fortinet.fortios.fortios_system_admin – Configure admin users in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_system_admin.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify system feature and admin category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | ||||
|---|---|---|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
|||||
| enable_log
boolean
|
|
Enable/Disable logging for task.
|
||||
| state
string / required
|
|
Indicates whether to create or remove the object.
|
||||
| system_admin
dictionary
|
Configure admin users.
|
|||||
| accprofile
string
|
Access profile for this administrator. Access profiles control administrator access to FortiGate features. Source system.accprofile.name.
|
|||||
| accprofile_override
string
|
|
Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
|
||||
| allow_remove_admin_session
string
|
|
Enable/disable allow admin session to be removed by privileged admin users.
|
||||
| comments
string
|
Comment.
|
|||||
| email_to
string
|
This administrator"s email address.
|
|||||
| force_password_change
string
|
|
Enable/disable force password change on next login.
|
||||
| fortitoken
string
|
This administrator"s FortiToken serial number.
|
|||||
| guest_auth
string
|
|
Enable/disable guest authentication.
|
||||
| guest_lang
string
|
Guest management portal language. Source system.custom-language.name.
|
|||||
| guest_usergroups
list / elements=string
|
Select guest user groups.
|
|||||
| name
string / required
|
Select guest user groups.
|
|||||
| gui_dashboard
list / elements=string
|
GUI dashboards.
|
|||||
| columns
integer
|
Number of columns.
|
|||||
| id
integer / required
|
Dashboard ID.
|
|||||
| layout_type
string
|
|
Layout type.
|
||||
| name
string
|
Dashboard name.
|
|||||
| permanent
string
|
|
Permanent dashboard (can"t be removed via the GUI).
|
||||
| scope
string
|
|
Dashboard scope.
|
||||
| vdom
string
|
Virtual domain. Source system.vdom.name.
|
|||||
| widget
list / elements=string
|
Dashboard widgets.
|
|||||
| fabric_device
string
|
Fabric device to monitor.
|
|||||
| fabric_device_widget_name
string
|
Fabric device widget name.
|
|||||
| fabric_device_widget_visualization_type
string
|
Visualization type for fabric device widget.
|
|||||
| fortiview_device
string
|
FortiView device.
|
|||||
| fortiview_filters
list / elements=string
|
FortiView filters.
|
|||||
| id
integer / required
|
FortiView Filter ID.
|
|||||
| key
string
|
Filter key.
|
|||||
| value
string
|
Filter value.
|
|||||
| fortiview_sort_by
string
|
FortiView sort by.
|
|||||
| fortiview_timeframe
string
|
FortiView timeframe.
|
|||||
| fortiview_type
string
|
FortiView type.
|
|||||
| fortiview_visualization
string
|
FortiView visualization.
|
|||||
| height
integer
|
Height.
|
|||||
| id
integer / required
|
Widget ID.
|
|||||
| industry
string
|
|
Security Audit Rating industry.
|
||||
| interface
string
|
Interface to monitor. Source system.interface.name.
|
|||||
| region
string
|
|
Security Audit Rating region.
|
||||
| title
string
|
Widget title.
|
|||||
| type
string
|
|
Widget type.
|
||||
| width
integer
|
Width.
|
|||||
| x_pos
integer
|
X position.
|
|||||
| y_pos
integer
|
Y position.
|
|||||
| gui_global_menu_favorites
list / elements=string
|
Favorite GUI menu IDs for the global VDOM.
|
|||||
| id
string / required
|
Select menu ID.
|
|||||
| gui_new_feature_acknowledge
list / elements=string
|
Acknowledgement of new features.
|
|||||
| id
string / required
|
Select menu ID.
|
|||||
| gui_vdom_menu_favorites
list / elements=string
|
Favorite GUI menu IDs for VDOMs.
|
|||||
| id
string / required
|
Select menu ID.
|
|||||
| hidden
integer
|
Admin user hidden attribute.
|
|||||
| history0
string
|
history0
|
|||||
| history1
string
|
history1
|
|||||
| ip6_trusthost1
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost10
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost2
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost3
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost4
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost5
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost6
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost7
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost8
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| ip6_trusthost9
string
|
Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
|
|||||
| login_time
list / elements=string
|
Record user login time.
|
|||||
| last_failed_login
string
|
Last failed login time.
|
|||||
| last_login
string
|
Last successful login time.
|
|||||
| usr_name
string
|
User name.
|
|||||
| name
string / required
|
User name.
|
|||||
| password
string
|
Admin user password.
|
|||||
| password_expire
string
|
Password expire time.
|
|||||
| peer_auth
string
|
|
Set to enable peer certificate authentication (for HTTPS admin access).
|
||||
| peer_group
string
|
Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).
|
|||||
| radius_vdom_override
string
|
|
Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
|
||||
| remote_auth
string
|
|
Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
|
||||
| remote_group
string
|
User group name used for remote auth.
|
|||||
| schedule
string
|
Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.
|
|||||
| sms_custom_server
string
|
Custom SMS server to send SMS messages to. Source system.sms-server.name.
|
|||||
| sms_phone
string
|
Phone number on which the administrator receives SMS messages.
|
|||||
| sms_server
string
|
|
Send SMS messages using the FortiGuard SMS server or a custom server.
|
||||
| ssh_certificate
string
|
Select the certificate to be used by the FortiGate for authentication with an SSH client. Source certificate.local.name.
|
|||||
| ssh_public_key1
string
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
| ssh_public_key2
string
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
| ssh_public_key3
string
|
Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
|
|||||
| trusthost1
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost10
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost2
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost3
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost4
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost5
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost6
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost7
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost8
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| trusthost9
string
|
Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
|
|||||
| two_factor
string
|
|
Enable/disable two-factor authentication.
|
||||
| two_factor_authentication
string
|
|
Authentication method by FortiToken Cloud.
|
||||
| two_factor_notification
string
|
|
Notification method for user activation by FortiToken Cloud.
|
||||
| vdom
list / elements=string
|
Virtual domain(s) that the administrator can access.
|
|||||
| name
string / required
|
Virtual domain name. Source system.vdom.name.
|
|||||
| wildcard
string
|
|
Enable/disable wildcard RADIUS authentication.
|
||||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
||||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure admin users.
fortios_system_admin:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
system_admin:
accprofile: "<your_own_value> (source system.accprofile.name)"
accprofile_override: "enable"
allow_remove_admin_session: "enable"
comments: "<your_own_value>"
email_to: "<your_own_value>"
force_password_change: "enable"
fortitoken: "<your_own_value>"
guest_auth: "disable"
guest_lang: "<your_own_value> (source system.custom-language.name)"
guest_usergroups:
-
name: "default_name_13"
gui_dashboard:
-
columns: "15"
id: "16"
layout_type: "responsive"
name: "default_name_18"
permanent: "disable"
scope: "global"
vdom: "<your_own_value> (source system.vdom.name)"
widget:
-
fabric_device: "<your_own_value>"
fabric_device_widget_name: "<your_own_value>"
fabric_device_widget_visualization_type: "<your_own_value>"
fortiview_device: "<your_own_value>"
fortiview_filters:
-
id: "28"
key: "<your_own_value>"
value: "<your_own_value>"
fortiview_sort_by: "<your_own_value>"
fortiview_timeframe: "<your_own_value>"
fortiview_type: "<your_own_value>"
fortiview_visualization: "<your_own_value>"
height: "35"
id: "36"
industry: "default"
interface: "<your_own_value> (source system.interface.name)"
region: "default"
title: "<your_own_value>"
type: "sysinfo"
width: "42"
x_pos: "43"
y_pos: "44"
gui_global_menu_favorites:
-
id: "46"
gui_new_feature_acknowledge:
-
id: "48"
gui_vdom_menu_favorites:
-
id: "50"
hidden: "51"
history0: "<your_own_value>"
history1: "<your_own_value>"
ip6_trusthost1: "<your_own_value>"
ip6_trusthost10: "<your_own_value>"
ip6_trusthost2: "<your_own_value>"
ip6_trusthost3: "<your_own_value>"
ip6_trusthost4: "<your_own_value>"
ip6_trusthost5: "<your_own_value>"
ip6_trusthost6: "<your_own_value>"
ip6_trusthost7: "<your_own_value>"
ip6_trusthost8: "<your_own_value>"
ip6_trusthost9: "<your_own_value>"
login_time:
-
last_failed_login: "<your_own_value>"
last_login: "<your_own_value>"
usr_name: "<your_own_value>"
name: "default_name_68"
password: "<your_own_value>"
password_expire: "<your_own_value>"
peer_auth: "enable"
peer_group: "<your_own_value>"
radius_vdom_override: "enable"
remote_auth: "enable"
remote_group: "<your_own_value>"
schedule: "<your_own_value>"
sms_custom_server: "<your_own_value> (source system.sms-server.name)"
sms_phone: "<your_own_value>"
sms_server: "fortiguard"
ssh_certificate: "<your_own_value> (source certificate.local.name)"
ssh_public_key1: "<your_own_value>"
ssh_public_key2: "<your_own_value>"
ssh_public_key3: "<your_own_value>"
trusthost1: "<your_own_value>"
trusthost10: "<your_own_value>"
trusthost2: "<your_own_value>"
trusthost3: "<your_own_value>"
trusthost4: "<your_own_value>"
trusthost5: "<your_own_value>"
trusthost6: "<your_own_value>"
trusthost7: "<your_own_value>"
trusthost8: "<your_own_value>"
trusthost9: "<your_own_value>"
two_factor: "disable"
two_factor_authentication: "fortitoken"
two_factor_notification: "email"
vdom:
-
name: "default_name_98 (source system.vdom.name)"
wildcard: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_admin_module.html