: none attacker	Quarantine IP or interface.
		quarantine_expiry integer			Duration of quarantine in minute.
		quarantine_log string		Choices: disable enable	Enable/disable logging of selected quarantine.
		rule_id integer			Override rule ID.
		status string		Choices: disable enable	Enable/disable status of override rule.
	replacemsg_group string				Replacement message group. Source system.replacemsg-group.name.
	scan_botnet_connections string			Choices: disable block monitor	Block or monitor connections to Botnet servers, or disable Botnet scanning.
state string / required				Choices: present absent	Indicates whether to create or remove the object.
vdom string				Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.

Notes

Note

Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure IPS sensor.
    fortios_ips_sensor:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      ips_sensor:
        block_malicious_url: "disable"
        comment: "Comment."
        entries:
         -
            action: "pass"
            application: "<your_own_value>"
            cve:
             -
                cve_entry: "<your_own_value>"
            exempt_ip:
             -
                dst_ip: "<your_own_value>"
                id:  "12"
                src_ip: "<your_own_value>"
            id:  "14"
            location: "<your_own_value>"
            log: "disable"
            log_attack_context: "disable"
            log_packet: "disable"
            os: "<your_own_value>"
            protocol: "<your_own_value>"
            quarantine: "none"
            quarantine_expiry: "<your_own_value>"
            quarantine_log: "disable"
            rate_count: "24"
            rate_duration: "25"
            rate_mode: "periodical"
            rate_track: "none"
            rule:
             -
                id:  "29"
            severity: "<your_own_value>"
            status: "disable"
        extended_log: "enable"
        filter:
         -
            action: "pass"
            application: "<your_own_value>"
            location: "<your_own_value>"
            log: "disable"
            log_packet: "disable"
            name: "default_name_39"
            os: "<your_own_value>"
            protocol: "<your_own_value>"
            quarantine: "none"
            quarantine_expiry: "43"
            quarantine_log: "disable"
            severity: "<your_own_value>"
            status: "disable"
        name: "default_name_47"
        override:
         -
            action: "pass"
            exempt_ip:
             -
                dst_ip: "<your_own_value>"
                id:  "52"
                src_ip: "<your_own_value>"
            log: "disable"
            log_packet: "disable"
            quarantine: "none"
            quarantine_expiry: "57"
            quarantine_log: "disable"
            rule_id: "59"
            status: "disable"
        replacemsg_group: "<your_own_value> (source system.replacemsg-group.name)"
        scan_botnet_connections: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_ips_sensor_module.html

Docs

Docs4dev

Title here