fortinet.fortios.fortios_vpn_ssl_settings – Configure SSL VPN in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_vpn_ssl_settings.
New in version 2.10: of fortinet.fortios
Synopsis
- This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify vpn_ssl feature and settings category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| access_token
string
|
Token-based authentication. Generated from GUI of Fortigate.
|
||||
| enable_log
boolean
|
|
Enable/Disable logging for task.
|
|||
| vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
|||
| vpn_ssl_settings
dictionary
|
Configure SSL VPN.
|
||||
| algorithm
string
|
|
Force the SSL-VPN security level. High allows only high. Medium allows medium and high. Low allows any.
|
|||
| auth_session_check_source_ip
string
|
|
Enable/disable checking of source IP for authentication session.
|
|||
| auth_timeout
integer
|
SSL-VPN authentication timeout (1 - 259200 sec (3 days), 0 for no timeout).
|
||||
| authentication_rule
list / elements=string
|
Authentication rule for SSL VPN.
|
||||
| auth
string
|
|
SSL VPN authentication method restriction.
|
|||
| cipher
string
|
|
SSL VPN cipher strength.
|
|||
| client_cert
string
|
|
Enable/disable SSL VPN client certificate restrictive.
|
|||
| groups
list / elements=string
|
User groups.
|
||||
| name
string / required
|
Group name. Source user.group.name.
|
||||
| id
integer / required
|
ID (0 - 4294967295).
|
||||
| portal
string
|
SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| realm
string
|
SSL VPN realm. Source vpn.ssl.web.realm.url-path.
|
||||
| source_address
list / elements=string
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list / elements=string
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list / elements=string
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| user_peer
string
|
Name of user peer. Source user.peer.name.
|
||||
| users
list / elements=string
|
User name.
|
||||
| name
string / required
|
User name. Source user.local.name.
|
||||
| auto_tunnel_static_route
string
|
|
Enable to auto-create static routes for the SSL-VPN tunnel IP addresses.
|
|||
| banned_cipher
list / elements=string
|
|
Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
|
|||
| check_referer
string
|
|
Enable/disable verification of referer field in HTTP request header.
|
|||
| ciphersuite
list / elements=string
|
|
Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, set ssl-max-proto-ver to tls1-2 or below.
|
|||
| client_sigalgs
string
|
|
Set signature algorithms related to client authentication. Affects TLS version <= 1.2 only.
|
|||
| default_portal
string
|
Default SSL VPN portal. Source vpn.ssl.web.portal.name.
|
||||
| deflate_compression_level
integer
|
Compression level (0~9).
|
||||
| deflate_min_data_size
integer
|
Minimum amount of data that triggers compression (200 - 65535 bytes).
|
||||
| dns_server1
string
|
DNS server 1.
|
||||
| dns_server2
string
|
DNS server 2.
|
||||
| dns_suffix
string
|
DNS suffix used for SSL-VPN clients.
|
||||
| dtls_hello_timeout
integer
|
SSLVPN maximum DTLS hello timeout (10 - 60 sec).
|
||||
| dtls_max_proto_ver
string
|
|
DTLS maximum protocol version.
|
|||
| dtls_min_proto_ver
string
|
|
DTLS minimum protocol version.
|
|||
| dtls_tunnel
string
|
|
Enable DTLS to prevent eavesdropping, tampering, or message forgery.
|
|||
| dual_stack_mode
string
|
|
Tunnel mode: enable parallel IPv4 and IPv6 tunnel. Web mode: support IPv4 and IPv6 bookmarks in the portal.
|
|||
| encode_2f_sequence
string
|
|
Encode 2F sequence to forward slash in URLs.
|
|||
| encrypt_and_store_password
string
|
|
Encrypt and store user passwords for SSL VPN web sessions.
|
|||
| force_two_factor_auth
string
|
|
Enable to force two-factor authentication for all SSL-VPNs.
|
|||
| header_x_forwarded_for
string
|
|
Forward the same, add, or remove HTTP header.
|
|||
| hsts_include_subdomains
string
|
|
Add HSTS includeSubDomains response header.
|
|||
| http_compression
string
|
|
Enable to allow HTTP compression over SSL-VPN tunnels.
|
|||
| http_only_cookie
string
|
|
Enable/disable SSL-VPN support for HttpOnly cookies.
|
|||
| http_request_body_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request body is not received within this time (1 - 60 sec).
|
||||
| http_request_header_timeout
integer
|
SSL-VPN session is disconnected if an HTTP request header is not received within this time (1 - 60 sec).
|
||||
| https_redirect
string
|
|
Enable/disable redirect of port 80 to SSL-VPN port.
|
|||
| idle_timeout
integer
|
SSL VPN disconnects if idle for specified time in seconds.
|
||||
| ipv6_dns_server1
string
|
IPv6 DNS server 1.
|
||||
| ipv6_dns_server2
string
|
IPv6 DNS server 2.
|
||||
| ipv6_wins_server1
string
|
IPv6 WINS server 1.
|
||||
| ipv6_wins_server2
string
|
IPv6 WINS server 2.
|
||||
| login_attempt_limit
integer
|
SSL VPN maximum login attempt times before block (0 - 10).
|
||||
| login_block_time
integer
|
Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec).
|
||||
| login_timeout
integer
|
SSLVPN maximum login timeout (10 - 180 sec).
|
||||
| port
integer
|
SSL-VPN access port (1 - 65535).
|
||||
| port_precedence
string
|
|
Enable means that if SSL-VPN connections are allowed on an interface admin GUI connections are blocked on that interface.
|
|||
| reqclientcert
string
|
|
Enable to require client certificates for all SSL-VPN users.
|
|||
| route_source_interface
string
|
|
Enable to allow SSL-VPN sessions to bypass routing and bind to the incoming interface.
|
|||
| servercert
string
|
Name of the server certificate to be used for SSL-VPNs. Source vpn.certificate.local.name.
|
||||
| source_address
list / elements=string
|
Source address of incoming traffic.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| source_address6
list / elements=string
|
IPv6 source address of incoming traffic.
|
||||
| name
string / required
|
IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| source_address6_negate
string
|
|
Enable/disable negated source IPv6 address match.
|
|||
| source_address_negate
string
|
|
Enable/disable negated source address match.
|
|||
| source_interface
list / elements=string
|
SSL VPN source interface of incoming traffic.
|
||||
| name
string / required
|
Interface name. Source system.interface.name system.zone.name.
|
||||
| ssl_client_renegotiation
string
|
|
Enable to allow client renegotiation by the server if the tunnel goes down.
|
|||
| ssl_insert_empty_fragment
string
|
|
Enable/disable insertion of empty fragment.
|
|||
| ssl_max_proto_ver
string
|
|
SSL maximum protocol version.
|
|||
| ssl_min_proto_ver
string
|
|
SSL minimum protocol version.
|
|||
| tlsv1_0
string
|
|
Enable/disable TLSv1.0.
|
|||
| tlsv1_1
string
|
|
Enable/disable TLSv1.1.
|
|||
| tlsv1_2
string
|
|
Enable/disable TLSv1.2.
|
|||
| tlsv1_3
string
|
|
tlsv1-3
|
|||
| transform_backward_slashes
string
|
|
Transform backward slashes to forward slashes in URLs.
|
|||
| tunnel_addr_assigned_method
string
|
|
Method used for assigning address for tunnel.
|
|||
| tunnel_connect_without_reauth
string
|
|
Enable/disable tunnel connection without re-authorization if previous connection dropped.
|
|||
| tunnel_ip_pools
list / elements=string
|
Names of the IPv4 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address.name firewall.addrgrp.name.
|
||||
| tunnel_ipv6_pools
list / elements=string
|
Names of the IPv6 IP Pool firewall objects that define the IP addresses reserved for remote clients.
|
||||
| name
string / required
|
Address name. Source firewall.address6.name firewall.addrgrp6.name.
|
||||
| tunnel_user_session_timeout
integer
|
Time out value to clean up user session after tunnel connection is dropped (1 - 255 sec).
|
||||
| unsafe_legacy_renegotiation
string
|
|
Enable/disable unsafe legacy re-negotiation.
|
|||
| url_obscuration
string
|
|
Enable to obscure the host name of the URL of the web browser display.
|
|||
| user_peer
string
|
Name of user peer. Source user.peer.name.
|
||||
| wins_server1
string
|
WINS server 1.
|
||||
| wins_server2
string
|
WINS server 2.
|
||||
| x_content_type_options
string
|
|
Add HTTP X-Content-Type-Options header.
|
|||
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure SSL VPN.
fortios_vpn_ssl_settings:
vdom: "{{ vdom }}"
vpn_ssl_settings:
algorithm: "high"
auth_session_check_source_ip: "enable"
auth_timeout: "5"
authentication_rule:
-
auth: "any"
cipher: "any"
client_cert: "enable"
groups:
-
name: "default_name_11 (source user.group.name)"
id: "12"
portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
realm: "<your_own_value> (source vpn.ssl.web.realm.url-path)"
source_address:
-
name: "default_name_16 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_19 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_22 (source system.interface.name system.zone.name)"
user_peer: "<your_own_value> (source user.peer.name)"
users:
-
name: "default_name_25 (source user.local.name)"
auto_tunnel_static_route: "enable"
banned_cipher: "RSA"
check_referer: "enable"
ciphersuite: "TLS-AES-128-GCM-SHA256"
client_sigalgs: "no-rsa-pss"
default_portal: "<your_own_value> (source vpn.ssl.web.portal.name)"
deflate_compression_level: "32"
deflate_min_data_size: "33"
dns_server1: "<your_own_value>"
dns_server2: "<your_own_value>"
dns_suffix: "<your_own_value>"
dtls_hello_timeout: "37"
dtls_max_proto_ver: "dtls1-0"
dtls_min_proto_ver: "dtls1-0"
dtls_tunnel: "enable"
dual_stack_mode: "enable"
encode_2f_sequence: "enable"
encrypt_and_store_password: "enable"
force_two_factor_auth: "enable"
header_x_forwarded_for: "pass"
hsts_include_subdomains: "enable"
http_compression: "enable"
http_only_cookie: "enable"
http_request_body_timeout: "49"
http_request_header_timeout: "50"
https_redirect: "enable"
idle_timeout: "52"
ipv6_dns_server1: "<your_own_value>"
ipv6_dns_server2: "<your_own_value>"
ipv6_wins_server1: "<your_own_value>"
ipv6_wins_server2: "<your_own_value>"
login_attempt_limit: "57"
login_block_time: "58"
login_timeout: "59"
port: "60"
port_precedence: "enable"
reqclientcert: "enable"
route_source_interface: "enable"
servercert: "<your_own_value> (source vpn.certificate.local.name)"
source_address:
-
name: "default_name_66 (source firewall.address.name firewall.addrgrp.name)"
source_address_negate: "enable"
source_address6:
-
name: "default_name_69 (source firewall.address6.name firewall.addrgrp6.name)"
source_address6_negate: "enable"
source_interface:
-
name: "default_name_72 (source system.interface.name system.zone.name)"
ssl_client_renegotiation: "disable"
ssl_insert_empty_fragment: "enable"
ssl_max_proto_ver: "tls1-0"
ssl_min_proto_ver: "tls1-0"
tlsv1_0: "enable"
tlsv1_1: "enable"
tlsv1_2: "enable"
tlsv1_3: "enable"
transform_backward_slashes: "enable"
tunnel_addr_assigned_method: "first-available"
tunnel_connect_without_reauth: "enable"
tunnel_ip_pools:
-
name: "default_name_85 (source firewall.address.name firewall.addrgrp.name)"
tunnel_ipv6_pools:
-
name: "default_name_87 (source firewall.address6.name firewall.addrgrp6.name)"
tunnel_user_session_timeout: "88"
unsafe_legacy_renegotiation: "enable"
url_obscuration: "enable"
user_peer: "<your_own_value> (source user.peer.name)"
wins_server1: "<your_own_value>"
wins_server2: "<your_own_value>"
x_content_type_options: "enable"
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build
string
|
always |
Build number of the fortigate image
Sample:
1547
|
| http_method
string
|
always |
Last method used to provision the content into FortiGate
Sample:
PUT
|
| http_status
string
|
always |
Last result given by FortiGate on last operation applied
Sample:
200
|
| mkey
string
|
success |
Master key (id) used in the last call to FortiGate
Sample:
id
|
| name
string
|
always |
Name of the table used to fulfill the request
Sample:
urlfilter
|
| path
string
|
always |
Path of the table used to fulfill the request
Sample:
webfilter
|
| revision
string
|
always |
Internal revision number
Sample:
17.0.2.10658
|
| serial
string
|
always |
Serial number of the unit
Sample:
FGVMEVYYQT3AB5352
|
| status
string
|
always |
Indication of the operation's result
Sample:
success
|
| vdom
string
|
always |
Virtual domain used
Sample:
root
|
| version
string
|
always |
Version of the FortiGate
Sample:
v5.6.3
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_vpn_ssl_settings_module.html